Wednesday, November 01, 2023

net/dictd: pledge dict(1)

Start with "rpath inet dns", drop "rpath" after config file is read.
No files are created/written/modified, nothing is executed.

dict.c first builds a list of commands and then works through it,
meaning there is no up-front connection setup and network happens
out of the processing loop, so no trivial way of dropping "inet dns"
earlier.

'nm ./dict' shows 'U popen', but that comes from dictd(8) code in
the common parse.c; removing it from parse.c and rebuilding dict
works as expected and the symbol disappears, i.e. it isn't used.

Feedback? OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dictd/Makefile,v
diff -u -p -r1.23 Makefile
--- Makefile 1 Nov 2023 17:05:21 -0000 1.23
+++ Makefile 1 Nov 2023 17:06:12 -0000
@@ -6,7 +6,7 @@ DISTNAME= dictd-$V

PKGNAME-main= dictd-client-$V
PKGNAME-server= dictd-server-$V
-REVISION-main= 3
+REVISION-main= 4
REVISION-server=3

CATEGORIES= net education
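Review bot: minor style point on the context line `REVISION-server=3`: it lacks the space after `=` that the neighbouring `PKGNAME-*` and `REVISION-main= 4` lines use; worth aligning while this block is being touched. Bumping only REVISION-main is consistent with the change, since the new patch-dict_c only affects the dict(1) client binary.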
Index: patches/patch-dict_c
===================================================================
RCS file: patches/patch-dict_c
diff -N patches/patch-dict_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-dict_c 1 Nov 2023 17:33:14 -0000
@@ -0,0 +1,39 @@
+pledge dict(1)
+
+Index: dict.c
+--- dict.c.orig
++++ dict.c
+@@ -22,6 +22,8 @@
+ #include "parse.h"
+ #include "md5.h"
+ #include <stdarg.h>
++#include <unistd.h>
++#include <err.h>
+
+ extern int yy_flex_debug;
+ lst_List dict_Servers;
+@@ -1375,6 +1377,11 @@ int main( int argc, char **argv )
+ dict_output = stdout;
+ dict_error = stderr;
+
++#ifdef __OpenBSD__
++ if (pledge("stdio rpath inet dns", NULL) == -1)
++ err_fatal_errno(__func__, "pledge");
++
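Review bot: the added `#include <err.h>` is not used by any visible line of this hunk; the failure path calls dictd's own `err_fatal_errno(__func__, "pledge")` rather than err(3), so either drop the include or switch to `err(1, "pledge")` for consistency with the header being pulled in. Note also that the hunk as shown here ends right after the first pledge call, so the closing `#endif` and the later pledge that drops "rpath" once the config file has been read (described in the message) cannot be checked in this copy of the diff.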

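The two-stage promise sequence the message describes (start with "stdio rpath inet dns", drop "rpath" once the config has been consumed, keep "inet dns" because network I/O happens inside the command loop) as an added example. This is not code from the dictd port or from the post above: `restrict_to` is a hypothetical wrapper that calls pledge(2) only on OpenBSD and otherwise just records the promise string so the sequence can still be inspected, and the config buffer is a constructed sample rather than a real file.

```c
/* Added example, not from the dictd port: staged pledge(2) promises.
 * Builds on non-OpenBSD systems too, where pledge() is simply skipped. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>   /* pledge(2) */
#endif

/* Hypothetical wrapper: on OpenBSD apply the promises for real; elsewhere
 * only remember them so the sequence can be checked. */
static char last_promises[128] = "";

static int restrict_to(const char *promises)
{
    snprintf(last_promises, sizeof last_promises, "%s", promises);
#ifdef __OpenBSD__
    if (pledge(promises, NULL) == -1)
        return -1;
#endif
    return 0;
}

/* Stage 1: the config file has not been read yet, so "rpath" must stay;
 * "inet dns" is needed later inside the command loop. */
int stage_startup(void)
{
    return restrict_to("stdio rpath inet dns");
}

/* Parses a constructed config buffer instead of fopen()ing a real file so
 * the example runs offline. Real code would open the file here, which is
 * exactly why "rpath" is still in the promise set at this point. */
static int read_config(const char *buf, char *server, size_t n)
{
    const char *key = "server ";
    const char *p = strstr(buf, key);
    size_t i = 0;

    if (p == NULL)
        return -1;
    p += strlen(key);
    while (p[i] != '\0' && p[i] != '\n' && i + 1 < n) {
        server[i] = p[i];
        i++;
    }
    server[i] = '\0';
    return 0;
}

/* Stage 2: config consumed, so "rpath" can go. "inet dns" is kept because
 * connections are made from inside the processing loop, not up front. */
int stage_after_config(void)
{
    return restrict_to("stdio inet dns");
}

const char *current_promises(void)
{
    return last_promises;
}

/* Runs the full sequence on a constructed sample config; 0 on success. */
int run_sequence(char *server, size_t n)
{
    static const char config[] =
        "# constructed sample ~/.dictrc\n"
        "server dict.example.invalid\n";

    if (stage_startup() == -1)
        return -1;
    if (read_config(config, server, n) == -1)
        return -1;
    return stage_after_config();
}

/* Self-check: 1 when the sequence ended in the expected final state. */
int sequence_ok(void)
{
    char server[64];

    return run_sequence(server, sizeof server) == 0
        && strcmp(server, "dict.example.invalid") == 0
        && strcmp(current_promises(), "stdio inet dns") == 0;
}

int main(void)
{
    char server[64];

    if (run_sequence(server, sizeof server) == -1) {
        perror("pledge");
        return 1;
    }
    printf("server=%s promises=%s\n", server, current_promises());
    return 0;
}
```

On OpenBSD, any later call that falls outside the remaining promise set (for example an fopen() after stage 2) kills the process with SIGABRT, which is the whole point of tightening the set as early as the program's structure allows.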