From 7704fa76b928569fdb63bf8f0efa4ef9e9433c46 Mon Sep 17 00:00:00 2001
From: octeep
Date: Mon, 4 Apr 2022 06:00:38 +0100
Subject: [PATCH] OpenBSD unveil to prevent -d from executing other binaries
---
 cmd/wireproxy/main.go | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)
diff --git a/cmd/wireproxy/main.go b/cmd/wireproxy/main.go
index 5d91320..5e89fc3 100644
--- a/cmd/wireproxy/main.go
+++ b/cmd/wireproxy/main.go
@@ -23,7 +23,32 @@ func pledgeOrPanic(promises string) {
 }
 }
+// attempts to unveil and panic if it fails
+// this does nothing on non-OpenBSD systems
+func unveilOrPanic(path string, flags string) {
+err := protect.Unveil(path, flags)
+if err != nil {
+log.Fatal(err)
+}
+}
+
+// get the executable path via syscalls or infer it from argv
+func executablePath() string {
+programPath, err := os.Executable()
+if err != nil {
+return os.Args[0]
+}
+return programPath
+}
+
 func main() {
+exePath := executablePath()
+unveilOrPanic("/", "r")
+unveilOrPanic(exePath, "x")
+if err := protect.UnveilBlock(); err != nil {
+log.Fatal(err)
+}
+
 // only allow standard stdio operation, file reading, networking, and exec
 pledgeOrPanic("stdio rpath inet dns proc exec")
@@ -69,14 +94,8 @@ func main() {
 }
 if *daemon {
-programPath, err := os.Executable()
-if err != nil {
-programPath = args[0]
-}
-
-newArgs := []string{daemonProcess}
-newArgs = append(newArgs, args[1:]...)
-cmd := exec.Command(programPath, newArgs...)
+args[0] = daemonProcess
+cmd := exec.Command(exePath, args...)
 err = cmd.Start()
 if err != nil {
 fmt.Println(err.Error())
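Review bot: The `x` unveil in `main` can end up covering a different file than the one the `-d` branch later executes: `executablePath()` falls back to `os.Args[0]`, which may be a bare name or a relative path, and unveil(2) resolves such a path against the current directory, so a PATH-invoked `wireproxy` unveils `./wireproxy` while `exec.Command` resolves the name through PATH — the re-exec then fails under the sandbox instead of being the one exec it is meant to permit. I believe `os.Executable()` on OpenBSD is itself derived from argv[0], so the primary path carries the same caveat; resolving the result with `exec.LookPath` (already imported for `exec.Command`) before returning keeps the unveiled and exec'd paths identical, as sketched below. Separately, `unveilOrPanic("/", "r")` leaves the entire filesystem readable, so this sandbox constrains only exec, write and create; if that is because the config path is not known until flags are parsed after `UnveilBlock` (parsing is outside this hunk), a comment such as `// "/" must stay readable: the config path is only known after flag parsing, which happens after UnveilBlock` would stop a later reader from "tightening" it incorrectly. Minor: `unveilOrPanic` exits via `log.Fatal`, which skips deferred functions, rather than panicking; the name mirrors the existing `pledgeOrPanic`, but its doc comment should say `log.Fatal` rather than "panic".
```go
// get the executable path via syscalls or infer it from argv
func executablePath() string {
	programPath, err := os.Executable()
	if err != nil {
		programPath = os.Args[0]
	}
	// resolve bare names through PATH so the path handed to unveil is the
	// same file exec.Command will run; keep the raw value if lookup fails
	if resolved, err := exec.LookPath(programPath); err == nil {
		programPath = resolved
	}
	return programPath
}
```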
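Review bot: `args[0] = daemonProcess` now mutates the slice in place; if `args` aliases `os.Args` (the removed `args[1:]` suggests so, but its declaration is outside this hunk), the parent's own argv view is clobbered for the rest of `main`, whereas the removed code built a fresh slice. `cmd := exec.Command(exePath, append([]string{daemonProcess}, args[1:]...)...)` keeps the new behavior without the side effect. One caveat to confirm on OpenBSD: the child started here inherits the parent's unveil view across execve and then runs this same `main`, which calls `unveil` again; my understanding is that the inherited view is not locked for the new image, so those calls succeed and only narrow it further, but if it were locked the daemon child would `log.Fatal` at startup, so `-d` deserves an explicit test under the sandbox. The enclosing `main` continues outside this hunk.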