OpenBSD hardening: implement unveil/pledge correctly in daemon init#2401
Closed
daviduhden wants to merge 2 commits into
Closed
OpenBSD hardening: implement unveil/pledge correctly in daemon init#2401daviduhden wants to merge 2 commits into
daviduhden wants to merge 2 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds OpenBSD-specific sandboxing to the daemon startup path by restricting filesystem access via unveil() and locking down permitted syscalls via pledge().
Changes:
- Add OpenBSD-only includes and startup logic for
unveil()rules andpledge() - Compute runtime paths from config/defaults and unveil only those paths
- Lock
unveil()and abort startup on sandbox init failure
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Author
|
Verified on OpenBSD 7.9 with a clean build, unit tests, and a real runtime trace under Build and tests: cmake -S build -B build-openbsd -G "Unix Makefiles" \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
-DBUILD_TESTING=ON
gmake -C build-openbsd -j "$(sysctl -n hw.ncpuonline 2>/dev/null || sysctl -n hw.ncpu || echo 4)"
ctest --test-dir build-openbsd --output-on-failureResult: Runtime verification with a minimal config and kernel tracing:
In short: the OpenBSD hardening reaches the kernel correctly and does not break normal startup. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR implements OpenBSD hardening (
unveil(2)+pledge(2)) inDaemon::init, based on the intent of #2366, with runtime-path handling aligned to i2pd behavior.What this changes
daemon/Daemon.cpp(guarded by#ifdef __OpenBSD__).unveil()to effective i2pd runtime paths (resolved from config/defaults), including:unveil(nullptr, nullptr).pledge("stdio inet dns flock rpath wpath cpath", nullptr).return false).Why this version
The implementation uses resolved runtime paths rather than only raw config keys, so defaults used by i2pd are covered consistently. It also avoids treating
https://reseed URLs as filesystem paths for unveil rules.