How about we delete LD_PRELOAD support from ld.so?
This concept of extending programs underneath is utterly retarded,
because it is fragile in precisely this way, and there is absolutely
nothing we can or should do to help it work.
Caspar Schutijser <caspar@schutijser.com> wrote:
> Hi all,
>
> Using socksify (from the security/dante port) in combination with
> pledged programs doesn't go very well. For those who don't know,
> socksify makes programs communicate through a SOCKS proxy by using
> LD_PRELOAD.
>
> Example:
> # pkg_add dante # No configuration necessary for this example
> $ socksify ftp -o /dev/null https://example.org/
> Trying 93.184.216.34...
> Abort trap (core dumped)
> $ dmesg | tail -1
> ftp[14267]: pledge "inet", syscall 118
>
> Using gdb and reading the code, I found that a call to getsockopt()
> related to multicast stuff in the dante code is to blame:
> lib/socket.c, line 699:
> 683 int
> 684 socks_socketisforlan(s)
> 685 const int s;
> 686 {
> ...
> 693 /*
> 694 * make an educated guess as to whether the socket is intended for
> 695 * lan-only use or not.
> 696 */
> 697
> 698 len = sizeof(addr);
> 699 if (getsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &addr, &len) != 0) {
> 700 slog(LOG_DEBUG, "%s: getsockopt(IP_MULTICAST_IF) failed: %s",
> 701 function, strerror(errno));
> 702
> 703 errno = errno_s;
> 704 return 0;
> 705 }
>
> (The socks_socketisforlan() function is called in Rconnect() located
> in lib/Rconnect.c.)
>
> What would be the best way forward here? Patch away the code that calls
> getsockopt(IP_MULTICAST_IF)? Something else? I don't have any good
> ideas, in part because I don't know enough about why dante cares about
> this, and because I'm not a multicast expert.
>
> Caspar
>
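The dmesg line in the report above is what identifies the offending call. As an added example (not part of the original thread, dante or OpenBSD), this sketch parses pledge abort lines in that format and groups them by program and syscall; the sample log and the small syscall-number table are assumptions to be checked against `sys/syscall.h` on the release in use.

```python
import re
from collections import Counter

# Line format as shown in the report: prog[pid]: pledge "promise", syscall N
PLEDGE_RE = re.compile(
    r'^(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: '
    r'pledge "(?P<promise>[^"]*)", syscall (?P<nr>\d+)$'
)

# Assumption: a few OpenBSD syscall numbers; 118 is the getsockopt()
# call identified in the report. Extend from sys/syscall.h as needed.
SYSCALL_NAMES = {97: "socket", 98: "connect", 105: "setsockopt", 118: "getsockopt"}


def parse_pledge_line(line):
    """Return a dict for a pledge abort line, or None for any other line."""
    m = PLEDGE_RE.match(line.strip())
    if m is None:
        return None
    nr = int(m["nr"])
    return {
        "prog": m["prog"],
        "pid": int(m["pid"]),
        "promise": m["promise"],  # string printed by the kernel, kept verbatim
        "syscall": nr,
        "name": SYSCALL_NAMES.get(nr, f"syscall {nr}"),
    }


def summarize(lines):
    """Count pledge aborts per (program, promise string, syscall name)."""
    counts = Counter()
    for line in lines:
        event = parse_pledge_line(line)
        if event is not None:
            counts[(event["prog"], event["promise"], event["name"])] += 1
    return counts.most_common()


# Constructed sample: the first pledge line is the one quoted in the report,
# the remaining lines are made up for illustration.
SAMPLE = """\
ftp[14267]: pledge "inet", syscall 118
em0: link state changed
ftp[14302]: pledge "inet", syscall 118
nc[20011]: pledge "stdio", syscall 5000
"""

if __name__ == "__main__":
    for (prog, promise, name), n in summarize(SAMPLE.splitlines()):
        print(f'{n}x {prog}: {name} (pledge "{promise}")')
```

Repeated aborts of one pledged program on the same syscall, as with the two `ftp` entries here, point to a code path the program's pledge never anticipated, such as a preloaded library.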