Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-11-21 Thread Stuart Henderson 
Thanks, fixed.

On 2023/11/20 22:06, Alexander Bluhm wrote:
> This breaks iperf3 in my setup.
> 
> root@ot50:.../~# iperf3 -sD
> Abort trap (core dumped)
> 
> iperf3[72726]: pledge "proc", syscall 2
> 
> Program terminated with signal SIGABRT, Aborted.
> #0  _thread_sys_fork () at /tmp/-:2
> 2   /tmp/-: No such file or directory.
> (gdb) bt
> #0  _thread_sys_fork () at /tmp/-:2
> #1  0x6b01f3ff9bf18acf in ?? ()
> #2  0x04b673981f86 in daemon (nochdir=0, noclose=0)
> at /usr/src/lib/libc/gen/daemon.c:41
> #3  0x04b3c8078629 in ?? ()
> #4  0x04b3c8078423 in ?? ()
> #5  0x04b3c8078131 in ?? ()
> #6  0x in ?? ()
> 
> Pledge should be done after initialization, but before running phase.
> Call it after daemon(3).
> 
> bluhm
> 
> On Sat, Oct 21, 2023 at 07:28:06PM +0100, Stuart Henderson wrote:
> > ...also as was as syscalls, socket options could do with checking over too.
> > 
> > If everything is in order then there's not much point adding a configure 
> > flag really, just check for pledge
> > 
> > -- 
> >   Sent from a phone, apologies for poor formatting.
> > 
> > On 21 October 2023 19:01:33 Stuart Henderson  wrote:
> > 
> > > It hasn't been properly reviewed to check if there are any syscalls which
> > > aren't covered by the pledge. I found the diskfile one which you missed,
> > > but haven't checked over nm output to look for more.
> > >
> > > --
> > >  Sent from a phone, apologies for poor formatting.
> > >
> > > On 21 October 2023 18:57:55 Mikhail  wrote:
> > >
> > >> On Sat, Oct 21, 2023 at 06:38:57PM +0100, Stuart Henderson wrote:
> > >>> Err, sending that upstream is a bit premature.
> > >>
> > >> Reasons? It works fine in my testing, also it's enabled only with
> > >> --enable-openbsd-sandbox, so if something arise it's very easy for the
> > >> users to check without this code. And during review the devs can point
> > >> to improvements.
> > >>
> > >> I can close the PR, it's not a problem.
>

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-11-20 Thread Alexander Bluhm 
This breaks iperf3 in my setup.

root@ot50:.../~# iperf3 -sD
Abort trap (core dumped)

iperf3[72726]: pledge "proc", syscall 2

Program terminated with signal SIGABRT, Aborted.
#0  _thread_sys_fork () at /tmp/-:2
2   /tmp/-: No such file or directory.
(gdb) bt
#0  _thread_sys_fork () at /tmp/-:2
#1  0x6b01f3ff9bf18acf in ?? ()
#2  0x04b673981f86 in daemon (nochdir=0, noclose=0)
at /usr/src/lib/libc/gen/daemon.c:41
#3  0x04b3c8078629 in ?? ()
#4  0x04b3c8078423 in ?? ()
#5  0x04b3c8078131 in ?? ()
#6  0x in ?? ()

Pledge should be done after initialization, but before running phase.
Call it after daemon(3).

