gotwebd unix pledge
Technically, gotwebd should be using the "unix" pledge in order to handle connections on unix sockets. It we could get away with just the "inet" pledge but it seems better to separate them out. ok? set gotwebd pledges according to address families of listening sockets
M gotwebd/sockets.c | 33+ 14-
1 file changed, 33 insertions(+), 14 deletions(-)
commit - 0f01ac5d813fe34a941ee33dbb19dba78ddbe966
commit + 4f9a4abfcfb2b9851f36cd66733f03bde9a3bf25
blob - 0ddf1e382eb72e1f455b15c2ed1acf5408748f83
blob + 3f08a56f0b9ca5a5fd22a10070173bdc336f570e
--- gotwebd/sockets.c
+++ gotwebd/sockets.c
@@ -114,7 +114,7 @@ sockets(struct gotwebd *env, int fd)
 signal_add(&sigterm, NULL);
 #ifndef PROFILE
- if (pledge("stdio inet recvfd sendfd", NULL) == -1)
+ if (pledge("stdio inet unix recvfd sendfd", NULL) == -1)
 fatal("pledge");
 #endif
@@ -188,6 +188,7 @@ static void
 sockets_launch(struct gotwebd *env)
 {
 struct socket *sock;
+ int have_unix = 0, have_inet = 0;
 if (env->iev_gotweb == NULL)
 fatal("gotweb process not connected");
@@ -196,6 +197,27 @@ sockets_launch(struct gotwebd *env)
 log_info("%s: configuring socket %d (%d)", __func__, sock->conf.id, sock->fd);
+ switch (sock->conf.af_type) {
+ case AF_UNIX:
+ if (listen(sock->fd, SOCKS_BACKLOG) == -1) {
+ fatal("cannot listen on %s",
+ sock->conf.unix_socket_name);
+ }
+ have_unix = 1;
+ break;
+ case AF_INET:
+ case AF_INET6:
+ if (listen(sock->fd, SOMAXCONN) == -1) {
+ fatal("cannot listen on %s",
+ sock->conf.addr.ifname);
+ }
+ have_inet = 1;
+ break;
+ default:
+ fatalx("unsupported address family type %d",
+ sock->conf.af_type);
+ }
+
 event_set(&sock->ev, sock->fd, EV_READ | EV_PERSIST, sockets_socket_accept, sock);
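Review bot: The widened promise string in sockets() has no comment saying why both "inet" and "unix" are granted here, and the reason is only visible two hunks later, where listen() moves into sockets_launch(). Assuming sockets_launch() runs after this pledge (it later narrows the set by dropping recvfd), a short comment above the call would stop a later cleanup from trimming "unix" again, e.g. `/* listen() happens in sockets_launch(); keep both families until it narrows the pledge */`. The body of sockets() continues outside this hunk.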
@@ -209,8 +231,16 @@ sockets_launch(struct gotwebd *env)
 }
 #ifndef PROFILE
- if (pledge("stdio inet sendfd", NULL) == -1)
- fatal("pledge");
+ if (have_unix && have_inet) {
+ if (pledge("stdio inet unix sendfd", NULL) == -1)
+ fatal("pledge");
+ } else if (have_unix) {
+ if (pledge("stdio unix sendfd", NULL) == -1)
+ fatal("pledge");
+ } else if (have_inet) {
+ if (pledge("stdio inet sendfd", NULL) == -1)
+ fatal("pledge");
+ }
 #endif
 event_add(&env->iev_gotweb->ev, NULL);
@@ -481,11 +511,6 @@ sockets_unix_socket_listen(struct gotwebd *env, struct
 return -1;
 }
- if (listen(u_fd, SOCKS_BACKLOG) == -1) {
- log_warn("%s: listen", __func__);
- return -1;
- }
-
 return u_fd;
 }
@@ -523,12 +548,6 @@ sockets_create_socket(struct address *a)
 return -1;
 }
- if (listen(fd, SOMAXCONN) == -1) {
- log_warn("%s, unable to listen on socket", __func__);
- close(fd);
- return -1;
- }
-
 return (fd);
 }
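Review bot: When neither have_unix nor have_inet is set, the if/else-if chain at the end of sockets_launch() never calls pledge(), so the process keeps the wider set promised in sockets() ("stdio inet unix recvfd sendfd"), including recvfd. Whether the socket list can be empty at this point is not visible in the hunk, but a final branch closes the gap either way: `} else if (pledge("stdio sendfd", NULL) == -1)` followed by `fatal("pledge");`, or a `fatalx()` if having no listeners is a configuration error. Selecting the promise string first and calling pledge() once would also keep the failure path in a single place. sockets_launch() begins outside this hunk.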
gotwebd unix pledge