From 858815bf3cce608666339a5aea850f4406052118 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 10:29:57 +0000 Subject: [PATCH 01/13] pledge --- daemon/Daemon.cpp | 40 ++++++++++++++++++++++++++++++++++++++++ libi2pd/Config.cpp | 11 +++++++++++ 2 files changed, 51 insertions(+) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 022b59f2..7f43dd00 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -10,6 +10,10 @@ #include #include +#ifdef __OpenBSD__ +# include +#endif + #include "Daemon.h" #include "Config.h" @@ -103,6 +107,42 @@ namespace util i2p::config::ParseConfig(config); i2p::config::Finalize(); +#ifdef __OpenBSD__ + auto init_pledge = []() { + std::string pledge_file; i2p::config::GetOption("openbsd.pledge_file"); + if (pledge_file == "") + { + LogPrint(eLogDebug, "Use default pledge values"); + pledge("inet dns unix sendfd recvfd error",nullptr); + } else { + std::ifstream f(pledge_file); + if(!f) { + std::cerr << "Can't open pledge file " << pledge_file< rules; + while(std::getline(f, line)){ + rules.push_back(line); + } + if(f.bad()) { + std::cerr << "IO error with pledge file" << std::endl; + } + std::ostringstream out; + for(auto r : rules) + out << r << " "; + pledge(out.str().c_str()); + } + + + }; + auto init_unevil = []() { + std::string unevil_file; i2p::config::GetOption("openbsd.unevil_file"); + } + init_pledge(); + init_unevil(); +#endif + i2p::config::GetOption("daemon", isDaemon); std::string certsdir; i2p::config::GetOption("certsdir", certsdir); diff --git a/libi2pd/Config.cpp b/libi2pd/Config.cpp index d6274828..c788a4d5 100644 --- a/libi2pd/Config.cpp +++ b/libi2pd/Config.cpp @@ -391,6 +391,14 @@ namespace config { ; #endif +#ifdef __OpenBSD__ + options_description openbsd_specific("OpenBSD specific options"); + openbsd_specific.add_options() + ("openbsd.pledge_file", value()->default_value(""), "OpenbSD file with pledge rules") + ("openbsd.unevil_file", value()->default_value(""), "OpenBSD file with unevil rules") + ; +#endif + m_OptionsDesc .add(general) .add(limits) @@ -417,6 +425,9 @@ namespace config { .add(meshnets) #ifdef __linux__ .add(unix_specific) +#endif +#ifdef __OpenBSD__ + .add(openbsd_specific) #endif ; } From 1d1067a455fa63a265f6fde4efc7857126539106 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 11:12:00 +0000 Subject: [PATCH 02/13] openbsd unevil/pledge fix compilation --- daemon/Daemon.cpp | 40 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 36 insertions(+), 4 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 7f43dd00..e18ac9cd 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -109,7 +109,7 @@ namespace util #ifdef __OpenBSD__ auto init_pledge = []() { - std::string pledge_file; i2p::config::GetOption("openbsd.pledge_file"); + std::string pledge_file; i2p::config::GetOption("openbsd.pledge_file", pledge_file); if (pledge_file == "") { LogPrint(eLogDebug, "Use default pledge values"); @@ -131,14 +131,46 @@ namespace util std::ostringstream out; for(auto r : rules) out << r << " "; - pledge(out.str().c_str()); + pledge(out.str().c_str(), nullptr); } }; auto init_unevil = []() { - std::string unevil_file; i2p::config::GetOption("openbsd.unevil_file"); - } + #define UNEVIL_DIR(dir) unevil(dir.c_str(), "rwc") + + std::string unevil_file; i2p::config::GetOption("openbsd.unevil_file",unevil_file); + UNEVIL_DIR(unevil_file); + std::string tunnelsdir, certsdir, logfile, datadir, reseed_file, openbsd_pledge_file; + i2p::config::GetOption("tunnelsdir", tunnelsdir); + UNEVIL_DIR(tunnelsdir); + i2p::config::GetOption("certsdir", certsdir); + UNEVIL_DIR(certsdir); + i2p::config::GetOption("datadir", datadir); + UNEVIL_DIR(datadir); + i2p::config::GetOption("reseed.file", reseed_file); + UNEVIL_DIR(reseed_file); + i2p::config::GetOption("openbsd.pledge_file", openbsd_pledge_file); + UNEVIL_DIR(openbsd_pledge_file); + if(unevil_file != "") + { + std::ifstream f(unevil_file); + if (!f) { + std::cerr << "Can't open unevil file" << std::endl; + exit(1); + } + //using dir_pair = struct { + // std::string path; + // std::string perms; + //}; + std::string line; + //std::vector<> dirs; + while(std::getline(f, line)){ + UNEVIL_DIR(line); + } + } + #unedf UNEVIL_DIR + }; init_pledge(); init_unevil(); #endif From acb144f7ff176f2363763215782f97734104d4d7 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 11:14:41 +0000 Subject: [PATCH 03/13] unevil logic --- daemon/Daemon.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index e18ac9cd..4864597c 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -149,9 +149,11 @@ namespace util i2p::config::GetOption("datadir", datadir); UNEVIL_DIR(datadir); i2p::config::GetOption("reseed.file", reseed_file); - UNEVIL_DIR(reseed_file); + unevil(reseed_file.c_str(), "r"); i2p::config::GetOption("openbsd.pledge_file", openbsd_pledge_file); - UNEVIL_DIR(openbsd_pledge_file); + unevil(openbsd_pledge_file.c_str(), "r"); + std::string tunconf ;i2p::config::GetOption("tunconf", tunconf); unevil(tunconf.c_str(), "r"); + std::string conf ;i2p::config::GetOption("tunconf", conf); unevil(conf.c_str(), "r"); if(unevil_file != "") { std::ifstream f(unevil_file); From a5f7c646a3e38c4854933fdd917135cff102c211 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 11:25:21 +0000 Subject: [PATCH 04/13] fix: fix compilation --- daemon/Daemon.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 4864597c..a7050f0e 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -137,7 +137,7 @@ namespace util }; auto init_unevil = []() { - #define UNEVIL_DIR(dir) unevil(dir.c_str(), "rwc") + #define UNEVIL_DIR(dir) unveil(dir.c_str(), "rwc") std::string unevil_file; i2p::config::GetOption("openbsd.unevil_file",unevil_file); UNEVIL_DIR(unevil_file); @@ -149,11 +149,11 @@ namespace util i2p::config::GetOption("datadir", datadir); UNEVIL_DIR(datadir); i2p::config::GetOption("reseed.file", reseed_file); - unevil(reseed_file.c_str(), "r"); + unveil(reseed_file.c_str(), "r"); i2p::config::GetOption("openbsd.pledge_file", openbsd_pledge_file); - unevil(openbsd_pledge_file.c_str(), "r"); - std::string tunconf ;i2p::config::GetOption("tunconf", tunconf); unevil(tunconf.c_str(), "r"); - std::string conf ;i2p::config::GetOption("tunconf", conf); unevil(conf.c_str(), "r"); + unveil(openbsd_pledge_file.c_str(), "r"); + std::string tunconf ;i2p::config::GetOption("tunconf", tunconf); unveil(tunconf.c_str(), "r"); + std::string conf ;i2p::config::GetOption("tunconf", conf); unveil(conf.c_str(), "r"); if(unevil_file != "") { std::ifstream f(unevil_file); @@ -171,7 +171,7 @@ namespace util UNEVIL_DIR(line); } } - #unedf UNEVIL_DIR + #undef UNEVIL_DIR }; init_pledge(); init_unevil(); From 2aef71fda0422254d3cb6fdd5332e2f12577a035 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 12:37:55 +0000 Subject: [PATCH 05/13] openbsd: unveil pidfile --- daemon/Daemon.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index a7050f0e..c0cbe651 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -154,6 +154,7 @@ namespace util unveil(openbsd_pledge_file.c_str(), "r"); std::string tunconf ;i2p::config::GetOption("tunconf", tunconf); unveil(tunconf.c_str(), "r"); std::string conf ;i2p::config::GetOption("tunconf", conf); unveil(conf.c_str(), "r"); + std::string pidfile ;i2p::config::GetOption("pidfile", pidfile); unveil(pidfile.c_str(), "r"); if(unevil_file != "") { std::ifstream f(unevil_file); From a49e80f9e8cae8c7bb145394fe654c04aa4fbdef Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 12:45:14 +0000 Subject: [PATCH 06/13] fix typing openbsd unveil --- daemon/Daemon.cpp | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index c0cbe651..497fda45 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -137,17 +137,17 @@ namespace util }; auto init_unevil = []() { - #define UNEVIL_DIR(dir) unveil(dir.c_str(), "rwc") + #define UNVEIL_DIR(dir) unveil(dir.c_str(), "rwc") std::string unevil_file; i2p::config::GetOption("openbsd.unevil_file",unevil_file); - UNEVIL_DIR(unevil_file); + UNVEIL_DIR(unevil_file); std::string