From 37cce42042e78c44b37cde4443810717b74f6e26 Mon Sep 17 00:00:00 2001
From: Klemens Nanni
Date: Thu, 12 Dec 2024 22:27:21 +0300
Subject: [PATCH] Use pledge(2) on OpenBSD

Straight forward thanks to all privileged operations being done early enough during startup. Basically forbid all groups of syscalls except for networking, so no fileystem access, signals, process management, etc.
---
 cmd/yggdrasil/main.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go
index b3cbecf03..5223be52e 100644
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@@ -312,6 +312,22 @@ func main() {
 }
 }
+ // Promise final modes of operation. At this point, if at all:
+ // - raw socket is created/open
+ // - admin socket is created/open
+ // - privileges are dropped to non-root user
+ promises := []string{"stdio", "inet", "dns"}
+ if strings.HasPrefix(cfg.AdminListen, "unix://") {
+ // Go's net.Listen.Close() itself will delete the file on shutdown.
+ promises = append(promises, "cpath")
+ }
+ if len(cfg.MulticastInterfaces) > 0 {
+ promises = append(promises, "mcast")
+ }
+ if err := protect.Pledge(strings.Join(promises, " ")); err != nil {
+ panic(fmt.Sprintf("pledge: %v: %v", promises, err))
+ }
+
 // Block until we are told to shut down.
 <-ctx.Done()