What about applying the pledge early only if no snaplen is specified, and, if one is, still calling pledge but only after the filter has been applied
(that is where the offending ioctl is called)?

A better strategy would probably be something similar to tcpdump's: check whether
PRIV_INIT_DONE has been reached and apply the single pledge only there, but that
involves quite a bit of restructuring. So is the below OK? If not, the best option for
now is to put the pledge back inside #if 0.

Index: pflogd.c
===================================================================
RCS file: /cvs/src/sbin/pflogd/pflogd.c,v
retrieving revision 1.53
diff -u -p -u -r1.53 pflogd.c
--- pflogd.c    16 Jan 2016 03:17:48 -0000      1.53
+++ pflogd.c    4 Jul 2017 16:10:51 -0000
@@ -557,6 +557,7 @@ main(int argc, char **argv)
        const char *errstr = NULL;
 
        ret = 0;
+       setsnaplen = 0;
 
        closefrom(STDERR_FILENO + 1);
 
@@ -583,6 +584,7 @@ main(int argc, char **argv)
                                snaplen = DEF_SNAPLEN;
                        if (errstr)
                                snaplen = PFLOGD_MAXSNAPLEN;
+                       setsnaplen = 1;
                        break;
                case 'x':
                        Xflag = 1;
Index: pflogd.h
===================================================================
RCS file: /cvs/src/sbin/pflogd/pflogd.h,v
retrieving revision 1.5
diff -u -p -u -r1.5 pflogd.h
--- pflogd.h    10 Oct 2015 22:36:06 -0000      1.5
+++ pflogd.h    4 Jul 2017 16:10:51 -0000
@@ -47,3 +47,4 @@ void send_fd(int, int);
 int  receive_fd(int);
 
 extern int Debug;
+int setsnaplen;
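Review bot: `int setsnaplen;` in pflogd.h is a definition, not a declaration, so every translation unit that includes the header (pflogd.c and privsep.c both use the variable in this patch) ends up with its own tentative definition; with -fno-common, or any toolchain that does not merge common symbols, that is a duplicate-symbol link error. The line directly above shows the header's own convention for shared globals: `extern int Debug;`. Change the new line to `extern int setsnaplen;` and place the single definition `int setsnaplen;` in pflogd.c, presumably alongside where Debug is defined.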
Index: privsep.c
===================================================================
RCS file: /cvs/src/sbin/pflogd/privsep.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 privsep.c
--- privsep.c   12 Jun 2017 23:37:44 -0000      1.25
+++ privsep.c   4 Jul 2017 16:10:51 -0000
@@ -118,8 +118,10 @@ priv_init(void)
        setproctitle("[priv]");
        close(socks[1]);
 
-       if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
-               err(1, "pledge");
+       if (setsnaplen == 0) {
+               if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == 
-1)
+                       err(1, "pledge");
+       }
 
        while (!gotsig_chld) {
                if (may_read(socks[0], &cmd, sizeof(int)))
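Review bot: With the `setsnaplen == 0` guard, a priv process started with -s runs entirely unpledged from this point until set_snaplen() is invoked on its behalf, and if the child never requests it (exits early or fails before reaching that point) the privileged parent stays unpledged for its whole lifetime, including the command loop that follows. That is a wider exposure window than the original unconditional early pledge, and the patch does not record the trade-off anywhere; at minimum a comment at the guard, `/* -s: pledge is deferred to set_snaplen() (after the snaplen ioctl); the priv process is unpledged until then */`, would make it visible to the next reader. Line 60's `-1)` looks like mail-client wrapping of the preceding `+` line rather than a genuine removed line, so the hunk will not apply as shown. priv_init() continues past the end of the hunk.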
@@ -185,6 +187,9 @@ set_snaplen(int snap)
 
        hpcap->snapshot = snap;
        set_pcap_filter();
+
+       if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
+               err(1, "pledge");
 
        return 0;
 }
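Review bot: The pledge promise string is now duplicated verbatim between set_snaplen() and priv_init(), so the two call sites can silently drift apart the next time a promise is added or removed; define it once, e.g. `static const char pledge_promises[] = "stdio rpath wpath cpath sendfd proc bpf";` near the top of privsep.c, and use `pledge(pledge_promises, NULL)` in both places. Whether set_snaplen() can run more than once per process cannot be told from here; repeated pledge calls with identical promises are permitted, but a comment such as `/* only pledge point for the -s path; must come after set_pcap_filter() */` would record why the call sits here rather than in priv_init(). set_snaplen()'s beginning is outside the hunk.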
