On 2015/12/02 12:14, Ricardo Mestre wrote:
> Hi tech@
>
> This is a revised version of pledging dhcpd(8) with earlier pledging.
>
> Hoist up sync_init() due to a multicast setsockopt(2) (IP_MULTICAST_TTL) that
> pledge doesn't allow, also hoist up the daemon(3) section, getpwnam(3) and the
> check if arguments -A, -C or -L were used (pf table handling) since it calls
> 2 ioctl(2)'s that pledge pf doesn't allow.
>
> After this if !udpsockmode then apply the following annotations:
>
> "rpath":
>     icmp_startup()->getprotobyname(3)->read /etc/protocols
> "inet":
>     icmp_startup()->socket(2)
> "sendfd":
>     for sendmsg(2) in ICMP echo request
> "proc/id"
>     chroot(2) and privdrop section
>
> If in udpsockmode then the pledge needs to happen inside udpsock_startup()
> instead of main() since setsockopt(2) IP_RECVIF is not allowed by pledge.
> After that happens then apply the same pledge with the annotations above,
> although additionally this code path also needs "route" for ioctl(2)
> SIOCGIFADDR.
>
> Just before the main loop of the program then it can drop to "stdio inet route
> sendfd" if in udpsockmode or else just to "stdio inet sendfd".
>
> Any comments with this implementation? Specifically for the UDP code path
> since I don't have at the moment a way to test DHCPINFORM requests on non
> Ethernet packets?

Works for me in normal usage, and I've tested the UDP code path using dhcping to localhost. I haven't tested -y/-Y or the PF table support.
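
Added example, not part of the patch or of dhcpd itself: a sketch of the two-stage pledge described in the quoted mail, with a check that the main-loop promises are a subset of the startup promises, since a later pledge(2) call can only reduce abilities, never regain them. The function names are hypothetical, and including "stdio" in the startup set is an assumption (the mail lists only the other promises for that stage).

```c
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>                     /* pledge(2) */
#endif

/* Promise sets from the mail; "stdio" in the startup set is an assumption. */
static const char *startup_promises(int udpsockmode) {
    return udpsockmode ? "stdio rpath inet sendfd proc id route"
                       : "stdio rpath inet sendfd proc id";
}
static const char *mainloop_promises(int udpsockmode) {
    return udpsockmode ? "stdio inet route sendfd" : "stdio inet sendfd";
}

/* 1 if the space-separated list contains the promise p (length plen). */
static int has_promise(const char *list, const char *p, size_t plen) {
    while (*list) {
        size_t n = strcspn(list, " ");
        if (n == plen && strncmp(list, p, n) == 0)
            return 1;
        list += n + strspn(list + n, " ");
    }
    return 0;
}

/* 1 if every promise in `later` is already in `earlier`. */
static int is_reduction(const char *earlier, const char *later) {
    for (later += strspn(later, " "); *later; ) {
        size_t n = strcspn(later, " ");
        if (!has_promise(earlier, later, n))
            return 0;
        later += n + strspn(later + n, " ");
    }
    return 1;
}

/* Apply one stage; returns 0 without doing anything off OpenBSD. */
static int apply_stage(const char *promises) {
#ifdef __OpenBSD__
    return pledge(promises, NULL);
#else
    (void)promises;
    return 0;
#endif
}

int main(void) {
    for (int udp = 0; udp <= 1; udp++)
        if (!is_reduction(startup_promises(udp), mainloop_promises(udp)))
            return 1;
    return apply_stage(startup_promises(0)) || apply_stage(mainloop_promises(0));
}
```

The subset check also shows why "route" has to be in the first pledge on the udpsockmode path: it cannot be added at the main-loop stage.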