tunnelsdir, certsdir, logfile, datadir, reseed_file, openbsd_pledge_file; i2p::config::GetOption("tunnelsdir", tunnelsdir); - UNEVIL_DIR(tunnelsdir); + UNVEIL_DIR(tunnelsdir); i2p::config::GetOption("certsdir", certsdir); - UNEVIL_DIR(certsdir); + UNVEIL_DIR(certsdir); i2p::config::GetOption("datadir", datadir); - UNEVIL_DIR(datadir); + UNVEIL_DIR(datadir); i2p::config::GetOption("reseed.file", reseed_file); unveil(reseed_file.c_str(), "r"); i2p::config::GetOption("openbsd.pledge_file", openbsd_pledge_file); @@ -162,17 +162,12 @@ namespace util std::cerr << "Can't open unevil file" << std::endl; exit(1); } - //using dir_pair = struct { - // std::string path; - // std::string perms; - //}; std::string line; - //std::vector<> dirs; while(std::getline(f, line)){ - UNEVIL_DIR(line); + UNVEIL_DIR(line); } } - #undef UNEVIL_DIR + #undef UNVEIL_DIR }; init_pledge(); init_unevil(); From e888070f079dfa5e8090cbacf3414d37d71130ff Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:02:57 +0000 Subject: [PATCH 07/13] pledge openbsd --- daemon/Daemon.cpp | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 497fda45..f6173966 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -113,7 +113,8 @@ namespace util if (pledge_file == "") { LogPrint(eLogDebug, "Use default pledge values"); - pledge("inet dns unix sendfd recvfd error",nullptr); + // TODO: remove that not need + pledge("stdio rpath wpath cpath inet dns unix recvfd sendfd proc exec error tmppath mcast chown flock",nullptr); } else { std::ifstream f(pledge_file); if(!f) { @@ -137,6 +138,15 @@ namespace util }; auto init_unevil = []() { + unveil("/usr/lib", "rx"); + unveil("/usr/local/lib", "rx"); + unveil("/lib", "rx"); + unveil("/lib", "r"); + unveil("/usr/libexec", "rx"); + unveil("/dev/urandom", "r"); + unveil("/tmp", "rw"); + unveil("/etc/i2pd", "r"); + #define UNVEIL_DIR(dir) unveil(dir.c_str(), "rwc") std::string unevil_file; i2p::config::GetOption("openbsd.unevil_file",unevil_file); @@ -154,7 +164,8 @@ namespace util unveil(openbsd_pledge_file.c_str(), "r"); std::string tunconf ;i2p::config::GetOption("tunconf", tunconf); unveil(tunconf.c_str(), "r"); std::string conf ;i2p::config::GetOption("tunconf", conf); unveil(conf.c_str(), "r"); - std::string pidfile ;i2p::config::GetOption("pidfile", pidfile); unveil(pidfile.c_str(), "r"); + std::string pidfile ;i2p::config::GetOption("pidfile", pidfile); unveil(pidfile.c_str(), "rwc"); + i2p::config::GetOption("logfile", pidfile); unveil(logfile.c_str(), "rwc"); if(unevil_file != "") { std::ifstream f(unevil_file); @@ -168,9 +179,10 @@ namespace util } } #undef UNVEIL_DIR + unveil(NULL, NULL); }; - init_pledge(); init_unevil(); + init_pledge(); #endif i2p::config::GetOption("daemon", isDaemon); From 91e27623d517af101ee3e02a1f5ae0450b135991 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:03:57 +0000 Subject: [PATCH 08/13] fix unveil option --- daemon/Daemon.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index f6173966..6c27bd6e 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -165,7 +165,7 @@ namespace util std::string tunconf ;i2p::config::GetOption("tunconf", tunconf); unveil(tunconf.c_str(), "r"); std::string conf ;i2p::config::GetOption("tunconf", conf); unveil(conf.c_str(), "r"); std::string pidfile ;i2p::config::GetOption("pidfile", pidfile); unveil(pidfile.c_str(), "rwc"); - i2p::config::GetOption("logfile", pidfile); unveil(logfile.c_str(), "rwc"); + i2p::config::GetOption("logfile", logfile); unveil(logfile.c_str(), "rwc"); if(unevil_file != "") { std::ifstream f(unevil_file); From 8c20c2263cf98c59da627936bd5219a946e7bda0 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:20:02 +0000 Subject: [PATCH 09/13] remove pledge rule: exec --- daemon/Daemon.