/usr/sbin/dhcpd -u pledge failure.


/usr/sbin/dhcpd -u pledge failure.

Philip Higgins-2
Hi,

When using 'udpsockmode' in dhcpd (-u flag), it first calls
pledge("stdio rpath inet sendfd proc id", NULL) (in udpsock.c)

then tries
pledge("stdio inet route sendfd", NULL) (back in dhcpd.c)

The "route" causes it to fail.

eg.
$ doas dhcpd -u -fd pppx0
Listening on 255.255.255.255:67/udp.
dhcpd: pledge: Operation not permitted

"route" isn't defined in the pledge(2) man page,
but testing seems to indicate it is necessary.

Index: udpsock.c
===================================================================
RCS file: /cvs/src/usr.sbin/dhcpd/udpsock.c,v
retrieving revision 1.5
diff -u -p -r1.5 udpsock.c
--- udpsock.c   8 Feb 2016 02:06:07 -0000       1.5
+++ udpsock.c   4 Apr 2016 04:09:14 -0000
@@ -65,7 +65,7 @@ udpsock_startup(struct in_addr bindaddr)
                error("setsocketopt IP_RECVIF failed for udp: %s",
                    strerror(errno));

-       if (pledge("stdio rpath inet sendfd proc id", NULL) == -1)
+       if (pledge("stdio rpath inet sendfd proc id route", NULL) == -1)
                error("pledge: %s", strerror(errno));

        sin4.sin_family = AF_INET;
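
Review bot: "route" is appended after "id" in the changed pledge() call, while the later call in dhcpd.c quoted in the report lists it as "stdio inet route sendfd"; placing it between "inet" and "sendfd" here as well keeps the two promise strings easy to compare side by side. Since the report notes that pledge(2) does not document "route", a one-line comment above the call saying that the promise is kept here so the later pledge in dhcpd.c can still request it would help the next reader.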


--
-Phil


Re: /usr/sbin/dhcpd -u pledge failure.

Theo Buehler
On Mon, Apr 04, 2016 at 04:12:26AM +0000, Philip Higgins wrote:

> Hi,
>
> When using 'udpsockmode' in dhcpd (-u flag), it first calls
> pledge("stdio rpath inet sendfd proc id", NULL) (in udpsock.c)
>
> then tries
> pledge("stdio inet route sendfd", NULL) (back in dhcpd.c)
>
> The "route" causes it to fail.
>
> eg.
> $ doas dhcpd -u -fd pppx0
> Listening on 255.255.255.255:67/udp.
> dhcpd: pledge: Operation not permitted

Thanks a lot for the report and the patch!
(for next time: bugs@ or tech@ would be better suited for this).

> "route" isn't defined in the pledge(2) man page,

Yes, the pledge man page is a bit out of sync with the actual system
call. The latter is still a moving target, so this is to be expected.

You can grep for PLEDGE_ROUTE in /sys/kern/kern_pledge.c
to see where it is used.

> but testing seems to indicate it is necessary.

Yes, it is needed, e.g. for the SIOCGIFADDR ioctl(2) in the
udpsock_handler().


> Index: udpsock.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/dhcpd/udpsock.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 udpsock.c
> --- udpsock.c   8 Feb 2016 02:06:07 -0000       1.5
> +++ udpsock.c   4 Apr 2016 04:09:14 -0000
> @@ -65,7 +65,7 @@ udpsock_startup(struct in_addr bindaddr)
>                 error("setsocketopt IP_RECVIF failed for udp: %s",
>                     strerror(errno));
>
> -       if (pledge("stdio rpath inet sendfd proc id", NULL) == -1)
> +       if (pledge("stdio rpath inet sendfd proc id route", NULL) == -1)

this is the correct fix, up to the order of the promises.
"route" belongs between "inet" and "sendfd".

With that, this patch is ok tb@

>                 error("pledge: %s", strerror(errno));
>
>         sin4.sin_family = AF_INET;
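
Review bot: the error() call right after the changed pledge() reports only "pledge: %s", and the failure in the report ("dhcpd: pledge: Operation not permitted"), which came from the later call in dhcpd.c, prints the same text, so the message alone does not say which of the two pledge calls failed. Naming the call site in the string here, for example "pledge udpsock: %s", would make reports like this one quicker to place.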
>
>
> --
> -Phil


Re: /usr/sbin/dhcpd -u pledge failure.

Héctor Luis Gimbatti
In reply to this post by Philip Higgins-2
A couple of programs are passing "route" to pledge (bgpd.c; iked.c; ...)

We have to document the route syscall in pledge (2)

> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf
> Of Philip Higgins
> Sent: Monday, April 04, 2016 01:12
> To: [hidden email]
> Subject: /usr/sbin/dhcpd -u pledge failure.
>
> Hi,
>
> When using 'udpsockmode' in dhcpd (-u flag), it first calls pledge("stdio rpath
> inet sendfd proc id", NULL) (in udpsock.c)
>
> then tries
> pledge("stdio inet route sendfd", NULL) (back in dhcpd.c)
>
> The "route" causes it to fail.
>
> eg.
> $ doas dhcpd -u -fd pppx0
> Listening on 255.255.255.255:67/udp.
> dhcpd: pledge: Operation not permitted
>
> "route" isn't defined in the pledge(2) man page, but testing seems to indicate it is
> necessary.
>
> Index: udpsock.c
> =================================================================
> ==
> RCS file: /cvs/src/usr.sbin/dhcpd/udpsock.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 udpsock.c
> --- udpsock.c   8 Feb 2016 02:06:07 -0000       1.5
> +++ udpsock.c   4 Apr 2016 04:09:14 -0000
> @@ -65,7 +65,7 @@ udpsock_startup(struct in_addr bindaddr)
>                 error("setsocketopt IP_RECVIF failed for udp: %s",
>                     strerror(errno));
>
> -       if (pledge("stdio rpath inet sendfd proc id", NULL) == -1)
> +       if (pledge("stdio rpath inet sendfd proc id route", NULL) == -1)
>                 error("pledge: %s", strerror(errno));
>
>         sin4.sin_family = AF_INET;
>
>
> --
> -Phil
