On 2/24/21 2:44 PM, Stuart Henderson wrote:
The pledge isn't ready yet, it has "stdio getpw inet dns rpath proc id" but from a quick glance at docs, it writes files if configured (access_log, error_log, pidfile), and there are some things using unix sockets. Typically with a configurable program, pledge would be done (or ratcheted down) after parsing config and figuring out what is needed (I guess it can get rid of rpath in some cases too if you do that; one of the really big wins from pledge is denying file access to processes that also have internet access).
I released 0.6.4 to fix this by adding wpath and unix to pledge. I still need to check whether it's really possible to remove wpath. rpath doesn't seem to be removable. It's not optimal yet, but this removes at least some rights.
It also fixes transparent proxying with IPv6.
Index: Makefile =================================================================== RCS file: /cvs/ports/net/sniproxy/Makefile,v retrieving revision 1.2 diff -u -p -r1.2 Makefile --- Makefile 9 Feb 2021 15:06:50 -0000 1.2 +++ Makefile 1 Mar 2021 13:15:25 -0000 @@ -2,15 +2,13 @@ COMMENT = name-based proxying of HTTPS without decrypting traffic -GH_ACCOUNT = dlundquist +GH_ACCOUNT = renaudallard GH_PROJECT = sniproxy -GH_TAGNAME = 0.6.0 - -REVISION = 0 +GH_TAGNAME = 0.6.4 CATEGORIES = net -HOMEPAGE = https://github.com/dlundquist/sniproxy +HOMEPAGE = https://github.com/renaudallard/sniproxy MAINTAINER = Renaud Allard <[email protected]> Index: distinfo =================================================================== RCS file: /cvs/ports/net/sniproxy/distinfo,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 distinfo --- distinfo 8 Apr 2020 04:56:52 -0000 1.1.1.1 +++ distinfo 1 Mar 2021 13:15:25 -0000 @@ -1,2 +1,2 @@ -SHA256 (sniproxy-0.6.0.tar.gz) = 1zx3qfqBma56xVHAMy0+Cj/yNGI/U9ZTaaj6Vg2YgOI= -SIZE (sniproxy-0.6.0.tar.gz) = 78515 +SHA256 (sniproxy-0.6.4.tar.gz) = GKTr2n4V3PNXEc+4FpbTlSP33VoV1muZnjG8xSB4IVQ= +SIZE (sniproxy-0.6.4.tar.gz) = 79765 Index: patches/patch-sniproxy_conf =================================================================== RCS file: patches/patch-sniproxy_conf diff -N patches/patch-sniproxy_conf --- patches/patch-sniproxy_conf 8 Apr 2020 04:56:52 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,16 +0,0 @@ -$OpenBSD: patch-sniproxy_conf,v 1.1.1.1 2020/04/08 04:56:52 bket Exp $ - -Index: sniproxy.conf ---- sniproxy.conf.orig -+++ sniproxy.conf -@@ -2,8 +2,8 @@ - # lines that start with # are comments - # lines with only white space are ignored - --user nobody --group nogroup -+user _sniproxy -+group _sniproxy - - # PID file, needs to be placed in directory writable by user - pidfile /var/run/sniproxy.pid Index: patches/patch-src_config_c =================================================================== RCS file: patches/patch-src_config_c diff -N patches/patch-src_config_c --- patches/patch-src_config_c 9 Feb 2021 15:06:50 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-src_config_c,v 1.1 2021/02/09 15:06:50 tb Exp $ - -Fix incorrect format string - -Index: src/config.c ---- src/config.c.orig -+++ src/config.c -@@ -234,7 +234,7 @@ init_config(const char *filename, struct ev_loop *loop - err("error parsing %s at %jd near:", filename, whence); - fseek(file, -20, SEEK_CUR); - for (int i = 0; i < 5; i++) -- err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file)); -+ err(" %ld\t%s", ftell(file), fgets(line, sizeof(line), file)); - - free_config(config, loop); - config = NULL; Index: patches/patch-src_http_h =================================================================== RCS file: patches/patch-src_http_h diff -N patches/patch-src_http_h --- patches/patch-src_http_h 9 Feb 2021 15:06:50 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,15 +0,0 @@ -$OpenBSD: patch-src_http_h,v 1.1 2021/02/09 15:06:50 tb Exp $ - -https://github.com/dlundquist/sniproxy/pull/349 - -Index: src/http.h ---- src/http.h.orig -+++ src/http.h -@@ -29,6 +29,6 @@ - #include <stdio.h> - #include "protocol.h" - --const struct Protocol *const http_protocol; -+extern const struct Protocol *const http_protocol; - - #endif Index: patches/patch-src_tls_h =================================================================== RCS file: patches/patch-src_tls_h diff -N patches/patch-src_tls_h --- patches/patch-src_tls_h 9 Feb 2021 15:06:50 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,15 +0,0 @@ -$OpenBSD: patch-src_tls_h,v 1.1 2021/02/09 15:06:50 tb Exp $ - -https://github.com/dlundquist/sniproxy/pull/349 - -Index: src/tls.h ---- src/tls.h.orig -+++ src/tls.h -@@ -28,6 +28,6 @@ - - #include "protocol.h" - --const struct Protocol *const tls_protocol; -+extern const struct Protocol *const tls_protocol; - - #endif
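Review bot: the Makefile hunk moves GH_ACCOUNT and HOMEPAGE from dlundquist to renaudallard, so the port now builds from the maintainer's own fork rather than from upstream; the commit message should say so explicitly, and why (upstream unmaintained, or only slow to merge), because switching the source of a port to a fork is a supply-chain change that users of the port will want recorded. Dropping `REVISION = 0` together with the bump to `GH_TAGNAME = 0.6.4` is correct. The pledge change the message describes (adding wpath and unix) lives in the fork's source and not in this port diff, so it cannot be reviewed here.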
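Review bot: deleting patches/patch-sniproxy_conf drops the `user _sniproxy` / `group _sniproxy` change to the shipped sniproxy.conf; unless the 0.6.4 fork already defaults to that account, the installed example config reverts to `user nobody` / `group nogroup`, an account shared with other daemons, which undoes the dedicated-user privilege separation the port had. Please confirm the fork's sniproxy.conf carries the _sniproxy defaults (and that the `pidfile /var/run/sniproxy.pid` location stays writable by that user) before the patch is removed.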
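Review bot: the three deleted source patches (the `%jd` to `%ld` format fix for `ftell()` in src/config.c, and the `extern` on `http_protocol` / `tls_protocol` from pull/349) are removed without anything in the diff showing that 0.6.4 contains them; if the fork did not merge them, the port reintroduces the format-string mismatch and the duplicate-definition build failure that pull/349 fixed. One sentence in the commit message stating that the fork includes these changes would make the removals self-evidently safe.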
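The quoted advice is to pledge (or ratchet pledge down) only after the config has been parsed, so that file-write and unix-socket promises are granted only when the configuration actually needs them. The following is an added illustration of that pattern, not sniproxy's own code: the `proxy_config` struct, its fields, and the split into a start-up promise set and a narrower running set are assumptions for the example. The base promise string is the one quoted in the thread; `cpath` is added alongside `wpath` because creating a log or pid file that does not yet exist needs it on OpenBSD. Which of `getpw`, `proc` and `id` sniproxy can really drop after start-up is not established in the thread, so the running set here is illustrative.

```c
/* Added example (not from sniproxy): config-driven pledge(2) ratchet.
 * Builds on OpenBSD and, as a no-op, elsewhere. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical subset of a parsed sniproxy-style configuration. */
struct proxy_config {
    const char *access_log;   /* NULL when not configured */
    const char *error_log;    /* NULL when not configured */
    const char *pidfile;      /* NULL when not configured */
    int unix_sockets;         /* any listener or backend on a unix socket */
    int reopen_logs;          /* log rotation reopens files at runtime */
};

/* Append s to buf, refusing to overflow; returns -1 when it would not fit. */
static int append(char *buf, size_t len, const char *s)
{
    size_t used = strlen(buf), add = strlen(s);
    if (used + add + 1 > len)
        return -1;
    memcpy(buf + used, s, add + 1);
    return 0;
}

/* Phase 1: promises needed while logs and pidfile are created, listeners
 * bound and privileges dropped.  wpath/cpath and unix are granted only if
 * the parsed config asks for them. */
int startup_promises(const struct proxy_config *cfg, char *buf, size_t len)
{
    buf[0] = '\0';
    if (append(buf, len, "stdio getpw inet dns rpath proc id") < 0)
        return -1;
    if (cfg->access_log || cfg->error_log || cfg->pidfile)
        if (append(buf, len, " wpath cpath") < 0)
            return -1;
    if (cfg->unix_sockets)
        if (append(buf, len, " unix") < 0)
            return -1;
    return 0;
}

/* Phase 2: once files are open and sockets bound, ratchet down.  Writing to
 * already-open descriptors needs only stdio, so wpath/cpath survive only if
 * logs must be reopened later.  rpath is kept because the thread reports it
 * could not be removed; dropping getpw/proc/id is an assumption here. */
int running_promises(const struct proxy_config *cfg, char *buf, size_t len)
{
    buf[0] = '\0';
    if (append(buf, len, "stdio inet dns rpath") < 0)
        return -1;
    if (cfg->reopen_logs && (cfg->access_log || cfg->error_log))
        if (append(buf, len, " wpath cpath") < 0)
            return -1;
    if (cfg->unix_sockets)
        if (append(buf, len, " unix") < 0)
            return -1;
    return 0;
}

/* Apply a promise set; a later call may only shrink it, never grow it. */
int apply_pledge(const char *promises)
{
#ifdef __OpenBSD__
    if (pledge(promises, NULL) == -1) {
        perror("pledge");
        return -1;
    }
#else
    (void)promises;   /* no pledge(2) on this platform: nothing to enforce */
#endif
    return 0;
}

int main(void)
{
    /* Constructed sample config: an access log and a pidfile, no unix sockets. */
    struct proxy_config cfg = {
        "/var/log/sniproxy/access.log", NULL, "/var/run/sniproxy.pid", 0, 0
    };
    char promises[128];

    if (startup_promises(&cfg, promises, sizeof promises) < 0 ||
        apply_pledge(promises) < 0)
        return 1;
    printf("startup: %s\n", promises);

    /* ... open logs, write pidfile, bind listeners, switch user ... */

    if (running_promises(&cfg, promises, sizeof promises) < 0 ||
        apply_pledge(promises) < 0)
        return 1;
    printf("running: %s\n", promises);
    return 0;
}
```

The two-phase shape is what makes the "deny file access to a process that also has internet access" win possible: the wide set is held only for the few start-up calls that need it, and the long-running event loop that talks to the network runs under the narrow one.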