On Fri, Jun 16, 2017 at 03:53:09PM +0100, Ricardo Mestre wrote:
> Hi tech@
>
> rebound(8)'s parent proc doesn't seem to need much permissions to do what it
> needs, here is the pledge for the parent for the following promises:
>
> rpath: reload the configuration at reexec time (see below)
> proc/exec: needed to reexec itself and kill child if needed
>

rebound will not be able to restore dnsjacking on exit.

There is an atexit() call with resetport function. At exit, the function
should be able to set { CTL_KERN, KERN_DNSJACKPORT }, and it will not be
able to do that if pledged.

--
Sebastien Marie