Hello,

This is a small patch that tries to add a basic pledge() to exim. It also stops exim from calling some "inappropriate" ioctls. This seems to run fine on my server, but I would like wider testing and bug reports if possible.

Thank you
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/exim/Makefile,v
retrieving revision 1.131
diff -u -p -r1.131 Makefile
--- Makefile	2 Jun 2020 12:44:19 -0000	1.131
+++ Makefile	16 Mar 2021 15:03:18 -0000
@@ -9,6 +9,8 @@ PKGNAME-main =		exim-${VERSION}
 FULLPKGNAME-eximon =	exim-eximon-${VERSION}
 FULLPKGPATH-eximon =	${PKGPATH},-eximon
 
+REVISION =		0
+
 CATEGORIES =		mail
 
 HOMEPAGE =		https://www.exim.org/
@@ -18,6 +20,7 @@ MAINTAINER =		Renaud Allard <renaud@alla
 # GPLv2+, with OpenSSL exemption
 PERMIT_PACKAGE =	Yes
 
+# use pledge()
 cWANTLIB =		c m
 WANTLIB-main =		${cWANTLIB} crypto iconv perl pcre spf2 ssl
 WANTLIB-eximon =	${cWANTLIB} X11 Xaw Xext Xmu Xt pcre
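Review bot: The marker added above `cWANTLIB` reads `# use pledge()`, while the spelling normally used in the ports tree is, as far as I know, `# uses pledge()`; matching it keeps the port findable by the usual grep. This is a multi-package port and only src/exim.c is patched here, so the comment could also say that the marker applies to the -main package and not to eximon.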
Index: patches/patch-OS_os_h-OpenBSD
===================================================================
RCS file: patches/patch-OS_os_h-OpenBSD
diff -N patches/patch-OS_os_h-OpenBSD
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-OS_os_h-OpenBSD	16 Mar 2021 15:03:18 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: OS/os.h-OpenBSD
+--- OS/os.h-OpenBSD.orig
++++ OS/os.h-OpenBSD
+@@ -6,7 +6,7 @@
+ #define HAVE_BSD_GETLOADAVG
+ #define HAVE_MMAP
+ #define HAVE_SYS_MOUNT_H
+-#define SIOCGIFCONF_GIVES_ADDR
++#define HAVE_GETIFADDRS
+ #define HAVE_ARC4RANDOM
+ /* In May 2014, OpenBSD 5.5 was released which cleaned up the arc4random_* API
+    which removed the arc4random_stir() function. Set NOT_HAVE_ARC4RANDOM_STIR
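Review bot: Nothing in this patch file records why `SIOCGIFCONF_GIVES_ADDR` is replaced by `HAVE_GETIFADDRS`; a line under `$OpenBSD$` such as `Use getifaddrs(3) for interface discovery so no SIOCGIFCONF ioctl is issued under pledge.` would carry the intent from the cover mail into the tree. It is also worth confirming that the Exim sources actually test `HAVE_GETIFADDRS`. If they do not, dropping `SIOCGIFCONF_GIVES_ADDR` would only change how the SIOCGIFCONF result is interpreted, and the ioctl would still be issued. The header continues past the end of this hunk.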
Index: patches/patch-src_exim_c
===================================================================
RCS file: patches/patch-src_exim_c
diff -N patches/patch-src_exim_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_exim_c	16 Mar 2021 15:03:18 -0000
@@ -0,0 +1,22 @@
+$OpenBSD$
+
+Index: src/exim.c
+--- src/exim.c.orig
++++ src/exim.c
+@@ -1705,6 +1705,16 @@ if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_g
+     CONFIGURE_GROUPNAME);
+ #endif
+ 
++// OpenBSD specific protections
++
++#ifdef __OpenBSD__
++    if (pledge("stdio rpath wpath cpath inet fattr id proc"
++                " tty exec flock unix dns getpw", NULL) == -1) {
++    fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
++    exit(1);
++    }
++#endif
++
+ /* In the Cygwin environment, some initialization used to need doing.
+ It was fudged in by means of this macro; now no longer but we'll leave
+ it in case of others. */
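Review bot: The pledge() call keeps `exec` in the promise list and passes NULL as execpromises, so every program Exim executes after this point starts with no pledge at all. Combined with `proc`, `id`, `fattr`, `cpath` and `wpath`, the restriction that remains on the daemon itself is thin. A `/* ... */` comment above the call saying which Exim feature needs each promise would let later reviewers narrow the set. A promise that turns out to be missing will only show up as an abort in whichever rarely used code path needs it, so features such as embedded Perl or dynamically loaded lookups should be exercised before this is committed. On style, the `//` comment does not match the `/* */` comments in the surrounding context, and the `fprintf`/`exit` lines sit at the same indent as the `if` that guards them, so the body should be indented one level further. The call is inside a function whose start and end are outside this hunk.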

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
