Theo de Raadt <dera...@openbsd.org> wrote:

> Stuart Henderson <s...@spacehopper.org> wrote:
> 
> > On 2024/05/08 01:14, Volker Schlecht wrote:
> > > aisha@ identified a rather recent problem with lang/node, as in the following
> > > would immediately crash (nevermind the node version. It's 100% reproducible
> > > in 7.5 and -current):
> > > 
> > > $ node
> > > Welcome to Node.js v20.12.2.
> > > Type ".help" for more information.
> > > > require('dns').resolve4('openbsd.org','A',(err, records) => {console.log(records);});
> > > 
> > > I tracked this back to the following pull request in libcares:
> > > 
> > > https://github.com/c-ares/c-ares/pull/659
> > 
> > So, specifically, this patch is setting SOCK_DNS for the situation where
> > somebody using this library _might_ use pledge, but node is not using
> > pledge.
> 
> That is just plain dumb.
> 
> If a socket is marked SOCK_DNS then it is *just for DNS*, and only the
> very narrow set of operations used by libc/asr are supported.
> 
> Actually it is dumb, because it wasn't tested at all.


BTW, this use case in OpenBSD is *DEAD*.

If you want to use pledge, you must sign up for the DNS-sockets-are-special
protocol.  There are no options.  If you don't sign up for that, then you
cannot use pledge.   This will not be negotiated.  This design is deliberate.

I could have instead created a completely parallel set of system calls for
doing DNS, and also blocked port 53 on regular sockets.  It would have worked
the same way. The goal is CLEAR, you cannot accidentally perform DNS except
via the published API.   Yes, this means non-libc API for doing DNS are dead
in the water.  This should not be surprising; it is impossible for a non-system
DNS "library" to behave identical to other software running on the machine
since it will not have all the configuration policy / details embedded in
resolv.conf or other similar changes we've made.

Well you can still use it.  You just cannot use any of the POSIX-subsets provided
by pledge, which is also not surprising.  pledge was not designed to interop
with billions of lines of foreign code that we don't know, it was only designed
to interop with code that we do know.  I'm human, I cannot anticipate everything.
So I drew a line: You can't just throw pledge around a random bag of garbage
software and expect it to work, you must USE YOUR BRAIN, and if you don't, the
node/c-ares outcome is exactly what you can expect.

