On OpenBSD restrict access to system calls with pledge()

cmd/stayrtr/stayrtr.go

@@ -19,6 +19,7 @@ import (
 	"time"
 
 	rtr "github.com/bgp/stayrtr/lib"
+	"github.com/bgp/stayrtr/ossec"
 	"github.com/bgp/stayrtr/prefixfile"
 	"github.com/bgp/stayrtr/utils"
 	"github.com/prometheus/client_golang/prometheus"
@@ -587,6 +588,12 @@ func (m *metricsEvent) UpdateMetrics(numIPv4 int, numIPv6 int, numIPv4filtered i
 }
 
 func main() {
+	err := ossec.PledgePromises("dns inet rpath stdio tty")
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "pledge failed: %v\n", err)
+		os.Exit(1)
+	}
+
 	if err := run(); err != nil {
 		fmt.Fprintf(os.Stderr, "%s\n", err)
 		os.Exit(1)

go.mod

@@ -8,4 +8,5 @@ require (
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.4.0
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
 )

ossec/constrain.go

@@ -0,0 +1,7 @@
+// +build !openbsd
+
+package ossec
+
+func PledgePromises(promises string) error {
+	return nil
+}

ossec/constrain_openbsd.go

@@ -0,0 +1,7 @@
+package ossec
+
+import "golang.org/x/sys/unix"
+
+func PledgePromises(promises string) error {
+	return unix.PledgePromises(promises)
+}