OpenBSD Mail Box: Re: [maintainer update] net/icinga/icingadb: 1.5.1, pledge/unveil patch

thanks - just checking, are you happy this is ok with the most recent pledge commits?

Sent from a phone, apologies for poor formatting.

On 27 March 2026 19:42:29 "Alvar Penning" <post@0x21.biz> wrote:

Hi ports@,

Hi Stuart,

A diff to update net/icinga/icingadb to its latest release 1.5.1

together with a small patch for pledge(2) and unveil(2) support follows.

Best,

Alvar

diff --git Makefile Makefile

index 204ee608d41..8e970d1d741 100644

--- Makefile

+++ Makefile

@@ -1,7 +1,7 @@

COMMENT= configuration and state database for Icinga

GH_PROJECT= icingadb

-GH_TAGNAME= v1.5.0

+GH_TAGNAME= v1.5.1

MODGO_MODNAME= github.com/icinga/icingadb

MODGO_VERSION= ${GH_TAGNAME}

@@ -18,6 +18,9 @@ MODULES= lang/go

.include "modules.inc"

+# for patches to apply

+WRKDIST = ${WRKSRC}

+

post-install:

${INSTALL_DATA_DIR} ${PREFIX}/share/doc/icingadb/markdown

${INSTALL_DATA} ${WRKSRC}/{AUTHORS,LICENSE,*.md} ${PREFIX}/share/doc/icingadb

diff --git distinfo distinfo

index 89bca181e4f..35d7cce3e8d 100644

--- distinfo

+++ distinfo

@@ -38,8 +38,8 @@ SHA256 (go_modules/github.com/google/go-cmp/@v/v0.7.0.mod) = Mch0odKhjmKwVQ+CPOe

SHA256 (go_modules/github.com/google/go-cmp/@v/v0.7.0.zip) = ZKnOBG8sMg43g/ug0fShX4oY8LAJtnvyf3YwkZ2z9Tk=

SHA256 (go_modules/github.com/google/uuid/@v/v1.6.0.mod) = c9pHtjOLAKCC/UUao1oyc9OtwJuOm7qY2rAQkeQCr24=

SHA256 (go_modules/github.com/google/uuid/@v/v1.6.0.zip) = 0PAvN3IX9CcC4lloTgZEHtv1FA3dzDS6m+pWA4s4pu0=

-SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.mod) = TuBy+Tlxexr7Zaw8o3K8RRWunQx3rkzixq9qDRaDTeQ=

-SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.zip) = FgJRtm+KhVjJsmXmzllXmh45ZvPh6fSnmaVRrIuIxCU=

+SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.mod) = 62kZelhlLe0QB3ERRyX7e2NIxWW2FbX/t4YsfgvbBwU=

+SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.zip) = fyA6SxKRwcqi0ezK8q8uG9XaBgPV6m65fGhdg4lAcYc=

SHA256 (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.mod) = XXfNPd0IYZ25q3vITtJAlbDicioz7d4iGzJlEMKwH/w=

SHA256 (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.zip) = I97Ou1pRFK8aaH++1k1qZ08el25wsrTNwn9S0LAgy0s=

SHA256 (go_modules/github.com/jmoiron/sqlx/@v/v1.4.0.mod) = TK1YPczEsJNGdNt/yFycLDIu5YeTNmhgqupYL2WRmU0=

@@ -66,8 +66,8 @@ SHA256 (go_modules/github.com/pkg/errors/@v/v0.9.1.mod) = 3yjGqCPxgddheWlxd8DFlD

SHA256 (go_modules/github.com/pkg/errors/@v/v0.9.1.zip) = 1MNri80GFikKORMhXg9TuTG9bgBnBZbylg3xtEryvQc=

SHA256 (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.mod) = dLLnZushU3eGTVh7rfV+lVIfaS0qeGCzx3WQk/nJvsI=

SHA256 (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.zip) = 3gTOzBpLjVPkNXBRAmeUvLxU8uaiYM+sUIzmnV1kV6A=

-SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.mod) = bVq+RIntf4jVi2SnFPH2zfBcKeRzKyNMMocJK0LzJrg=

-SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.zip) = 6/q95nlTIIKBKBCdXNiwrhNvyTnzNSYbFgK725Mhalw=

+SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.mod) = bVq+RIntf4jVi2SnFPH2zfBcKeRzKyNMMocJK0LzJrg=

+SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.zip) = tu9N6wgWD5rO+KrMK3g47iQkBFzRyrGq0oZoT4/b+wE=

SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.1.0.mod) = bHMYonqNVHOo62YedfsAUoF24O/FkxDtJ3yhO9EqU/E=

SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.2.0.mod) = bHMYonqNVHOo62YedfsAUoF24O/FkxDtJ3yhO9EqU/E=

SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.2.0.zip) = MZnZS+UChBQiIGYso7AOGd3R3r5OgN3HRf9CA+y2AcA=

@@ -86,8 +86,8 @@ SHA256 (go_modules/go.uber.org/goleak/@v/v1.3.0.zip) = cO3vDOfYMNmS8CTlJ/00Ugabi

SHA256 (go_modules/go.uber.org/multierr/@v/v1.10.0.mod) = WKMN3nMKuldXZxXZCEF3T2NEqHn+xWM6LGazfsMMEfA=

SHA256 (go_modules/go.uber.org/multierr/@v/v1.11.0.mod) = WKMN3nMKuldXZxXZCEF3T2NEqHn+xWM6LGazfsMMEfA=

SHA256 (go_modules/go.uber.org/multierr/@v/v1.11.0.zip) = Ikm10v3OYfbuZhpnnYVSWZrwhKdhy7yHHad2Qb3c4MM=

-SHA256 (go_modules/go.uber.org/zap/@v/v1.27.0.mod) = rYBZREWaFDYO6wZ3t8b8T/ep2oD7A3ZK+n2RzwLihcc=

-SHA256 (go_modules/go.uber.org/zap/@v/v1.27.0.zip) = uZS5b/C7UEo9WCiKuIufPGYEaJ6hr7adJbUJdpcFpsI=

+SHA256 (go_modules/go.uber.org/zap/@v/v1.27.1.mod) = rYBZREWaFDYO6wZ3t8b8T/ep2oD7A3ZK+n2RzwLihcc=

+SHA256 (go_modules/go.uber.org/zap/@v/v1.27.1.zip) = OHYCJxQtODaQaTdMAFcHvGs8Jwp180+j8XxIyGMUPNw=

SHA256 (go_modules/golang.org/x/crypto/@v/v0.28.0.mod) = hn0KUX9LRzf6NCERYOtqiNt+Qjne9HIYFrA+dB2+rPU=

SHA256 (go_modules/golang.org/x/crypto/@v/v0.28.0.zip) = lZrL41FEMMLACdyT8n5B3a1P7heKTGgMdTvAm10ud9A=

SHA256 (go_modules/golang.org/x/exp/@v/v0.0.0-20240506185415-9bf2ced13842.mod) = 5Bjsbat5ooeOZoZlE8Yfh7+BePhfy3h1Zwjv1jVYDKA=

@@ -96,8 +96,8 @@ SHA256 (go_modules/golang.org/x/mod/@v/v0.17.0.mod) = XErAMQolMwdXA5zPOpjnX+/by3

SHA256 (go_modules/golang.org/x/mod/@v/v0.17.0.zip) = py/lt5VUqJk9+VEtBeI3kI060LSAAcGrkrf6Uzns9EA=

SHA256 (go_modules/golang.org/x/net/@v/v0.30.0.mod) = cyMeKp5Xhgaj/n4ODJP/qWMavCAh96v6RCWGA4ZpCW8=

SHA256 (go_modules/golang.org/x/net/@v/v0.30.0.zip) = w1e3ec3AjQlS97rUxFzoQiO3xgBdd1gioXkBro9lu7o=

-SHA256 (go_modules/golang.org/x/sync/@v/v0.18.0.mod) = 0zPFS3SviguOx0jTfFly0nudCIueRci/XDq1INIRMJA=

-SHA256 (go_modules/golang.org/x/sync/@v/v0.18.0.zip) = k5oaVzzYPfVoNrY3BSpF9qYPeLhqWjdfwMbCmKhooU0=

