Hi, I had this little patch, although I'm not sure any server in ports is meant to be "pledged" ... But ... Just in case it has any use.
Kind regards.
Index: patches/patch-src_haproxy_c
===================================================================
RCS file: patches/patch-src_haproxy_c
diff -N patches/patch-src_haproxy_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_haproxy_c 25 Jan 2016 17:20:39 -0000
@@ -0,0 +1,27 @@
+$OpenBSD$
+--- src/haproxy.c.orig Sun Dec 27 14:04:17 2015
++++ src/haproxy.c Mon Jan 25 17:11:14 2016
+@@ -1636,6 +1636,11 @@ int main(int argc, char **argv)
+ char errmsg[100];
+ int pidfd = -1;
+
++ if (pledge("stdio proc inet dns id rpath cpath wpath", NULL) == -1) {
++ Warning("pledge");
++ exit(1);
++ }
++
+ init(argc, argv);
+ signal_register_fct(SIGQUIT, dump, SIGQUIT);
+ signal_register_fct(SIGUSR1, sig_soft_stop, SIGUSR1);
+@@ -1921,6 +1926,11 @@ int main(int argc, char **argv)
+ pid = getpid(); /* update child's pid */
+ setsid();
+ fork_poller();
++ }
++
++ if (pledge("stdio inet dns", NULL) == -1) {
++ Warning("pledge");
++ exit(1);
+ }
+
+ protocol_enable_all();
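Review bot: The promise string in the first pledge() call, placed before `init(argc, argv)`, has no `unix` promise, so a configuration that creates or binds an AF_UNIX socket (for example a stats socket or a local syslog path, if this build is used that way) would be terminated on the pledge violation instead of getting an error it can handle; the second call in the later hunk has the same gap. chroot(2) is not granted by any pledge promise either, so if main() performs a chroot between the two calls (not visible in these hunks) that path would abort as well, which should be confirmed before committing. The failure branch prints only `Warning("pledge");` with no errno text or newline; `Warning("pledge: %s\n", strerror(errno));` would make a rejected promise string diagnosable. main() begins and ends outside both hunks, so the full set of syscalls reached after each call cannot be checked from here.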
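Review bot: The second pledge() in the `@@ -1921,6 +1926,11 @@` hunk permanently drops `rpath`, `wpath`, `cpath`, `proc` and `id`, leaving `stdio inet dns` for the whole serving lifetime, and nothing next to the call records which runtime paths were checked against that set. Anything reached after `protocol_enable_all()` that opens or unlinks a file, forks, or signals another process would kill the worker, and the hunk does not show that code, so soft-stop handling, pidfile cleanup and any checks that spawn commands need to be exercised under the pledged binary. I would add a comment above the call such as `/* serving phase: network I/O and name resolution only; no filesystem, fork or privilege changes after this point */` so a later change that needs another promise is made deliberately rather than discovered as an abort in production.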