Theo de Raadt <dera...@openbsd.org> wrote:
> Stuart Henderson <s...@spacehopper.org> wrote:
>
> > On 2024/05/08 01:14, Volker Schlecht wrote:
> > > aisha@ identified a rather recent problem with lang/node, as in the
> > > following would immediately crash (nevermind the node version. It's
> > > 100% reproducible in 7.5 and -current):
> > >
> > > $ node
> > > Welcome to Node.js v20.12.2.
> > > Type ".help" for more information.
> > > > require('dns').resolve4('openbsd.org','A',(err, records) =>
> > > > {console.log(records);});
> > >
> > > I tracked this back to the following pull request in libcares:
> > >
> > > https://github.com/c-ares/c-ares/pull/659
> >
> > So, specifically, this patch is setting SOCK_DNS for the situation where
> > somebody using this library _might_ use pledge, but node is not using
> > pledge.
>
> That is just plain dumb.
>
> If a socket is marked SOCK_DNS then it is *just for DNS*, and only the
> very narrow set of operations used by libc/asr are supported.
>
> Actually it is dumb, because it wasn't tested at all.
BTW, this use case in OpenBSD is *DEAD*. If you want to use pledge, you must sign up for the DNS-sockets-are-special protocol. There are no options. If you don't sign up for that, then you cannot use pledge. This will not be negotiated.

This design is deliberate. I could have instead created a completely parallel set of system calls for doing DNS, and also blocked port 53 on regular sockets. It would have worked the same way. The goal is CLEAR, you cannot accidentally perform DNS except via the published API.

Yes, this means non-libc API for doing DNS are dead in the water. This should not be surprising; it is impossible for a non-system DNS "library" to behave identically to other software running on the machine since it will not have all the configuration policy / details embedded in resolv.conf or other similar changes we've made.

Well you can still use it. You just cannot use any of the POSIX-subsets provided by pledge, which is also not surprising. pledge was not designed to interop with billions of lines of foreign code that we don't know, it was only designed to interop with code that we do know.

I'm human, I cannot anticipate everything. So I drew a line: You can't just throw pledge around a random bag of garbage software and expect it to work, you must USE YOUR BRAIN, and if you don't, the node/c-ares outcome is exactly what you can expect.
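The supported pattern the thread points at, as an added example that is not part of the mail thread and not code from OpenBSD, node or c-ares: a program that requests only the "stdio" and "dns" promises and then resolves through libc's getaddrinfo(3), whose asr back end opens the SOCK_DNS socket the kernel expects. A third-party resolver that opens its own UDP socket would sit outside that promise. The `pledge` stand-in under `#ifndef __OpenBSD__` is an assumption added purely so the file compiles and runs on systems without pledge(2); on OpenBSD the real system call is used.

```c
/* Added example (not from the thread): resolve a name the pledge-compatible
 * way, via the libc/asr resolver, after pledging "stdio dns".
 * Build: cc -o pledged_lookup pledged_lookup.c   (OpenBSD; elsewhere the
 * pledge() stand-in below is a no-op so the lookup path can still be run). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#ifdef __OpenBSD__
#include <unistd.h>     /* pledge(2) */
#else
/* Assumed stand-in: systems without pledge(2) get a no-op so the example
 * compiles. It grants nothing and restricts nothing. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

/* Resolve `host` through libc and return the number of IPv4 addresses
 * found, or -1 on failure. With numeric_only set, AI_NUMERICHOST restricts
 * the call to address literals, so no DNS traffic is generated; that is
 * the mode the offline check uses. */
int resolve_count(const char *host, int numeric_only)
{
    struct addrinfo hints, *res, *p;
    int n = 0, rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_DGRAM;
    if (numeric_only)
        hints.ai_flags = AI_NUMERICHOST;

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }
    for (p = res; p != NULL; p = p->ai_next)
        n++;
    freeaddrinfo(res);
    return n;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "openbsd.org";
    int n;

    /* "dns" covers the resolver's own SOCK_DNS socket and its config files.
     * "inet" is deliberately not requested: any library that opened an
     * ordinary socket here would be outside what was pledged. */
    if (pledge("stdio dns", NULL) == -1) {
        perror("pledge");
        return 1;
    }

    n = resolve_count(host, 0);
    if (n < 0)
        return 1;
    printf("%s: %d address(es) via the libc resolver\n", host, n);
    return 0;
}
```

Run it with a hostname as the only argument. On OpenBSD the lookup succeeds under the narrow promise because it never leaves libc; the same binary would be killed by the kernel if something in it tried to talk to port 53 on a socket of its own.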