From cef40299a93233f043f5b0821a9ad2c69dd612f7 Mon Sep 17 00:00:00 2001 From: Alvar Date: Fri, 6 Feb 2026 11:58:38 +0000 Subject: OpenBSD: pledge(2) some network-facing checks (#2225) OpenBSD's pledge(2) system call allows the current process to self-restrict itself, being reduced to promised pledges. For example, unless a process says it wants to write to files, it is not allowed to do so any longer. This change starts by calling pledge(2) in some network-facing checks, removing the more dangerous privileges, such as executing other files. My initial motivation came from check_icmp, being installed as a setuid binary and (temporarily) running with root privileges. There, the pledge(2) calls result in check_icmp to only being allowed to interact with the network and to setuid(2) to the calling user later on. Afterwards, I went through my most commonly used monitoring plugins directly interacting with the network. Thus, I continued with pledge(2)-ing check_curl - having a huge codebase and all -, check_ntp_time, check_smtp, check_ssh, and check_tcp. For most of those, the changes were quite similar: start with network-friendly promises, parse the configuration, give up file access, and proceed with the actual check. --- plugins-root/check_icmp.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'plugins-root') diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index e536e31c..1390a03e 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c @@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz } int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - dns is required for name lookups (given up later) + * - id is required for temporary privilege drops in configparsing and for + * permanent privilege dropping after opening the socket (given up later) */ + pledge("stdio rpath inet dns id", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -836,6 +845,10 @@ int main(int argc, char **argv) { crash("failed to parse config"); } +#ifdef __OpenBSD__ + pledge("stdio inet dns id", NULL); +#endif // __OpenBSD__ + const check_icmp_config config = tmp_config.config; if (config.output_format_is_set) { @@ -898,6 +911,10 @@ int main(int argc, char **argv) { return 1; } +#ifdef __OpenBSD__ + pledge("stdio inet", NULL); +#endif // __OpenBSD__ + if (sockset.socket4) { int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl)); if (debug) { -- cgit v1.2.3-74-g34f1