use pledge in various monitoring-plugins checks; from Alvar Penning

net/monitoring-plugins/Makefile

@@ -9,6 +9,7 @@ COMMENT-snmp=	monitoring plugins using snmp
 COMMENT-radius=	RADIUS monitoring plugin
 
 V=		3.0.0rc2pl1
+REVISION-main=	0
 #SITES=		https://www.monitoring-plugins.org/download/
 GH_ACCOUNT=	monitoring-plugins
 GH_PROJECT=	monitoring-plugins
@@ -35,6 +36,7 @@ MAINTAINER=	Stuart Henderson <stu.ports@spacehopper.org>
 # GPLv2
 PERMIT_PACKAGE=	Yes
 
+# uses pledge()
 WANTLIB=	c crypto pthread
 
 COMPILER=	base-clang ports-gcc

net/monitoring-plugins/patches/patch-plugins-root_check_icmp_c

@@ -1,12 +1,52 @@
-https://github.com/monitoring-plugins/monitoring-plugins/pull/2211
+- https://github.com/monitoring-plugins/monitoring-plugins/pull/2225
+add pledge()
 
+- https://github.com/monitoring-plugins/monitoring-plugins/pull/2211
 on OpenBSD, time_t is always 64-bit, even on 32-bit archs.
 %lld format string with a cast is portable (as long as %lld is supported).
 
 Index: plugins-root/check_icmp.c
 --- plugins-root/check_icmp.c.orig
 +++ plugins-root/check_icmp.c
-@@ -940,15 +940,15 @@ int main(int argc, char **argv) {
+@@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr
+ }
+ 
+ int main(int argc, char **argv) {
++#ifdef __OpenBSD__
++	/* - rpath is required to read --extra-opts (given up later)
++	 * - inet is required for sockets
++	 * - dns is required for name lookups (given up later)
++	 * - id is required for temporary privilege drops in configparsing and for
++	 *   permanent privilege dropping after opening the socket (given up later) */
++	pledge("stdio rpath inet dns id", NULL);
++#endif // __OpenBSD__
++
+ 	setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE);
+@@ -836,6 +845,10 @@ int main(int argc, char **argv) {
+ 		crash("failed to parse config");
+ 	}
+ 
++#ifdef __OpenBSD__
++	pledge("stdio inet dns id", NULL);
++#endif // __OpenBSD__
++
+ 	const check_icmp_config config = tmp_config.config;
+ 
+ 	if (config.output_format_is_set) {
+@@ -898,6 +911,10 @@ int main(int argc, char **argv) {
+ 		return 1;
+ 	}
+ 
++#ifdef __OpenBSD__
++	pledge("stdio inet", NULL);
++#endif // __OpenBSD__
++
+ 	if (sockset.socket4) {
+ 		int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));
+ 		if (debug) {
+@@ -940,15 +957,15 @@ int main(int argc, char **argv) {
  
  	if (debug) {
  		if (max_completion_time > (timeout * 1000000)) {
@@ -27,7 +67,7 @@ Index: plugins-root/check_icmp.c
  		printf("icmp_pkt_size: %u  timeout: %u\n", config.icmp_data_size + ICMP_MINLEN, timeout);
  	}
  
-@@ -1049,8 +1049,8 @@ static void run_checks(unsigned short icmp_pkt_size, t
+@@ -1049,8 +1066,8 @@ static void run_checks(unsigned short icmp_pkt_size, t
  		time_t final_wait = max_completion_time - time_passed;
  
  		if (debug) {
@@ -38,7 +78,7 @@ Index: plugins-root/check_icmp.c
  		}
  		if (time_passed > max_completion_time) {
  			if (debug) {
-@@ -1062,7 +1062,7 @@ static void run_checks(unsigned short icmp_pkt_size, t
+@@ -1062,7 +1079,7 @@ static void run_checks(unsigned short icmp_pkt_size, t
  		/* catch the packets that might come in within the timeframe, but
  		 * haven't yet */
  		if (debug) {
@@ -47,7 +87,7 @@ Index: plugins-root/check_icmp.c
  				   (float)final_wait / 1000);
  		}
  		if (targets_alive(number_of_targets, program_state->targets_down) ||
-@@ -1125,7 +1125,7 @@ static int wait_for_reply(check_icmp_socket_set sockse
+@@ -1125,7 +1142,7 @@ static int wait_for_reply(check_icmp_socket_set sockse
  						 &loop_time_interval, &packet_received_timestamp);
  		if (!recv_foo.received) {
  			if (debug > 1) {

net/monitoring-plugins/patches/patch-plugins_check_curl_c

@@ -0,0 +1,37 @@
+- https://github.com/monitoring-plugins/monitoring-plugins/pull/2225
+add pledge()
+
+Index: plugins/check_curl.c
+--- plugins/check_curl.c.orig
++++ plugins/check_curl.c
+@@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certi
+ #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
+ 
+ int main(int argc, char **argv) {
++#ifdef __OpenBSD__
++	/* - rpath is required to read --extra-opts, CA and/or client certs
++	 * - wpath is required to write --cookie-jar (possibly given up later)
++	 * - inet is required for sockets
++	 * - dns is required for name lookups */
++	pledge("stdio rpath wpath inet dns", NULL);
++#endif // __OpenBSD__
++
+ 	setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE);
+@@ -134,6 +142,15 @@ int main(int argc, char **argv) {
+ 	}
+ 
+ 	const check_curl_config config = tmp_config.config;
++
++#ifdef __OpenBSD__
++	if (!config.curl_config.cookie_jar_file) {
++		if (verbose >= 2) {
++			printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n"));
++		}
++		pledge("stdio rpath inet dns", NULL);
++	}
++#endif // __OpenBSD__
+ 
+ 	if (config.output_format_is_set) {
+ 		mp_set_format(config.output_format);

