
List:       openbsd-misc
Subject:    Re: unveil(2) makes libboost_date_time-mt.so.21.0 loadable, but not libbz2.so.10.4?
From:       Stuart Henderson <stu.lists () spacehopper ! org>
Date:       2022-12-23 12:22:49
Message-ID: slrntqb7cp.255n.stu.lists () naiad ! spacehopper ! org

On 2022-12-23, Alexander Klimov <grandmaster@al2klimov.de> wrote:
> Grüzi!
>
> The ports already contain icinga2 which includes the `icinga2 console` 
> feature:
>
> $ icinga2 console
> Icinga 2 (version: r2.13.5-1)
> Type $help to view available commands.
> <1> => 1 + 1
> 2.000000
> <2> =>
>
> I'm building a (free) "icinga2 console as a service" via -long story
> short- JS, websocket, FastCGI and forkpty(3).
>
> To maximally sandbox each icinga2 console, I use pledge(2) and
> unveil(2). Unfortunately pledge(2) requires not only
> execpromises="stdio error", but also "rpath" for loading the libs. OK, I
> can live with it as I can unveil(2) across execvpe(3). To unveil(2) only
> as much as needed, I'm trying to unveil(2) only step-by-step until
> success. I use ld error messages as signposts, i.e.:
>
> Me: unveil("/usr/local/lib/icinga2/sbin/icinga2", "x"), unveil(0, 0)
> execve: cannot load /usr/libexec/ld.so
> Me: unveil("/usr/libexec/ld.so", "r")
> ld.so: icinga2: can't load library 'libcurses.so.14.0'
> Me: unveil("/usr/lib", "r")
> ld.so: icinga2: can't load library 'libboost_date_time-mt.so.21.0'
> Me: unveil("/usr/local/lib", "r")
> ld.so: icinga2: can't load library 'libbz2.so.10.4'
>
> That's interesting:
>
> /usr/local/lib/libboost_date_time-mt.so.21.0 and
> /usr/local/lib/libbz2.so.10.4 are in the same dir, but only one can be
> loaded.
>
> Has anyone an idea why? Btw. no unveil(2) at all works.

You may need /var/run/ld.so.hints. If that's not it, you can try running
with LD_DEBUG set in the environment to see if that gives more clues,
or run under ktrace (typically ktrace -di $whatever, kdump, searching
backwards for the error message and looking at previous EACCES/ENOENT
returns).
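
The ktrace/kdump step suggested in the reply, as an added example that is not part of the original message: a shell function that reads `kdump` output and prints every path lookup that failed with ENOENT or EACCES before the loader's error message. The trace excerpt is constructed, the function names are hypothetical, and the default `kdump` line layout (pid, command, record type) is assumed.

```shell
#!/bin/sh
# failed_paths MARKER: read kdump output on stdin and print
# "syscall ERRNO path" for each path lookup that failed with ENOENT (2)
# or EACCES (13), stopping at the first line that contains MARKER
# (for example the ld.so error text). Hypothetical helper name.
failed_paths() {
    awk -v marker="$1" '
        marker != "" && index($0, marker) { exit }
        # A new syscall starts: forget the path of the previous one.
        $3 == "CALL" { path[$1] = "" }
        # NAMI records carry the path the kernel looked up, in quotes.
        $3 == "NAMI" {
            p = $0
            sub(/^[^"]*"/, "", p)
            sub(/"[^"]*$/, "", p)
            path[$1] = p
        }
        # RET <syscall> -1 errno <n> ...: report only unveil-style denials.
        $3 == "RET" && $5 == "-1" && $6 == "errno" &&
        ($7 == 2 || $7 == 13) && path[$1] != "" {
            printf "%s %s %s\n", $4, ($7 == 2 ? "ENOENT" : "EACCES"), path[$1]
        }
    '
}

# Constructed kdump excerpt (not taken from the thread).
sample_kdump() {
    cat <<'EOF'
 41822 icinga2  CALL  open(0x7f7ffffc2a10,0x10000<O_RDONLY|O_CLOEXEC>)
 41822 icinga2  NAMI  "/var/run/ld.so.hints"
 41822 icinga2  RET   open -1 errno 2 No such file or directory
 41822 icinga2  CALL  open(0x7f7ffffc2a10,0x10000<O_RDONLY|O_CLOEXEC>)
 41822 icinga2  NAMI  "/usr/local/lib/libboost_date_time-mt.so.21.0"
 41822 icinga2  RET   open 3
 41822 icinga2  CALL  read(3,0x7f7ffffc1000,0x1000)
 41822 icinga2  RET   read -1 errno 4 Interrupted system call
 41822 icinga2  CALL  write(2,0x7f7ffffc0f00,0x34)
 41822 icinga2  GIO   fd 2 wrote 52 bytes
       "ld.so: icinga2: can't load library 'libbz2.so.10.4'
       "
 41822 icinga2  RET   write 52/0x34
 41822 icinga2  CALL  open(0x7f7ffffc2a10,0x10000<O_RDONLY|O_CLOEXEC>)
 41822 icinga2  NAMI  "/constructed/after-message"
 41822 icinga2  RET   open -1 errno 2 No such file or directory
EOF
}

sample_kdump | failed_paths "can't load library"
```

On a real trace, pipe `kdump` into `failed_paths` instead of the sample; each reported path is a candidate for an additional unveil(2) call with the narrowest permission that works.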

