pledge bind(1), dig(1), and nslookup(1). This modifies the underlying

ISC library to use socket(2) with the SOCK_DNS flag.  As a result, the
port commands are disabled (such practice is rare in the wild these days,
and pretty incompatible with the DNS vs regular socket concept in pledge..)
ok bluhm phessler reyk, etc

diff --git a/usr.sbin/bind/bin/dig/dig.1 b/usr.sbin/bind/bin/dig/dig.1
index 52e423a..06180f0 100644 (file)
--- a/usr.sbin/bind/bin/dig/dig.1
+++ b/usr.sbin/bind/bin/dig/dig.1
@@ -33,7 +33,7 @@
 dig \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
 .HP 4
 \fBdig\fR [\fB\-h\fR]
 .HP 4
@@ -122,7 +122,7 @@ will perform a lookup for an A record.
 The
 \fB\-b\fR
 option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::".
 .PP
 The default query class (IN for internet) is overridden by the
 \fB\-c\fR
@@ -139,14 +139,6 @@ operate in batch mode by reading a list of lookup requests to process from the f
 \fBdig\fR
 using the command\-line interface.
 .PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
-.PP
 The
 \fB\-4\fR
 option forces

diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c
index 79402c6..156d1bc 100644 (file)
--- a/usr.sbin/bind/bin/dig/dig.c
+++ b/usr.sbin/bind/bin/dig/dig.c
@@ -21,6 +21,7 @@
 
 #include <config.h>
 #include <stdlib.h>
+#include <unistd.h>
 #include <time.h>
 #include <ctype.h>
 
@@ -1191,7 +1192,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
                strlcpy(keyfile, value, sizeof(keyfile));
                return (value_from_next);
        case 'p':
-               port = (in_port_t) parse_uint(value, "port number", MAXPORT);
+               fprintf(stderr, ";; Warning, -p option ignored\n");
+               /* port = (in_port_t) parse_uint(value, "port number", MAXPORT); */
                return (value_from_next);
        case 'q':
                if (!config_only) {
@@ -1753,6 +1755,9 @@ main(int argc, char **argv) {
        ISC_LIST_INIT(server_list);
        ISC_LIST_INIT(search_list);
 
+       if (pledge("stdio rpath dns", NULL) == -1)
+               perror("pledge");
+
        debug("main()");
        preparse_args(argc, argv);
        progname = argv[0];
@@ -1760,6 +1765,10 @@ main(int argc, char **argv) {
        check_result(result, "isc_app_start");
        setup_libs();
        parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
+
+       if (pledge("stdio dns", NULL) == -1)
+               perror("pledge");
+
        setup_system();
        if (domainopt[0] != '\0') {
                set_search_domain(domainopt);

diff --git a/usr.sbin/bind/bin/dig/host.c b/usr.sbin/bind/bin/dig/host.c
index 329689c..c272f6c 100644 (file)
--- a/usr.sbin/bind/bin/dig/host.c
+++ b/usr.sbin/bind/bin/dig/host.c
@@ -21,6 +21,7 @@
 
 #include <config.h>
 #include <stdlib.h>
+#include <unistd.h>
 #include <limits.h>
 
 #ifdef HAVE_LOCALE_H
@@ -838,6 +839,9 @@ main(int argc, char **argv) {
        idnoptions = IDN_ASCCHECK;
 #endif
 
+       if (pledge("stdio rpath dns inet", NULL) == -1)
+               perror("pledge");
+
        debug("main()");
        progname = argv[0];
        pre_parse_args(argc, argv);
@@ -845,6 +849,10 @@ main(int argc, char **argv) {
        check_result(result, "isc_app_start");
        setup_libs();
        parse_args(ISC_FALSE, argc, argv);
+
+       if (pledge("stdio dns", NULL) == -1)
+               perror("pledge");
+
        setup_system();
        result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
        check_result(result, "isc_app_onrun");

diff --git a/usr.sbin/bind/bin/dig/nslookup.1 b/usr.sbin/bind/bin/dig/nslookup.1
index b2d2147..dc611ab 100644 (file)
--- a/usr.sbin/bind/bin/dig/nslookup.1
+++ b/usr.sbin/bind/bin/dig/nslookup.1
@@ -189,14 +189,6 @@ If the lookup request contains at least one period but doesn't end with a traili
 (Default = search)
 .RE
 .PP
-\fBport=\fR\fIvalue\fR
-.RS 4
-Change the default TCP/UDP name server port to
-\fIvalue\fR.
-.sp
-(Default = 53; abbreviation = po)
-.RE
-.PP
 \fBquerytype=\fR\fIvalue\fR
 .RS 4
 .RE

