On 2015/12/02 12:14, Ricardo Mestre wrote:
> Hi tech@
> 
> This is a revised version of pledging dhcpd(8) with earlier pledging.
> 
> Hoist up sync_init() due to a multicast setsockopt(2) (IP_MULTICAST_TTL) that
> pledge doesn't allow, also hoist up the daemon(3) section, getpwnam(3) and the
> check if arguments -A, -C or -L were used (pf table handling) since it calls
> 2 ioctl(2)'s that pledge pf doesn't allow.
> 
> After this if !udpsockmode then apply the following annotations:
> 
> "rpath":
>       icmp_startup()->getprotobyname(3)->read /etc/protocols
> "inet":
>       icmp_startup()->socket(2)
> "sendfd":
>       for sendmsg(2) in ICMP echo request
> "proc/id"
>       chroot(2) and privdrop section
>       
> If in udpsockmode then the pledge needs to happen inside udpsock_startup()
> instead of main() since setsockopt(2) IP_RECVIF is not allowed by pledge.
> After that happens then apply the same pledge with the annotations above,
> although additionally this code path also needs "route" for ioctl(2)
> SIOCGIFADDR.
> 
> Just before the main loop of the program then it can drop to "stdio inet route
> sendfd" if in udpsockmode or else just to "stdio inet sendfd".
> 
> Any comments with this implementation? Specifically for the UDP code path
> since I don't have at the moment a way to test DHCPINFORM requests on non
> Ethernet packets?

Works for me in normal usage, and I've tested the UDP code path using
dhcping to localhost.

I haven't tested -y/-Y or the PF table support.
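
As an added illustration (not code from the diff under discussion or from dhcpd itself), this sketch checks that the final promise sets named in the quoted message are subsets of the earlier ones, since pledge(2) only lets a process reduce its promises. The function names are hypothetical, and "stdio" in the early sets is inferred from the final sets.

```c
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>
#endif

/* Promise sets from the quoted message; "stdio" in the early sets is an
 * assumption inferred from the final sets (pledge can only narrow). */
static const char *early_promises(int udp) {
    return udp ? "stdio rpath inet sendfd proc id route"
               : "stdio rpath inet sendfd proc id";
}
static const char *final_promises(int udp) {
    return udp ? "stdio inet route sendfd" : "stdio inet sendfd";
}

/* Return 1 if the token w[0..len) appears as a whole word in set. */
static int has_promise(const char *set, const char *w, size_t len) {
    while (*set) {
        size_t n = strcspn(set, " ");
        if (n == len && memcmp(set, w, len) == 0)
            return 1;
        set += n + strspn(set + n, " ");
    }
    return 0;
}

/* Return 1 if every promise in narrow is already present in wide, i.e. a
 * later pledge(narrow) would not be rejected for increasing permissions. */
static int is_narrowing(const char *narrow, const char *wide) {
    narrow += strspn(narrow, " ");
    while (*narrow) {
        size_t n = strcspn(narrow, " ");
        if (!has_promise(wide, narrow, n))
            return 0;
        narrow += n + strspn(narrow + n, " ");
    }
    return 1;
}

int main(void) {
    for (int udp = 0; udp <= 1; udp++)
        if (!is_narrowing(final_promises(udp), early_promises(udp)))
            return 1;
#ifdef __OpenBSD__
    /* Two-stage pledge for the non-UDP path: wide first, narrow before the loop. */
    if (pledge(early_promises(0), NULL) == -1) return 1;
    if (pledge(final_promises(0), NULL) == -1) return 1;
#endif
    puts("ok");
    return 0;
}
```

The same check shows why the UDP path must ask for "route" in its early pledge: the UDP final set is not a subset of the non-UDP early set.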
