On Mon, Feb 03, 2020 at 12:52:05AM +0000, Jimmy Brush wrote:
> No golang tcp server can be pledged without this change because it
> queries kern.somaxconn before it listens on a tcp socket[1][2][3].
> 
> I cannot think of any advantage this change would give an attacker
> who has compromised a pledged process.
> 
> [1] https://golang.org/src/net/sock_posix.go#L57
> [2] https://golang.org/src/net/net.go#L373
> [3] https://golang.org/src/net/sock_bsd.go#L27
> 
> ---
>  sys/kern/kern_pledge.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
> index 9f436df4893..8d1203198ed 100644
> --- sys/kern/kern_pledge.c
> +++ sys/kern/kern_pledge.c
> @@ -904,6 +904,12 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, void 
> *new)
>                       return (0);
>       }
>  
> +     if ((p->p_p->ps_pledge & PLEDGE_INET)) {
> +             if (miblen == 2 &&              /* kern.somaxconn */
> +                 mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
> +                     return (0);
> +     }
> +
>       if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS))) {
>               if (miblen == 6 &&              /* getifaddrs() */
>                   mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
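Review bot: the new block in pledge_sysctl() admits the kern.somaxconn MIB whenever PLEDGE_INET is set, but nothing in the hunk checks the function's `void *new` argument, so unless the prologue of pledge_sysctl() already rejects `new != NULL` before control reaches this point, an inet-pledged process would be allowed to set kern.somaxconn as well as read it. Suggest tightening the condition to a read-only allowance, in line with the intent stated above, e.g. `if (new == NULL && miblen == 2 && /* kern.somaxconn */` followed by the existing MIB comparison, or confirming in the commit message that writes are already refused earlier in the function.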
> 

I think go should not query the sysctl and instead just use a reasonably
high default (or let users choose). The kernel will then use the minimum
of the two values. At least this is what all other daemons do.
Guess that option will not happen...

-- 
:wq Claudio
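As an added example, not code from this thread or from the Go project, here is the userland side of Claudio's point: create the socket with raw syscalls, pass a fixed generous backlog (the kernel clamps it to its own somaxconn), and wrap the descriptor with net.FileListener, so the net.Listen path that reads kern.somaxconn is never taken and the program can run under pledge("stdio inet"). The helper name listenTCP4 is mine; it assumes the FileListener path does not query the sysctl, and the pledge call itself is shown only as a comment.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// listenTCP4 builds a listening IPv4 TCP socket without going through
// net.Listen, which on BSDs reads kern.somaxconn via sysctl before
// listen(2). The backlog is a fixed value; the kernel takes the minimum
// of it and its own somaxconn, so a large constant is safe.
func listenTCP4(ip string, port int, backlog int) (net.Listener, error) {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, err
	}
	// os.File takes ownership of fd; net.FileListener dup()s it, so closing
	// f on every return path is both safe and required to avoid a leak.
	f := os.NewFile(uintptr(fd), "tcp4-listener")
	defer f.Close()

	ip4 := net.ParseIP(ip).To4()
	if ip4 == nil {
		return nil, fmt.Errorf("not an IPv4 address: %q", ip)
	}
	sa := &syscall.SockaddrInet4{Port: port}
	copy(sa.Addr[:], ip4)

	if err := syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1); err != nil {
		return nil, err
	}
	if err := syscall.Bind(fd, sa); err != nil {
		return nil, err
	}
	if err := syscall.Listen(fd, backlog); err != nil {
		return nil, err
	}
	return net.FileListener(f)
}

func main() {
	// On OpenBSD, with golang.org/x/sys/unix, a server would call
	// unix.Pledge("stdio inet", "") here; "inet" covers socket/bind/listen.
	ln, err := listenTCP4("127.0.0.1", 0, 1024)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer ln.Close()
	fmt.Println("listening on", ln.Addr())
}
```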
