On Sun 01/06/2025 12:54, Christoph Liebender wrote:
> On 24.05.25 at 18:18, Christoph Liebender wrote:
> > Hello ports@,
> >
> > this patch adds unveil restrictions to the server part of net/wstunnel.
> > It seems quite straightforward as the only files that are opened are
> > specified in the commandline. Additionally, the server may use the libc
> > resolver, therefore, /etc/{hosts, resolv.conf} are required as well.
> > Reason being that either the user has configured the usage of the libc
> > resolver, or the server falls back to it... At least that's what the
> > code seems to be doing.
> >
> > I haven't added client restrictions as I'm not using that on OpenBSD
> > right now.
> >
> > Fortunately, there is a crate that makes unveil(2) somewhat comfortable
> > to use in Rust, which is an additional dependency now.
> >
> > Running with bad args gets you:
> >
> > # wstunnel server ws://0.0.0.0:4444 --restrict-config /asdf/jk.l
> >
> > thread 'main' panicked at wstunnel-cli/src/main.rs:122:69:
> > unveil(/asdf/jk.l, r) failed: No such file or directory (os error 2)
> >
> > Otherwise, it works fine on my machine. :)
> >
> > testers, comments, ok?
> >
> > - Christoph
>
> Pong!
>
Lightly tested and seems to work fine for me. I am not too experienced
with Rust, so I would appreciate it if others who took a look at the
patch could chime in.
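
For readers following the thread, an added sketch of the approach the patch description outlines (read-only unveil of the resolver files plus the files named on the command line). It is not the code from the patch: it calls libc's unveil(2) directly instead of the crate, `unveil_plan` and `apply` are hypothetical names, and treating every argument as a file path is an assumption. It returns the unveil error to the caller instead of panicking.

```rust
// Added illustration; not the code from the wstunnel patch.

/// Read-only unveil list: the libc resolver files plus the files named on
/// the command line, without duplicates.
fn unveil_plan(cli_files: &[&str]) -> Vec<(String, &'static str)> {
    let mut plan = vec![
        ("/etc/hosts".to_string(), "r"),
        ("/etc/resolv.conf".to_string(), "r"),
    ];
    for f in cli_files {
        if !plan.iter().any(|(p, _)| p.as_str() == *f) {
            plan.push((f.to_string(), "r"));
        }
    }
    plan
}

/// Apply the plan with unveil(2), then lock it so no later call can widen it.
#[cfg(target_os = "openbsd")]
fn apply(plan: &[(String, &'static str)]) -> Result<(), String> {
    use std::ffi::CString;
    use std::os::raw::{c_char, c_int};
    extern "C" {
        fn unveil(path: *const c_char, permissions: *const c_char) -> c_int;
    }
    for (path, perms) in plan {
        let p = CString::new(path.as_str()).map_err(|e| e.to_string())?;
        let m = CString::new(*perms).map_err(|e| e.to_string())?;
        if unsafe { unveil(p.as_ptr(), m.as_ptr()) } != 0 {
            let err = std::io::Error::last_os_error();
            return Err(format!("unveil({}, {}) failed: {}", path, perms, err));
        }
    }
    // unveil(NULL, NULL) disables all further unveil calls.
    if unsafe { unveil(std::ptr::null(), std::ptr::null()) } != 0 {
        return Err(format!("unveil lock failed: {}", std::io::Error::last_os_error()));
    }
    Ok(())
}

/// unveil(2) is OpenBSD-only; elsewhere the plan is accepted without effect.
#[cfg(not(target_os = "openbsd"))]
fn apply(_plan: &[(String, &'static str)]) -> Result<(), String> {
    Ok(())
}

fn main() {
    // Assumption: every argument is a file the server will open.
    let args: Vec<String> = std::env::args().skip(1).collect();
    let files: Vec<&str> = args.iter().map(|s| s.as_str()).collect();
    if let Err(e) = apply(&unveil_plan(&files)) {
        eprintln!("{}", e);
        std::process::exit(1);
    }
}
```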