net/monitoring-plugins/patches/patch-plugins_check_ntp_time_c

@@ -0,0 +1,32 @@
+- https://github.com/monitoring-plugins/monitoring-plugins/pull/2225
+add pledge()
+
+Index: plugins/check_ntp_time.c
+--- plugins/check_ntp_time.c.orig
++++ plugins/check_ntp_time.c
+@@ -661,6 +661,14 @@ static check_ntp_time_config_wrapper process_arguments
+ }
+ 
+ int main(int argc, char *argv[]) {
++#ifdef __OpenBSD__
++	/* - rpath is required to read --extra-opts (given up later)
++	 * - inet is required for sockets
++	 * - unix is required for Unix domain sockets
++	 * - dns is required for name lookups */
++	pledge("stdio rpath inet unix dns", NULL);
++#endif // __OpenBSD__
++
+ 	setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE);
+@@ -673,6 +681,10 @@ int main(int argc, char *argv[]) {
+ 	if (tmp_config.errorcode == ERROR) {
+ 		usage4(_("Could not parse arguments"));
+ 	}
++
++#ifdef __OpenBSD__
++	pledge("stdio inet unix dns", NULL);
++#endif // __OpenBSD__
+ 
+ 	const check_ntp_time_config config = tmp_config.config;
+ 

net/monitoring-plugins/patches/patch-plugins_check_smtp_c

@@ -0,0 +1,32 @@
+- https://github.com/monitoring-plugins/monitoring-plugins/pull/2225
+add pledge()
+
+Index: plugins/check_smtp.c
+--- plugins/check_smtp.c.orig
++++ plugins/check_smtp.c
+@@ -100,6 +100,14 @@ static int my_close(int /*socket_descriptor*/);
+ static int verbose = 0;
+ 
+ int main(int argc, char **argv) {
++#ifdef __OpenBSD__
++	/* - rpath is required to read --extra-opts (given up later)
++	 * - inet is required for sockets
++	 * - unix is required for Unix domain sockets
++	 * - dns is required for name lookups */
++	pledge("stdio rpath inet unix dns", NULL);
++#endif // __OpenBSD__
++
+ 	setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE);
+@@ -112,6 +120,10 @@ int main(int argc, char **argv) {
+ 	if (tmp_config.errorcode == ERROR) {
+ 		usage4(_("Could not parse arguments"));
+ 	}
++
++#ifdef __OpenBSD__
++	pledge("stdio inet unix dns", NULL);
++#endif // __OpenBSD__
+ 
+ 	const check_smtp_config config = tmp_config.config;
+ 

net/monitoring-plugins/patches/patch-plugins_check_ssh_c

@@ -0,0 +1,32 @@
+- https://github.com/monitoring-plugins/monitoring-plugins/pull/2225
+add pledge()
+
+Index: plugins/check_ssh.c
+--- plugins/check_ssh.c.orig
++++ plugins/check_ssh.c
+@@ -61,6 +61,14 @@ static int ssh_connect(mp_check *overall, char *haddr,
+ 					   char *remote_protocol);
+ 
+ int main(int argc, char **argv) {
++#ifdef __OpenBSD__
++	/* - rpath is required to read --extra-opts (given up later)
++	 * - inet is required for sockets
++	 * - unix is required for Unix domain sockets
++	 * - dns is required for name lookups */
++	pledge("stdio rpath inet unix dns", NULL);
++#endif // __OpenBSD__
++
+ 	setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE);
+@@ -73,6 +81,10 @@ int main(int argc, char **argv) {
+ 	if (tmp_config.errorcode == ERROR) {
+ 		usage4(_("Could not parse arguments"));
+ 	}
++
++#ifdef __OpenBSD__
++	pledge("stdio inet unix dns", NULL);
++#endif // __OpenBSD__
+ 
+ 	check_ssh_config config = tmp_config.config;
+ 

net/monitoring-plugins/patches/patch-plugins_check_tcp_c

@@ -0,0 +1,32 @@
+- https://github.com/monitoring-plugins/monitoring-plugins/pull/2225
+add pledge()
+
+Index: plugins/check_tcp.c
+--- plugins/check_tcp.c.orig
++++ plugins/check_tcp.c
+@@ -89,6 +89,14 @@ const int DEFAULT_NNTPS_PORT = 563;
+ const int DEFAULT_CLAMD_PORT = 3310;
+ 
+ int main(int argc, char **argv) {
++#ifdef __OpenBSD__
++	/* - rpath is required to read --extra-opts (given up later)
++	 * - inet is required for sockets
++	 * - unix is required for Unix domain sockets
++	 * - dns is required for name lookups */
++	pledge("stdio rpath inet unix dns", NULL);
++#endif // __OpenBSD__
++
+ 	setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE);
+@@ -215,6 +223,10 @@ int main(int argc, char **argv) {
+ 	if (paw.errorcode == ERROR) {
+ 		usage4(_("Could not parse arguments"));
+ 	}
++
++#ifdef __OpenBSD__
++	pledge("stdio inet unix dns", NULL);
++#endif // __OpenBSD__
+ 
+ 	config = paw.config;
+