+SHA256 (go_modules/golang.org/x/sync/@v/v0.19.0.mod) = 0zPFS3SviguOx0jTfFly0nudCIueRci/XDq1INIRMJA=

+SHA256 (go_modules/golang.org/x/sync/@v/v0.19.0.zip) = JSEf4s/9gCC7QFua23qQ9eBnYPKBi4+y50qqohpm7Z4=

SHA256 (go_modules/golang.org/x/sync/@v/v0.7.0.mod) = cA5dsA3SaqGaF9zl/FUkNtYPaMVgbIW4IfJMPWByoVE=

SHA256 (go_modules/golang.org/x/sys/@v/v0.0.0-20210514084401-e8d321eab015.mod) = 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ=

SHA256 (go_modules/golang.org/x/sys/@v/v0.0.0-20220811171246-fbc7d0a398ab.mod) = 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ=

@@ -114,7 +114,7 @@ SHA256 (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.mod)

SHA256 (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.zip) = ThgX+WTKNOVFuBr9oDJaXonPWN4uQT2CB8Cv3dD9wVw=

SHA256 (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.mod) = IVeYYKIDBvz0OxvSNNH7oxlJnHdhG3HAX5vzupDauTk=

SHA256 (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.zip) = qrj7xOYwDqCOav4crqGKIckMefSJ9SxT4vIEMfGpoBU=

-SHA256 (icingadb-1.5.0.zip) = sXqboDonPhhP1sNA9p9sIxdzAHa4cPjzPs/zet8Vtr4=

+SHA256 (icingadb-1.5.1.zip) = tDQbm5nIRuP21PS8J9VwvbN1gxdLHSOpEpF957IWOlI=

SIZE (go_modules/filippo.io/edwards25519/@v/v1.1.0.mod) = 40

SIZE (go_modules/filippo.io/edwards25519/@v/v1.1.0.zip) = 55809

SIZE (go_modules/github.com/!vivid!cortex/ewma/@v/v1.2.0.mod) = 44

@@ -155,8 +155,8 @@ SIZE (go_modules/github.com/google/go-cmp/@v/v0.7.0.mod) = 41

SIZE (go_modules/github.com/google/go-cmp/@v/v0.7.0.zip) = 130179

SIZE (go_modules/github.com/google/uuid/@v/v1.6.0.mod) = 30

SIZE (go_modules/github.com/google/uuid/@v/v1.6.0.zip) = 31981

-SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.mod) = 1245

-SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.zip) = 130783

+SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.mod) = 1245

+SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.zip) = 130821

SIZE (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.mod) = 79

SIZE (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.zip) = 78585

SIZE (go_modules/github.com/jmoiron/sqlx/@v/v1.4.0.mod) = 157

@@ -183,8 +183,8 @@ SIZE (go_modules/github.com/pkg/errors/@v/v0.9.1.mod) = 29

SIZE (go_modules/github.com/pkg/errors/@v/v0.9.1.zip) = 17866

SIZE (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.mod) = 37

SIZE (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.zip) = 12433

-SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.mod) = 635

-SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.zip) = 584449

+SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.mod) = 635

+SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.zip) = 5104265

SIZE (go_modules/github.com/rivo/uniseg/@v/v0.1.0.mod) = 39

SIZE (go_modules/github.com/rivo/uniseg/@v/v0.2.0.mod) = 39

SIZE (go_modules/github.com/rivo/uniseg/@v/v0.2.0.zip) = 45731

@@ -203,8 +203,8 @@ SIZE (go_modules/go.uber.org/goleak/@v/v1.3.0.zip) = 37573

SIZE (go_modules/go.uber.org/multierr/@v/v1.10.0.mod) = 228

SIZE (go_modules/go.uber.org/multierr/@v/v1.11.0.mod) = 228

SIZE (go_modules/go.uber.org/multierr/@v/v1.11.0.zip) = 25681

-SIZE (go_modules/go.uber.org/zap/@v/v1.27.0.mod) = 312

-SIZE (go_modules/go.uber.org/zap/@v/v1.27.0.zip) = 287887

+SIZE (go_modules/go.uber.org/zap/@v/v1.27.1.mod) = 312

+SIZE (go_modules/go.uber.org/zap/@v/v1.27.1.zip) = 289619

SIZE (go_modules/golang.org/x/crypto/@v/v0.28.0.mod) = 190

SIZE (go_modules/golang.org/x/crypto/@v/v0.28.0.zip) = 1790287

SIZE (go_modules/golang.org/x/exp/@v/v0.0.0-20240506185415-9bf2ced13842.mod) = 179

