From: deraadt Date: Sun, 18 Oct 2015 00:04:43 +0000 (+0000) Subject: Add two new system calls: dnssocket() and dnsconnect(). This creates a X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e29e7853b9819d33dfe8bbc5433ec3538624ec73;p=openbsd Add two new system calls: dnssocket() and dnsconnect(). This creates a SS_DNS tagged socket which has limited functionality (for example, you cannot accept on them...) The libc resolver will switch to using these, therefore pledge can identify a DNS transaction better. ok tedu guenther kettenis beck and others --- diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c index a3f8a09b14e..0779155354c 100644 --- a/sys/kern/kern_pledge.c +++ b/sys/kern/kern_pledge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_pledge.c,v 1.48 2015/10/17 23:50:04 deraadt Exp $ */ +/* $OpenBSD: kern_pledge.c,v 1.49 2015/10/18 00:04:43 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -141,10 +142,10 @@ const u_int pledge_syscalls[SYS_MAXSYSCALL] = { [SYS_socketpair] = PLEDGE_RW, [SYS_getdents] = PLEDGE_RW, - [SYS_sendto] = PLEDGE_RW | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, + [SYS_sendto] = PLEDGE_RW | PLEDGE_YP_ACTIVE, [SYS_sendmsg] = PLEDGE_RW, [SYS_recvmsg] = PLEDGE_RW, - [SYS_recvfrom] = PLEDGE_RW | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, + [SYS_recvfrom] = PLEDGE_RW | PLEDGE_YP_ACTIVE, [SYS_fork] = PLEDGE_PROC, [SYS_vfork] = PLEDGE_PROC, @@ -226,8 +227,12 @@ const u_int pledge_syscalls[SYS_MAXSYSCALL] = { [SYS_lchown] = PLEDGE_FATTR, [SYS_fchown] = PLEDGE_FATTR, - [SYS_socket] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, - [SYS_connect] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, + /* XXX remove PLEDGE_DNS from socket/connect in 1 week */ + [SYS_socket] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS | PLEDGE_YP_ACTIVE, + [SYS_connect] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS | PLEDGE_YP_ACTIVE, + + [SYS_dnssocket] = PLEDGE_DNS, + [SYS_dnsconnect] = PLEDGE_DNS, [SYS_listen] = PLEDGE_INET | PLEDGE_UNIX, [SYS_bind] = PLEDGE_INET | PLEDGE_UNIX, @@ -253,7 +258,7 @@ static const struct { { "tmppath", PLEDGE_SELF | PLEDGE_RW | PLEDGE_TMPPATH }, { "inet", PLEDGE_SELF | PLEDGE_RW | PLEDGE_INET }, { "unix", PLEDGE_SELF | PLEDGE_RW | PLEDGE_UNIX }, - { "dns", PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_DNSPATH }, + { "dns", PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_DNS }, { "getpw", PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_RW | PLEDGE_GETPW }, { "sendfd", PLEDGE_RW | PLEDGE_SENDFD }, { "recvfd", PLEDGE_RW | PLEDGE_RECVFD }, @@ -572,11 +577,9 @@ pledge_namei(struct proc *p, char *origpath) /* DNS needs /etc/{resolv.conf,hosts,services}. */ if ((p->p_pledgenote == TMN_RPATH) && - (p->p_p->ps_pledge & PLEDGE_DNSPATH)) { - if (strcmp(path, "/etc/resolv.conf") == 0) { - p->p_pledgeafter |= TMA_DNSRESOLV; + (p->p_p->ps_pledge & PLEDGE_DNS)) { + if (strcmp(path, "/etc/resolv.conf") == 0) return (0); - } if (strcmp(path, "/etc/hosts") == 0) return (0); if (strcmp(path, "/etc/services") == 0) @@ -617,12 +620,9 @@ pledge_namei(struct proc *p, char *origpath) case SYS_stat: /* DNS needs /etc/resolv.conf. */ if ((p->p_pledgenote == TMN_RPATH) && - (p->p_p->ps_pledge & PLEDGE_DNSPATH)) { - if (strcmp(path, "/etc/resolv.conf") == 0) { - p->p_pledgeafter |= TMA_DNSRESOLV; - return (0); - } - } + (p->p_p->ps_pledge & PLEDGE_DNS) && + strcmp(path, "/etc/resolv.conf") == 0) + return (0); break; } @@ -714,8 +714,6 @@ pledge_aftersyscall(struct proc *p, int code, int error) { if ((p->p_pledgeafter & TMA_YPLOCK) && error == 