Dropping the "proc exec" pledge(2) promises isn't possible, since this thing can restart itself and,
by default or via --browser-only, opens its web interface via xdg-open(1).

Restrict +x to those two files.

Works without issues for me.
Tests?
Feedback? Objection? OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/syncthing/Makefile,v
diff -u -p -r1.67 Makefile
--- Makefile    4 Oct 2024 07:55:43 -0000       1.67
+++ Makefile    27 Oct 2024 12:11:25 -0000
@@ -3,6 +3,7 @@ COMMENT =       open decentralized synchroniza
 V =            1.27.12
 DISTNAME =     syncthing-${V}
 DISTFILES =    syncthing-source-v${V}${EXTRACT_SUFX}
+REVISION =     0
 
 CATEGORIES =   net
 HOMEPAGE =     https://syncthing.net/
@@ -11,6 +12,7 @@ MAINTAINER =  Edd Barrett <e...@openbsd.or
 # MPL 2.0
 PERMIT_PACKAGE = Yes
 
+# uses unveil()
 WANTLIB += c pthread
 
 SITES = https://github.com/syncthing/syncthing/releases/download/v${V}/
Index: patches/patch-cmd_syncthing_main_go
===================================================================
RCS file: patches/patch-cmd_syncthing_main_go
diff -N patches/patch-cmd_syncthing_main_go
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-cmd_syncthing_main_go 27 Oct 2024 13:35:59 -0000
@@ -0,0 +1,36 @@
+use unveil(2) to limit execution to
+- restarting itself
+- xdg-open(1) aka. to open the web interface
+
+Index: cmd/syncthing/main.go
+--- cmd/syncthing/main.go.orig
++++ cmd/syncthing/main.go
+@@ -29,6 +29,8 @@ import (
+       "syscall"
+       "time"
+ 
++      "golang.org/x/sys/unix"
++
+       "github.com/alecthomas/kong"
+       _ "github.com/syncthing/syncthing/lib/automaxprocs"
+       "github.com/thejerf/suture/v4"
+@@ -206,6 +208,19 @@ func defaultVars() kong.Vars {
+ }
+ 
+ func main() {
++      if err := unix.Unveil("/", "rwc"); err != nil {
++              panic(err)
++      }
++      if err := unix.Unveil("/usr/local/bin/syncthing", "rx"); err != nil {
++              panic(err)
++      }
++      if err := unix.Unveil("/usr/local/bin/xdg-open", "rx"); err != nil {
++              panic(err)
++      }
++      if err := unix.UnveilBlock(); err != nil {
++              panic(err)
++      }
++
+       // First some massaging of the raw command line to fit the new model.
+       // Basically this means adding the default command at the front, and
+       // converting -options to --options.
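Review bot: The restart path is hard-coded as `/usr/local/bin/syncthing` in the second Unveil call, so a binary run from anywhere else (a build tree, a LOCALBASE other than /usr/local) starts fine but can no longer re-exec itself, and the failure only shows up later as a denied exec at restart time; unveiling the running executable's own path via os.Executable(), or having the port substitute ${LOCALBASE} into the patch at build time, avoids that, and the xdg-open path has the same problem. Separately, unveil(2) state is inherited across fork and exec, so with "/" at "rwc" (no x) xdg-open(1) itself — presumably a script that needs its interpreter, and then the browser it launches — likely cannot exec anything unless those paths are also unveiled with x; worth confirming the "open the web interface" case was actually exercised, not just the restart. A short comment above the block, e.g. `// Restrict exec to ourselves (restart) and xdg-open; "rx" without "w" also blocks in-place self-upgrade.`, would spare the next reader a surprise if upgrade is left enabled. main's body continues outside the hunk, and this assumes "os" is already imported in main.go.
```go
// Restrict exec to ourselves (for restart) and xdg-open; "/" stays
// readable/writable but not executable.
if err := unix.Unveil("/", "rwc"); err != nil {
	panic(err)
}
exe, err := os.Executable()
if err != nil {
	panic(err)
}
if err := unix.Unveil(exe, "rx"); err != nil {
	panic(err)
}
// … unchanged: xdg-open unveil and UnveilBlock …
```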
