This change is OK with me.
The mdns.allow stuff should be fixed by go recognizing that it doesn't
exist in OpenBSD, and not attempting the open.
Ted Unangst <t...@tedunangst.com> wrote:
> A go program that uses pledge("dns") mostly works except for two
> incompatibilities with the way golang's dns library works. Otherwise
> pledge("rpath") is required.
>
> 1. go likes to stat /etc/hosts to check for changes. I think this is
> reasonable behavior. Patch below adds a whitelist to the kernel to permit
> this. (libc does not currently cache results, but it could..?)
>
> 2. go tries to look a file called mdns.allow which does not exist on openbsd.
> There are several platform dependent branches in go/src/net/conf.go, trying to
> read this file should be avoided on openbsd. Patch left as an exercise.
>
> Point 2 is also trivially worked around by performing a dummy lookup of
> localhost before enabling pledge, so no urgency, but point 1 requires a code
> change somewhere.
>
>
> Index: kern_pledge.c
> ===================================================================
> RCS file: /cvs/src/sys/kern/kern_pledge.c,v
> retrieving revision 1.278
> diff -u -p -r1.278 kern_pledge.c
> --- kern_pledge.c 20 Jan 2022 03:43:30 -0000 1.278
> +++ kern_pledge.c 30 Jan 2022 21:01:43 -0000
> @@ -733,12 +733,17 @@ pledge_namei(struct proc *p, struct name
>
> break;
> case SYS_stat:
> - /* DNS needs /etc/resolv.conf. */
> + /* DNS needs /etc/{resolv.conf,hosts}. */
> if ((ni->ni_pledge == PLEDGE_RPATH) &&
> - (pledge & PLEDGE_DNS) &&
> - strcmp(path, "/etc/resolv.conf") == 0) {
> - ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
> - return (0);
> + (pledge & PLEDGE_DNS)) {
> + if (strcmp(path, "/etc/resolv.conf") == 0) {
> + ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
> + return (0);
> + }
> + if (strcmp(path, "/etc/hosts") == 0) {
> + ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
> + return (0);
> + }
> }
> break;
> }
>
