Hi, I'm in the process of building a program that adds IP addresses to a table, from the network. It is HMAC'ed.
I was stopped by a pledge, it seems it was not configured. Here is the ktrace snippet:

40051 table-server CALL open(0xbb705fb11f6,0x2<O_RDWR>)
40051 table-server NAMI "/dev/pf"
40051 table-server RET open 4
40051 table-server CALL kbind(0x7f7ffffa2b08,24,0x2de4af929c6b5090)
40051 table-server RET kbind 0
40051 table-server CALL ioctl(4,DIOCRADDTABLES,0x7f7ffffa32a8)
40051 table-server RET ioctl 0
40051 table-server CALL kbind(0x7f7ffffa2b08,24,0x2de4af929c6b5090)
40051 table-server RET kbind 0
40051 table-server CALL ioctl(4,DIOCRADDADDRS,0x7f7ffffa32a8)
40051 table-server PLDG ioctl, "tty", errno 1 Operation not permitted
40051 table-server PSIG SIGABRT SIG_DFL
40051 table-server NAMI "table-server.core"

Here is a patch to consider, it compiles but I haven't tested it yet because I'm unsure if there is a reason why this DIOCR* was left out. I'm guessing, if the patch is OK, I'll have to leave the pledge out for 6.6 which is what this is intended for. Sad, but OK, at least there is unveil.

Index: kern_pledge.c =================================================================== RCS file: /cvs/src/sys/kern/kern_pledge.c,v retrieving revision 1.256 diff -u -p -u -r1.256 kern_pledge.c --- kern_pledge.c 8 Dec 2019 23:08:59 -0000 1.256 +++ kern_pledge.c 14 Jan 2020 17:51:19 -0000 @@ -1205,6 +1205,7 @@ pledge_ioctl(struct proc *p, long com, s case DIOCADDRULE: case DIOCGETSTATUS: case DIOCNATLOOK: + case DIOCRADDADDRS: case DIOCRADDTABLES: case DIOCRCLRADDRS: case DIOCRCLRTABLES:

Cheers,
-peter
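
Review bot: the added case DIOCRADDADDRS in pledge_ioctl() is untested by the submitter's own account, and the hunk context shows only the neighbouring case labels, not the promise check this group sits under, so the submission should state which promise ends up permitting address insertion into pf tables. The ktrace shows DIOCRADDTABLES returning 0 and DIOCRADDADDRS hitting the PLDG abort on the same descriptor, and DIOCRCLRADDRS is already in the list, so the placement next to DIOCRADDTABLES looks consistent with what is allowed today. Before this goes in, re-run table-server under ktrace on a patched kernel and confirm the DIOCRADDADDRS ioctl returns 0 with no PLDG line. If the program will also remove individual addresses, check whether the matching delete ioctl is covered, since it is not visible in this context.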