diff --git a/usr.sbin/bind/bin/dig/nslookup.c b/usr.sbin/bind/bin/dig/nslookup.c
index f0d6c3d..d9a7085 100644 (file)
--- a/usr.sbin/bind/bin/dig/nslookup.c
+++ b/usr.sbin/bind/bin/dig/nslookup.c
@@ -20,6 +20,7 @@
 #include <config.h>
 
 #include <stdlib.h>
+#include <unistd.h>
 
 #include <arpa/nameser.h>
 
@@ -544,7 +545,8 @@ set_port(const char *value) {
        isc_uint32_t n;
        isc_result_t result = parse_uint(&n, value, 65535, "port");
        if (result == ISC_R_SUCCESS)
-               port = (isc_uint16_t) n;
+               port = 0; /* (isc_uint16_t) n;*/
+       printf("The port command has been disabled.\n");
 }
 
 static void
@@ -865,9 +867,15 @@ main(int argc, char **argv) {
        result = isc_app_start();
        check_result(result, "isc_app_start");
 
+       if (pledge("stdio rpath dns", NULL) == -1)
+               perror("pledge");
+
        setup_libs();
        progname = argv[0];
 
+       if (pledge("stdio dns", NULL) == -1)
+               perror("pledge");
+
        parse_args(argc, argv);
 
        setup_system();

diff --git a/usr.sbin/bind/lib/isc/unix/net.c b/usr.sbin/bind/lib/isc/unix/net.c
index f974ab5..f5e2793 100644 (file)
--- a/usr.sbin/bind/lib/isc/unix/net.c
+++ b/usr.sbin/bind/lib/isc/unix/net.c
@@ -62,7 +62,7 @@ try_proto(int domain) {
        isc_result_t result = ISC_R_SUCCESS;
        char strbuf[ISC_STRERRORSIZE];
 
-       s = socket(domain, SOCK_STREAM, 0);
+       s = socket(domain, SOCK_STREAM | SOCK_DNS, 0);
        if (s == -1) {
                switch (errno) {
 #ifdef EAFNOSUPPORT
@@ -196,7 +196,7 @@ try_ipv6only(void) {
        return;
 #else
        /* check for TCP sockets */
-       s = socket(PF_INET6, SOCK_STREAM, 0);
+       s = socket(PF_INET6, SOCK_STREAM | SOCK_DNS, 0);
        if (s == -1) {
                isc__strerror(errno, strbuf, sizeof(strbuf));
                UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -219,7 +219,7 @@ try_ipv6only(void) {
        close(s);
 
        /* check for UDP sockets */
-       s = socket(PF_INET6, SOCK_DGRAM, 0);
+       s = socket(PF_INET6, SOCK_DGRAM | SOCK_DNS, 0);
        if (s == -1) {
                isc__strerror(errno, strbuf, sizeof(strbuf));
                UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -271,7 +271,7 @@ try_ipv6pktinfo(void) {
        }
 
        /* we only use this for UDP sockets */
-       s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+       s = socket(PF_INET6, SOCK_DGRAM | SOCK_DNS, IPPROTO_UDP);
        if (s == -1) {
                isc__strerror(errno, strbuf, sizeof(strbuf));
                UNEXPECTED_ERROR(__FILE__, __LINE__,

diff --git a/usr.sbin/bind/lib/isc/unix/socket.c b/usr.sbin/bind/lib/isc/unix/socket.c
index fc300ba..98bf327 100644 (file)
--- a/usr.sbin/bind/lib/isc/unix/socket.c
+++ b/usr.sbin/bind/lib/isc/unix/socket.c
@@ -1503,10 +1503,10 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
  again:
        switch (type) {
        case isc_sockettype_udp:
-               sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
+               sock->fd = socket(pf, SOCK_DGRAM | SOCK_DNS, IPPROTO_UDP);
                break;
        case isc_sockettype_tcp:
-               sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
+               sock->fd = socket(pf, SOCK_STREAM | SOCK_DNS, IPPROTO_TCP);
                break;
        case isc_sockettype_unix:
                sock->fd = socket(pf, SOCK_STREAM, 0);