0) atomic_setbits_int(&p->p_p->ps_pledge, PLEDGE_YP_ACTIVE | PLEDGE_INET); - if ((p->p_pledgeafter & TMA_DNSRESOLV) && error == 0) - atomic_setbits_int(&p->p_p->ps_pledge, PLEDGE_DNS_ACTIVE); } /* @@ -939,6 +937,7 @@ pledge_chown_check(struct proc *p, uid_t uid, gid_t gid) { if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); + if (uid != -1 && uid != p->p_ucred->cr_uid) return (EPERM); if (gid != -1 && !groupmember(gid, p->p_ucred)) @@ -960,77 +959,44 @@ pledge_adjtime_check(struct proc *p, const void *v) } int -pledge_connect_check(struct proc *p) +pledge_recvit_check(struct proc *p, const void *from) { if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE)) - return (0); /* A port check happens inside sys_connect() */ - if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) - return (0); - return (EPERM); -} - -int -pledge_recvfrom_check(struct proc *p, void *v) -{ - struct sockaddr *from = v; - - if ((p->p_p->ps_flags & PS_PLEDGE) == 0) - return (0); - - if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && from == NULL) - return (0); - if (p->p_p->ps_pledge & PLEDGE_INET) - return (0); - if (p->p_p->ps_pledge & PLEDGE_UNIX) - return (0); + return (0); /* may use address */ if (from == NULL) - return (0); /* behaves just like write */ + return (0); /* behaves just like read */ return (EPERM); } int -pledge_sendto_check(struct proc *p, const void *v) +pledge_sendit_check(struct proc *p, const void *to) { - const struct sockaddr *to = v; - if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && to == NULL) - return (0); - - if ((p->p_p->ps_pledge & PLEDGE_INET)) - return (0); - if ((p->p_p->ps_pledge & PLEDGE_UNIX)) - return (0); + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) + return (0); /* may use address */ if (to == NULL) return (0); /* behaves just like write */ return (EPERM); } -int -pledge_socket_check(struct proc *p, int domain) -{ - if ((p->p_p->ps_flags & PS_PLEDGE) == 0) - return (0); - if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) - return (0); - if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && - (domain == AF_INET || domain == AF_INET6)) - return (0); - return (EPERM); -} - int pledge_ioctl_check(struct proc *p, long com, void *v) { struct file *fp = v; struct vnode *vp = NULL; + if (fp->f_type == DTYPE_SOCKET) { + struct socket *so = fp->f_data; + + if (so->so_state & SS_DNS) + return (EINVAL); + } + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); @@ -1231,7 +1197,7 @@ pledge_dns_check(struct proc *p, in_port_t port) if ((p->p_p->ps_pledge & PLEDGE_INET)) return (0); - if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && port == htons(53)) + if ((p->p_p->ps_pledge & PLEDGE_DNS) && port == htons(53)) return (0); /* Allow a DNS connect outbound */ return (EPERM); } @@ -1241,6 +1207,7 @@ pledge_flock_check(struct proc *p) { if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); + if ((p->p_p->ps_pledge & PLEDGE_FLOCK)) return (0); return (pledge_fail(p, EPERM, PLEDGE_FLOCK)); diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master index 31dfa063d50..5dfb3d5a563 100644 --- a/sys/kern/syscalls.master +++ b/sys/kern/syscalls.master @@ -1,4 +1,4 @@ -; $OpenBSD: syscalls.master,v 1.162 2015/10/09 01:10:27 deraadt Exp $ +; $OpenBSD: syscalls.master,v 1.163 2015/10/18 00:04:43 deraadt Exp $ ; $NetBSD: syscalls.master,v 1.32 1996/04/23 10:24:21 mycroft Exp $ ; @(#)syscalls.master 8.2 (Berkeley) 1/13/94 @@ -297,8 +297,9 @@ 156 OBSOL ogetdirentries 157 OBSOL statfs25 158 OBSOL fstatfs25 -159 UNIMPL -160 UNIMPL +159 STD { int sys_dnsconnect(int s, const struct sockaddr *name, \ + socklen_t namelen); } +160 STD { int sys_dnssocket(int domain, int type, int protocol); } 161 STD { int sys_getfh(const char *fname, fhandle_t *fhp); } 162 OBSOL ogetdomainname 163 OBSOL osetdomainname diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index be46da89863..bd6793ded0f 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_syscalls.c,v 1.113 2015/10/16 14:04:11 semarie Exp $ */ +/* $OpenBSD: uipc_syscalls.c,v 1.114 2015/10/18 00:04:43 deraadt Exp $ */ /* $NetBSD: uipc_syscalls.c,v 1.19 1996/02/09 19:00:48 christos Exp $ */ /* @@ -64,9 +64,23 @@ extern struct fileops socketops; int copyaddrout(struct proc *, struct mbuf *, struct sockaddr *, socklen_t, socklen_t *); +int socketit(struct proc *p, void *v, register_t *retval, int); +int connectit(struct proc *p, void *v, register_t *retval, int); + +int +sys_dnssocket(struct proc *p, void *v, register_t *retval) +{ + return socketit(p, v, retval, 1); +} int sys_socket(struct proc *p, void *v, register_t *retval) +{ + return socketit(p, v, retval, 0); +} + +int +socketit(struct proc *p, void *v, register_t *retval, int dns) { struct sys_socket_args /* { syscallarg(int) domain; @@ -77,10 +91,11 @@ sys_socket(struct proc *p, void *v, register_t *retval) struct socket *so; struct file *fp; int type = SCARG(uap, type); + int domain = SCARG(uap, domain); int fd, error; - if (pledge_socket_check(p, SCARG(uap, domain))) - return (pledge_fail(p, EPERM, PLEDGE_UNIX)); + if (dns && !(domain == AF_INET || domain == AF_INET6)) + return (EINVAL); fdplock(fdp); error = falloc(p, &fp, &fd); @@ -104,6 +119,8 @@ sys_socket(struct proc *p, void *v, register_t *retval) fp->f_data = so; if (type & SOCK_NONBLOCK) (*fp->f_ops->fo_ioctl)(fp, FIONBIO, (caddr_t)&type, p); + if (dns) + so->so_state |= SS_DNS; FILE_SET_MATURE(fp, p); *retval = fd; } @@ -111,6 +128,13 @@ out: return (error); } +static inline int +isdnssocket(struct socket *so) +{ + return (so->so_state & SS_DNS); +} + + /* ARGSUSED */ int sys_bind(struct proc *p, void *v, register_t *retval) @@ -126,6 +150,10 @@ sys_bind(struct proc *p, void *v, register_t *retval) if ((error = getsock(p, SCARG(uap, s), &fp)) != 0) return (error); + if (isdnssocket((struct socket *)fp->f_data)) { + FRELE(fp, p); + return (EINVAL); + } error = sockargs(&nam, SCARG(uap, name), SCARG(uap, namelen), MT_SONAME); if (error == 0) { @@ -204,6 +232,10 @@ doaccept(struct proc *p, int sock, struct sockaddr *name, socklen_t *anamelen, return (error); if ((error = getsock(p, sock, &fp)) != 0) return (error); + if (isdnssocket((struct socket *)fp->f_data)) { + error = EINVAL; + goto bad; + } headfp = fp; s = splsoftnet(); head = fp->f_data; @@ -305,9 +337,22 @@ bad: return (error); } +/* ARGSUSED */ +int +sys_dnsconnect(struct proc *p, void *v, register_t *retval) +{ + return connectit(p, v, retval, 1); +} + /* ARGSUSED */ int sys_connect(struct proc *p, void *v, register_t *retval) +{ + return connectit(p, v, retval, 0); +} + +int +connectit(struct proc *p, void *v, register_t *retval, int dns) { struct sys_connect_args /* { syscallarg(int) s; @@ -319,12 +364,14 @@ sys_connect(struct proc *p, void *v, register_t *retval) struct mbuf *nam = NULL; int error, s; - if (pledge_connect_check(p)) - return (pledge_fail(p, EPERM, PLEDGE_UNIX)); - if ((error = getsock(p, SCARG(uap, s), &fp)) != 0) return (error); so = fp->f_data; + if ((dns && !isdnssocket(so)) || (!dns && isdnssocket(so))) { + FRELE(fp, p); + return EINVAL; + } + if ((so->so_state & SS_NBIO) && (so->so_state & SS_ISCONNECTING)) { FRELE(fp, p); return (EALREADY); @@ -462,9 +509,6 @@ sys_sendto(struct proc *p, void *v, register_t *retval) struct msghdr