This breaks iperf3 in my setup.
root@ot50:.../~# iperf3 -sD
Abort trap (core dumped)
iperf3[72726]: pledge "proc", syscall 2
Program terminated with signal SIGABRT, Aborted.
#0 _thread_sys_fork () at /tmp/-:2
2 /tmp/-: No such file or directory.
(gdb) bt
#0 _thread_sys_fork () at /tmp/-:2
#1 0x6b01f3ff9bf18acf in ?? ()
#2 0x000004b673981f86 in daemon (nochdir=0, noclose=0)
at /usr/src/lib/libc/gen/daemon.c:41
#3 0x000004b3c8078629 in ?? ()
#4 0x000004b3c8078423 in ?? ()
#5 0x000004b3c8078131 in ?? ()
#6 0x0000000000000000 in ?? ()
Pledge should be done after initialization, but before running phase.
Call it after daemon(3).
bluhm
On Sat, Oct 21, 2023 at 07:28:06PM +0100, Stuart Henderson wrote:
> ...also as was as syscalls, socket options could do with checking over too.
>
> If everything is in order then there's not much point adding a configure
> flag really, just check for pledge
>
> --
> Sent from a phone, apologies for poor formatting.
>
> On 21 October 2023 19:01:33 Stuart Henderson <s...@spacehopper.org> wrote:
>
> > It hasn't been properly reviewed to check if there are any syscalls which
> > aren't covered by the pledge. I found the diskfile one which you missed,
> > but haven't checked over nm output to look for more.
> >
> > --
> > Sent from a phone, apologies for poor formatting.
> >
> > On 21 October 2023 18:57:55 Mikhail <mp39...@gmail.com> wrote:
> >
> >> On Sat, Oct 21, 2023 at 06:38:57PM +0100, Stuart Henderson wrote:
> >>> Err, sending that upstream is a bit premature.
> >>
> >> Reasons? It works fine in my testing, also it's enabled only with
> >> --enable-openbsd-sandbox, so if something arise it's very easy for the
> >> users to check without this code. And during review the devs can point
> >> to improvements.
> >>
> >> I can close the PR, it's not a problem.
