Skip to content

OpenBSD hardening: implement unveil/pledge correctly in daemon init#2401

Closed
daviduhden wants to merge 2 commits into
PurpleI2P:opensslfrom
daviduhden:openbsd-pledge-unveil-correct
Closed

OpenBSD hardening: implement unveil/pledge correctly in daemon init#2401
daviduhden wants to merge 2 commits into
PurpleI2P:opensslfrom
daviduhden:openbsd-pledge-unveil-correct

Conversation

@daviduhden

@daviduhden daviduhden commented Jun 8, 2026

Copy link
Copy Markdown

This PR implements OpenBSD hardening (unveil(2) + pledge(2)) in Daemon::init, based on the intent of #2366, with runtime-path handling aligned to i2pd behavior.

What this changes

  • Adds OpenBSD-only hardening in daemon/Daemon.cpp (guarded by #ifdef __OpenBSD__).
  • Applies unveil() to effective i2pd runtime paths (resolved from config/defaults), including:
    • main config
    • datadir
    • certsdir
    • tunconf
    • tunnelsdir
    • pidfile
    • logfile
    • local reseed files
  • Locks unveil rules with unveil(nullptr, nullptr).
  • Applies pledge("stdio inet dns flock rpath wpath cpath", nullptr).
  • Handles hardening failures with explicit logging and clean init failure (return false).

Why this version

The implementation uses resolved runtime paths rather than only raw config keys, so defaults used by i2pd are covered consistently. It also avoids treating https:// reseed URLs as filesystem paths for unveil rules.

Copilot AI review requested due to automatic review settings June 8, 2026 03:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds OpenBSD-specific sandboxing to the daemon startup path by restricting filesystem access via unveil() and locking down permitted syscalls via pledge().

Changes:

  • Add OpenBSD-only includes and startup logic for unveil() rules and pledge()
  • Compute runtime paths from config/defaults and unveil only those paths
  • Lock unveil() and abort startup on sandbox init failure

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread daemon/Daemon.cpp
Comment thread daemon/Daemon.cpp Outdated
@daviduhden

daviduhden commented Jun 8, 2026

Copy link
Copy Markdown
Author

Verified on OpenBSD 7.9 with a clean build, unit tests, and a real runtime trace under ktrace.

Build and tests:

cmake -S build -B build-openbsd -G "Unix Makefiles" \
  -DCMAKE_BUILD_TYPE=RelWithDebInfo \
  -DBUILD_TESTING=ON

gmake -C build-openbsd -j "$(sysctl -n hw.ncpuonline 2>/dev/null || sysctl -n hw.ncpu || echo 4)"

ctest --test-dir build-openbsd --output-on-failure

Result:

13/13 tests passed

Runtime verification with a minimal config and kernel tracing:

  • ktrace showed multiple unveil(...) calls from i2pd.
  • kdump confirmed unveil(NULL, NULL) to lock the unveil table.
  • kdump confirmed pledge("stdio inet dns flock rpath wpath cpath", NULL).
  • All pledge(2) and unveil(2) calls returned 0.
  • kdump -t p showed no pledge violations.
  • The webconsole came up successfully on 127.0.0.1:7070.

In short: the OpenBSD hardening reaches the kernel correctly and does not break normal startup.

@daviduhden daviduhden closed this Jun 8, 2026
@daviduhden daviduhden deleted the openbsd-pledge-unveil-correct branch June 8, 2026 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants