authorderaadt <deraadt@openbsd.org>2015-10-25 07:44:42 +0000
committerderaadt <deraadt@openbsd.org>2015-10-25 07:44:42 +0000
commit326781423c096f4ed90cebc87cfe74b24ac794a0 (patch)
tree43ad27409e82a9bc5825f22bcaf4caf9846ebac2 /usr.sbin/bind/lib/isc/unix/net.c
parentUse sigaction() instead of signal() to avoid pulling in unnecessary (diff)
pledge bind(1), dig(1), and nslookup(1). This modifies the underlying
ISC library to use socket(2) with the SOCK_DNS flag. As a result, the port commands are disabled (such practice is rare in the wild these days, and pretty incompatible with the DNS vs regular socket concept in pledge..) ok bluhm phessler reyk, etc
Diffstat (limited to 'usr.sbin/bind/lib/isc/unix/net.c')
-rw-r--r--usr.sbin/bind/lib/isc/unix/net.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/usr.sbin/bind/lib/isc/unix/net.c b/usr.sbin/bind/lib/isc/unix/net.c
index f974ab5752b..f5e27938944 100644
--- a/usr.sbin/bind/lib/isc/unix/net.c
+++ b/usr.sbin/bind/lib/isc/unix/net.c
@@ -62,7 +62,7 @@ try_proto(int domain) {
isc_result_t result = ISC_R_SUCCESS;
char strbuf[ISC_STRERRORSIZE];
- s = socket(domain, SOCK_STREAM, 0);
+ s = socket(domain, SOCK_STREAM | SOCK_DNS, 0);
if (s == -1) {
switch (errno) {
#ifdef EAFNOSUPPORT
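Review bot: The `SOCK_DNS` flag added to the `socket()` call in try_proto has no comment explaining why a protocol-availability probe needs a DNS-typed socket; the same applies to the three later hunks in try_ipv6only and try_ipv6pktinfo. A one-line comment above the call would carry the rationale from the commit message into the code, for example `/* SOCK_DNS (OpenBSD): mark as a DNS socket so the probe is allowed under pledge */`. The file guards other platform constants with `#ifdef` (`EAFNOSUPPORT` just below), while `SOCK_DNS` is used unguarded; that is reasonable for an in-tree copy, but the comment should say this is a local divergence from upstream ISC code so it survives the next import. The body of try_proto continues outside the hunk, so how its errno switch classifies a failure caused by the extra type flag cannot be checked from here.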
@@ -196,7 +196,7 @@ try_ipv6only(void) {
return;
#else
/* check for TCP sockets */
- s = socket(PF_INET6, SOCK_STREAM, 0);
+ s = socket(PF_INET6, SOCK_STREAM | SOCK_DNS, 0);
if (s == -1) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
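Review bot: The TCP probe socket in try_ipv6only is now DNS-typed, but the option check performed on it lies outside the hunk, so it is not visible whether that call is permitted on such a socket in a pledged process. The same question applies to the UDP probe in the next hunk and to the socket in try_ipv6pktinfo. It is worth confirming that each probe either runs before pledge is entered or uses only options the DNS promise allows, because a failure on this path is reported through `UNEXPECTED_ERROR` and would not read as a policy denial. Only net.c is shown on this page, so any `socket()` call elsewhere in the library should be checked for the same flag.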
@@ -219,7 +219,7 @@ try_ipv6only(void) {
close(s);
/* check for UDP sockets */
- s = socket(PF_INET6, SOCK_DGRAM, 0);
+ s = socket(PF_INET6, SOCK_DGRAM | SOCK_DNS, 0);
if (s == -1) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -271,7 +271,7 @@ try_ipv6pktinfo(void) {
}
/* we only use this for UDP sockets */
- s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+ s = socket(PF_INET6, SOCK_DGRAM | SOCK_DNS, IPPROTO_UDP);
if (s == -1) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,