1 files changed, 30 insertions, 11 deletions
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index 58d8a545..1390a03e 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -277,15 +277,6 @@ typedef struct {
        check_icmp_config config;
 } check_icmp_config_wrapper;
 check_icmp_config_wrapper process_arguments(int argc, char **argv) {
-        /* get calling name the old-fashioned way for portability instead
-         * of relying on the glibc-ism __progname */
-        char *ptr = strrchr(argv[0], '/');
-        if (ptr) {
-                progname = &ptr[1];
-        } else {
-                progname = argv[0];
-        }
        check_icmp_config_wrapper result = {
                .errorcode = OK,
                .config = check_icmp_config_init(),
@@ -821,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz
 }
 int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+        /* - rpath is required to read --extra-opts (given up later)
+         * - inet is required for sockets
+         * - dns is required for name lookups (given up later)
+         * - id is required for temporary privilege drops in configparsing and for
+         *   permanent privilege dropping after opening the socket (given up later) */
+        pledge("stdio rpath inet dns id", NULL);
+#endif // __OpenBSD__
        setlocale(LC_ALL, "");
        bindtextdomain(PACKAGE, LOCALEDIR);
        textdomain(PACKAGE);
@@ -828,6 +828,14 @@ int main(int argc, char **argv) {
        /* POSIXLY_CORRECT might break things, so unset it (the portable way) */
        environ = NULL;
+        /* determine program- and service-name quickly */
+        progname = strrchr(argv[0], '/');
+        if (progname != NULL) {
+                progname++;
+        } else {
+                progname = argv[0];
+        }
        /* Parse extra opts if any */
        argv = np_extra_opts(&argc, argv, progname);
@@ -837,6 +845,10 @@ int main(int argc, char **argv) {
                crash("failed to parse config");
        }
+#ifdef __OpenBSD__
+        pledge("stdio inet dns id", NULL);
+#endif // __OpenBSD__
        const check_icmp_config config = tmp_config.config;
        if (config.output_format_is_set) {
@@ -899,6 +911,10 @@ int main(int argc, char **argv) {
                return 1;
        }
+#ifdef __OpenBSD__
+        pledge("stdio inet", NULL);
+#endif // __OpenBSD__
        if (sockset.socket4) {
                int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));
                if (debug) {
@@ -1470,10 +1486,13 @@ static recvfrom_wto_wrapper recvfrom_wto(const check_icmp_socket_set sockset, vo
        };
        ssize_t ret;
-        if (FD_ISSET(sockset.socket4, &read_fds)) {
+        // Test explicitly whether sockets are in use
+        // this is necessary at least on OpenBSD where FD_ISSET will segfault otherwise
+        if ((sockset.socket4 != -1) && FD_ISSET(sockset.socket4, &read_fds)) {
                ret = recvmsg(sockset.socket4, &hdr, 0);
                result.recv_proto = AF_INET;
-        } else if (FD_ISSET(sockset.socket6, &read_fds)) {
+        } else if ((sockset.socket6 != -1) && FD_ISSET(sockset.socket6, &read_fds)) {
                ret = recvmsg(sockset.socket6, &hdr, 0);
                result.recv_proto = AF_INET6;
        } else {

diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index 58d8a545..1390a03e 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c
@@ -277,15 +277,6 @@ typedef struct {
277	check_icmp_config config;	277	check_icmp_config config;
278	} check_icmp_config_wrapper;	278	} check_icmp_config_wrapper;
279	check_icmp_config_wrapper process_arguments(int argc, char **argv) {	279	check_icmp_config_wrapper process_arguments(int argc, char **argv) {