bluhm

On Sat, Oct 21, 2023 at 07:28:06PM +0100, Stuart Henderson wrote:
> ...also as was as syscalls, socket options could do with checking over too.
> 
> If everything is in order then there's not much point adding a configure 
> flag really, just check for pledge
> 
> -- 
>   Sent from a phone, apologies for poor formatting.
> 
> On 21 October 2023 19:01:33 Stuart Henderson  wrote:
> 
> > It hasn't been properly reviewed to check if there are any syscalls which
> > aren't covered by the pledge. I found the diskfile one which you missed,
> > but haven't checked over nm output to look for more.
> >
> > --
> >  Sent from a phone, apologies for poor formatting.
> >
> > On 21 October 2023 18:57:55 Mikhail  wrote:
> >
> >> On Sat, Oct 21, 2023 at 06:38:57PM +0100, Stuart Henderson wrote:
> >>> Err, sending that upstream is a bit premature.
> >>
> >> Reasons? It works fine in my testing, also it's enabled only with
> >> --enable-openbsd-sandbox, so if something arise it's very easy for the
> >> users to check without this code. And during review the devs can point
> >> to improvements.
> >>
> >> I can close the PR, it's not a problem.

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-21 Thread Stuart Henderson 

...also as was as syscalls, socket options could do with checking over too.

If everything is in order then there's not much point adding a configure 
flag really, just check for pledge


--
 Sent from a phone, apologies for poor formatting.

On 21 October 2023 19:01:33 Stuart Henderson  wrote:


It hasn't been properly reviewed to check if there are any syscalls which
aren't covered by the pledge. I found the diskfile one which you missed,
but haven't checked over nm output to look for more.

--
 Sent from a phone, apologies for poor formatting.

On 21 October 2023 18:57:55 Mikhail  wrote:


On Sat, Oct 21, 2023 at 06:38:57PM +0100, Stuart Henderson wrote:

Err, sending that upstream is a bit premature.


Reasons? It works fine in my testing, also it's enabled only with
--enable-openbsd-sandbox, so if something arise it's very easy for the
users to check without this code. And during review the devs can point
to improvements.

I can close the PR, it's not a problem.

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-21 Thread Stuart Henderson 
It hasn't been properly reviewed to check if there are any syscalls which 
aren't covered by the pledge. I found the diskfile one which you missed, 
but haven't checked over nm output to look for more.


--
 Sent from a phone, apologies for poor formatting.

On 21 October 2023 18:57:55 Mikhail  wrote:


On Sat, Oct 21, 2023 at 06:38:57PM +0100, Stuart Henderson wrote:

Err, sending that upstream is a bit premature.


Reasons? It works fine in my testing, also it's enabled only with
--enable-openbsd-sandbox, so if something arise it's very easy for the
users to check without this code. And during review the devs can point
to improvements.

I can close the PR, it's not a problem.

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-21 Thread Mikhail 
On Sat, Oct 21, 2023 at 08:57:33PM +0300, Mikhail wrote:
> On Sat, Oct 21, 2023 at 06:38:57PM +0100, Stuart Henderson wrote:
> > Err, sending that upstream is a bit premature.
> 
> Reasons? It works fine in my testing, also it's enabled only with
> --enable-openbsd-sandbox, so if something arise it's very easy for the
> users to check without this code. And during review the devs can point
> to improvements.
> 
> I can close the PR, it's not a problem.

Ok, as always good thought comes last - openbsd users will use the port
version anyway...

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-21 Thread Mikhail 
On Sat, Oct 21, 2023 at 06:38:57PM +0100, Stuart Henderson wrote:
> Err, sending that upstream is a bit premature.

Reasons? It works fine in my testing, also it's enabled only with
--enable-openbsd-sandbox, so if something arise it's very easy for the
users to check without this code. And during review the devs can point
to improvements.

I can close the PR, it's not a problem.

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-21 Thread Stuart Henderson 

Err, sending that upstream is a bit premature.

--
 Sent from a phone, apologies for poor formatting.

On 21 October 2023 15:53:34 Mikhail  wrote:


On Wed, Oct 18, 2023 at 10:28:47PM +0100, Stuart Henderson wrote:

On 2023/10/18 22:19, Mikhail wrote:
> [cc'ing maintainer]
>
> Inlined patch updates iperf3 to 3.15 (3 bug fixes, details here -
> https://github.com/esnet/iperf/releases/tag/3.15).
>
> I run iperf on public server with unfirewalled ports, so I'd like it to
> be pledged/unveiled, -I and --logfile options are working fine.
>
> Probably we could drop privs more granularly, but for I'd like to keep
> things simple.
>

Diff below for a few things I noticed. There may be others.