@@ -213,8 +213,8 @@ SIZE (go_modules/golang.org/x/mod/@v/v0.17.0.mod) = 84

SIZE (go_modules/golang.org/x/mod/@v/v0.17.0.zip) = 165172

SIZE (go_modules/golang.org/x/net/@v/v0.30.0.mod) = 155

SIZE (go_modules/golang.org/x/net/@v/v0.30.0.zip) = 1842318

-SIZE (go_modules/golang.org/x/sync/@v/v0.18.0.mod) = 36

-SIZE (go_modules/golang.org/x/sync/@v/v0.18.0.zip) = 25708

+SIZE (go_modules/golang.org/x/sync/@v/v0.19.0.mod) = 36

+SIZE (go_modules/golang.org/x/sync/@v/v0.19.0.zip) = 25714

SIZE (go_modules/golang.org/x/sync/@v/v0.7.0.mod) = 34

SIZE (go_modules/golang.org/x/sys/@v/v0.0.0-20210514084401-e8d321eab015.mod) = 33

SIZE (go_modules/golang.org/x/sys/@v/v0.0.0-20220811171246-fbc7d0a398ab.mod) = 33

@@ -231,4 +231,4 @@ SIZE (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.mod) =

SIZE (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.zip) = 39844

SIZE (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.mod) = 95

SIZE (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.zip) = 104623

-SIZE (icingadb-1.5.0.zip) = 3370896

+SIZE (icingadb-1.5.1.zip) = 3371200

diff --git modules.inc modules.inc

index b685a740c69..7d91dbdb84b 100644

--- modules.inc

+++ modules.inc

@@ -18,7 +18,7 @@ MODGO_MODULES = \

github.com/goccy/go-yaml v1.13.0 \

github.com/google/go-cmp v0.7.0 \

github.com/google/uuid v1.6.0 \

- github.com/icinga/icinga-go-library v0.8.1 \

+ github.com/icinga/icinga-go-library v0.8.2 \

github.com/jessevdk/go-flags v1.6.1 \

github.com/jmoiron/sqlx v1.4.0 \

github.com/kr/text v0.2.0 \

@@ -31,7 +31,7 @@ MODGO_MODULES = \

github.com/okzk/sdnotify v0.0.0-20180710141335-d9becc38acbd \

github.com/pkg/errors v0.9.1 \

github.com/pmezard/go-difflib v1.0.0 \

- github.com/redis/go-redis/v9 v9.16.0 \

+ github.com/redis/go-redis/v9 v9.17.2 \

github.com/rivo/uniseg v0.2.0 \

github.com/ssgreg/journald v1.0.0 \

github.com/stretchr/objx v0.5.2 \

@@ -39,12 +39,12 @@ MODGO_MODULES = \

github.com/vbauerster/mpb/v6 v6.0.4 \

go.uber.org/goleak v1.3.0 \

go.uber.org/multierr v1.11.0 \

- go.uber.org/zap v1.27.0 \

+ go.uber.org/zap v1.27.1 \

golang.org/x/crypto v0.28.0 \

golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 \

golang.org/x/mod v0.17.0 \

golang.org/x/net v0.30.0 \

- golang.org/x/sync v0.18.0 \

+ golang.org/x/sync v0.19.0 \

golang.org/x/sys v0.26.0 \

golang.org/x/text v0.19.0 \

golang.org/x/tools v0.21.0 \

diff --git patches/patch-cmd_icingadb_main_go patches/patch-cmd_icingadb_main_go

new file mode 100644

index 00000000000..846d0acbaab

--- /dev/null

+++ patches/patch-cmd_icingadb_main_go

@@ -0,0 +1,21 @@

+Index: cmd/icingadb/main.go

+--- cmd/icingadb/main.go.orig

++++ cmd/icingadb/main.go

+@@ -39,6 +39,8 @@ func main() {

+ }

+

+ func run() int {

++ initialPrivDrop()

