On Wed, 22 Jan 2020, David Gwynne wrote: > Has anyone got an opinion on this? I am still interested in doing more > packet capture things on OpenBSD using GRE as a transport, and the idea > of maintaining this out of tree just makes me feel tired.
This is cool. I don't spot any major problems with this, but I'm rusty on kernel networking. > > Index: sys/kern/kern_pledge.c > > =================================================================== > > RCS file: /cvs/src/sys/kern/kern_pledge.c,v > > retrieving revision 1.255 > > diff -u -p -r1.255 kern_pledge.c > > --- sys/kern/kern_pledge.c 25 Aug 2019 18:46:40 -0000 1.255 > > +++ sys/kern/kern_pledge.c 29 Oct 2019 07:57:58 -0000 > > @@ -666,7 +666,7 @@ pledge_namei(struct proc *p, struct name > > } > > } > > > > - /* DNS needs /etc/{resolv.conf,hosts,services}. */ > > + /* DNS needs /etc/{resolv.conf,hosts,services,protocols}. */ > > if ((ni->ni_pledge == PLEDGE_RPATH) && > > (p->p_p->ps_pledge & PLEDGE_DNS)) { > > if (strcmp(path, "/etc/resolv.conf") == 0) { > > @@ -678,6 +678,10 @@ pledge_namei(struct proc *p, struct name > > return (0); > > } > > if (strcmp(path, "/etc/services") == 0) { > > + ni->ni_cnd.cn_flags |= BYPASSUNVEIL; > > + return (0); > > + } > > + if (strcmp(path, "/etc/protocols") == 0) { > > ni->ni_cnd.cn_flags |= BYPASSUNVEIL; > > return (0); This looks like it is fixing a real, separate bug in pledge vs getaddrinfo, no? (specifically: that lookups for named ports will fail currently).
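Review bot: the first hunk only updates the comment to list /etc/protocols alongside resolv.conf, hosts and services; if the pledge(2) manual's description of the "dns" promise enumerates those files as well, it should be updated in the same commit so the documented file set stays in step with the code.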
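Review bot: the /etc/protocols block added in the second hunk follows the existing entries exactly (strcmp on the canonical path inside the PLEDGE_RPATH && PLEDGE_DNS branch, set BYPASSUNVEIL, return 0), so it permits only read-only opens of that one path under the dns promise and is consistent with the three entries above it. Since this is a self-contained pledge fix rather than part of the GRE capture work, and the reply notes it affects getaddrinfo lookups of named ports under pledge, it would be clearer to commit it separately with that rationale in the commit message.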