msg; struct iovec aiov; - if (pledge_sendto_check(p, SCARG(uap, to))) - return (pledge_fail(p, EPERM, PLEDGE_UNIX)); - msg.msg_name = (caddr_t)SCARG(uap, to); msg.msg_namelen = SCARG(uap, tolen); msg.msg_iov = &aiov; @@ -496,9 +540,6 @@ sys_sendmsg(struct proc *p, void *v, register_t *retval) ktrmsghdr(p, &msg); #endif - if (pledge_sendto_check(p, msg.msg_name)) - return (pledge_fail(p, EPERM, PLEDGE_UNIX)); - if (msg.msg_iovlen > IOV_MAX) return (EMSGSIZE); if (msg.msg_iovlen > UIO_SMALLIOV) @@ -542,6 +583,15 @@ sendit(struct proc *p, int s, struct msghdr *mp, int flags, register_t *retsize) if ((error = getsock(p, s, &fp)) != 0) return (error); + if (mp->msg_name && isdnssocket((struct socket *)fp->f_data)) { + error = EINVAL; + goto bad; + } + if (pledge_sendit_check(p, mp->msg_name)) { + error = pledge_fail(p, EPERM, PLEDGE_RW); + goto bad; + } + auio.uio_iov = mp->msg_iov; auio.uio_iovcnt = mp->msg_iovlen; auio.uio_segflg = UIO_USERSPACE; @@ -642,9 +692,6 @@ sys_recvfrom(struct proc *p, void *v, register_t *retval) struct iovec aiov; int error; - if (pledge_recvfrom_check(p, SCARG(uap, from))) - return (pledge_fail(p, EPERM, PLEDGE_UNIX)); - if (SCARG(uap, fromlenaddr)) { error = copyin(SCARG(uap, fromlenaddr), &msg.msg_namelen, sizeof (msg.msg_namelen)); @@ -679,9 +726,6 @@ sys_recvmsg(struct proc *p, void *v, register_t *retval) if (error) return (error); - if (pledge_recvfrom_check(p, msg.msg_name)) - return (pledge_fail(p, EPERM, PLEDGE_UNIX)); - if (msg.msg_iovlen > IOV_MAX) return (EMSGSIZE); if (msg.msg_iovlen > UIO_SMALLIOV) @@ -733,6 +777,15 @@ recvit(struct proc *p, int s, struct msghdr *mp, caddr_t namelenp, if ((error = getsock(p, s, &fp)) != 0) return (error); + if (mp->msg_name && isdnssocket((struct socket *)fp->f_data)) { + FRELE(fp, p); + return (EINVAL); + } + if (pledge_recvit_check(p, mp->msg_name)) { + FRELE(fp, p); + return (pledge_fail(p, EPERM, PLEDGE_RW)); + } + auio.uio_iov = mp->msg_iov; auio.uio_iovcnt = mp->msg_iovlen; auio.uio_segflg = UIO_USERSPACE; @@ -880,11 +933,17 @@ sys_setsockopt(struct proc *p, void *v, register_t *retval) struct mbuf *m = NULL; int error; - if (pledge_setsockopt_check(p, SCARG(uap, level), SCARG(uap, name))) - return (pledge_fail(p, EPERM, PLEDGE_INET)); if ((error = getsock(p, SCARG(uap, s), &fp)) != 0) return (error); + if (isdnssocket((struct socket *)fp->f_data)) { + error = EINVAL; + goto bad; + } + if (pledge_setsockopt_check(p, SCARG(uap, level), SCARG(uap, name))) { + error = pledge_fail(p, EPERM, PLEDGE_INET); + goto bad; + } if (SCARG(uap, valsize) > MCLBYTES) { error = EINVAL; goto bad; @@ -936,6 +995,10 @@ sys_getsockopt(struct proc *p, void *v, register_t *retval) if ((error = getsock(p, SCARG(uap, s), &fp)) != 0) return (error); + if (isdnssocket((struct socket *)fp->f_data)) { + error = EINVAL; + goto out; + } if (SCARG(uap, val)) { error = copyin(SCARG(uap, avalsize), &valsize, sizeof (valsize)); diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index ed4fd8b9a06..cbdae4dcfd6 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.181 2015/10/09 01:10:27 deraadt Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.182 2015/10/18 00:04:43 deraadt Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -456,7 +456,7 @@ in_pcbconnect(struct inpcb *inp, struct mbuf *nam) return (EADDRNOTAVAIL); if (pledge_dns_check(p, sin->sin_port)) - return (pledge_fail(p, EPERM, PLEDGE_DNSPATH)); + return (pledge_fail(p, EPERM, PLEDGE_DNS)); error = in_selectsrc(&ina, sin, inp->inp_moptions, &inp->inp_route, &inp->inp_laddr, inp->inp_rtableid); diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index