Hello, This is a small patch that tries to add a basic pledge() to exim. It also keeps exim from calling some "inappropriate" ioctls. This seems to run fine on my server, but I would like wider testing and bug reports if possible.
Thank you
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/exim/Makefile,v
retrieving revision 1.131
diff -u -p -r1.131 Makefile
--- Makefile 2 Jun 2020 12:44:19 -0000 1.131
+++ Makefile 16 Mar 2021 15:03:18 -0000
@@ -9,6 +9,8 @@ PKGNAME-main = exim-${VERSION}
 FULLPKGNAME-eximon = exim-eximon-${VERSION}
 FULLPKGPATH-eximon = ${PKGPATH},-eximon
+REVISION = 0
+
 CATEGORIES = mail
 HOMEPAGE = https://www.exim.org/
@@ -18,6 +20,7 @@ MAINTAINER = Renaud Allard <renaud@alla
 # GPLv2+, with OpenSSL exemption
 PERMIT_PACKAGE = Yes
+# use pledge()
 cWANTLIB = c m
 WANTLIB-main = ${cWANTLIB} crypto iconv perl pcre spf2 ssl
 WANTLIB-eximon = ${cWANTLIB} X11 Xaw Xext Xmu Xt pcre
Index: patches/patch-OS_os_h-OpenBSD
===================================================================
RCS file: patches/patch-OS_os_h-OpenBSD
diff -N patches/patch-OS_os_h-OpenBSD
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-OS_os_h-OpenBSD 16 Mar 2021 15:03:18 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: OS/os.h-OpenBSD
+--- OS/os.h-OpenBSD.orig
++++ OS/os.h-OpenBSD
+@@ -6,7 +6,7 @@
+ #define HAVE_BSD_GETLOADAVG
+ #define HAVE_MMAP
+ #define HAVE_SYS_MOUNT_H
+-#define SIOCGIFCONF_GIVES_ADDR
++#define HAVE_GETIFADDRS
+ #define HAVE_ARC4RANDOM
+ /* In May 2014, OpenBSD 5.5 was released which cleaned up the arc4random_* API
+ which removed the arc4random_stir() function. Set NOT_HAVE_ARC4RANDOM_STIR
Index: patches/patch-src_exim_c
===================================================================
RCS file: patches/patch-src_exim_c
diff -N patches/patch-src_exim_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_exim_c 16 Mar 2021 15:03:18 -0000
@@ -0,0 +1,22 @@
+$OpenBSD$
+
+Index: src/exim.c
+--- src/exim.c.orig
++++ src/exim.c
+@@ -1705,6 +1705,16 @@ if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_g
+ CONFIGURE_GROUPNAME);
+ #endif
+
++// OpenBSD specific protections
++
++#ifdef __OpenBSD__
++ if (pledge("stdio rpath wpath cpath inet fattr id proc"
++ " tty exec flock unix dns getpw", NULL) == -1) {
++ fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
++ exit(1);
++ }
++#endif
++
+ /* In the Cygwin environment, some initialization used to need doing.
+ It was fudged in by means of this macro; now no longer but we'll leave
+ it in case of others. */
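Review bot: The single pledge() call in the added `#ifdef __OpenBSD__` block grants the union of the promises any exim run mode needs, and because it passes `exec` with a NULL execpromises argument, the programs exim executes are not restricted by it at all, so the containment gained is modest. A pledge violation kills the process, so the risk for wider testing lies in code paths the submitter's server never exercised. For example, the Makefile still links the main package against perl, and embedded Perl loading modules after this point may presumably need `prot_exec`, which is not in the list; testers should watch the kernel message log for pledge violations. I would record the scope in place of the `//` line, in the block-comment style the surrounding code uses: `/* pledge(2): union of promises for all run modes; exec'd programs are unrestricted (execpromises is NULL) */`. The enclosing function starts and ends outside the hunk.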