Here is a try to push this upstream:
https://github.com/esnet/iperf/pull/1586

Worth waiting a little bit for their comments.

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-21 Thread Mikhail 
On Wed, Oct 18, 2023 at 10:28:47PM +0100, Stuart Henderson wrote:
> On 2023/10/18 22:19, Mikhail wrote:
> > [cc'ing maintainer]
> > 
> > Inlined patch updates iperf3 to 3.15 (3 bug fixes, details here -
> > https://github.com/esnet/iperf/releases/tag/3.15).
> > 
> > I run iperf on public server with unfirewalled ports, so I'd like it to
> > be pledged/unveiled, -I and --logfile options are working fine.
> > 
> > Probably we could drop privs more granularly, but for I'd like to keep
> > things simple.
> > 
> 
> Diff below for a few things I noticed. There may be others.

Here is a try to push this upstream:
https://github.com/esnet/iperf/pull/1586

Worth waiting a little bit for their comments.

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-20 Thread Stuart Henderson 
lteo, are you still interested in maintaining iperf3?

On 2023/10/18 22:28, Stuart Henderson wrote:
> On 2023/10/18 22:19, Mikhail wrote:
> > [cc'ing maintainer]
> > 
> > Inlined patch updates iperf3 to 3.15 (3 bug fixes, details here -
> > https://github.com/esnet/iperf/releases/tag/3.15).
> > 
> > I run iperf on public server with unfirewalled ports, so I'd like it to
> > be pledged/unveiled, -I and --logfile options are working fine.
> > 
> > Probably we could drop privs more granularly, but for I'd like to keep
> > things simple.
> > 
> 
> Diff below for a few things I noticed. There may be others.
> 
> Since you only unveil /dev/urandom (plus the extra paths allowed
> by tmppath and for dns access) you can add a small patch to use
> arc4random and drop rpath and /dev/urandom access in most cases.
> 
> You don't handle --file. This needs cpath wpath for server, or
> rpath for client. I just added to the existing needwr mechanism
> rather than separating the two. This could possibly be more
> granular but there are probably complications with --bidir and
> --reverse.
> 
> Rather than locking unveil for the needwr case, I called pledge
> again with unveil removed, I think this makes it a little more
> clear what the final pledges are for the two cases. (We could
> also drop the early pledge before parsing options, I don't think
> it adds much in this case, and pledges are often done like that,
> though I've left it for now).
> 
> Couple of other minor tweaks (error message fixes, don't mix
> definitions and code,
> 
> I've tested various options including --tos without problems,
> but not exhaustively.
> 
> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/net/iperf3/Makefile,v
> retrieving revision 1.14
> diff -u -p -r1.14 Makefile
> --- Makefile  27 Sep 2023 14:18:10 -  1.14
> +++ Makefile  18 Oct 2023 21:03:42 -
> @@ -1,6 +1,6 @@
>  COMMENT= tool to measure maximum achievable bandwidth on IP networks
>  
> -V=   3.14
> +V=   3.15
>  PKGNAME= iperf3-${V}
>  DISTNAME=iperf-${V}
>  
> @@ -15,6 +15,7 @@ MAINTAINER= Lawrence Teo   # BSD 3-clause
>  PERMIT_PACKAGE=  Yes
>  
> +# uses pledge unveil
>  WANTLIB += c m
>  
>  SITES=   https://downloads.es.net/pub/iperf/
