iked hereby pledges that it will run with restricted system
author    reyk <reyk@openbsd.org>
          Thu, 22 Oct 2015 15:55:18 +0000 (15:55 +0000)
committer reyk <reyk@openbsd.org>
          Thu, 22 Oct 2015 15:55:18 +0000 (15:55 +0000)
commit    ebfc369325d2c22f833acf029b45694846aba023
tree      b1ce3b6fb1b0e0402b50495252c0b929d1992a81
parent    8fbc817b0246653533d86ed4e0a18ccb6c4d5d8b
iked hereby pledges that it will run with restricted system
operations.  This adds pledge(2) to all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability.  There haven't been any serious problems as it
was already sane (e.g. by receiving the PFKEYv2 and UDP sockets via fd
passing).  The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@
sbin/iked/ca.c
sbin/iked/control.c
sbin/iked/iked.c
sbin/iked/iked.h
sbin/iked/ikev2.c
sbin/iked/proc.c
sbin/iked/types.h