diff options
| author | Alvar <post@0x21.biz> | 2026-02-06 11:58:38 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-02-06 12:58:38 +0100 |
| commit | cef40299a93233f043f5b0821a9ad2c69dd612f7 (patch) | |
| tree | b95f8b83f49cf3fc811c19d5bf9e02f2f4e232c2 | |
| parent | fe4c82ea6fe37ef24d1726ebe83fac3e2bd581fe (diff) | |
| download | monitoring-plugins-cef40299a93233f043f5b0821a9ad2c69dd612f7.tar.gz | |
OpenBSD: pledge(2) some network-facing checks (#2225)
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
| -rw-r--r-- | plugins-root/check_icmp.c | 17 | ||||
| -rw-r--r-- | plugins/check_curl.c | 17 | ||||
| -rw-r--r-- | plugins/check_ntp_time.c | 12 | ||||
| -rw-r--r-- | plugins/check_smtp.c | 12 | ||||
| -rw-r--r-- | plugins/check_ssh.c | 12 | ||||
| -rw-r--r-- | plugins/check_tcp.c | 12 |
6 files changed, 82 insertions, 0 deletions
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index e536e31c..1390a03e 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c | |||
| @@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz | |||
| 812 | } | 812 | } |
| 813 | 813 | ||
| 814 | int main(int argc, char **argv) { | 814 | int main(int argc, char **argv) { |
| 815 | #ifdef __OpenBSD__ | ||
| 816 | /* - rpath is required to read --extra-opts (given up later) | ||
| 817 | * - inet is required for sockets | ||
| 818 | * - dns is required for name lookups (given up later) | ||
| 819 | * - id is required for temporary privilege drops in configparsing and for | ||
| 820 | * permanent privilege dropping after opening the socket (given up later) */ | ||
| 821 | pledge("stdio rpath inet dns id", NULL); | ||
| 822 | #endif // __OpenBSD__ | ||
| 823 | |||
| 815 | setlocale(LC_ALL, ""); | 824 | setlocale(LC_ALL, ""); |
| 816 | bindtextdomain(PACKAGE, LOCALEDIR); | 825 | bindtextdomain(PACKAGE, LOCALEDIR); |
| 817 | textdomain(PACKAGE); | 826 | textdomain(PACKAGE); |
| @@ -836,6 +845,10 @@ int main(int argc, char **argv) { | |||
| 836 | crash("failed to parse config"); | 845 | crash("failed to parse config"); |
| 837 | } | 846 | } |
| 838 | 847 | ||
| 848 | #ifdef __OpenBSD__ | ||
| 849 | pledge("stdio inet dns id", NULL); | ||
| 850 | #endif // __OpenBSD__ | ||
| 851 | |||
| 839 | const check_icmp_config config = tmp_config.config; | 852 | const check_icmp_config config = tmp_config.config; |
| 840 | 853 | ||
| 841 | if (config.output_format_is_set) { | 854 | if (config.output_format_is_set) { |
| @@ -898,6 +911,10 @@ int main(int argc, char **argv) { | |||
| 898 | return 1; | 911 | return 1; |
| 899 | } | 912 | } |
| 900 | 913 | ||
| 914 | #ifdef __OpenBSD__ | ||
| 915 | pledge("stdio inet", NULL); | ||
| 916 | #endif // __OpenBSD__ | ||
| 917 | |||
| 901 | if (sockset.socket4) { | 918 | if (sockset.socket4) { |
| 902 | int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl)); | 919 | int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl)); |
| 903 | if (debug) { | 920 | if (debug) { |
diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 1dec8a2a..19d36237 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
| @@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_ | |||
| 120 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ | 120 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ |
| 121 | 121 | ||
| 122 | int main(int argc, char **argv) { | 122 | int main(int argc, char **argv) { |
| 123 | #ifdef __OpenBSD__ | ||
| 124 | /* - rpath is required to read --extra-opts, CA and/or client certs | ||
| 125 | * - wpath is required to write --cookie-jar (possibly given up later) | ||