efca7525384..e9e785035ad 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in6_pcb.c,v 1.77 2015/10/15 10:27:18 vgross Exp $ */ +/* $OpenBSD: in6_pcb.c,v 1.78 2015/10/18 00:04:43 deraadt Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -404,7 +404,7 @@ in6_pcbconnect(struct inpcb *inp, struct mbuf *nam) return (EADDRNOTAVAIL); if (pledge_dns_check(p, sin6->sin6_port)) - return (pledge_fail(p, EPERM, PLEDGE_DNSPATH)); + return (pledge_fail(p, EPERM, PLEDGE_DNS)); /* reject IPv4 mapped address, we have no support for it */ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h index e7b78b7acd0..7d2d46e5630 100644 --- a/sys/sys/pledge.h +++ b/sys/sys/pledge.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pledge.h,v 1.5 2015/10/17 04:31:07 deraadt Exp $ */ +/* $OpenBSD: pledge.h,v 1.6 2015/10/18 00:04:43 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -27,7 +27,7 @@ #define PLEDGE_SELF 0x00000001 /* operate on own pid */ #define PLEDGE_RW 0x00000002 /* basic io operations */ #define PLEDGE_MALLOC 0x00000004 /* enough for malloc */ -#define PLEDGE_DNSPATH 0x00000008 /* access to DNS pathnames */ +#define PLEDGE_DNS 0x00000008 /* DNS services */ #define PLEDGE_RPATH 0x00000010 /* allow open for read */ #define PLEDGE_WPATH 0x00000020 /* allow open for write */ #define PLEDGE_TMPPATH 0x00000040 /* for mk*temp() */ @@ -54,7 +54,6 @@ * Not user settable. Should be moved to a seperate variable */ #define PLEDGE_USERSET 0x0fffffff #define PLEDGE_YP_ACTIVE 0x10000000 /* YP use detected and allowed */ -#define PLEDGE_DNS_ACTIVE 0x20000000 /* DNS use detected and allowed */ int pledge_check(struct proc *, int); int pledge_fail(struct proc *, int, int); @@ -67,9 +66,8 @@ int pledge_cmsg_recv(struct proc *p, struct mbuf *control); int pledge_sysctl_check(struct proc *p, int namelen, int *name, void *new); int pledge_chown_check(struct proc *p, uid_t, gid_t); int pledge_adjtime_check(struct proc *p, const void *v); -int pledge_recvfrom_check(struct proc *p, void *from); -int pledge_sendto_check(struct proc *p, const void *to); -int pledge_connect_check(struct proc *p); +int pledge_recvit_check(struct proc *p, const void *from); +int pledge_sendit_check(struct proc *p, const void *to); int pledge_socket_check(struct proc *p, int domain); int pledge_setsockopt_check(struct proc *p, int level, int optname); int pledge_dns_check(struct proc *p, in_port_t port); diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 831c43fff7f..b90021e7836 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: proc.h,v 1.207 2015/10/10 14:46:15 deraadt Exp $ */ +/* $OpenBSD: proc.h,v 1.208 2015/10/18 00:04:43 deraadt Exp $ */ /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */ /*- @@ -336,7 +336,6 @@ struct proc { #define TMN_COREDUMP 0x00000020 int p_pledgeafter; #define TMA_YPLOCK 0x00000001 -#define TMA_DNSRESOLV 0x00000002 #ifndef __HAVE_MD_TCB void *p_tcb; /* user-space thread-control-block address */ diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h index f1a4278a223..53981d6a965 100644 --- a/sys/sys/socketvar.h +++ b/sys/sys/socketvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: socketvar.h,v 1.58 2015/01/19 19:57:59 guenther Exp $ */ +/* $OpenBSD: socketvar.h,v 1.59 2015/10/18 00:04:43 deraadt Exp $ */ /* $NetBSD: socketvar.h,v 1.18 1996/02/09 18:25:38 christos Exp $ */ /*- @@ -146,6 +146,7 @@ struct socket { #define SS_ASYNC 0x200 /* async i/o notify */ #define SS_CONNECTOUT 0x1000 /* connect, not accept, at this end */ #define SS_ISSENDING 0x2000 /* hint for lower layer */ +#define SS_DNS 0x4000 /* created using dnssocket() */ #ifdef _KERNEL /*