pledge(2) bpf has been in use for some time now on tcpdump(8), this will enable
authormestre <mestre@openbsd.org>
Mon, 12 Jun 2017 23:37:44 +0000 (23:37 +0000)
committermestre <mestre@openbsd.org>
Mon, 12 Jun 2017 23:37:44 +0000 (23:37 +0000)
it also for pflogd(8)'s priv proc.

OK deraadt@

sbin/pflogd/privsep.c

index 9bef398..6b81bc6 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: privsep.c,v 1.24 2017/01/23 04:25:05 deraadt Exp $    */
+/*     $OpenBSD: privsep.c,v 1.25 2017/06/12 23:37:44 mestre Exp $     */
 
 /*
  * Copyright (c) 2003 Can Erkin Acar
@@ -118,12 +118,9 @@ priv_init(void)
        setproctitle("[priv]");
        close(socks[1]);
 
-
-#if notyet
-       /* This needs to do bpf ioctl */
        if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
                err(1, "pledge");
-#endif
+
        while (!gotsig_chld) {
                if (may_read(socks[0], &cmd, sizeof(int)))
                        break;
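Review bot: The now-active `pledge("stdio rpath wpath cpath sendfd proc bpf", NULL)` in priv_init() carries seven promises with no statement of which privileged request needs which one, and the removed `/* This needs to do bpf ioctl */` was the only rationale on the page. A short comment above the call would let a later reader tell a required promise from a leftover, for example `/* rpath/wpath/cpath: log file open and move; sendfd: hand fds to the child; bpf: bpf ioctl; proc: TODO confirm still needed */`. That mapping is inferred from the promise names, because the command handlers sit in the loop body that continues past the end of this hunk, so each entry should be checked against them. `proc` and `cpath` are the two most worth confirming, since this process keeps its privileges and anything unused in the list only widens what it can do if it is compromised.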