From: Christoph Liebender
Subject: Re: net/wstunnel: add unveil(2) restrictions
To: ports@openbsd.org
Date: Sun, 1 Jun 2025 12:54:17 +0200

On 24.05.25 at 18:18, Christoph Liebender wrote:
> Hello ports@,
>
> this patch adds unveil restrictions to the server part of net/wstunnel.
> It seems quite straightforward as the only files that are opened are
> specified in the commandline. Additionally, the server may use the libc
> resolver, therefore, /etc/{hosts, resolv.conf} are required as well.
> Reason being that either the user has configured the usage of the libc
> resolver, or the server falls back to it... At least that's what the
> code seems to be doing.
>
> I haven't added client restrictions as I'm not using that on OpenBSD
> right now.
>
> Fortunately, there is a crate that makes unveil(2) somewhat comfortable
> to use in rust, which is an additional dependency now.
>
> Running with bad args gets you:
>
> # wstunnel server ws://0.0.0.0:4444 --restrict-config /asdf/jk.l
>
> thread 'main' panicked at wstunnel-cli/src/main.rs:122:69:
> unveil(/asdf/jk.l, r) failed: No such file or directory (os error 2)
>
> Otherwise, it works fine on my machine. :)
>
> testers, comments, ok?
>
> - Christoph

Pong!
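The unveil policy the quoted mail describes (only the config files named on the command line, read-only, plus /etc/hosts and /etc/resolv.conf for the libc resolver, then lock the list), as an added example that is not the patch from this thread: it calls the libc unveil(2) symbol directly rather than the crate the mail mentions, and the function names, the `--restrict-config` parsing in `main` and the no-op fallback on non-OpenBSD systems are assumptions made here.

```rust
use std::io;
use std::path::{Path, PathBuf};

/// Paths the server must still be able to open after unveil(2): every
/// config file named on the command line (read-only) plus the libc
/// resolver's inputs, because the server may fall back to that resolver.
pub fn unveil_plan<P: AsRef<Path>>(configs: &[P]) -> Vec<(PathBuf, &'static str)> {
    let mut plan: Vec<(PathBuf, &'static str)> =
        configs.iter().map(|p| (p.as_ref().to_path_buf(), "r")).collect();
    plan.push((PathBuf::from("/etc/hosts"), "r"));
    plan.push((PathBuf::from("/etc/resolv.conf"), "r"));
    plan
}

/// One unveil(2) call via the libc symbol; None/None is the NULL/NULL
/// pair that locks the list so no later unveil call can widen it.
#[cfg(target_os = "openbsd")]
fn unveil_raw(path: Option<&Path>, perms: Option<&str>) -> io::Result<()> {
    use std::{ffi::CString, os::raw::{c_char, c_int}, os::unix::ffi::OsStrExt, ptr};
    extern "C" { fn unveil(p: *const c_char, m: *const c_char) -> c_int; }
    let p = path.map(|p| CString::new(p.as_os_str().as_bytes())).transpose()?;
    let m = perms.map(CString::new).transpose()?;
    let rc = unsafe {
        unveil(p.as_ref().map_or(ptr::null(), |c| c.as_ptr()),
               m.as_ref().map_or(ptr::null(), |c| c.as_ptr()))
    };
    if rc == 0 { Ok(()) } else { Err(io::Error::last_os_error()) }
}

/// Assumption for this example: a no-op on systems without unveil(2).
#[cfg(not(target_os = "openbsd"))]
fn unveil_raw(_path: Option<&Path>, _perms: Option<&str>) -> io::Result<()> { Ok(()) }

/// Apply the plan, then lock it. Errors carry the same shape as the
/// panic in the mail ("unveil(<path>, r) failed: No such file ...").
pub fn apply_unveil<P: AsRef<Path>>(configs: &[P]) -> Result<usize, String> {
    let plan = unveil_plan(configs);
    for (path, perms) in &plan {
        unveil_raw(Some(path.as_path()), Some(*perms))
            .map_err(|e| format!("unveil({}, {}) failed: {}", path.display(), perms, e))?;
    }
    unveil_raw(None, None).map_err(|e| format!("unveil(NULL, NULL) failed: {}", e))?;
    Ok(plan.len())
}

fn main() {
    // Constructed argument handling: everything after --restrict-config is a config path.
    let configs: Vec<String> = std::env::args().skip_while(|a| a != "--restrict-config").skip(1).collect();
    match apply_unveil(&configs) { Ok(n) => println!("unveiled {n} paths"), Err(e) => panic!("{e}") }
}
```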