bonkers my brain must have farted :\ rpath should be dropped after loading the
certs. I just tested it with remote-control with certificates, could you
please let me know if it works for you now?

Index: unbound-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 unbound-checkconf.c
--- unbound-checkconf.c 8 Feb 2019 10:29:08 -0000       1.11
+++ unbound-checkconf.c 23 May 2019 10:45:48 -0000
@@ -602,6 +602,9 @@ morechecks(struct config_file* cfg)
                                cfg->control_cert_file);
        }
 
+       if (pledge("stdio", NULL) == -1)
+               fatal_exit("Could not pledge");
+
        localzonechecks(cfg);
        view_and_respipchecks(cfg);
 #ifdef CLIENT_SUBNET
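Review bot: the pledge("stdio", NULL) call in morechecks() has no comment explaining why the promise set is narrowed at exactly this point, after the control_cert_file check and before localzonechecks() and view_and_respipchecks(). The visible lines do not show whether those two functions touch the filesystem; if either does, it would be killed the same way the stat() in is_file() was in the quoted backtrace. Please confirm that, and add a short comment stating that all key and certificate path checks are finished by this line, so a later change that adds another file check below it does not reintroduce the abort.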
@@ -724,6 +727,10 @@ int main(int argc, char* argv[])
        if(argc == 1)
                f = argv[0];
        else    f = cfgfile;
+
+       if (pledge("stdio rpath getpw", NULL) == -1)
+               fatal_exit("Could not pledge");
+
        checkconf(f, opt, final);
        checklock_stop();
        return 0;
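Review bot: the failure path of the pledge("stdio rpath getpw", NULL) call in main() prints the same fixed string, "Could not pledge", as the one added in morechecks(), so the two cannot be told apart in a report and the errno is lost. Suggest naming the promise set and the error in each message, for example fatal_exit("pledge stdio rpath getpw: %s", strerror(errno)). As a style point, the added line writes `if (pledge` with a space, while the adjacent context line uses `if(argc == 1)`.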

On 10:29 Thu 23 May     , Stuart Henderson wrote:
> Not ok - if you're using remote-control with certificates (for example,
> to control remote unbound instances over a network connection) it hits the
> following:
> 
> unbound-checkcon[21086]: pledge "rpath", syscall 38
> 
> (gdb) bt
> #0  stat () at -:3
> #1  0x000004da8ddd61dc in is_file (fname=0x4dd11e9e3c0 
> "/var/unbound/etc/unbound_server.key")
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:278
> #2  0x000004da8ddd5f10 in check_chroot_string (desc=0x4da8dda7c5d 
> "server-key-file", ss=0x4dca3ee33d0, 
>     chrootdir=0x0, cfg=0x4dca3ee3000) at 
> /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:335
> #3  0x000004da8ddd5114 in morechecks (cfg=0x4dca3ee3000)
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:597
> #4  0x000004da8ddd4776 in checkconf (cfgfile=0x4da8dda9506 
> "/var/unbound/etc/unbound.conf", opt=0x0, final=0)
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:674
> #5  0x000004da8ddd44e2 in main (argc=0, argv=0x7f7ffffd1850)
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:735
> 
