news
BSD Leftovers, Mostly OpenBSD
-
Christian Hofstede-Kuhn ☛ A Caching FreeBSD Mirror for DN42: nginx proxy_store, pf, and a Dual-Homed VM
The usual answers are all unsatisfying. Punching clearnet holes into isolated hosts defeats the point of isolating them. NAT-ing the whole DN42 segment out through the home router reintroduces the coupling I was trying to avoid. And running a full FreeBSD mirror means rsyncing terabytes of distfiles I will never touch.
So I built the fourth option: a small dual-homed FreeBSD VM called bsdmirror that faces the clearnet on one interface and DN42 on the other, and lazily caches exactly the files my machines actually request - packages from pkg.freebsd.org, base system patches from update.freebsd.org, and release tarballs from ftp.freebsd.org for bootstrapping Bastille jails. The first client to ask for a file pays the upstream round trip; everyone after that is served from local ZFS. And since the thing exists anyway, it is now a public DN42 service: any DN42 participant can point their FreeBSD hosts at bsdmirror.chofstede.dn42.
This article walks through the whole thing: the dual-homed network setup, the strict pf policy, the three nginx server blocks (including the fun part - chasing CDN redirects server-side so the cache stays transparent), the client configuration, and a real 15.0 to 15.1 upgrade plus a Bastille jail bootstrap running entirely over the mesh.
-
Undeadly ☛ OpenBSD's pledge(2) and unveil(2) are developer-friendly, study finds
Academic studies of OpenBSD's features and their practical impact on security are somewhat rare, but we were pleasantly surprised to see the recent paper A Measurement Study on the Adoption of Pledges and Unveils in the OpenBSD Operating System, by Jukka Ruohonen, Krzysztof Sierszecki, Abhishek Tiwari (all at University of Southern Denmark).
The paper studies the adoption of the pledge(2) and unveil(2) in the OpenBSD base system and packages over time, and finds that the features provided actually seem to facilitate adoption of secure coding practices.
-
arXiv ☛ [2607.03056] A Measurement Study on the Adoption of Pledges and Unveils in the OpenBSD Operating System
The paper presents a longitudinal measurement study on the adoption of the pledge and unveil system calls in OpenBSD. These system calls are used to sandbox programs and libraries. Given a dataset covering 19 releases, many programs and libraries were modified to use the system calls already before their introductions in official releases. The adoption rates have also steadily grown; a linear trend provides a coarse but sensible heuristic. Although particularly programs residing in /usr/bin and /usr/sbin have been modified to use the system calls, the sizes of programs and libraries do not correlate well with the amounts of pledge and unveil system calls invoked. Regarding the pledges made, standard input and output operations have frequently been requested, although the full fine-grained arsenal offered by pledge has generally been utilized in OpenBSD. The same observation is seen in that particularly read operations to given paths have frequently been unveiled. All in all, the measurement results indicate that the adoption of system call minimization and sandboxing techniques is not necessarily as troublesome as has often been discussed in the literature.