[moved to ports@]
On 2017/01/16 06:58, Sebastien Marie wrote:
> sthen@, could a subpackage for tools like dig be a way?
I considered it before, but it adds a lot of complexity to the port on an
ongoing basis ("make plist" doesn't cope well with multi-packages ports)
and doesn't make much of a saving; the libraries, headers and tools account
for the majority of the 3.9MB package size, the server binaries only a
few hundred KB.
> Eventually with pledging it with "inet" (instead of "dns") ?
Possible diff below. I disabled setsockopt IPV6_RECVTCLASS but it could
be whitelisted in kern_pledge.c:pledge_sockopt() instead, I think that
should be safe.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/isc-bind/Makefile,v
retrieving revision 1.63
diff -u -p -r1.63 Makefile
--- Makefile 12 Jan 2017 12:22:20 -0000 1.63
+++ Makefile 16 Jan 2017 10:07:12 -0000
@@ -3,6 +3,8 @@
COMMENT= Berkeley Internet Name Daemon: DNS server and tools
V= 9.10.4-P5
+REVISION= 0
+
DISTNAME= bind-$V
PKGNAME= isc-bind-${V:S/-P/pl/}
Index: patches/patch-bin_dig_dig_c
===================================================================
RCS file: patches/patch-bin_dig_dig_c
diff -N patches/patch-bin_dig_dig_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_dig_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+--- bin/dig/dig.c.orig Sun Dec 11 22:05:58 2016
++++ bin/dig/dig.c Mon Jan 16 10:02:24 2017
+@@ -2066,6 +2066,11 @@ main(int argc, char **argv) {
+ ISC_LIST_INIT(server_list);
+ ISC_LIST_INIT(search_list);
+
++ if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ debug("main()");
+ preparse_args(argc, argv);
+ progname = argv[0];
+@@ -2073,6 +2078,13 @@ main(int argc, char **argv) {
+ check_result(result, "isc_app_start");
+ setup_libs();
+ parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
++
++ /* inet for network connections, dns for resolv.conf */
++ if (pledge("stdio inet dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ setup_system();
+ if (domainopt[0] != '\0') {
+ set_search_domain(domainopt);
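Review bot: The second pledge, placed just before `setup_system()`, drops `rpath`, but if dig's `-k keyfile` is loaded inside setup_system() (setup_file_key() in dighost.c, if I remember the 9.10 layout correctly) that file open now happens after `rpath` is gone and the process would be killed; please exercise `dig -k` before committing. The first pledge keeps `unix`, and nothing in the hunk says what needs it, so a short comment next to the existing `/* inet for network connections, dns for resolv.conf */` — e.g. `/* unix: <reason for keeping unix during argument parsing> */` — would help the next reader judge whether it can be dropped. Both calls assume dig.c already includes `<unistd.h>` for the pledge() prototype, which is outside the hunk. The same two-stage pledge and the same questions apply to patch-bin_dig_host_c and patch-bin_dig_nslookup_c. main() begins and ends outside the hunk.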
Index: patches/patch-bin_dig_host_c
===================================================================
RCS file: patches/patch-bin_dig_host_c
diff -N patches/patch-bin_dig_host_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_host_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+--- bin/dig/host.c.orig Sun Dec 11 22:05:58 2016
++++ bin/dig/host.c Mon Jan 16 10:02:31 2017
+@@ -888,6 +888,11 @@ main(int argc, char **argv) {
+ idnoptions = IDN_ASCCHECK;
+ #endif
+
++ if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ debug("main()");
+ progname = argv[0];
+ pre_parse_args(argc, argv);
+@@ -895,6 +900,13 @@ main(int argc, char **argv) {
+ check_result(result, "isc_app_start");
+ setup_libs();
+ parse_args(ISC_FALSE, argc, argv);
++
++ /* inet for network connections, dns for resolv.conf */
++ if (pledge("stdio inet dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ setup_system();
+ result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+ check_result(result, "isc_app_onrun");
Index: patches/patch-bin_dig_nslookup_c
===================================================================
RCS file: patches/patch-bin_dig_nslookup_c
diff -N patches/patch-bin_dig_nslookup_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_dig_nslookup_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+--- bin/dig/nslookup.c.orig Sun Dec 11 22:05:58 2016
++++ bin/dig/nslookup.c Mon Jan 16 10:02:34 2017
+@@ -905,8 +905,19 @@ main(int argc, char **argv) {
+ result = isc_app_start();
+ check_result(result, "isc_app_start");
+
++ if (pledge("stdio rpath inet unix dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
++
+ setup_libs();
+ progname = argv[0];
++
++ /* inet for network connections, dns for resolv.conf */
++ if (pledge("stdio inet dns", NULL) == -1) {
++ perror("pledge");
++ exit(1);
++ }
+
+ parse_args(argc, argv);
+
Index: patches/patch-lib_isc_unix_net_c
===================================================================
RCS file: patches/patch-lib_isc_unix_net_c
diff -N patches/patch-lib_isc_unix_net_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_isc_unix_net_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- lib/isc/unix/net.c.orig Mon Jan 16 09:47:30 2017
++++ lib/isc/unix/net.c Mon Jan 16 09:48:12 2017
+@@ -731,7 +731,7 @@ try_dscp_v6(void) {
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &dscp, sizeof(dscp)) == 0)
+ dscp_result |= ISC_NET_DSCPSETV6;
+
+-#ifdef IPV6_RECVTCLASS
++#if 0 /* pledge doesn't allow setsockopt IPV6_RECVTCLASS */
+ on = 1;
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVTCLASS, &on, sizeof(on)) == 0)
+ dscp_result |= ISC_NET_DSCPRECVV6;
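Review bot: The `#if 0` replacing `#ifdef IPV6_RECVTCLASS` records only that pledge rejects the setsockopt, not that this is a stopgap for the kern_pledge.c:pledge_sockopt() whitelist mentioned in the mail, so the reason to drop the patch later is lost once it is committed; suggest `#if 0 /* pledge rejects setsockopt(IPV6_RECVTCLASS); drop once pledge_sockopt() allows it */`. The same comment applies to the matching change in patch-lib_isc_unix_socket_c. With both hunks disabled, try_dscp_v6() can never set ISC_NET_DSCPRECVV6, which keeps it consistent with opensocket() no longer requesting the option, and the `on` variable in try_dscp_v6() may become unused if it has no other use there; worth a check for a -Wunused warning. try_dscp_v6() begins and ends outside the hunk.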
Index: patches/patch-lib_isc_unix_socket_c
===================================================================
RCS file: patches/patch-lib_isc_unix_socket_c
diff -N patches/patch-lib_isc_unix_socket_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_isc_unix_socket_c 16 Jan 2017 10:07:12 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- lib/isc/unix/socket.c.orig Mon Jan 16 09:58:13 2017
++++ lib/isc/unix/socket.c Mon Jan 16 09:58:32 2017
+@@ -2885,7 +2885,7 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *s
+ }
+ #endif
+ }
+-#ifdef IPV6_RECVTCLASS
++#if 0 /* pledge doesn't allow setsockopt IPV6_RECVTCLASS */
+ if ((sock->pf == AF_INET6)
+ && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVTCLASS,
+ (void *)&on, sizeof(on)) < 0)) {