280	/* get calling name the old-fashioned way for portability instead
281	* of relying on the glibc-ism __progname */
282	char *ptr = strrchr(argv[0], '/');
283	if (ptr) {
284	progname = &ptr[1];
285	} else {
286	progname = argv[0];
287	}
288
289	check_icmp_config_wrapper result = {	280	check_icmp_config_wrapper result = {
290	.errorcode = OK,	281	.errorcode = OK,
291	.config = check_icmp_config_init(),	282	.config = check_icmp_config_init(),
@@ -821,6 +812,15 @@ void parse_address(const struct sockaddr_storage addr, char dst, socklen_t siz
821	}	812	}
822		813
823	int main(int argc, char **argv) {	814	int main(int argc, char **argv) {
		815	#ifdef __OpenBSD__
		816	/* - rpath is required to read --extra-opts (given up later)
		817	* - inet is required for sockets
		818	* - dns is required for name lookups (given up later)
		819	* - id is required for temporary privilege drops in configparsing and for
		820	* permanent privilege dropping after opening the socket (given up later) */
		821	pledge("stdio rpath inet dns id", NULL);
		822	#endif // __OpenBSD__
		823
824	setlocale(LC_ALL, "");	824	setlocale(LC_ALL, "");
825	bindtextdomain(PACKAGE, LOCALEDIR);	825	bindtextdomain(PACKAGE, LOCALEDIR);
826	textdomain(PACKAGE);	826	textdomain(PACKAGE);
@@ -828,6 +828,14 @@ int main(int argc, char **argv) {
828	/* POSIXLY_CORRECT might break things, so unset it (the portable way) */	828	/* POSIXLY_CORRECT might break things, so unset it (the portable way) */
829	environ = NULL;	829	environ = NULL;
830		830
		831	/* determine program- and service-name quickly */
		832	progname = strrchr(argv[0], '/');
		833	if (progname != NULL) {
		834	progname++;
		835	} else {
		836	progname = argv[0];
		837	}
		838
831	/* Parse extra opts if any */	839	/* Parse extra opts if any */
832	argv = np_extra_opts(&argc, argv, progname);	840	argv = np_extra_opts(&argc, argv, progname);
833		841
@@ -837,6 +845,10 @@ int main(int argc, char **argv) {
837	crash("failed to parse config");	845	crash("failed to parse config");
838	}	846	}
839		847
		848	#ifdef __OpenBSD__
		849	pledge("stdio inet dns id", NULL);
		850	#endif // __OpenBSD__
		851
840	const check_icmp_config config = tmp_config.config;	852	const check_icmp_config config = tmp_config.config;
841		853
842	if (config.output_format_is_set) {	854	if (config.output_format_is_set) {
@@ -899,6 +911,10 @@ int main(int argc, char **argv) {
899	return 1;	911	return 1;
900	}	912	}
901		913
		914	#ifdef __OpenBSD__
		915	pledge("stdio inet", NULL);
		916	#endif // __OpenBSD__
		917
902	if (sockset.socket4) {	918	if (sockset.socket4) {
903	int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));	919	int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));
904	if (debug) {	920	if (debug) {
@@ -1470,10 +1486,13 @@ static recvfrom_wto_wrapper recvfrom_wto(const check_icmp_socket_set sockset, vo
1470	};	1486	};
1471		1487
1472	ssize_t ret;	1488	ssize_t ret;
1473	if (FD_ISSET(sockset.socket4, &read_fds)) {	1489
		1490	// Test explicitly whether sockets are in use
		1491	// this is necessary at least on OpenBSD where FD_ISSET will segfault otherwise
		1492	if ((sockset.socket4 != -1) && FD_ISSET(sockset.socket4, &read_fds)) {
1474	ret = recvmsg(sockset.socket4, &hdr, 0);	1493	ret = recvmsg(sockset.socket4, &hdr, 0);
1475	result.recv_proto = AF_INET;	1494	result.recv_proto = AF_INET;
1476	} else if (FD_ISSET(sockset.socket6, &read_fds)) {	1495	} else if ((sockset.socket6 != -1) && FD_ISSET(sockset.socket6, &read_fds)) {
1477	ret = recvmsg(sockset.socket6, &hdr, 0);	1496	ret = recvmsg(sockset.socket6, &hdr, 0);
1478	result.recv_proto = AF_INET6;	1497	result.recv_proto = AF_INET6;
1479	} else {	1498	} else {