++

+ cmd := command.New()

+

+ logs, err := logging.NewLoggingFromConfig(utils.AppName(), cmd.Config.Logging)

+@@ -54,6 +56,8 @@ func run() int {

+ defer func() { _ = logger.Sync() }()

+

+ logger.WithOptions(logs.ForceLog()).Infof("Starting Icinga DB daemon (%s)", internal.Version.Version)

++

++ privDrop(cmd, logger)

+

+ db, err := cmd.Database(logs.GetChildLogger("database"))

+ if err != nil {

diff --git patches/patch-cmd_icingadb_openbsd_go patches/patch-cmd_icingadb_openbsd_go

new file mode 100644

index 00000000000..839afae5168

--- /dev/null

+++ patches/patch-cmd_icingadb_openbsd_go

@@ -0,0 +1,87 @@

+Index: cmd/icingadb/openbsd.go

+--- cmd/icingadb/openbsd.go.orig

++++ cmd/icingadb/openbsd.go

+@@ -0,0 +1,83 @@

++package main

++

++import (

++ "fmt"

++ "maps"

++ "slices"

++ "strings"

++

++ "github.com/icinga/icinga-go-library/logging"

++ "github.com/icinga/icinga-go-library/utils"

++ "github.com/icinga/icingadb/internal/command"

++ "go.uber.org/zap"

++ "golang.org/x/sys/unix"

++)

++

++// initialPrivDrop applies a first pledge(2) promise.

++//

++// This function should be called first in main to start with restricted

++// privileges. After parsing the configuration, privDrop should be called to

++// perform further restrictions.

++func initialPrivDrop() {

++ // all possible promises which can be used later in privDrop, plus unveil.

++ promises := "stdio rpath inet unix dns unveil error"

++ if err := unix.PledgePromises(promises); err != nil {

++ panic(fmt.Sprintf("initial pledge(2) failed, %q: %v", promises, err))

++ }

++}

++

++// privDrop should be called after parsing command.Command.

++func privDrop(c *command.Command, l *logging.Logger) {

++ pledgePromises := map[string]struct{}{

++ "stdio": struct{}{},

++ "inet": struct{}{},

++ "dns": struct{}{},

++ "error": struct{}{},

++ }

++

++ unveilPaths := map[string]string{

++ // Special paths for the "dns" pledge promise from before OpenBSD 7.9.

++ "/etc/resolv.conf": "r",

++ "/etc/hosts": "r",

++ "/etc/services": "r",

++ "/etc/protocols": "r",

++ }

++

++ for _, host := range []string{c.Config.Database.Host, c.Config.Redis.Host} {

++ if !utils.IsUnixAddr(host) {

++ continue

++ }

++

++ pledgePromises["rpath"] = struct{}{}

++ pledgePromises["unix"] = struct{}{}

++ unveilPaths[host] = "rw"

++ }

++

++ if c.Flags.DatabaseAutoImport {

++ pledgePromises["rpath"] = struct{}{}

++ unveilPaths[c.Flags.DatabaseSchemaDir] = "r"

++ }

++

++ for path, permissions := range unveilPaths {

++ if err := unix.Unveil(path, permissions); err != nil {

++ l.Fatalw("Cannot unveil(2)",

++ zap.String("path", path),

++ zap.String("permissions", permissions),

++ zap.Error(err))

++ }

++ }

++ if err := unix.UnveilBlock(); err != nil {

++ l.Fatalw("Cannot block unveil(2)", zap.Error(err))

++ }

++

++ promises := strings.Join(slices.Collect(maps.Keys(pledgePromises)), " ")

++ if err := unix.PledgePromises(promises); err != nil {

++ l.Fatalw("Cannot pledge(2)",

++ zap.String("promises", promises),

++ zap.Error(err))

++ }

++

++ l.Infow("Dropped privileges with pledge(2) and unveil(2)",

++ zap.String("pledge", promises),

++ zap.Any("unveil", unveilPaths))

++}

OpenBSD Mail Box

Friday, March 27, 2026

Re: [maintainer update] net/icinga/icingadb: 1.5.1, pledge/unveil patch

No comments:

Post a Comment