| 126 | * - inet is required for sockets | ||
| 127 | * - dns is required for name lookups */ | ||
| 128 | pledge("stdio rpath wpath inet dns", NULL); | ||
| 129 | #endif // __OpenBSD__ | ||
| 130 | |||
| 123 | setlocale(LC_ALL, ""); | 131 | setlocale(LC_ALL, ""); |
| 124 | bindtextdomain(PACKAGE, LOCALEDIR); | 132 | bindtextdomain(PACKAGE, LOCALEDIR); |
| 125 | textdomain(PACKAGE); | 133 | textdomain(PACKAGE); |
| @@ -135,6 +143,15 @@ int main(int argc, char **argv) { | |||
| 135 | 143 | ||
| 136 | const check_curl_config config = tmp_config.config; | 144 | const check_curl_config config = tmp_config.config; |
| 137 | 145 | ||
| 146 | #ifdef __OpenBSD__ | ||
| 147 | if (!config.curl_config.cookie_jar_file) { | ||
| 148 | if (verbose >= 2) { | ||
| 149 | printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n")); | ||
| 150 | } | ||
| 151 | pledge("stdio rpath inet dns", NULL); | ||
| 152 | } | ||
| 153 | #endif // __OpenBSD__ | ||
| 154 | |||
| 138 | if (config.output_format_is_set) { | 155 | if (config.output_format_is_set) { |
| 139 | mp_set_format(config.output_format); | 156 | mp_set_format(config.output_format); |
| 140 | } | 157 | } |
diff --git a/plugins/check_ntp_time.c b/plugins/check_ntp_time.c index 9e0beb9c..afa6d16c 100644 --- a/plugins/check_ntp_time.c +++ b/plugins/check_ntp_time.c | |||
| @@ -661,6 +661,14 @@ static check_ntp_time_config_wrapper process_arguments(int argc, char **argv) { | |||
| 661 | } | 661 | } |
| 662 | 662 | ||
| 663 | int main(int argc, char *argv[]) { | 663 | int main(int argc, char *argv[]) { |
| 664 | #ifdef __OpenBSD__ | ||
| 665 | /* - rpath is required to read --extra-opts (given up later) | ||
| 666 | * - inet is required for sockets | ||
| 667 | * - unix is required for Unix domain sockets | ||
| 668 | * - dns is required for name lookups */ | ||
| 669 | pledge("stdio rpath inet unix dns", NULL); | ||
| 670 | #endif // __OpenBSD__ | ||
| 671 | |||
| 664 | setlocale(LC_ALL, ""); | 672 | setlocale(LC_ALL, ""); |
| 665 | bindtextdomain(PACKAGE, LOCALEDIR); | 673 | bindtextdomain(PACKAGE, LOCALEDIR); |
| 666 | textdomain(PACKAGE); | 674 | textdomain(PACKAGE); |
| @@ -674,6 +682,10 @@ int main(int argc, char *argv[]) { | |||
| 674 | usage4(_("Could not parse arguments")); | 682 | usage4(_("Could not parse arguments")); |
| 675 | } | 683 | } |
| 676 | 684 | ||
| 685 | #ifdef __OpenBSD__ | ||
| 686 | pledge("stdio inet unix dns", NULL); | ||
| 687 | #endif // __OpenBSD__ | ||
| 688 | |||
| 677 | const check_ntp_time_config config = tmp_config.config; | 689 | const check_ntp_time_config config = tmp_config.config; |
| 678 | 690 | ||
| 679 | if (config.output_format_is_set) { | 691 | if (config.output_format_is_set) { |
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index e8c35f58..03335665 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c | |||
| @@ -100,6 +100,14 @@ static int my_close(int /*socket_descriptor*/); | |||
| 100 | static int verbose = 0; | 100 | static int verbose = 0; |
| 101 | 101 | ||
| 102 | int main(int argc, char **argv) { | 102 | int main(int argc, char **argv) { |
| 103 | #ifdef __OpenBSD__ | ||
| 104 | /* - rpath is required to read --extra-opts (given up later) | ||
| 105 | * - inet is required for sockets | ||
| 106 | * - unix is required for Unix domain sockets | ||
| 107 | * - dns is required for name lookups */ | ||
| 108 | pledge("stdio rpath inet unix dns", NULL); | ||
| 109 | #endif // __OpenBSD__ | ||
| 110 | |||
| 103 | setlocale(LC_ALL, ""); | 111 | setlocale(LC_ALL, ""); |
| 104 | bindtextdomain(PACKAGE, LOCALEDIR); | 112 | bindtextdomain(PACKAGE, LOCALEDIR); |
