On 2019/05/23 11:54, Ricardo Mestre wrote: > bonkers my brain must have farted :\ rpath should be dropped after loading the > certs. I just tested it with remote-control with certificates, could you > please let me know if it works for you now? >
> Index: unbound-checkconf.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 unbound-checkconf.c
> --- unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
> +++ unbound-checkconf.c 23 May 2019 10:45:48 -0000
> @@ -602,6 +602,9 @@ morechecks(struct config_file* cfg)
> cfg->control_cert_file);
> }
>
> + if (pledge("stdio", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
> localzonechecks(cfg);
> view_and_respipchecks(cfg);
> #ifdef CLIENT_SUBNET
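Review bot: The failure message on the added `fatal_exit("Could not pledge");` drops the reason, so an EINVAL from a mistyped promise string and an EPERM from trying to widen an earlier pledge look identical in the log. fatal_exit looks printf-style elsewhere in unbound, so `fatal_exit("pledge: %s", strerror(errno));` would keep it, provided `<errno.h>` and `<string.h>` are already in scope, which this hunk does not show. The same applies to the pledge added in main() below. morechecks() begins and ends outside this hunk.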
> @@ -724,6 +727,10 @@ int main(int argc, char* argv[])
> if(argc == 1)
> f = argv[0];
> else f = cfgfile;
> +
> + if (pledge("stdio rpath getpw", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
> checkconf(f, opt, final);
> checklock_stop();
> return 0;
> > On 10:29 Thu 23 May , Stuart Henderson wrote: > > Not ok - if you're using remote-control with certificates (for example, > > to control remote unbound instances over a network connection) it hits the > > following: > > > > unbound-checkcon[21086]: pledge "rpath", syscall 38 > > > > (gdb) bt > > #0 stat () at -:3 > > #1 0x000004da8ddd61dc in is_file (fname=0x4dd11e9e3c0 > > "/var/unbound/etc/unbound_server.key") > > at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:278 > > #2 0x000004da8ddd5f10 in check_chroot_string (desc=0x4da8dda7c5d > > "server-key-file", ss=0x4dca3ee33d0, > > chrootdir=0x0, cfg=0x4dca3ee3000) at > > /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:335 > > #3 0x000004da8ddd5114 in morechecks (cfg=0x4dca3ee3000) > > at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:597 > > #4 0x000004da8ddd4776 in checkconf (cfgfile=0x4da8dda9506 > > "/var/unbound/etc/unbound.conf", opt=0x0, final=0) > > at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:674 > > #5 0x000004da8ddd44e2 in main (argc=0, argv=0x7f7ffffd1850) > > at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:735 > >
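Review bot: The promise set on the added `pledge("stdio rpath getpw", NULL)` is not explained at the call site, and this thread shows how easily a still-needed promise gets dropped in a later narrowing. A one-line comment above it naming what each promise covers would make the next tightening safer, e.g. `/* rpath: config, key/cert, trust-anchor, hints and zone files; getpw: getpwnam() on the configured username */`. The file list comes from the backtrace and Stuart's reply rather than from this hunk, and the getpwnam part is inferred from the getpw promise and the endpwent() in the later diff, so adjust the wording to what the code actually does. main() begins outside the hunk.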
check_mod(cfg, val_get_funcblock()); - needs to read the DNSSEC root key, check_hints(cfg); - needs to read hints files, check_auth(cfg); - needs to read zones I think you could do this, though:
Index: smallapp/unbound-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
retrieving revision 1.11
diff -u -p -r1.11 unbound-checkconf.c
--- smallapp/unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
+++ smallapp/unbound-checkconf.c 23 May 2019 12:17:03 -0000
@@ -587,6 +587,10 @@ morechecks(struct config_file* cfg)
endpwent();
# endif
}
+
+ if (pledge("stdio rpath", NULL) == -1)
+ fatal_exit("Could not pledge");
+
#endif
if(cfg->remote_control_enable && options_remote_is_address(cfg) && cfg->control_use_cert) {
@@ -724,6 +728,10 @@ int main(int argc, char* argv[])
if(argc == 1)
f = argv[0];
else f = cfgfile;
+
+ if (pledge("stdio rpath getpw", NULL) == -1)
+ fatal_exit("Could not pledge");
+
checkconf(f, opt, final);
checklock_stop();
return 0;
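Review bot: The added `pledge("stdio rpath", NULL)` is placed before the `#endif`, so it lives inside whatever conditional block that directive closes (from the `endpwent()` just above, presumably the getpwnam()-guarded username check); on a build where that macro is undefined the getpw promise is never dropped and the narrowing silently does not happen. Moving the four added lines to just after `#endif` keeps the drop unconditional while still leaving it after the password lookup. I cannot see the matching `#ifdef` in this hunk, so confirm which block it closes. morechecks() begins and ends outside the hunk.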
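Review bot: The initial `pledge("stdio rpath getpw", NULL)` is only reached after argv has been examined, so everything main() does before this point, which is outside the hunk, runs unpledged. If that earlier code is just option parsing and log setup, which normally need nothing beyond stdio, the same call could move to the top of main() so the whole run is covered; if something up there needs more, a short comment saying why the pledge sits here, e.g. `/* pledge after option parsing: ... */`, would stop someone hoisting it later. This is a placement question I cannot settle from the hunk alone.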