From: Bjorn Ketelaars
Subject: Re: net/wstunnel: add unveil(2) restrictions
To: Christoph Liebender
Cc: ports@openbsd.org
Date: Sun, 1 Jun 2025 14:57:01 +0200

On Sun 01/06/2025 12:54, Christoph Liebender wrote:
> On 24.05.25 at 18:18, Christoph Liebender wrote:
> > Hello ports@,
> >
> > this patch adds unveil restrictions to the server part of net/wstunnel.
> > It seems quite straightforward as the only files that are opened are
> > specified on the command line. Additionally, the server may use the libc
> > resolver, therefore, /etc/{hosts, resolv.conf} are required as well.
> > Reason being that either the user has configured the usage of the libc
> > resolver, or the server falls back to it... At least that's what the
> > code seems to be doing.
> >
> > I haven't added client restrictions as I'm not using that on OpenBSD
> > right now.
> >
> > Fortunately, there is a crate that makes unveil(2) somewhat comfortable
> > to use in Rust, which is an additional dependency now.
> >
> > Running with bad args gets you:
> >
> > # wstunnel server ws://0.0.0.0:4444 --restrict-config /asdf/jk.l
> >
> > thread 'main' panicked at wstunnel-cli/src/main.rs:122:69:
> > unveil(/asdf/jk.l, r) failed: No such file or directory (os error 2)
> >
> > Otherwise, it works fine on my machine. :)
> >
> > testers, comments, ok?
> >
> > - Christoph
>
> Pong!
> Lightly tested and seems to work fine for me. I am not too experienced with
> Rust, so I would appreciate it if others who took a look at the patch could
> chime in.
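The pattern the thread describes (unveil only the files named on the command line, plus /etc/hosts and /etc/resolv.conf because the server may fall back to the libc resolver, and fail loudly on a bad path such as /asdf/jk.l) as an added, self-contained example. This is not wstunnel's code and not Christoph's patch: it calls unveil(2) directly through a C FFI declaration instead of the crate the patch uses, the option names in `ServerFiles` are assumptions modelled on the `--restrict-config` flag shown above, and on non-OpenBSD systems the unveil calls are compiled out so only the planning logic runs. The existence check before each call turns the panic shown in the thread into an error that names the offending path and exits cleanly.

```rust
// Added example, not part of net/wstunnel: plan and apply unveil(2)
// restrictions for a server whose only files come from its command line.
use std::io;
use std::path::{Path, PathBuf};

/// One unveil(2) entry: a path and its permission string ("r", "rw", "x", "c").
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UnveilEntry {
    pub path: PathBuf,
    pub perms: &'static str,
}

/// Files a server instance may be told to open (hypothetical option names).
#[derive(Debug, Default)]
pub struct ServerFiles {
    pub restrict_config: Option<PathBuf>,
    pub tls_certificate: Option<PathBuf>,
    pub tls_private_key: Option<PathBuf>,
}

/// Every command-line file becomes read-only; the libc resolver's configuration
/// is always included because the server may fall back to it. Duplicates are
/// dropped so a file passed twice is unveiled once.
pub fn build_plan(files: &ServerFiles) -> Vec<UnveilEntry> {
    let mut plan: Vec<UnveilEntry> = Vec::new();
    let mut push = |p: &Path| {
        if !plan.iter().any(|e| e.path.as_path() == p) {
            plan.push(UnveilEntry { path: p.to_path_buf(), perms: "r" });
        }
    };
    for opt in [&files.restrict_config, &files.tls_certificate, &files.tls_private_key] {
        if let Some(p) = opt {
            push(p);
        }
    }
    push(Path::new("/etc/hosts"));
    push(Path::new("/etc/resolv.conf"));
    plan
}

#[cfg(target_os = "openbsd")]
extern "C" {
    fn unveil(path: *const std::os::raw::c_char, perms: *const std::os::raw::c_char) -> std::os::raw::c_int;
}

/// Apply one entry: a real unveil(2) call on OpenBSD, a no-op elsewhere
/// (assumption: the planning logic is what we want to exercise portably).
fn unveil_one(entry: &UnveilEntry) -> io::Result<()> {
    #[cfg(target_os = "openbsd")]
    {
        use std::ffi::CString;
        use std::os::unix::ffi::OsStrExt;
        let path = CString::new(entry.path.as_os_str().as_bytes())?;
        let perms = CString::new(entry.perms)?;
        if unsafe { unveil(path.as_ptr(), perms.as_ptr()) } != 0 {
            return Err(io::Error::last_os_error());
        }
    }
    #[cfg(not(target_os = "openbsd"))]
    {
        let _ = entry; // nothing to restrict on this platform
    }
    Ok(())
}

/// unveil(NULL, NULL): lock the view so no further paths can be added.
fn unveil_lock() -> io::Result<()> {
    #[cfg(target_os = "openbsd")]
    {
        if unsafe { unveil(std::ptr::null(), std::ptr::null()) } != 0 {
            return Err(io::Error::last_os_error());
        }
    }
    Ok(())
}

/// Check that each path exists before calling unveil(2), so a typo like
/// `--restrict-config /asdf/jk.l` yields an error naming the path instead of a
/// panic; then unveil every entry and lock the filesystem view.
pub fn apply_plan(plan: &[UnveilEntry]) -> Result<(), String> {
    for entry in plan {
        if let Err(e) = std::fs::metadata(&entry.path) {
            return Err(format!("cannot unveil {}: {}", entry.path.display(), e));
        }
        unveil_one(entry).map_err(|e| {
            format!("unveil({}, {}) failed: {}", entry.path.display(), entry.perms, e)
        })?;
    }
    unveil_lock().map_err(|e| format!("unveil(NULL, NULL) failed: {}", e))
}

fn main() {
    // Usage: <program> [restrict-config-path]
    let files = ServerFiles {
        restrict_config: std::env::args().nth(1).map(PathBuf::from),
        ..Default::default()
    };
    let plan = build_plan(&files);
    for e in &plan {
        println!("unveil({}, {})", e.path.display(), e.perms);
    }
    if let Err(msg) = apply_plan(&plan) {
        eprintln!("{msg}");
        std::process::exit(1);
    }
}
```

Building the plan separately from applying it keeps the set of unveiled paths reviewable in one place; any new file-opening option has to be added to `build_plan`, which is where a reviewer would look when asking whether the server can still reach a path it needs.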