Skip to content

storage: pledge "stdio rpath inet dns"; with unveil too#5

Draft
omar-polo wants to merge 1 commit into
mainfrom
op/pledge
Draft

storage: pledge "stdio rpath inet dns"; with unveil too#5
omar-polo wants to merge 1 commit into
mainfrom
op/pledge

Conversation

@omar-polo
Copy link
Copy Markdown
Contributor

@omar-polo omar-polo commented Oct 7, 2025

The s3 storage ideally only needs to do stdio and open sockets. Since there's TLS in the mix we also need the golang stdlib to access the right cert.pem.

Here the thing gets a little bit more complicated. The stdlib tries to open cert.pem at "well-known" locations, including paths that don't make sense on OpenBSD (e.g. /usr/local/etc/ssl/cert.pem).

To prevent that, set SSL_CERT_FILE to /etc/ssl/cert.pem, but only if it's not already set, and unveil that path.

This is just to give an idea. If we like it I can do the same for the importer and exporter. (in this precise moment I don't have a good setup for an s3 importer, that's why it's not in the diff.)

@omar-polo
storage: pledge "stdio rpath inet dns"; with unveil too
b4808f6 
The s3 storage ideally only needs to do stdio and open sockets.  Since
there's TLS in the mix we also need the golang stdlib to access the
right cert.pem.

Here the thing gets a little bit more complicated.  The stdlib tries
to open cert.pem at "well-known" locations, including paths that don't
make sense on OpenBSD (e.g. /usr/local/etc/ssl/cert.pem).

To prevent that, set SSL_CERT_FILE to /etc/ssl/cert.pem, but only if
it's not already set, and unveil that path.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@omar-polo