It must be one of those days... it's OK, mestre, if you feel like committing it and it doesn't add any burden for you when upgrading unbound.
On 13:18 Thu 23 May , Stuart Henderson wrote: > check_mod(cfg, val_get_funcblock()); > > - needs to read the DNSSEC root key, > > check_hints(cfg); > > - needs to read hints files, > > check_auth(cfg); > > - needs to read zones > > I think you could do this, though: > > Index: smallapp/unbound-checkconf.c > =================================================================== > RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v > retrieving revision 1.11 > diff -u -p -r1.11 unbound-checkconf.c > --- smallapp/unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11 > +++ smallapp/unbound-checkconf.c 23 May 2019 12:17:03 -0000 > @@ -587,6 +587,10 @@ morechecks(struct config_file* cfg) > endpwent(); > # endif > } > + > + if (pledge("stdio rpath", NULL) == -1) > + fatal_exit("Could not pledge"); > + > #endif > if(cfg->remote_control_enable && options_remote_is_address(cfg) > && cfg->control_use_cert) { > @@ -724,6 +728,10 @@ int main(int argc, char* argv[]) > if(argc == 1) > f = argv[0]; > else f = cfgfile; > + > + if (pledge("stdio rpath getpw", NULL) == -1) > + fatal_exit("Could not pledge"); > + > checkconf(f, opt, final); > checklock_stop(); > return 0; >
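Review bot: In the morechecks() hunk (@@ -587), the pledge("stdio rpath", NULL) call sits above the closing #endif, so it is only compiled when that preprocessor block is active. In any build where the block is excluded, the process keeps the wider "stdio rpath getpw" set from main() for the rest of the run. If the intent is to drop getpw once the passwd lookups ending at endpwent() are done, consider guarding the call on its own, or add a comment stating that it is deliberately tied to that block. A one-line comment that rpath is kept for the later root key, hints and zone file reads would also help the next person who touches this during an upgrade.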
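Review bot: In the main() hunk (@@ -724), pledge("stdio rpath getpw", NULL) has no comment explaining why getpw is requested here or that it is meant to be narrowed later in morechecks(). Since the tightening only happens if checkconf(f, opt, final) actually reaches morechecks(), it is worth confirming that no path through checkconf() returns before that point with getpw still held, and noting the two-stage design next to this call. The fatal_exit("Could not pledge") message is identical in both places and omits the errno text; including strerror(errno) and distinguishing the two call sites would make a failure easier to diagnose.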