Hello,
Fairly simple pledge to spamd-setup(8), it needs "rpath" for reading
/etc/services, /etc/mail/spamd.conf through cgetent(3) and also to open the
gzfile/txt with the blacklists. "proc exec" for lauching pfctl(8) and ftp(1)
externally and "inet dns" in order for ftp(1) to download the lists themselves.
spamd.conf(5) supports also file and exec methods instead of http/ftp,
nevertheless since spamd-setup(8) parses that file in a loop we cannot reduce
it further for "stdio rpath proc exec" since the next list in list may have an
http/ftp method and will need "inet dns".
To overcome this I thought about separating the current logic of parsing the
file, getting the blacklists, then send them to pfctl and freeing them in the
same loop, by parsing the file in one go first and putting the blacklists in
memory then drop "inet dns" and call pfctl, nevertheless this strategy may not
be good since the lists may be really big and if they are not free'ed it may
cause memory issues.
Any comments?
Index: spamd-setup.c
===================================================================
RCS file: /cvs/src/libexec/spamd-setup/spamd-setup.c,v
retrieving revision 1.46
diff -u -p -u -r1.46 spamd-setup.c
--- spamd-setup.c 3 Jun 2015 02:24:36 -0000 1.46
+++ spamd-setup.c 26 Nov 2015 13:02:49 -0000
@@ -826,6 +826,9 @@ main(int argc, char *argv[])
if (argc != 0)
usage();
+ if (pledge("stdio rpath inet dns proc exec", NULL) == -1)
+ err(1, "pledge");
+
if (daemonize)
daemon(0, 0);
