Use pledge(2) on OpenBSD

Straight forward thanks to all privileged operations being done early enough during startup. Basically forbid all groups of syscalls except for networking, so no fileystem access, signals, process management, etc.
yggdrasil-network · Dec 12, 2024 · 37cce42 · 37cce42
1 parent 7adf5f1
commit 37cce42
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go
@@ -312,6 +312,22 @@ func main() {
 		}
 	}
 
+	// Promise final modes of operation.  At this point, if at all:
+	// - raw socket is created/open
+	// - admin socket is created/open
+	// - privileges are dropped to non-root user
+	promises := []string{"stdio", "inet", "dns"}
+	if strings.HasPrefix(cfg.AdminListen, "unix://") {
+		// Go's net.Listen.Close() itself will delete the file on shutdown.
+		promises = append(promises, "cpath")
+	}
+	if len(cfg.MulticastInterfaces) > 0 {
+		promises = append(promises, "mcast")
+	}
+	if err := protect.Pledge(strings.Join(promises, " ")); err != nil {
+		panic(fmt.Sprintf("pledge: %v: %v", promises, err))
+	}
+
 	// Block until we are told to shut down.
 	<-ctx.Done()