Skip to content

pledge: DNS in Go program without CGO fails on setsockopt #627

New issue
New issue
Closed
Closed
pledge: DNS in Go program without CGO fails on setsockopt#627
Labels
acceptedWe intend to address this issue.
@shoenig

Description

@shoenig
shoenig
opened on Sep 17, 2022

I've been messing around with pledge.com (amazing by the way, thank you!), and ran into a case where AFAICT no promise is enough to enable DNS in a Go program compiled without CGO enabled. Ran into this while trying to run the traefik webserver, but here's a toy example for reproduction.

program

package main

import (
	"fmt"	
	"net"
)

func main() {
	addrs, err := net.LookupHost("example.com")
	fmt.Println("addrs:", addrs, "err", err)
}

building

CGO_ENABLED=0 go build

run normally

./dnstest 
addrs: [93.184.216.34 2606:2800:220:1:248:1893:25c8:1946] err <nil>

run with minimal(?) promises

pledge-1.7.com -p 'stdio rpath inet unix dns' ./dnstest
SIGSYS: bad system call
PC=0x4026ae m=3 sigcode=1

goroutine 6 [syscall]:
syscall.Syscall6(0xc0000c4120?, 0x47f58b?, 0x7f7367b12800?, 0xc0000c4138?, 0x4128c6?, 0x7f7367b12a00?, 0x7f736796abb8?)
	/opt/google/go/src/syscall/syscall_linux.go:90 +0x36 fp=0xc0000c40e8 sp=0xc0000c4060 pc=0x47fcd6
syscall.setsockopt(0xc0000c41a0?, 0x4133f0?, 0xc0000c4180?, 0x4bbacb?, 0x7f7367d09fff?)
	/opt/google/go/src/syscall/zsyscall_linux_amd64.go:1470 +0x39 fp=0xc0000c4138 sp=0xc0000c40e8 pc=0x47f499
syscall.SetsockoptInt(...)
	/opt/google/go/src/syscall/syscall_unix.go:458
net.setDefaultSockopts(0x7f7367b12b00?, 0x7f7367b12a00?, 0xc0000c41e8?, 0x6b?)
	/opt/google/go/src/net/sockopt_linux.go:21 +0xb3 fp=0xc0000c4190 sp=0xc0000c4138 pc=0x4bda13
net.socket({0x510348, 0xc000108000}, {0x4e89ef, 0x3}, 0x2, 0x2, 0x7f736796aaa8?, 0x10?, {0x5104b8, 0x0}, ...)
	/opt/google/go/src/net/sock_posix.go:23 +0x99 fp=0xc0000c4240 sp=0xc0000c4190 pc=0x4bc119
net.internetSocket({0x510348, 0xc000108000}, {0x4e89ef, 0x3}, {0x5104b8, 0x0}, {0x5104b8, 0xc000102060}, 0x4d24a0?, 0x0, ...)
	/opt/google/go/src/net/ipsock_posix.go:142 +0xf8 fp=0xc0000c42c0 sp=0xc0000c4240 pc=0x4b5cf8
net.(*sysDialer).dialUDP(0x5d4c97?, {0x510348?, 0xc000108000?}, 0xc0000c4380?, 0x464825?)
	/opt/google/go/src/net/udpsock_posix.go:206 +0x7d fp=0xc0000c4340 sp=0xc0000c42c0 pc=0x4bf5bd
net.(*sysDialer).dialSingle(0xc000112000, {0x510348, 0xc000108000}, {0x510198?, 0xc000102060})
	/opt/google/go/src/net/dial.go:585 +0x2f4 fp=0xc0000c4410 sp=0xc0000c4340 pc=0x4a64b4
net.(*sysDialer).dialSerial(0xc000112000, {0x510348, 0xc000108000}, {0xc00010a020?, 0x1, 0x7f7367b12900?})
	/opt/google/go/src/net/dial.go:550 +0x312 fp=0xc0000c4518 sp=0xc0000c4410 pc=0x4a5d92
net.(*sysDialer).dialParallel(0x0?, {0x510348?, 0xc000108000?}, {0xc00010a020?, 0xc000108000?, 0x4e8ad8?}, {0x0?, 0x4e89ef?, 0x1?})
	/opt/google/go/src/net/dial.go:451 +0x413 fp=0xc0000c4770 sp=0xc0000c4518 pc=0x4a5333
net.(*Dialer).DialContext(0xc0000c4908, {0x510348, 0xc000108000}, {0x4e89ef, 0x3}, {0xc000018340, 0xd})
	/opt/google/go/src/net/dial.go:428 +0x705 fp=0xc0000c48c0 sp=0xc0000c4770 pc=0x4a4c05
net.(*Resolver).dial(0xc00010a010?, {0x510348?, 0xc000108000?}, {0x4e89ef?, 0x5a6300?}, {0xc000018340?, 0x0?})
	/opt/google/go/src/net/lookup.go:686 +0xa5 fp=0xc0000c4978 sp=0xc0000c48c0 pc=0x4b7d25
net.(*Resolver).exchange(_, {_, _}, {_, _}, {{{0x65, 0x78, 0x61, 0x6d, 0x70, ...}, ...}, ...}, ...)
	/opt/google/go/src/net/dnsclient_unix.go:177 +0x445 fp=0xc0000c5008 sp=0xc0000c4978 pc=0x4a83a5
net.(*Resolver).tryOneName(_, {_, _}, _, {_, _}, _)
	/opt/google/go/src/net/dnsclient_unix.go:277 +0x485 fp=0xc0000c5a38 sp=0xc0000c5008 pc=0x4a96e5
net.(*Resolver).goLookupIPCNAMEOrder.func3.1(0x1?)
	/opt/google/go/src/net/dnsclient_unix.go:638 +0x85 fp=0xc0000c5fc8 sp=0xc0000c5a38 pc=0x4ac565
net.(*Resolver).goLookupIPCNAMEOrder.func3.2()
	/opt/google/go/src/net/dnsclient_unix.go:641 +0x2a fp=0xc0000c5fe0 sp=0xc0000c5fc8 pc=0x4ac4aa
runtime.goexit()
	/opt/google/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0000c5fe8 sp=0xc0000c5fe0 pc=0x461401
created by net.(*Resolver).goLookupIPCNAMEOrder.func3
	/opt/google/go/src/net/dnsclient_unix.go:637 +0x16c

run with all the promises

pledge-1.7.com -p 'stdio rpath inet unix dns wpath cpath dpath flock tty recvfd sendfd fattr proc id exec' ./dnstest
addrs: [] err lookup example.com on 127.0.0.53:53: dial udp 127.0.0.53:53: setsockopt: operation not permitted

pledge is assimilated

file $(which pledge-1.7.com)
/opt/bin/pledge-1.7.com: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for OpenBSD, statically linked, no section header

linux

uname -a
Linux orange 5.19.8-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Sep 8 19:02:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Metadata

Metadata

Assignees

No one assigned

    Labels

    acceptedWe intend to address this issue.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions