[moved to ports@] On 2017/01/16 06:58, Sebastien Marie wrote: > sthen@, does a subpackage for tools like dig could be a way ?
I considered it before, but it adds a lot of complexity to the port on an ongoing basis ("make plist" doesn't cope well with multi-packages ports) and doesn't make much of a saving; the libraries, headers and tools account for the majority of the 3.9MB package size, the server binaries only a few hundred KB. > Eventually with pledging it with "inet" (instead of "dns") ? Possible diff below. I disabled setsockopt IPV6_RECVTCLASS but it could be whitelisted in kern_pledge.c:pledge_sockopt() instead, I think that should be safe. Index: Makefile =================================================================== RCS file: /cvs/ports/net/isc-bind/Makefile,v retrieving revision 1.63 diff -u -p -r1.63 Makefile --- Makefile 12 Jan 2017 12:22:20 -0000 1.63 +++ Makefile 16 Jan 2017 10:07:12 -0000 @@ -3,6 +3,8 @@ COMMENT= Berkeley Internet Name Daemon: DNS server and tools V= 9.10.4-P5 +REVISION= 0 + DISTNAME= bind-$V PKGNAME= isc-bind-${V:S/-P/pl/} Index: patches/patch-bin_dig_dig_c =================================================================== RCS file: patches/patch-bin_dig_dig_c diff -N patches/patch-bin_dig_dig_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-bin_dig_dig_c 16 Jan 2017 10:07:12 -0000 
@@ -0,0 +1,29 @@
+$OpenBSD$
+--- bin/dig/dig.c.orig Sun Dec 11 22:05:58 2016
++++ bin/dig/dig.c Mon Jan 16 10:02:24 2017
+@@ -2066,6 +2066,11 @@ main(int argc, char **argv) {
+ ISC_LIST_INIT(server_list);
+ ISC_LIST_INIT(search_list);
+
++ if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ debug("main()");
+ preparse_args(argc, argv);
+ progname = argv[0];
+@@ -2073,6 +2078,13 @@ main(int argc, char **argv) {
+ check_result(result, "isc_app_start");
+ setup_libs();
+ parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
++
++ /* inet for network connections, dns for resolv.conf */
++ if (pledge("stdio inet dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ setup_system();
+ if (domainopt[0] != '\0') {
+ set_search_domain(domainopt);
Index: patches/patch-bin_dig_host_c
===================================================================
RCS file: patches/patch-bin_dig_host_c
diff -N patches/patch-bin_dig_host_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_host_c 16 Jan 2017 10:07:12 -0000
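Review bot: The second pledge in the dig.c hunk drops `rpath` before `setup_system()` runs, and as far as I can tell from dighost.c that is where a `-k keyfile` TSIG key is opened, so `dig -k` would be aborted by the kernel on the open rather than fail gracefully; please test that path and, if it trips, keep `rpath` in the second promise set or load the key before the second pledge (`-f batchfile` looks safe, since parse_args() opens it before the second pledge). The comment explains `inet` and `dns` but not why `rpath` and `unix` are needed in the first stage; a one-line comment naming what in parse_args()/setup_libs() requires them would help whoever tightens this later. The same two-stage pledge is repeated in the host.c and nslookup.c hunks, which as far as I can see have no key-file option, so only the comment remark applies there. main() continues outside both inner hunks.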
@@ -0,0 +1,29 @@
+$OpenBSD$
+--- bin/dig/host.c.orig Sun Dec 11 22:05:58 2016
++++ bin/dig/host.c Mon Jan 16 10:02:31 2017
+@@ -888,6 +888,11 @@ main(int argc, char **argv) {
+ idnoptions = IDN_ASCCHECK;
+ #endif
+
++ if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ debug("main()");
+ progname = argv[0];
+ pre_parse_args(argc, argv);
+@@ -895,6 +900,13 @@ main(int argc, char **argv) {
+ check_result(result, "isc_app_start");
+ setup_libs();
+ parse_args(ISC_FALSE, argc, argv);
++
++ /* inet for network connections, dns for resolv.conf */
++ if (pledge("stdio inet dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ setup_system();
+ result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+ check_result(result, "isc_app_onrun");
Index: patches/patch-bin_dig_nslookup_c
===================================================================
RCS file: patches/patch-bin_dig_nslookup_c
diff -N patches/patch-bin_dig_nslookup_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_nslookup_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+--- bin/dig/nslookup.c.orig Sun Dec 11 22:05:58 2016
++++ bin/dig/nslookup.c Mon Jan 16 10:02:34 2017
+@@ -905,8 +905,19 @@ main(int argc, char **argv) {
+ result = isc_app_start();
+ check_result(result, "isc_app_start");
+
++ if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ setup_libs();
+ progname = argv[0];
++
++ /* inet for network connections, dns for resolv.conf */
++ if (pledge("stdio inet dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
+
+ parse_args(argc, argv);
+
Index: patches/patch-lib_isc_unix_net_c
===================================================================
RCS file: patches/patch-lib_isc_unix_net_c
diff -N patches/patch-lib_isc_unix_net_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_isc_unix_net_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- lib/isc/unix/net.c.orig Mon Jan 16 09:47:30 2017
++++ lib/isc/unix/net.c Mon Jan 16 09:48:12 2017
+@@ -731,7 +731,7 @@ try_dscp_v6(void) {
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &dscp, sizeof(dscp)) == 0)
+ dscp_result |= ISC_NET_DSCPSETV6;
+
+-#ifdef IPV6_RECVTCLASS
++#if 0 /* pledge doesn't allow setsockopt IPV6_RECVTCLASS */
+ on = 1;
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVTCLASS, &on, sizeof(on)) == 0)
+ dscp_result |= ISC_NET_DSCPRECVV6;
Index: patches/patch-lib_isc_unix_socket_c
===================================================================
RCS file: patches/patch-lib_isc_unix_socket_c
diff -N patches/patch-lib_isc_unix_socket_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_isc_unix_socket_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- lib/isc/unix/socket.c.orig Mon Jan 16 09:58:13 2017
++++ lib/isc/unix/socket.c Mon Jan 16 09:58:32 2017
+@@ -2885,7 +2885,7 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *s
+ }
+ #endif
+ }
+-#ifdef IPV6_RECVTCLASS
++#if 0 /* pledge doesn't allow setsockopt IPV6_RECVTCLASS */
+ if ((sock->pf == AF_INET6)
+ && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVTCLASS,
+ (void *)&on, sizeof(on)) < 0)) {
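Review bot: The `#if 0` in the net.c hunk, and the identical one in the socket.c hunk, removes IPV6_RECVTCLASS handling from lib/isc for every binary linked against it, including named, which this diff does not pledge and which therefore loses the ability to read the traffic class of incoming IPv6 packets for no sandboxing gain. The message's own alternative, admitting this setsockopt in pledge_sockopt(), avoids that regression and would let both hunks be dropped; if the port-level disable is kept for now, the comment should record the side effect, e.g. `#if 0 /* XXX pledge(2) rejects setsockopt(IPV6_RECVTCLASS); also disables TCLASS receive in named */`. Note the IPV6_TCLASS probe a few lines above is left in place, so only the receive side is affected. try_dscp_v6() and opensocket() both continue outside their hunks.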