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 6c27bd6e..01a590c3 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -114,7 +114,7 @@ namespace util { LogPrint(eLogDebug, "Use default pledge values"); // TODO: remove that not need - pledge("stdio rpath wpath cpath inet dns unix recvfd sendfd proc exec error tmppath mcast chown flock",nullptr); + pledge("stdio rpath wpath cpath inet dns unix recvfd sendfd proc error mcast chown flock",nullptr); } else { std::ifstream f(pledge_file); if(!f) { From 3d3c8226da3421fb6d5a57a538b55b79b5d459da Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:30:01 +0000 Subject: [PATCH 10/13] =?UTF-8?q?fix=20rule.=20=D1=81=D0=BE=D0=BD=D1=8F=20?= =?UTF-8?q?=D1=81=D0=BA=D0=B0=D0=B7=D0=B0=D0=BB=D0=B0=20=D1=85=D0=B2=D0=B0?= =?UTF-8?q?=D1=82=D0=B8=D1=82=20=D0=BF=D1=80=D0=B0=D0=B2=20=D1=82=D0=B0?= =?UTF-8?q?=D0=BA=D0=B8=D1=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- daemon/Daemon.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 01a590c3..0c2bf661 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -138,11 +138,11 @@ namespace util }; auto init_unevil = []() { - unveil("/usr/lib", "rx"); - unveil("/usr/local/lib", "rx"); - unveil("/lib", "rx"); + unveil("/usr/lib", "r"); + unveil("/usr/local/lib", "r"); unveil("/lib", "r"); - unveil("/usr/libexec", "rx"); + unveil("/lib", "r"); + unveil("/usr/libexec", "r"); unveil("/dev/urandom", "r"); unveil("/tmp", "rw"); unveil("/etc/i2pd", "r"); From dd3cc6feb6b772f01629f6416ba829f223baec25 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:32:40 +0000 Subject: [PATCH 11/13] fix: fix daemon.cpp --- daemon/Daemon.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 0c2bf661..40049778 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -140,12 +140,10 @@ namespace util auto init_unevil = []() { unveil("/usr/lib", "r"); unveil("/usr/local/lib", "r"); - unveil("/lib", "r"); - unveil("/lib", "r"); unveil("/usr/libexec", "r"); unveil("/dev/urandom", "r"); unveil("/tmp", "rw"); - unveil("/etc/i2pd", "r"); + unveil("/etc/i2pd", "r"); // ваще не нужно вроде на весь прям каталог #define UNVEIL_DIR(dir) unveil(dir.c_str(), "rwc") From 1333c923de7c281e2a635b0a19e3c076a9efa844 Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:37:55 +0000 Subject: [PATCH 12/13] only ld.so from libexec --- daemon/Daemon.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 40049778..37033f02 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -140,7 +140,7 @@ namespace util auto init_unevil = []() { unveil("/usr/lib", "r"); unveil("/usr/local/lib", "r"); - unveil("/usr/libexec", "r"); + unveil("/usr/libexec/ld.so", "r"); unveil("/dev/urandom", "r"); unveil("/tmp", "rw"); unveil("/etc/i2pd", "r"); // ваще не нужно вроде на весь прям каталог From dbe0aab063f003fe54edb5284586d844e418a74e Mon Sep 17 00:00:00 2001 From: user <60944239+wipedlifepotato@users.noreply.github.com> Date: Mon, 8 Jun 2026 14:29:04 +0000 Subject: [PATCH 13/13] option for disable unveil/pledge --- daemon/Daemon.cpp | 6 ++++-- libi2pd/Config.cpp | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/daemon/Daemon.cpp b/daemon/Daemon.cpp index 37033f02..ecb73965 100644 --- a/daemon/Daemon.cpp +++ b/daemon/Daemon.cpp @@ -179,8 +179,10 @@ namespace util #undef UNVEIL_DIR unveil(NULL, NULL); }; - init_unevil(); - init_pledge(); + bool openbsd_unevil_enabled; i2p::config::GetOption("openbsd.unevil_enabled", openbsd_unevil_enabled); + bool openbsd_pledge_enabled; i2p::config::GetOption("openbsd.pledge_enabled", openbsd_pledge_enabled); + if(openbsd_unevil_enabled) init_unevil(); + if(openbsd_pledge_enabled) init_pledge(); #endif i2p::config::GetOption("daemon", isDaemon); diff --git a/libi2pd/Config.cpp b/libi2pd/Config.cpp index c788a4d5..5ab97a0f 100644 --- a/libi2pd/Config.cpp +++ b/libi2pd/Config.cpp @@ -396,6 +396,8 @@ namespace config { openbsd_specific.add_options() ("openbsd.pledge_file", value()->default_value(""), "OpenbSD file with pledge rules") ("openbsd.unevil_file", value()->default_value(""), "OpenBSD file with unevil rules") + ("openbsd.unevil_enabled", value()->default_value(true), "use unevil rues") + ("openbsd.pledge_enabled", value()->default_value(true), "use pledge rules") ; #endif