From b4808f6a983850f82c9a8f6f2b9b6be5ad1efc81 Mon Sep 17 00:00:00 2001
From: Omar Polo
Date: Tue, 7 Oct 2025 17:15:26 +0000
Subject: [PATCH] storage: pledge "stdio rpath inet dns"; with unveil too

The s3 storage ideally only needs to do stdio and open sockets. Since there's TLS in the mix we also need the golang stdlib to access the right cert.pem. Here the thing gets a little bit more complicated. The stdlib tries to open cert.pem at "well-known" locations, including paths that don't make sense on OpenBSD (e.g. /usr/local/etc/ssl/cert.pem). To prevent that, set SSL_CERT_FILE to /etc/ssl/cert.pem, but only if it's not already set, and unveil that path.
---
 pledge.go | 6 ++++++
 pledge_openbsd.go | 13 +++++++++++++
 plugin/storage/main.go | 22 ++++++++++++++++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 pledge.go
 create mode 100644 pledge_openbsd.go

diff --git a/pledge.go b/pledge.go
new file mode 100644
index 0000000..ef1d335
--- /dev/null
+++ b/pledge.go
@@ -0,0 +1,6 @@
+//go:build !openbsd
+
+package s3
+
+func Unveil(string, string) error { return nil }
+func Pledge(string) error { return nil }
diff --git a/pledge_openbsd.go b/pledge_openbsd.go
new file mode 100644
index 0000000..ce0e63c
--- /dev/null
+++ b/pledge_openbsd.go
@@ -0,0 +1,13 @@
+//go:build openbsd
+
+package s3
+
+import "golang.org/x/sys/unix"
+
+func Unveil(path, perm string) error {
+ return unix.Unveil(path, perm)
+}
+
+func Pledge(promises string) error {
+ return unix.PledgePromises(promises)
+}
diff --git a/plugin/storage/main.go b/plugin/storage/main.go
index bd2c03e..6a2fa32 100644
--- a/plugin/storage/main.go
+++ b/plugin/storage/main.go
@@ -1,12 +1,34 @@
 package main
 
 import (
+ "log"
  "os"
+ "runtime"
 
  sdk "github.com/PlakarKorp/go-kloset-sdk"
+ s3 "github.com/PlakarKorp/integration-s3"
  "github.com/PlakarKorp/integration-s3/storage"
 )
 
 func main() {
+ // golang stdlib tries to open cert files at "well known"
+ // locations. On OpenBSD, we only really have
+ // /etc/ssl/cert.pem, so that's a safe guess, but attempt to
+ // respect SSL_CERT_FILE if set.
+ if runtime.GOOS == "openbsd" {
+ cert, ok := os.LookupEnv("SSL_CERT_FILE")
+ if !ok {
+ cert = "/etc/ssl/cert.pem"
+ os.Setenv("SSL_CERT_FILE", cert)
+ }
+
+ if err := s3.Unveil(cert, "r"); err != nil {
+ log.Fatalln("unveil /etc/ssl/cert.pem:", err)
+ }
+ if err := s3.Pledge("stdio rpath inet dns"); err != nil {
+ log.Fatalln("pledge:", err)
+ }
+ }
+
  sdk.EntrypointStorage(os.Args, storage.NewStore)
 }
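Review bot: The unveil failure message in `main` hard-codes `/etc/ssl/cert.pem`, but `cert` may have come from `SSL_CERT_FILE`, so a bad override is reported against the wrong path; `log.Fatalln("unveil "+cert+":", err)` would name the file actually passed to `s3.Unveil`. The return value of `os.Setenv` is also ignored, unlike the two sandbox calls, which exit on failure. Because the promise string carries no `unveil` promise, the filesystem view is final once `s3.Pledge` returns, and a short comment such as `// only cert is visible from here on; pledge without "unveil" locks the view` would record that for the next maintainer. If a CA directory supplied through `SSL_CERT_DIR` is meant to be supported, it is not unveiled here and would presumably just look missing to the stdlib, which is worth confirming.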