From: Klemens Nanni <kn@openbsd.org>
Subject: net/syncthing: use unveil(2) to limit execution
To: ports <ports@openbsd.org>, Edd Barrett <edd@openbsd.org>
Date: Sun, 27 Oct 2024 13:52:06 +0000

Dropping "proc exec" isn't possible since this thing can restart itself and,
by default or via --browser-only, opens its web interface via xdg-open(1).

Restrict +x to those to files.

Works without issues for me.
Tests?
Feedback? Objection? OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/syncthing/Makefile,v
diff -u -p -r1.67 Makefile
--- Makefile	4 Oct 2024 07:55:43 -0000	1.67
+++ Makefile	27 Oct 2024 12:11:25 -0000
@@ -3,6 +3,7 @@ COMMENT =	open decentralized synchroniza
 V =		1.27.12
 DISTNAME =	syncthing-${V}
 DISTFILES =	syncthing-source-v${V}${EXTRACT_SUFX}
+REVISION =	0
 
 CATEGORIES =	net
 HOMEPAGE =	https://syncthing.net/
@@ -11,6 +12,7 @@ MAINTAINER =	Edd Barrett <edd@openbsd.or
 # MPL 2.0
 PERMIT_PACKAGE = Yes
 
+# uses unveil()
 WANTLIB += c pthread
 
 SITES = https://github.com/syncthing/syncthing/releases/download/v${V}/
Index: patches/patch-cmd_syncthing_main_go
===================================================================
RCS file: patches/patch-cmd_syncthing_main_go
diff -N patches/patch-cmd_syncthing_main_go
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-cmd_syncthing_main_go	27 Oct 2024 13:35:59 -0000
@@ -0,0 +1,36 @@
+use unveil(2) to limit execution to
+- restarting itself
+- xdg-open(1) aka. to open the web interface
+
+Index: cmd/syncthing/main.go
+--- cmd/syncthing/main.go.orig
++++ cmd/syncthing/main.go
+@@ -29,6 +29,8 @@ import (
+ 	"syscall"
+ 	"time"
+ 
++	"golang.org/x/sys/unix"
++
+ 	"github.com/alecthomas/kong"
+ 	_ "github.com/syncthing/syncthing/lib/automaxprocs"
+ 	"github.com/thejerf/suture/v4"
+@@ -206,6 +208,19 @@ func defaultVars() kong.Vars {
+ }
+ 
+ func main() {
++	if err := unix.Unveil("/", "rwc"); err != nil {
++		panic(err)
++	}
++	if err := unix.Unveil("/usr/local/bin/syncthing", "rx"); err != nil {
++		panic(err)
++	}
++	if err := unix.Unveil("/usr/local/bin/xdg-open", "rx"); err != nil {
++		panic(err)
++	}
++	if err := unix.UnveilBlock(); err != nil {
++		panic(err)
++	}
++
+ 	// First some massaging of the raw command line to fit the new model.
+ 	// Basically this means adding the default command at the front, and
+ 	// converting -options to --options.