Adding pledge(2) and unveil(2) support for OpenBSD-stable

[zacknewman]

I'm currently working on patching pledge(2) and unveil(2) functionality on a local clone of this repo to be run on OpenBSD-stable that is based on the priv_sep crate I maintain. Would a pull request of such be of any interest? If not, then I likely won't bother heavily testing it on a variety of configurations.

I realize a vast majority of people host vaultwarden on Linux-based OSes, so I understand if such platform-specific extensions are not welcome especially for such a "niche" OS. OpenBSD does have a vaultwarden port that is maintained that would benefit from such an extension though.

I would be more than happy to work with you all in deciding how such functionality could be added if you are interested. There are two paths forward that make the most sense to me:

1. Have two separate main functions one with the #[cfg(all(feature = "priv_sep", target_os = "openbsd"))] attribute and another with the #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))] attribute. Then have a priv_sep module that is hidden behind the #[cfg(all(feature = "priv_sep", target_os = "openbsd"))] attribute.
2. Have a priv_sep module that contains functions with the #[cfg(all(feature = "priv_sep", target_os = "openbsd"))] attribute and functions with compatible signatures that are just no-ops with the #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))] attribute. Then have a single main function that calls these functions.

[zacknewman]

As a very rough sketch on a completely self-serving example that works for my specific configuration (i.e., real code would obviously rely on reading the configuration values and perhaps have different Promises pledged based on said config values), here is what 1. would sort of look like:

#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
use priv_sep::{Permissions, Promise, Promises};
#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
use tokio::runtime::Builder;
#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
fn main() -> Result<(), Error> {
    let mut promises = Promises::new([
        Promise::Cpath,
        Promise::Dns,
        Promise::Flock,
        Promise::Inet,
        Promise::Rpath,
        Promise::Stdio,
        Promise::Unveil,
        Promise::Wpath,
    ]);
    promises.pledge()?;
    Permissions::READ.unveil("/dev/urandom")?;
    Permissions::READ.unveil("/etc/ssl/pmd.philomathiclife.com.fullchain")?;
    Permissions::READ.unveil("/etc/ssl/pmd.philomathiclife.com.fullchain.key")?;
    Permissions::READ.unveil("/var/vaultwarden/")?;
    let mut perms = Permissions::ALL;
    perms.execute = false;
    perms.unveil("/var/vaultwarden/data/db.sqlite3")?;
    perms.unveil("/var/vaultwarden/data/db.sqlite3-shm")?;
    perms.unveil("/var/vaultwarden/data/db.sqlite3-wal")?;
    perms.unveil("/var/vaultwarden/data/tmp/")?;
    promises.remove(Promise::Unveil);
    promises.pledge()?;
    parse_args();
    launch_info();

    use log::LevelFilter as LF;
    let level = LF::from_str(&CONFIG.log_level()).expect("Valid log level");
    init_logging(level).ok();

    let extra_debug = matches!(level, LF::Trace | LF::Debug);
    Builder::new_multi_thread().enable_all().build().map_or_else(
        |e| Err(Error::from(e)),
        |runtime| {
            runtime.block_on(async {
                check_data_folder().await;
                check_rsa_keys().unwrap_or_else(|_| {
                    error!("Error creating keys, exiting...");
                    exit(1);
                });
                check_web_vault();

                create_dir(&CONFIG.icon_cache_folder(), "icon cache");
                create_dir(&CONFIG.tmp_folder(), "tmp folder");
                create_dir(&CONFIG.sends_folder(), "sends folder");
                create_dir(&CONFIG.attachments_folder(), "attachments folder");

                let pool = create_db_pool().await;
                schedule_jobs(pool.clone());
                crate::db::models::TwoFactor::migrate_u2f_to_webauthn(&mut pool.get().await.unwrap()).await.unwrap();

                launch_rocket(pool, extra_debug).await.map_err(Error::from) // Blocks until program termination.
            })
        },
    )
}

Cargo.toml would then have the feature priv_sep = ["dep:priv_sep"] and dependency priv_sep = { version = "0.8.0", default-features = false, features = ["openbsd"], optional = true }.

[dani-garcia]

I'm not against adding platform dependent functionality if it's self contained enough, which seems to be the case. I would definitely opt for option 2, and have a single function that is a noop in other platforms.

We'd need to read all the directories from the config instead of hardcoding them, but other than that I don't see any issues with this.

[zacknewman]

Yeah, my code was a "silly" example with a bunch of hard-coded paths and Promises that are specific to my case. There is a lot of work to be done to get this correct based on generic configuration, so this won't be something useful for a while.

I wasn't sure if such a drastic change to main would be accepted as it would go from relying on the #[rocket::main] attribute to manually constructing the tokio runtime. Regardless, as I said, there is quite some work to be done; but I will begin the discussion with other OpenBSD developers.

[BlackDex]

I would suggest to create a PR maybe even in WIP mode, that way we can track it and provide suggestions.