From: Stuart Henderson Subject: Re: [maintainer update] net/icinga/icingadb: 1.5.1, pledge/unveil patch To: Alvar Penning , Cc: Stuart Henderson Date: Fri, 27 Mar 2026 20:16:32 +0000 thanks - just checking, are you happy this is ok with the most recent pledge commits? -- Sent from a phone, apologies for poor formatting. On 27 March 2026 19:42:29 "Alvar Penning" wrote:
> Hi ports@,
> Hi Stuart,
>
> A diff to update net/icinga/icingadb to its latest release 1.5.1
> together with a small patch for pledge(2) and unveil(2) support follows.
>
> Best,
> Alvar
>
>
> diff --git Makefile Makefile
> index 204ee608d41..8e970d1d741 100644
> --- Makefile
> +++ Makefile
> @@ -1,7 +1,7 @@
> COMMENT= configuration and state database for Icinga
>
> GH_PROJECT= icingadb
> -GH_TAGNAME= v1.5.0
> +GH_TAGNAME= v1.5.1
>
> MODGO_MODNAME= github.com/icinga/icingadb
> MODGO_VERSION= ${GH_TAGNAME}
> @@ -18,6 +18,9 @@ MODULES= lang/go
>
> .include "modules.inc"
>
> +# for patches to apply
> +WRKDIST = ${WRKSRC}
> +
> post-install:
> ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/icingadb/markdown
> ${INSTALL_DATA} ${WRKSRC}/{AUTHORS,LICENSE,*.md} ${PREFIX}/share/doc/icingadb
> diff --git distinfo distinfo
> index 89bca181e4f..35d7cce3e8d 100644
> --- distinfo
> +++ distinfo
> @@ -38,8 +38,8 @@ SHA256 > (go_modules/github.com/google/go-cmp/@v/v0.7.0.mod) = Mch0odKhjmKwVQ+CPOe > SHA256 (go_modules/github.com/google/go-cmp/@v/v0.7.0.zip) = > ZKnOBG8sMg43g/ug0fShX4oY8LAJtnvyf3YwkZ2z9Tk= > SHA256 (go_modules/github.com/google/uuid/@v/v1.6.0.mod) = > c9pHtjOLAKCC/UUao1oyc9OtwJuOm7qY2rAQkeQCr24= > SHA256 (go_modules/github.com/google/uuid/@v/v1.6.0.zip) = > 0PAvN3IX9CcC4lloTgZEHtv1FA3dzDS6m+pWA4s4pu0= > -SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.mod) = > TuBy+Tlxexr7Zaw8o3K8RRWunQx3rkzixq9qDRaDTeQ= > -SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.zip) = > FgJRtm+KhVjJsmXmzllXmh45ZvPh6fSnmaVRrIuIxCU= > +SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.mod) = > 62kZelhlLe0QB3ERRyX7e2NIxWW2FbX/t4YsfgvbBwU= > +SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.zip) = > fyA6SxKRwcqi0ezK8q8uG9XaBgPV6m65fGhdg4lAcYc= > SHA256 (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.mod) = > XXfNPd0IYZ25q3vITtJAlbDicioz7d4iGzJlEMKwH/w= > SHA256 (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.zip) = > I97Ou1pRFK8aaH++1k1qZ08el25wsrTNwn9S0LAgy0s= > SHA256 (go_modules/github.com/jmoiron/sqlx/@v/v1.4.0.mod) = > TK1YPczEsJNGdNt/yFycLDIu5YeTNmhgqupYL2WRmU0= 
> @@ -66,8 +66,8 @@ SHA256 (go_modules/github.com/pkg/errors/@v/v0.9.1.mod) = > 3yjGqCPxgddheWlxd8DFlD > SHA256 (go_modules/github.com/pkg/errors/@v/v0.9.1.zip) = > 1MNri80GFikKORMhXg9TuTG9bgBnBZbylg3xtEryvQc= > SHA256 (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.mod) = > dLLnZushU3eGTVh7rfV+lVIfaS0qeGCzx3WQk/nJvsI= > SHA256 (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.zip) = > 3gTOzBpLjVPkNXBRAmeUvLxU8uaiYM+sUIzmnV1kV6A= > -SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.mod) = > bVq+RIntf4jVi2SnFPH2zfBcKeRzKyNMMocJK0LzJrg= > -SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.zip) = > 6/q95nlTIIKBKBCdXNiwrhNvyTnzNSYbFgK725Mhalw= > +SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.mod) = > bVq+RIntf4jVi2SnFPH2zfBcKeRzKyNMMocJK0LzJrg= > +SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.zip) = > tu9N6wgWD5rO+KrMK3g47iQkBFzRyrGq0oZoT4/b+wE= > SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.1.0.mod) = > bHMYonqNVHOo62YedfsAUoF24O/FkxDtJ3yhO9EqU/E= > SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.2.0.mod) = > bHMYonqNVHOo62YedfsAUoF24O/FkxDtJ3yhO9EqU/E= > SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.2.0.zip) = > MZnZS+UChBQiIGYso7AOGd3R3r5OgN3HRf9CA+y2AcA= 
> @@ -86,8 +86,8 @@ SHA256 (go_modules/go.uber.org/goleak/@v/v1.3.0.zip) = > cO3vDOfYMNmS8CTlJ/00Ugabi > SHA256 (go_modules/go.uber.org/multierr/@v/v1.10.0.mod) = > WKMN3nMKuldXZxXZCEF3T2NEqHn+xWM6LGazfsMMEfA= > SHA256 (go_modules/go.uber.org/multierr/@v/v1.11.0.mod) = > WKMN3nMKuldXZxXZCEF3T2NEqHn+xWM6LGazfsMMEfA= > SHA256 (go_modules/go.uber.org/multierr/@v/v1.11.0.zip) = > Ikm10v3OYfbuZhpnnYVSWZrwhKdhy7yHHad2Qb3c4MM= > -SHA256 (go_modules/go.uber.org/zap/@v/v1.27.0.mod) = > rYBZREWaFDYO6wZ3t8b8T/ep2oD7A3ZK+n2RzwLihcc= > -SHA256 (go_modules/go.uber.org/zap/@v/v1.27.0.zip) = > uZS5b/C7UEo9WCiKuIufPGYEaJ6hr7adJbUJdpcFpsI= > +SHA256 (go_modules/go.uber.org/zap/@v/v1.27.1.mod) = > rYBZREWaFDYO6wZ3t8b8T/ep2oD7A3ZK+n2RzwLihcc= > +SHA256 (go_modules/go.uber.org/zap/@v/v1.27.1.zip) = > OHYCJxQtODaQaTdMAFcHvGs8Jwp180+j8XxIyGMUPNw= > SHA256 (go_modules/golang.org/x/crypto/@v/v0.28.0.mod) = > hn0KUX9LRzf6NCERYOtqiNt+Qjne9HIYFrA+dB2+rPU= > SHA256 (go_modules/golang.org/x/crypto/@v/v0.28.0.zip) = > lZrL41FEMMLACdyT8n5B3a1P7heKTGgMdTvAm10ud9A= > SHA256 > (go_modules/golang.org/x/exp/@v/v0.0.0-20240506185415-9bf2ced13842.mod) = > 5Bjsbat5ooeOZoZlE8Yfh7+BePhfy3h1Zwjv1jVYDKA= 
> @@ -96,8 +96,8 @@ SHA256 (go_modules/golang.org/x/mod/@v/v0.17.0.mod) = > XErAMQolMwdXA5zPOpjnX+/by3 > SHA256 (go_modules/golang.org/x/mod/@v/v0.17.0.zip) = > py/lt5VUqJk9+VEtBeI3kI060LSAAcGrkrf6Uzns9EA= > SHA256 (go_modules/golang.org/x/net/@v/v0.30.0.mod) = > cyMeKp5Xhgaj/n4ODJP/qWMavCAh96v6RCWGA4ZpCW8= > SHA256 (go_modules/golang.org/x/net/@v/v0.30.0.zip) = > w1e3ec3AjQlS97rUxFzoQiO3xgBdd1gioXkBro9lu7o= > -SHA256 (go_modules/golang.org/x/sync/@v/v0.18.0.mod) = > 0zPFS3SviguOx0jTfFly0nudCIueRci/XDq1INIRMJA= > -SHA256 (go_modules/golang.org/x/sync/@v/v0.18.0.zip) = > k5oaVzzYPfVoNrY3BSpF9qYPeLhqWjdfwMbCmKhooU0= > +SHA256 (go_modules/golang.org/x/sync/@v/v0.19.0.mod) = > 0zPFS3SviguOx0jTfFly0nudCIueRci/XDq1INIRMJA= > +SHA256 (go_modules/golang.org/x/sync/@v/v0.19.0.zip) = > JSEf4s/9gCC7QFua23qQ9eBnYPKBi4+y50qqohpm7Z4= > SHA256 (go_modules/golang.org/x/sync/@v/v0.7.0.mod) = > cA5dsA3SaqGaF9zl/FUkNtYPaMVgbIW4IfJMPWByoVE= > SHA256 > (go_modules/golang.org/x/sys/@v/v0.0.0-20210514084401-e8d321eab015.mod) = > 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ= > SHA256 > (go_modules/golang.org/x/sys/@v/v0.0.0-20220811171246-fbc7d0a398ab.mod) = > 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ= > @@ -114,7 +114,7 @@ SHA256 > (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.mod) > SHA256 > (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.zip) = > ThgX+WTKNOVFuBr9oDJaXonPWN4uQT2CB8Cv3dD9wVw= > SHA256 (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.mod) = > IVeYYKIDBvz0OxvSNNH7oxlJnHdhG3HAX5vzupDauTk= > SHA256 (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.zip) = > qrj7xOYwDqCOav4crqGKIckMefSJ9SxT4vIEMfGpoBU= > -SHA256 (icingadb-1.5.0.zip) = sXqboDonPhhP1sNA9p9sIxdzAHa4cPjzPs/zet8Vtr4= > +SHA256 (icingadb-1.5.1.zip) = tDQbm5nIRuP21PS8J9VwvbN1gxdLHSOpEpF957IWOlI= > SIZE (go_modules/filippo.io/edwards25519/@v/v1.1.0.mod) = 40 > SIZE (go_modules/filippo.io/edwards25519/@v/v1.1.0.zip) = 55809 > SIZE (go_modules/github.com/!vivid!cortex/ewma/@v/v1.2.0.mod) = 44 
> @@ -155,8 +155,8 @@ SIZE > (go_modules/github.com/google/go-cmp/@v/v0.7.0.mod) = 41 > SIZE (go_modules/github.com/google/go-cmp/@v/v0.7.0.zip) = 130179 > SIZE (go_modules/github.com/google/uuid/@v/v1.6.0.mod) = 30 > SIZE (go_modules/github.com/google/uuid/@v/v1.6.0.zip) = 31981 > -SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.mod) = 1245 > -SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.zip) = 130783 > +SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.mod) = 1245 > +SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.zip) = 130821 > SIZE (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.mod) = 79 > SIZE (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.zip) = 78585 > SIZE (go_modules/github.com/jmoiron/sqlx/@v/v1.4.0.mod) = 157 > @@ -183,8 +183,8 @@ SIZE (go_modules/github.com/pkg/errors/@v/v0.9.1.mod) = 29 > SIZE (go_modules/github.com/pkg/errors/@v/v0.9.1.zip) = 17866 > SIZE (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.mod) = 37 > SIZE (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.zip) = 12433 > -SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.mod) = 635 > -SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.zip) = 584449 > +SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.mod) = 635 > +SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.zip) = 5104265 > SIZE (go_modules/github.com/rivo/uniseg/@v/v0.1.0.mod) = 39 > SIZE (go_modules/github.com/rivo/uniseg/@v/v0.2.0.mod) = 39 > SIZE (go_modules/github.com/rivo/uniseg/@v/v0.2.0.zip) = 45731 
> @@ -203,8 +203,8 @@ SIZE (go_modules/go.uber.org/goleak/@v/v1.3.0.zip) = 37573 > SIZE (go_modules/go.uber.org/multierr/@v/v1.10.0.mod) = 228 > SIZE (go_modules/go.uber.org/multierr/@v/v1.11.0.mod) = 228 > SIZE (go_modules/go.uber.org/multierr/@v/v1.11.0.zip) = 25681 > -SIZE (go_modules/go.uber.org/zap/@v/v1.27.0.mod) = 312 > -SIZE (go_modules/go.uber.org/zap/@v/v1.27.0.zip) = 287887 > +SIZE (go_modules/go.uber.org/zap/@v/v1.27.1.mod) = 312 > +SIZE (go_modules/go.uber.org/zap/@v/v1.27.1.zip) = 289619 > SIZE (go_modules/golang.org/x/crypto/@v/v0.28.0.mod) = 190 > SIZE (go_modules/golang.org/x/crypto/@v/v0.28.0.zip) = 1790287 > SIZE > (go_modules/golang.org/x/exp/@v/v0.0.0-20240506185415-9bf2ced13842.mod) = 179 > @@ -213,8 +213,8 @@ SIZE (go_modules/golang.org/x/mod/@v/v0.17.0.mod) = 84 > SIZE (go_modules/golang.org/x/mod/@v/v0.17.0.zip) = 165172 > SIZE (go_modules/golang.org/x/net/@v/v0.30.0.mod) = 155 > SIZE (go_modules/golang.org/x/net/@v/v0.30.0.zip) = 1842318 > -SIZE (go_modules/golang.org/x/sync/@v/v0.18.0.mod) = 36 > -SIZE (go_modules/golang.org/x/sync/@v/v0.18.0.zip) = 25708 > +SIZE (go_modules/golang.org/x/sync/@v/v0.19.0.mod) = 36 > +SIZE (go_modules/golang.org/x/sync/@v/v0.19.0.zip) = 25714 > SIZE (go_modules/golang.org/x/sync/@v/v0.7.0.mod) = 34 > SIZE > (go_modules/golang.org/x/sys/@v/v0.0.0-20210514084401-e8d321eab015.mod) = 33 > SIZE > (go_modules/golang.org/x/sys/@v/v0.0.0-20220811171246-fbc7d0a398ab.mod) = 33 > @@ -231,4 +231,4 @@ SIZE > (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.mod) = > SIZE > (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.zip) = > 39844 > SIZE (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.mod) = 95 > SIZE (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.zip) = 104623 > -SIZE (icingadb-1.5.0.zip) = 3370896 > +SIZE (icingadb-1.5.1.zip) = 3371200 > diff --git modules.inc modules.inc > index b685a740c69..7d91dbdb84b 100644 > --- modules.inc > +++ modules.inc 
> @@ -18,7 +18,7 @@ MODGO_MODULES = \
> github.com/goccy/go-yaml v1.13.0 \
> github.com/google/go-cmp v0.7.0 \
> github.com/google/uuid v1.6.0 \
> - github.com/icinga/icinga-go-library v0.8.1 \
> + github.com/icinga/icinga-go-library v0.8.2 \
> github.com/jessevdk/go-flags v1.6.1 \
> github.com/jmoiron/sqlx v1.4.0 \
> github.com/kr/text v0.2.0 \
> @@ -31,7 +31,7 @@ MODGO_MODULES = \
> github.com/okzk/sdnotify v0.0.0-20180710141335-d9becc38acbd \
> github.com/pkg/errors v0.9.1 \
> github.com/pmezard/go-difflib v1.0.0 \
> - github.com/redis/go-redis/v9 v9.16.0 \
> + github.com/redis/go-redis/v9 v9.17.2 \
> github.com/rivo/uniseg v0.2.0 \
> github.com/ssgreg/journald v1.0.0 \
> github.com/stretchr/objx v0.5.2 \
> @@ -39,12 +39,12 @@ MODGO_MODULES = \
> github.com/vbauerster/mpb/v6 v6.0.4 \
> go.uber.org/goleak v1.3.0 \
> go.uber.org/multierr v1.11.0 \
> - go.uber.org/zap v1.27.0 \
> + go.uber.org/zap v1.27.1 \
> golang.org/x/crypto v0.28.0 \
> golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 \
> golang.org/x/mod v0.17.0 \
> golang.org/x/net v0.30.0 \
> - golang.org/x/sync v0.18.0 \
> + golang.org/x/sync v0.19.0 \
> golang.org/x/sys v0.26.0 \
> golang.org/x/text v0.19.0 \
> golang.org/x/tools v0.21.0 \
> diff --git patches/patch-cmd_icingadb_main_go
> patches/patch-cmd_icingadb_main_go
> new file mode 100644
> index 00000000000..846d0acbaab
> --- /dev/null
> +++ patches/patch-cmd_icingadb_main_go
> @@ -0,0 +1,21 @@
> +Index: cmd/icingadb/main.go
> +--- cmd/icingadb/main.go.orig
> ++++ cmd/icingadb/main.go
> +@@ -39,6 +39,8 @@ func main() {
> + }
> +
> + func run() int {
> ++ initialPrivDrop()
> ++
> + cmd := command.New()
> +
> + logs, err := logging.NewLoggingFromConfig(utils.AppName(),
> cmd.Config.Logging)
> +@@ -54,6 +56,8 @@ func run() int {
> + defer func() { _ = logger.Sync() }()
> +
> + logger.WithOptions(logs.ForceLog()).Infof("Starting Icinga DB daemon
> (%s)", internal.Version.Version)
> ++
> ++ privDrop(cmd, logger)
> +
> + db, err := cmd.Database(logs.GetChildLogger("database"))
> + if err != nil {
> diff --git patches/patch-cmd_icingadb_openbsd_go
> patches/patch-cmd_icingadb_openbsd_go
> new file mode 100644
> index 00000000000..839afae5168
> --- /dev/null
> +++ patches/patch-cmd_icingadb_openbsd_go
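Review bot: In the cmd/icingadb/main.go patch, the position of `privDrop(cmd, logger)` inside run() is load-bearing but carries no comment saying so. It has to stay after configuration and logging are set up and before `cmd.Database(...)`, because from that call on only the unveiled paths and the reduced promise set are available. A comment above the call would keep a later upstream reshuffle from silently moving file or socket setup behind it, for example `// privDrop must run after config/logging setup and before any database or Redis connection; paths not unveiled there are unreachable from here on.` run() continues outside both hunks, so later file accesses in it are not visible here.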
> @@ -0,0 +1,87 @@
> +Index: cmd/icingadb/openbsd.go
> +--- cmd/icingadb/openbsd.go.orig
> ++++ cmd/icingadb/openbsd.go
> +@@ -0,0 +1,83 @@
> ++package main
> ++
> ++import (
> ++ "fmt"
> ++ "maps"
> ++ "slices"
> ++ "strings"
> ++
> ++ "github.com/icinga/icinga-go-library/logging"
> ++ "github.com/icinga/icinga-go-library/utils"
> ++ "github.com/icinga/icingadb/internal/command"
> ++ "go.uber.org/zap"
> ++ "golang.org/x/sys/unix"
> ++)
> ++
> ++// initialPrivDrop applies a first pledge(2) promise.
> ++//
> ++// This function should be called first in main to start with restricted
> ++// privileges. After parsing the configuration, privDrop should be called to
> ++// perform further restrictions.
> ++func initialPrivDrop() {
> ++ // all possible promises which can be used later in privDrop, plus unveil.
> ++ promises := "stdio rpath inet unix dns unveil error"
> ++ if err := unix.PledgePromises(promises); err != nil {
> ++ panic(fmt.Sprintf("initial pledge(2) failed, %q: %v", promises, err))
> ++ }
> ++}
> ++
> ++// privDrop should be called after parsing command.Command.
> ++func privDrop(c *command.Command, l *logging.Logger) {
> ++ pledgePromises := map[string]struct{}{
> ++ "stdio": struct{}{},
> ++ "inet": struct{}{},
> ++ "dns": struct{}{},
> ++ "error": struct{}{},
> ++ }
> ++
> ++ unveilPaths := map[string]string{
> ++ // Special paths for the "dns" pledge promise from before OpenBSD 7.9.
> ++ "/etc/resolv.conf": "r",
> ++ "/etc/hosts": "r",
> ++ "/etc/services": "r",
> ++ "/etc/protocols": "r",
> ++ }
> ++
> ++ for _, host := range []string{c.Config.Database.Host, c.Config.Redis.Host} {
> ++ if !utils.IsUnixAddr(host) {
> ++ continue
> ++ }
> ++
> ++ pledgePromises["rpath"] = struct{}{}
> ++ pledgePromises["unix"] = struct{}{}
> ++ unveilPaths[host] = "rw"
> ++ }
> ++
> ++ if c.Flags.DatabaseAutoImport {
> ++ pledgePromises["rpath"] = struct{}{}
> ++ unveilPaths[c.Flags.DatabaseSchemaDir] = "r"
> ++ }
> ++
> ++ for path, permissions := range unveilPaths {
> ++ if err := unix.Unveil(path, permissions); err != nil {
> ++ l.Fatalw("Cannot unveil(2)",
> ++ zap.String("path", path),
> ++ zap.String("permissions", permissions),
> ++ zap.Error(err))
> ++ }
> ++ }
> ++ if err := unix.UnveilBlock(); err != nil {
> ++ l.Fatalw("Cannot block unveil(2)", zap.Error(err))
> ++ }
> ++
> ++ promises := strings.Join(slices.Collect(maps.Keys(pledgePromises)), " ")
> ++ if err := unix.PledgePromises(promises); err != nil {
> ++ l.Fatalw("Cannot pledge(2)",
> ++ zap.String("promises", promises),
> ++ zap.Error(err))
> ++ }
> ++
> ++ l.Infow("Dropped privileges with pledge(2) and unveil(2)",
> ++ zap.String("pledge", promises),
> ++ zap.Any("unveil", unveilPaths))
> ++}
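Review bot: privDrop unveils only the resolver files, Unix-socket hosts and the schema directory, so any other file the daemon opens after this call is unreachable, and `rpath` is not pledged at all unless a socket host or auto-import is configured. main.go calls `cmd.Database(...)` right after privDrop; if that path or the Redis connection loads TLS certificate, key or CA files, or the system trust store (not visible in this diff, so please confirm), those reads would fail once the lock-down is in place. Either load such material before privDrop, or add the configured paths to `unveilPaths` with `"r"` and pledge `rpath` when they are set. The retained `error` promise also deserves a comment in both functions, since it makes a pledge violation return ENOSYS instead of terminating the process, for example `// "error": violations return ENOSYS instead of killing the daemon; kept because <reason>`. Minor: `slices.Sorted(maps.Keys(pledgePromises))` would give the logged promise string a stable order across runs.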