| 105 | textdomain(PACKAGE); | 113 | textdomain(PACKAGE); |
| @@ -113,6 +121,10 @@ int main(int argc, char **argv) { | |||
| 113 | usage4(_("Could not parse arguments")); | 121 | usage4(_("Could not parse arguments")); |
| 114 | } | 122 | } |
| 115 | 123 | ||
| 124 | #ifdef __OpenBSD__ | ||
| 125 | pledge("stdio inet unix dns", NULL); | ||
| 126 | #endif // __OpenBSD__ | ||
| 127 | |||
| 116 | const check_smtp_config config = tmp_config.config; | 128 | const check_smtp_config config = tmp_config.config; |
| 117 | 129 | ||
| 118 | if (config.output_format_is_set) { | 130 | if (config.output_format_is_set) { |
diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c index f6c8d551..84b70a53 100644 --- a/plugins/check_ssh.c +++ b/plugins/check_ssh.c | |||
| @@ -61,6 +61,14 @@ static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_v | |||
| 61 | char *remote_protocol); | 61 | char *remote_protocol); |
| 62 | 62 | ||
| 63 | int main(int argc, char **argv) { | 63 | int main(int argc, char **argv) { |
| 64 | #ifdef __OpenBSD__ | ||
| 65 | /* - rpath is required to read --extra-opts (given up later) | ||
| 66 | * - inet is required for sockets | ||
| 67 | * - unix is required for Unix domain sockets | ||
| 68 | * - dns is required for name lookups */ | ||
| 69 | pledge("stdio rpath inet unix dns", NULL); | ||
| 70 | #endif // __OpenBSD__ | ||
| 71 | |||
| 64 | setlocale(LC_ALL, ""); | 72 | setlocale(LC_ALL, ""); |
| 65 | bindtextdomain(PACKAGE, LOCALEDIR); | 73 | bindtextdomain(PACKAGE, LOCALEDIR); |
| 66 | textdomain(PACKAGE); | 74 | textdomain(PACKAGE); |
| @@ -74,6 +82,10 @@ int main(int argc, char **argv) { | |||
| 74 | usage4(_("Could not parse arguments")); | 82 | usage4(_("Could not parse arguments")); |
| 75 | } | 83 | } |
| 76 | 84 | ||
| 85 | #ifdef __OpenBSD__ | ||
| 86 | pledge("stdio inet unix dns", NULL); | ||
| 87 | #endif // __OpenBSD__ | ||
| 88 | |||
| 77 | check_ssh_config config = tmp_config.config; | 89 | check_ssh_config config = tmp_config.config; |
| 78 | 90 | ||
| 79 | mp_check overall = mp_check_init(); | 91 | mp_check overall = mp_check_init(); |
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index 09806373..430f1218 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c | |||
| @@ -89,6 +89,14 @@ const int DEFAULT_NNTPS_PORT = 563; | |||
| 89 | const int DEFAULT_CLAMD_PORT = 3310; | 89 | const int DEFAULT_CLAMD_PORT = 3310; |
| 90 | 90 | ||
| 91 | int main(int argc, char **argv) { | 91 | int main(int argc, char **argv) { |
| 92 | #ifdef __OpenBSD__ | ||
| 93 | /* - rpath is required to read --extra-opts (given up later) | ||
| 94 | * - inet is required for sockets | ||
| 95 | * - unix is required for Unix domain sockets | ||
| 96 | * - dns is required for name lookups */ | ||
| 97 | pledge("stdio rpath inet unix dns", NULL); | ||
| 98 | #endif // __OpenBSD__ | ||
| 99 | |||
| 92 | setlocale(LC_ALL, ""); | 100 | setlocale(LC_ALL, ""); |
| 93 | bindtextdomain(PACKAGE, LOCALEDIR); | 101 | bindtextdomain(PACKAGE, LOCALEDIR); |
| 94 | textdomain(PACKAGE); | 102 | textdomain(PACKAGE); |
| @@ -216,6 +224,10 @@ int main(int argc, char **argv) { | |||
| 216 | usage4(_("Could not parse arguments")); | 224 | usage4(_("Could not parse arguments")); |
| 217 | } | 225 | } |
| 218 | 226 | ||
| 227 | #ifdef __OpenBSD__ | ||
| 228 | pledge("stdio inet unix dns", NULL); | ||
| 229 | #endif // __OpenBSD__ | ||
| 230 | |||
| 219 | config = paw.config; | 231 | config = paw.config; |
| 220 | 232 | ||
| 221 | if (verbosity > 0) { | 233 | if (verbosity > 0) { |