Hi, This adds pledge(2) to the main proc of relayd(8) with the following promises:
- rpath: load (and reload) the config file
- cpath: unlink the RELAYD_SOCKET
- inet/dns: the daemon deals with AF_INET sockets and also needs to resolve dns
- sendfd: send fds to its children
- unix: additionally, if SNMP is configured it will also need to communicate with it through an AF_UNIX socket

With this patch my relays with TLS and http(s) filters configured still work as intended and can get/set information on it through relayctl(8).

Comments? OK?

Index: relayd.c =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.171 diff -u -p -u -r1.171 relayd.c --- relayd.c 29 Nov 2017 15:24:50 -0000 1.171 +++ relayd.c 1 Aug 2018 09:34:17 -0000 @@ -221,6 +221,14 @@ main(int argc, char *argv[]) if (ps->ps_noaction == 0) log_info("startup"); + if (env->sc_conf.flags & F_SNMP) { + if (pledge("stdio rpath cpath inet unix dns sendfd", NULL) == -1) + err(1, "pledge"); + } else { + if (pledge("stdio rpath cpath inet dns sendfd", NULL) == -1) + err(1, "pledge"); + } + event_init(); signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
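
Review bot: the promise set is chosen once, at startup, from `env->sc_conf.flags & F_SNMP` in main(), yet the message says the main process also reloads the config file. If a reload can turn SNMP on after a start without it, the process would open the AF_UNIX socket without the "unix" promise and be killed by pledge. Either always include "unix" in the promise string, or state in the commit message or relayd.conf(5) that enabling SNMP needs a restart. Separately, the two pledge() calls differ only by that one promise, so picking the string into a `const char *` first and calling pledge() once would remove the duplicated `err(1, "pledge")` branch.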