[moved to ports@]

On 2017/01/16 06:58, Sebastien Marie wrote:
> sthen@, could a subpackage for tools like dig be a way?

I considered it before, but it adds a lot of complexity to the port on an
ongoing basis ("make plist" doesn't cope well with multi-package ports)
and doesn't make much of a saving: the libraries, headers and tools account
for the majority of the 3.9MB package size, while the server binaries are only a
few hundred KB.

> Eventually with pledging it with "inet" (instead of "dns") ?

Possible diff below. I disabled setsockopt IPV6_RECVTCLASS but it could
be whitelisted in kern_pledge.c:pledge_sockopt() instead, I think that
should be safe.

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/isc-bind/Makefile,v
retrieving revision 1.63
diff -u -p -r1.63 Makefile
--- Makefile    12 Jan 2017 12:22:20 -0000      1.63
+++ Makefile    16 Jan 2017 10:07:12 -0000
@@ -3,6 +3,8 @@
 COMMENT=       Berkeley Internet Name Daemon: DNS server and tools
 
 V=             9.10.4-P5
+REVISION=      0
+
 DISTNAME=      bind-$V
 PKGNAME=       isc-bind-${V:S/-P/pl/}
 
Index: patches/patch-bin_dig_dig_c
===================================================================
RCS file: patches/patch-bin_dig_dig_c
diff -N patches/patch-bin_dig_dig_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_dig_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+--- bin/dig/dig.c.orig Sun Dec 11 22:05:58 2016
++++ bin/dig/dig.c      Mon Jan 16 10:02:24 2017
+@@ -2066,6 +2066,11 @@ main(int argc, char **argv) {
+       ISC_LIST_INIT(server_list);
+       ISC_LIST_INIT(search_list);
+ 
++      if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++              perror("pledge");
++              exit(1);
++      }
++
+       debug("main()");
+       preparse_args(argc, argv);
+       progname = argv[0];
+@@ -2073,6 +2078,13 @@ main(int argc, char **argv) {
+       check_result(result, "isc_app_start");
+       setup_libs();
+       parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
++
++      /* inet for network connections, dns for resolv.conf */
++      if (pledge("stdio inet dns", NULL) == -1) {
++              perror("pledge");
++              exit(1);
++      }
++
+       setup_system();
+       if (domainopt[0] != '\0') {
+               set_search_domain(domainopt);
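Review bot: The first pledge() call (the one inserted before `debug("main()")`) carries `rpath` and `unix` without saying what needs them, while the second call drops both before setup_system(); a one-line comment naming the file accesses that happen between the two calls would make the narrowing auditable, e.g. `/* rpath/unix only until arguments are parsed: <files read by preparse_args/parse_args — TODO confirm> */`. Note also that setup_system() runs after the tighter "stdio inet dns" pledge; if it opens any file at that point (a TSIG key file given with -k, for instance), that code path would need rpath, and a pledge violation terminates the process instead of returning an error, so this is worth confirming against setup_system(). The host.c and nslookup.c patches follow the same two-step structure and would benefit from the same comment. main() continues outside the hunk.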
Index: patches/patch-bin_dig_host_c
===================================================================
RCS file: patches/patch-bin_dig_host_c
diff -N patches/patch-bin_dig_host_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_host_c        16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+--- bin/dig/host.c.orig        Sun Dec 11 22:05:58 2016
++++ bin/dig/host.c     Mon Jan 16 10:02:31 2017
+@@ -888,6 +888,11 @@ main(int argc, char **argv) {
+       idnoptions = IDN_ASCCHECK;
+ #endif
+ 
++      if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++              perror("pledge");
++              exit(1);
++      }
++
+       debug("main()");
+       progname = argv[0];
+       pre_parse_args(argc, argv);
+@@ -895,6 +900,13 @@ main(int argc, char **argv) {
+       check_result(result, "isc_app_start");
+       setup_libs();
+       parse_args(ISC_FALSE, argc, argv);
++
++      /* inet for network connections, dns for resolv.conf */
++      if (pledge("stdio inet dns", NULL) == -1) {
++              perror("pledge");
++              exit(1);
++      }
++
+       setup_system();
+       result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+       check_result(result, "isc_app_onrun");
Index: patches/patch-bin_dig_nslookup_c
===================================================================
RCS file: patches/patch-bin_dig_nslookup_c
diff -N patches/patch-bin_dig_nslookup_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_nslookup_c    16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+--- bin/dig/nslookup.c.orig    Sun Dec 11 22:05:58 2016
++++ bin/dig/nslookup.c Mon Jan 16 10:02:34 2017
+@@ -905,8 +905,19 @@ main(int argc, char **argv) {
+       result = isc_app_start();
+       check_result(result, "isc_app_start");
+ 
++      if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++              perror("pledge");
++              exit(1);
++      }
++
+       setup_libs();
+       progname = argv[0];
++
++      /* inet for network connections, dns for resolv.conf */
++      if (pledge("stdio inet dns", NULL) == -1) {
++              perror("pledge");
++              exit(1);
++      }
+ 
+       parse_args(argc, argv);
+ 
Index: patches/patch-lib_isc_unix_net_c
===================================================================
RCS file: patches/patch-lib_isc_unix_net_c
diff -N patches/patch-lib_isc_unix_net_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_isc_unix_net_c    16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- lib/isc/unix/net.c.orig    Mon Jan 16 09:47:30 2017
++++ lib/isc/unix/net.c Mon Jan 16 09:48:12 2017
+@@ -731,7 +731,7 @@ try_dscp_v6(void) {
+       if (setsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &dscp, sizeof(dscp)) == 0)
+               dscp_result |= ISC_NET_DSCPSETV6;
+ 
+-#ifdef IPV6_RECVTCLASS
++#if 0 /* pledge doesn't allow setsockopt IPV6_RECVTCLASS */
+       on = 1;
+       if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVTCLASS, &on, sizeof(on)) == 0)
+               dscp_result |= ISC_NET_DSCPRECVV6;
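Review bot: Replacing `#ifdef IPV6_RECVTCLASS` with `#if 0` disables the IPV6_RECVTCLASS probe for every consumer of libisc, including the unpledged named server, not only the three pledged tools, so named also loses ISC_NET_DSCPRECVV6; the message itself names the alternative of allowing the option in pledge_sockopt(), and the inline comment should record that trade-off so the `#if 0` is not mistaken for dead code. A wording such as `/* XXX disabled so the pledged dig/host/nslookup never reach setsockopt(IPV6_RECVTCLASS), which pledge treats as a fatal violation; this also drops DSCPRECVV6 for named -- revisit if kern_pledge.c grows an allowance */` would carry that context. The socket.c patch makes the same change and deserves the same comment. try_dscp_v6() and the matching #endif lie outside the hunk.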
Index: patches/patch-lib_isc_unix_socket_c
===================================================================
RCS file: patches/patch-lib_isc_unix_socket_c
diff -N patches/patch-lib_isc_unix_socket_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_isc_unix_socket_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- lib/isc/unix/socket.c.orig Mon Jan 16 09:58:13 2017
++++ lib/isc/unix/socket.c      Mon Jan 16 09:58:32 2017
+@@ -2885,7 +2885,7 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *s
+               }
+ #endif
+       }
+-#ifdef IPV6_RECVTCLASS
++#if 0 /* pledge doesn't allow setsockopt IPV6_RECVTCLASS */
+       if ((sock->pf == AF_INET6)
+           && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVTCLASS,
+                          (void *)&on, sizeof(on)) < 0)) {
