On 2022-12-23, Alexander Klimov <[email protected]> wrote:
> Grüzi!
>
> The ports already contain icinga2 which includes the `icinga2 console`
> feature:
>
> $ icinga2 console
> Icinga 2 (version: r2.13.5-1)
> Type $help to view available commands.
> <1> => 1 + 1
> 2.000000
> <2> =>
>
> I'm building a (free) "icinga2 console as a service" via -long story
> short- JS, websocket, FastCGI and forkpty(3).
>
> To maximally sandbox each icinga2 console, I use pledge(2) and
> unveil(2). Unfortunately pledge(2) requires not only
> execpromises="stdio error", but also "rpath" for loading the libs. OK, I
> can live with it as I can unveil(2) across execvpe(3). To unveil(2) only
> as much as needed, I'm trying to unveil(2) only step-by-step until
> success. I use ld error messages as signposts, i.e.:
>
> Me: unveil("/usr/local/lib/icinga2/sbin/icinga2", "x"), unveil(0, 0)
> execve: cannot load /usr/libexec/ld.so
> Me: unveil("/usr/libexec/ld.so", "r")
> ld.so: icinga2: can't load library 'libcurses.so.14.0'
> Me: unveil("/usr/lib", "r")
> ld.so: icinga2: can't load library 'libboost_date_time-mt.so.21.0'
> Me: unveil("/usr/local/lib", "r")
> ld.so: icinga2: can't load library 'libbz2.so.10.4'
>
> That's interesting:
>
> /usr/local/lib/libboost_date_time-mt.so.21.0 and
> /usr/local/lib/libbz2.so.10.4 are in the same dir, but only one can be
> loaded.
>
> Has anyone an idea why? Btw. no unveil(2) at all works.
You may need /var/run/ld.so.hints. If that's not it, you can try running with LD_DEBUG set in the environment to see if that gives more clues, or run under ktrace (typically ktrace -di $whatever, kdump, searching backwards for the error message and look at previous EACCES/ENOENT returns).
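The ktrace/kdump approach from the reply, as an added example that is not from the thread: a shell function that scans kdump(1) output for NAMI/RET pairs that failed with EACCES or ENOENT, so the paths unveil(2) hid show up directly instead of being read backwards by hand. The kdump line layout (pid, program, NAMI/RET, fields) and the sample trace are assumptions; the sample is constructed, including the ld.so.hints lookup the reply points at.

```sh
#!/bin/sh
# Print "<syscall> <errno name> <path>" for every path lookup in a kdump(1)
# trace that returned EACCES (errno 13) or ENOENT (errno 2). Assumed layout:
#   <pid> <prog>  NAMI  "<path>"
#   <pid> <prog>  RET   <syscall> -1 errno <n> <text>
# On OpenBSD: ktrace -di ./wrapper; kdump | failed_lookups | tail
failed_lookups() {
    awk '
        $3 == "NAMI" {
            path = $4
            gsub(/"/, "", path)   # kdump quotes the path name
            next
        }
        $3 == "RET" && $5 == "-1" && $6 == "errno" {
            # only report when the RET follows a path lookup
            if (path != "" && ($7 == 13 || $7 == 2))
                printf "%s %s %s\n", $4, ($7 == 13 ? "EACCES" : "ENOENT"), path
            path = ""
        }
    '
}

# Constructed kdump excerpt (not a real trace): ld.so.hints missing from the
# unveil set, one library hidden, one library loaded fine.
sample_kdump() {
    cat <<'EOF'
  1234 icinga2  CALL  open(0x7f7ffffd1e80,0x10000<O_RDONLY|O_CLOEXEC>)
  1234 icinga2  NAMI  "/var/run/ld.so.hints"
  1234 icinga2  RET   open -1 errno 2 No such file or directory
  1234 icinga2  CALL  open(0x7f7ffffd1e80,0x10000<O_RDONLY|O_CLOEXEC>)
  1234 icinga2  NAMI  "/usr/lib/libc.so.96.1"
  1234 icinga2  RET   open 3
  1234 icinga2  CALL  open(0x7f7ffffd1e80,0x10000<O_RDONLY|O_CLOEXEC>)
  1234 icinga2  NAMI  "/usr/local/lib/libbz2.so.10.4"
  1234 icinga2  RET   open -1 errno 13 Permission denied
EOF
}
```

Each reported path is a candidate for the next unveil(2) call; the last lines of the output are the ones just before the ld.so error message.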

