Hi, dhcrelay drops privs but isn't pledged yet - here it is.
It is simpler than dhclient: it only needs stdio and route because it pre-opens all file descriptors (UDP, bpf), does the bpf ioctls before, and only needs "route" for interface status ioctls on runtime. OK? Reyk Index: usr.sbin/dhcrelay/dhcrelay.c =================================================================== RCS file: /cvs/src/usr.sbin/dhcrelay/dhcrelay.c,v retrieving revision 1.44 diff -u -p -u -p -r1.44 dhcrelay.c --- usr.sbin/dhcrelay/dhcrelay.c 7 Dec 2016 13:19:18 -0000 1.44 +++ usr.sbin/dhcrelay/dhcrelay.c 7 Dec 2016 13:42:07 -0000 @@ -248,6 +248,9 @@ main(int argc, char *argv[]) log_perror = 0; } + if (pledge("stdio route", NULL) == -1) + error("pledge"); + dispatch(); /* not reached */
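Review bot: The pledge("stdio route", NULL) call added before dispatch() in main() has no comment saying why "route" is in the promise set; that rationale (interface status ioctls at runtime, with the UDP and bpf descriptors opened and the bpf ioctls done beforehand) exists only in the mail text. A short comment above the call would stop a later reader from dropping "route" as unneeded, or from moving descriptor setup to after the pledge. Also, error("pledge") passes no errno detail, and the preceding context sets log_perror = 0, so unless error() appends the reason itself, consider adding strerror(errno) to the message so that a failure is diagnosable from the log alone.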