From d6e4895121b7ea1b0fd504e70367bd12dde8039d Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 9 Nov 2022 22:25:08 +0000
Subject: [PATCH] Some limited setsockopt/getsockopt are allowed in pledge "stdio". Also allow IPPROTO_TCP:TCP_NODELAY It is very small kernel code, and will allow some software to drop "inet" requested by djm
---
 sys/kern/kern_pledge.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index e78f941cb77..af2a80cd8d7 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_pledge.c,v 1.297 2022/11/08 19:17:58 robert Exp $	*/
+/*	$OpenBSD: kern_pledge.c,v 1.298 2022/11/09 22:25:08 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Nicholas Marriott
@@ -1374,6 +1374,11 @@ pledge_sockopt(struct proc *p, int set, int level, int optname)
 			return (0);
 		}
 		break;
+	case IPPROTO_TCP:
+		switch (optname) {
+		case TCP_NODELAY:
+			return (0);
+		break;
 	}
 
 	if ((pledge & PLEDGE_WROUTE)) {
@@ -1426,7 +1431,6 @@ pledge_sockopt(struct proc *p, int set, int level, int optname)
 	switch (level) {
 	case IPPROTO_TCP:
 		switch (optname) {
-		case TCP_NODELAY:
 		case TCP_MD5SIG:
 		case TCP_SACK_ENABLE:
 		case TCP_MAXSEG:
-- 
2.20.1
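Review bot: The new IPPROTO_TCP case added to the unconditional allowlist in the second hunk appears to be missing the closing brace of its inner `switch (optname)`: as displayed, `+ return (0);` is followed directly by `+ break;` and then the pre-existing `}`, which would close the inner switch and leave the outer `switch (level)` open (this may be an artifact of how the patch text was flattened rather than the committed code; if so, disregard). The expected shape is `case TCP_NODELAY:` / `return (0);` / `}` / `break;`, mirroring the preceding case that ends with `}` and `break;`. The branch also returns 0 without consulting `set`, so the option is permitted for both getsockopt and setsockopt under "stdio"; since this widens what every stdio-pledged process may do, a one-line comment such as `/* TCP_NODELAY only tunes an already-open socket; harmless without "inet" */` would record the rationale in the code rather than only in the commit message. The removal of TCP_NODELAY from the PLEDGE_INET list in the third hunk is consistent with this new early return. pledge_sockopt's body starts and ends outside the hunk.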