From: David Gwynne <david@gwynne.id.au>
Subject: Re: [patch] allow IP_RECVIF setsockopt with inet pledge
To: Matthew Luckie <mjl@luckie.org.nz>
Cc: OpenBSD Tech <tech@openbsd.org>
Date: Sat, 18 Apr 2026 14:11:22 +1000

> On 18 Apr 2026, at 03:00, Matthew Luckie <mjl@luckie.org.nz> wrote:
> 
> On Fri, Apr 17, 2026 at 11:33:16AM +0100, Stuart Henderson wrote:
>> On 2026/04/16 08:25, Matthew Luckie wrote:
>>> Hi,
>>> 
>>> I have written a small program that runs unprivileged that uses
>>> IP_RECVIF to obtain the interface a UDP datagram arrives on.  I would
>>> like to be able to pledge("inet stdio") but pledge does not allow
>>> IP_RECVIF.  I think it should be able to -- pledge_sockopt() allows
>>> the equivalent functionality provided by IPV6_RECVPKTINFO.
>> 
>> Adding this makes sense to me. While some software using this is able
>> to do it during init before pledging (e.g. ripd) that doesn't really
>> make sense for simpler software where this might be wanted, and as you
>> say, IPV6_RECVPKTINFO is allowed already.
> 
> The model of setting IP_RECVIF at init before pledging works for my
> current use case as well.  I should have thought more carefully about
> that.  So, I don't need the patch to kern_pledge.c given other concerns
> in this thread.  Sorry for the noise (but hopefully the ip.4 patch is
> still useful)

my 2c reflects what you just figured out here.

IP_RECVIF makes the most sense on "listening" datagram sockets, so setting that up at bind time and before pledge is reasonable.
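
The ordering discussed in this thread, as an added example that is not code from any of the posters or from the OpenBSD tree: the socket gets IP_RECVIF and is bound first, pledge("inet stdio") comes last, and recvmsg(2) then reads the interface index from the control message. The function names listener_init and recv_ifindex are hypothetical; the #ifdef guards are an assumption so the file also builds on systems that lack IP_RECVIF or pledge(2).

```c
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#ifdef IP_RECVIF		/* option is not present on every platform */
#include <net/if_dl.h>		/* struct sockaddr_dl */
#endif

/* Socket setup: setsockopt(2) and bind(2) first, pledge(2) last. */
int listener_init(in_port_t port) {
	struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
	int ok = 1, s = socket(AF_INET, SOCK_DGRAM, 0);
	/* wildcard bind: datagrams may arrive on any interface */
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
#ifdef IP_RECVIF
	int on = 1;
	ok = s != -1 && setsockopt(s, IPPROTO_IP, IP_RECVIF, &on, sizeof(on)) == 0;
#endif
	ok = ok && s != -1 && bind(s, (struct sockaddr *)&sin, sizeof(sin)) == 0;
#ifdef __OpenBSD__		/* promises as quoted in the thread */
	ok = ok && pledge("inet stdio", NULL) == 0;
#endif
	if (!ok && s != -1)
		close(s);
	return ok ? s : -1;
}

/* Returns the arrival interface index, 0 if none was reported, -1 on error. */
int recv_ifindex(int s, void *buf, size_t len) {
	union { struct cmsghdr hdr; char space[256]; } cbuf;
	struct iovec iov = { buf, len };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
	    .msg_control = &cbuf, .msg_controllen = sizeof(cbuf) };
	struct cmsghdr *c;
	if (recvmsg(s, &msg, 0) == -1)
		return -1;
	for (c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
#ifdef IP_RECVIF
		struct sockaddr_dl sdl = { 0 };
		size_t n = c->cmsg_len - CMSG_LEN(0);
		if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_RECVIF)
			continue;
		/* the kernel may send a sockaddr_dl shorter than sizeof(sdl) */
		memcpy(&sdl, CMSG_DATA(c), n < sizeof(sdl) ? n : sizeof(sdl));
		return sdl.sdl_index;
#endif
	}
	return 0;
}
```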