On 24.05.25 at 18:18, Christoph Liebender wrote:
Hello ports@,

this patch adds unveil restrictions to the server part of net/wstunnel. It seems quite straightforward as the only files that are opened are specified in the command line. Additionally, the server may use the libc resolver, therefore, /etc/{hosts, resolv.conf} are required as well. Reason being that either the user has configured the usage of the libc resolver, or the server falls back to it... At least that's what the code seems to be doing.

I haven't added client restrictions as I'm not using that on OpenBSD right now.

Fortunately, there is a crate that makes unveil(2) somewhat comfortable to use in Rust, which is an additional dependency now.

Running with bad args gets you:

# wstunnel server ws://0.0.0.0:4444 --restrict-config /asdf/jk.l

thread 'main' panicked at wstunnel-cli/src/main.rs:122:69:
unveil(/asdf/jk.l, r) failed: No such file or directory (os error 2)

Otherwise, it works fine on my machine. :)

testers, comments, ok?

- Christoph

Pong!
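
The approach described in the quoted message, sketched as an added example; it is not the code from the patch or from wstunnel. It declares the libc unveil(2) symbol directly instead of using the crate the message mentions, returns an error instead of panicking, and the function names and the path in main() are constructed for illustration.

```rust
use std::ffi::CString;
use std::io;
use std::os::raw::{c_char, c_int};

#[cfg(target_os = "openbsd")]
extern "C" {
    // unveil(2) from OpenBSD libc (edition 2024 wants `unsafe extern "C"`).
    fn unveil(path: *const c_char, permissions: *const c_char) -> c_int;
}

// Stand-in so the example builds on other systems; it restricts nothing.
#[cfg(not(target_os = "openbsd"))]
unsafe fn unveil(_path: *const c_char, _permissions: *const c_char) -> c_int { 0 }

/// Resolver files plus every file named on the command line, read-only, deduplicated.
fn unveil_plan(cli_files: &[&str]) -> Vec<(String, &'static str)> {
    let mut paths: Vec<&str> = vec!["/etc/hosts", "/etc/resolv.conf"];
    paths.extend_from_slice(cli_files);
    let mut plan: Vec<(String, &'static str)> = Vec::new();
    for p in paths {
        if !plan.iter().any(|(q, _)| q.as_str() == p) {
            plan.push((p.to_string(), "r"));
        }
    }
    plan
}

/// Unveil each entry, then lock the list. A missing file surfaces as ENOENT.
fn apply(plan: &[(String, &str)]) -> io::Result<()> {
    for (path, perms) in plan {
        let (p, m) = (CString::new(path.as_str())?, CString::new(*perms)?);
        if unsafe { unveil(p.as_ptr(), m.as_ptr()) } == -1 {
            let e = io::Error::last_os_error();
            return Err(io::Error::new(e.kind(), format!("unveil({path}, {perms}): {e}")));
        }
    }
    // unveil(NULL, NULL) disables any further unveil calls for this process.
    if unsafe { unveil(std::ptr::null(), std::ptr::null()) } == -1 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

fn main() {
    // Constructed path standing in for the value of --restrict-config.
    let plan = unveil_plan(&["/etc/wstunnel/restrict.yaml"]);
    if let Err(e) = apply(&plan) {
        eprintln!("{e}");
        std::process::exit(1);
    }
}
```

The list has to be applied after argument parsing, since the paths come from the command line, and before the server starts accepting connections.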
