From a6fcdfca2a41d4b8a6ad7cf2b3e3719b2fe21dc5 Mon Sep 17 00:00:00 2001
From: Klemens Nanni
Date: Sun, 20 Oct 2024 12:19:01 +0300
Subject: [PATCH] pledge yggdrasilctl

The CLI is simple, but parses config files and communicates over the network with arbitrary endpoints. Limit system operations to that is needed before doing anything and drop all priviledges after config file and socket handling is done, i.e. do parse and speak over the network completely unprivileged.
---
 cmd/yggdrasilctl/main.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cmd/yggdrasilctl/main.go b/cmd/yggdrasilctl/main.go
index 8a30f438..6a325282 100644
--- a/cmd/yggdrasilctl/main.go
+++ b/cmd/yggdrasilctl/main.go
@@ -13,6 +13,8 @@ import (
 "strings"
 "time"

+ "suah.dev/protect"
+
 "github.com/olekukonko/tablewriter"
 "github.com/yggdrasil-network/yggdrasil-go/src/admin"
 "github.com/yggdrasil-network/yggdrasil-go/src/core"
@@ -22,6 +24,11 @@ import (
 )

 func main() {
+ // read config, speak DNS/TCP and/or over a UNIX socket
+ if err := protect.Pledge("stdio rpath inet unix dns"); err != nil {
+ panic(err)
+ }
+
 // makes sure we can use defer and still return an error code to the OS
 os.Exit(run())
 }
@@ -78,6 +85,11 @@ func run() int {
 panic(err)
 }

+ // config and socket are done, work without unprivileges
+ if err := protect.Pledge("stdio"); err != nil {
+ panic(err)
+ }
+
 logger.Println("Connected")
 defer conn.Close()
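Review bot: `suah.dev/protect` is a new third-party module, but the diffstat lists only cmd/yggdrasilctl/main.go, so as shown this patch leaves go.mod and go.sum untouched and the build would presumably fail until they are updated. The `require suah.dev/protect <version>` entry and its go.sum hashes belong in the same commit, so the dependency that now gates the process's privileges is pinned and reviewable alongside the code that calls it. Style: the import sits in a group of its own ahead of the other third-party imports; by convention it would join the group that starts with `github.com/olekukonko/tablewriter`.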
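Review bot: The first promise set in main() includes `rpath` with no path restriction, so until the second pledge in run() the process can still read any file its user can while it parses flags and the config. The comment should say so and name what each promise is for, e.g. `// stdio: basic I/O; rpath: config file (whole filesystem readable until the second pledge); inet+dns: tcp endpoints; unix: admin socket`. If the config path is known early in run() (not visible in this hunk), unveiling just that file and the socket path before pledging would narrow the read access further; that is a possible follow-up, not something this hunk can confirm. `panic(err)` here and in the run() hunk matches the file's existing style but prints a stack trace for what is an environment error.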
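Review bot: The comment `work without unprivileges` is garbled; something like `// config is read and the socket is connected: everything below needs only stdio` states the invariant the call relies on. The rest of run() lies outside this hunk, so it cannot be confirmed from here that nothing after this point opens a file or creates another socket. On OpenBSD a pledge violation terminates the process instead of returning an error, so every subcommand and output path should be exercised once with this change applied.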