On Thu, Jan 16, 2020 at 12:13:27PM -0700, Theo de Raadt wrote:
> Your example is vaguely imprecise enough that I cannot reproduce the
> failure. If I could, I would ktrace it.

Here is more (precise) data:

----->
beta$ cd /tmp
beta$ ktrace -i dig @rhombus.centroid.eu +tcp delphinusdns.org aaaa
Abort trap (core dumped)
beta$ kdump | grep -4 PLDG
83401 dig RET kbind 0
83401 dig CALL setsockopt(20,41<ipv6>,42,0x7f7ffffdb1b0,4)
83401 dig RET setsockopt 0
83401 dig CALL setsockopt(20,6<tcp>,2,0x7f7ffffdb1b0,4)
83401 dig PLDG setsockopt, "inet", errno 1 Operation not permitted
83401 dig PSIG SIGABRT SIG_DFL
83401 dig NAMI "dig.core"
beta$ sysctl kern.version
kern.version=OpenBSD 6.6-current (GENERIC.MP) #603: Mon Jan 13 13:21:42 MST 2020
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
<-----

> dig is supposed to use SOCK_DNS, and then not bother doing additional
> stuff.
>
> 105 is setsockopt. We would investigate if the setsockopt being done
> is required, or if it can be removed. After all, the "bind as a library"
> code remaining no longer needs to serve "daemon functionality".

Thanks for that hint, that makes it easier. With the kdump and some grepping
I have located it (it's the only tcp setsockopt in dig's lib):

------->
beta$ grep -R setsockopt * | grep IPPROTO_TCP
grep: obj: Permission denied
lib/isc/unix/socket.c: (void)setsockopt(sock->fd, IPPROTO_TCP, TCP_MAXSEG,
beta$ grep TCP_MAXSEG /usr/include/netinet/tcp.h
#define TCP_MAXSEG 0x02 /* set maximum segment size */
<------

I've not come across this setsockopt in my network programming, but I guess
the comment is good enough.

Best Regards,
-peter

> Peter J. Philipp <p...@centroid.eu> wrote:
>
> > I did a quick grep of dig's pledge:
> >
> > ---->
> > beta$ grep pledge *
> > dig.c: if (pledge("stdio rpath dns", NULL) == -1) {
> > dig.c: perror("pledge");
> > dig.c: if (pledge("stdio dns", NULL) == -1) {
> > dig.c: perror("pledge");
> > <----
> >
> > and noticed that there is no inet pledge. The problem is when I do
> > a dig @server +tcp example.com, dig gets killed with an inet pledge
> > recommendation.
> >
> > beta$ dmesg | tail -1
> > dig[42760]: pledge "inet", syscall 105
> >
> > I'm aware that dig was only recently upgraded and I don't want to step
> > on anyone's toes. Is there a fix for the dns pledge or an addition to
> > dig's pledges foreseen?
> >
> > Best regards,
> > -peter
> >
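An added helper, not part of the thread above: a small sh/awk filter that turns kdump output into one line per pledge violation, pairing each PLDG record with the CALL line that preceded it, so the offending setsockopt (here level 6<tcp>, option 2, which the thread identified as TCP_MAXSEG) is visible at a glance. The sample input is constructed from the kdump lines quoted in the message; the `[IPPROTO_TCP/TCP_MAXSEG]` annotation is only applied for that one option, since it is the only one the thread decodes.

```shell
#!/bin/sh
# Constructed kdump excerpt modelled on the lines quoted in the thread
# (pid, fd numbers and addresses are illustrative).
KDUMP_SAMPLE='83401 dig RET kbind 0
83401 dig CALL setsockopt(20,41<ipv6>,42,0x7f7ffffdb1b0,4)
83401 dig RET setsockopt 0
83401 dig CALL setsockopt(20,6<tcp>,2,0x7f7ffffdb1b0,4)
83401 dig PLDG setsockopt, "inet", errno 1 Operation not permitted
83401 dig PSIG SIGABRT SIG_DFL
83401 dig NAMI "dig.core"'

# pledge_violations: read kdump text on stdin and print, per PLDG record:
#   <pid> <program> <syscall> <missing-promise> <last CALL by that pid>
# The last CALL is remembered per pid so interleaved processes do not mix.
pledge_violations() {
    awk '
        $3 == "CALL" { last_call[$1] = substr($0, index($0, $4)) }
        $3 == "PLDG" {
            sc = $4; sub(/,$/, "", sc)                 # "setsockopt," -> setsockopt
            promise = $5; gsub(/[",]/, "", promise)    # "\"inet\"," -> inet
            detail = last_call[$1]
            # Decode the one option the thread looked up: tcp(6) option 2.
            if (detail ~ /^setsockopt\([0-9]+,6<tcp>,2,/)
                detail = detail " [IPPROTO_TCP/TCP_MAXSEG]"
            printf "%s %s %s %s %s\n", $1, $2, sc, promise, detail
        }
    '
}

# Stand-alone run: report violations found in the constructed sample.
printf '%s\n' "$KDUMP_SAMPLE" | pledge_violations
```

For a live trace the same filter reads `kdump | pledge_violations`, and the printed promise name is the one the kernel reported missing, not necessarily the one that should be added; as the thread shows, the better fix may be removing the call.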