From: "Theo de Raadt"
Subject: Re: [patch] allow IP_RECVIF setsockopt with inet pledge
To: Matthew Luckie, tech@openbsd.org
Date: Fri, 17 Apr 2026 09:25:41 -0600

Stuart Henderson wrote:
> On 2026/04/16 08:25, Matthew Luckie wrote:
> > Hi,
> >
> > I have written a small program that runs unprivileged that uses
> > IP_RECVIF to obtain the interface a UDP datagram arrives on. I would
> > like to be able to pledge("inet stdio") but pledge does not allow
> > IP_RECVIF. I think it should be able to -- pledge_sockopt() allows
> > the equivalent functionality provided by IPV6_RECVPKTINFO.
>
> Adding this makes sense to me. While some software using this is able
> to do it during init before pledging (e.g. ripd) that doesn't really
> make sense for simpler software where this might be wanted, and as you
> say, IPV6_RECVPKTINFO is allowed already.
>
> Does anyone disagree? If not, any thoughts on timing before/after
> release?

I thought IPV6_RECVPKTINFO was allowed to permit privsep of some dns tools.

It is always tricky. pledge is trying to do TWO things.

1. limit the kernel API that a program can do, by creating a line which
satisfies MOST programs, not ALL programs.

2. limit the internal kernel code that is reachable by an external program.

This proposal is that all pledge "inet" programs should be able to do that
sockopt operation. The line keeps being pushed so that "inet" means doing
more and more and more.

Secondly, kernel code does run when that happens. So the line protecting
the kernel keeps being pushed so that more and more kernel code is reachable.

I am not thrilled by this scope creep. I never said all programs could be
pledged.

There is a separate concern that the sockopt function is a mess. It is a
sequence of special cases that are almost impossible to reason about, so it
allows things it should not. I have a draft rewriting it using a collection
of white-list table entries but it will take a while before I can show it.
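The thread mentions the approach ripd takes: issue the setsockopt during init, then pledge. The program below is an added example (not code from the thread, from OpenBSD or from any of the posters) showing that ordering for a UDP receiver that wants the arrival interface. It requests IP_RECVIF before calling pledge("inet stdio"), so it works regardless of whether pledge_sockopt() admits IP_RECVIF after the pledge. Everything under the non-OpenBSD branch is an assumption: on Linux, IP_PKTINFO is used as the equivalent control message and pledge() is treated as a no-op. Function names (open_recvif_socket, restrict_process, recv_ifindex, recvif_selftest) and the "probe" payload are the example's own.

```c
#define _GNU_SOURCE            /* struct in_pktinfo on glibc (Linux fallback) */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __OpenBSD__
#include <net/if_dl.h>         /* struct sockaddr_dl carried by IP_RECVIF */
#endif

/* Init phase: open a UDP socket bound to 127.0.0.1 on an ephemeral port and
 * enable per-datagram interface reporting.  This setsockopt() runs BEFORE
 * the process is pledged, the ordering the thread describes for ripd. */
static int
open_recvif_socket(struct sockaddr_in *bound)
{
	int fd, on = 1;
	socklen_t len = sizeof(*bound);
	struct timeval tv = { 2, 0 };

	if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return -1;
#ifdef __OpenBSD__
	if (setsockopt(fd, IPPROTO_IP, IP_RECVIF, &on, sizeof(on)) == -1)
		goto fail;
#else
	/* Assumption: a non-OpenBSD build is Linux, where IP_PKTINFO is the
	 * equivalent control message. */
	if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on)) == -1)
		goto fail;
#endif
	/* bound the receive wait so a lost datagram cannot hang the caller */
	if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == -1)
		goto fail;
	memset(bound, 0, sizeof(*bound));
	bound->sin_family = AF_INET;
	bound->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	bound->sin_port = 0;                     /* kernel picks the port */
	if (bind(fd, (struct sockaddr *)bound, sizeof(*bound)) == -1 ||
	    getsockname(fd, (struct sockaddr *)bound, &len) == -1)
		goto fail;
	return fd;
fail:
	close(fd);
	return -1;
}

/* Once init is done, restrict the process.  On OpenBSD this is the pledge
 * the original poster wants; elsewhere there is nothing to do (assumption). */
static int
restrict_process(void)
{
#ifdef __OpenBSD__
	return pledge("inet stdio", NULL);
#else
	return 0;
#endif
}

/* Receive one datagram and return the index of the interface it arrived on
 * (> 0), 0 if the kernel attached no interface information, -1 on error. */
static int
recv_ifindex(int fd, char *buf, size_t buflen)
{
	char cbuf[256];                          /* room for the control message */
	struct iovec iov = { buf, buflen };
	struct msghdr msg;
	struct cmsghdr *cm;

	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf;
	msg.msg_controllen = sizeof(cbuf);
	if (recvmsg(fd, &msg, 0) == -1)
		return -1;
	for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
		if (cm->cmsg_level != IPPROTO_IP)
			continue;
#ifdef __OpenBSD__
		if (cm->cmsg_type == IP_RECVIF)  /* payload is a sockaddr_dl */
			return ((struct sockaddr_dl *)CMSG_DATA(cm))->sdl_index;
#else
		if (cm->cmsg_type == IP_PKTINFO) {
			struct in_pktinfo pi;
			memcpy(&pi, CMSG_DATA(cm), sizeof(pi));
			return pi.ipi_ifindex;
		}
#endif
	}
	return 0;
}

/* Self-test: send a constructed datagram to our own bound address and report
 * the interface index the kernel attaches to it (loopback, so nonzero). */
int
recvif_selftest(void)
{
	struct sockaddr_in me;
	char buf[64];
	const char probe[] = "probe";            /* constructed payload */
	int fd, idx;

	if ((fd = open_recvif_socket(&me)) == -1)
		return -1;
	if (restrict_process() == -1 ||
	    sendto(fd, probe, sizeof(probe), 0,
	    (struct sockaddr *)&me, sizeof(me)) == -1) {
		close(fd);
		return -1;
	}
	idx = recv_ifindex(fd, buf, sizeof(buf));
	close(fd);
	return idx;
}

int
main(void)
{
	int idx = recvif_selftest();

	if (idx <= 0) {
		perror("recvif_selftest");
		return 1;
	}
	printf("datagram arrived on interface index %d\n", idx);
	return 0;
}
```

The point of the ordering is that the only privileged-looking call, the setsockopt, happens while the process is still unpledged; after pledge("inet stdio") the program needs nothing beyond recvmsg, sendto and close, which "inet" and "stdio" already cover. This is the workaround available today; the patch under discussion would make it unnecessary for programs that cannot arrange their socket setup before pledging.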