> Index: distinfo
> ===
> RCS file: /cvs/ports/net/iperf3/distinfo,v
> retrieving revision 1.9
> diff -u -p -r1.9 distinfo
> --- distinfo  3 Aug 2023 14:32:28 -   1.9
> +++ distinfo  18 Oct 2023 21:03:42 -
> @@ -1,2 +1,2 @@
> -SHA256 (iperf-3.14.tar.gz) = cj/MQwoCe8aVJij6KjrHdYSh0L0ygnXlc/ybIGwVUAQ=
> -SIZE (iperf-3.14.tar.gz) = 647944
> +SHA256 (iperf-3.15.tar.gz) = vbd8EfcrzpAhSIMVlXf6JEEgE+YrIIPPX1Q5HXmx2P8=
> +SIZE (iperf-3.15.tar.gz) = 649330
> Index: patches/patch-src_iperf_api_c
> ===
> RCS file: /cvs/ports/net/iperf3/patches/patch-src_iperf_api_c,v
> retrieving revision 1.8
> diff -u -p -r1.8 patch-src_iperf_api_c
> --- patches/patch-src_iperf_api_c 3 Aug 2023 14:32:28 -   1.8
> +++ patches/patch-src_iperf_api_c 18 Oct 2023 21:03:42 -
> @@ -3,7 +3,7 @@ Default to IPv4.
>  Index: src/iperf_api.c
>  --- src/iperf_api.c.orig
>  +++ src/iperf_api.c
> -@@ -2860,7 +2860,7 @@ iperf_defaults(struct iperf_test *testp)
> +@@ -2884,7 +2884,7 @@ iperf_defaults(struct iperf_test *testp)
>   testp->stats_interval = testp->reporter_interval = 1;
>   testp->num_streams = 1;
>   
> Index: patches/patch-src_iperf_util_c
> ===
> RCS file: patches/patch-src_iperf_util_c
> diff -N patches/patch-src_iperf_util_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_iperf_util_c18 Oct 2023 21:03:42 -
> @@ -0,0 +1,21 @@
> +Index: src/iperf_util.c
> +--- src/iperf_util.c.orig
>  src/iperf_util.c
> +@@ -57,6 +57,9 @@
> +  */
> + int readentropy(void *out, size_t outsize)
> + {
> ++#if defined(__OpenBSD__)
> ++arc4random_buf(out, outsize);
> ++#else
> + static FILE *frandom;
> + static const char rndfile[] = "/dev/urandom";
> + 
> +@@ -75,6 +78,7 @@ int readentropy(void *out, size_t outsize)
> +   rndfile,
> +   feof(frandom) ? "EOF" : strerror(errno));
> + }
> ++#endif
> + return 0;
> + }
> + 
> Index: patches/patch-src_main_c
> ===
> RCS file: patches/patch-src_main_c
> diff -N patches/patch-src_main_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_main_c  18 Oct 2023 21:03:42 -
> @@ -0,0 +1,67 @@
> +Add pledge and unveil
> +
> +Index: src/main.c
> +--- src/main.c.orig
>  src/main.c
> +@@ -59,6 +59,15 @@ main(int argc, char **argv)
> + {
> + struct iperf_test *test;
> + 
> ++#if defined(__OpenBSD__)
> ++int needwr = 0;
> ++
> ++if

Re: [update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-18 Thread Stuart Henderson 
On 2023/10/18 22:19, Mikhail wrote:
> [cc'ing maintainer]
> 
> Inlined patch updates iperf3 to 3.15 (3 bug fixes, details here -
> https://github.com/esnet/iperf/releases/tag/3.15).
> 
> I run iperf on public server with unfirewalled ports, so I'd like it to
> be pledged/unveiled, -I and --logfile options are working fine.
> 
> Probably we could drop privs more granularly, but for I'd like to keep
> things simple.
> 

Diff below for a few things I noticed. There may be others.

Since you only unveil /dev/urandom (plus the extra paths allowed
by tmppath and for dns access) you can add a small patch to use
arc4random and drop rpath and /dev/urandom access in most cases.

You don't handle --file. This needs cpath wpath for server, or
rpath for client. I just added to the existing needwr mechanism
rather than separating the two. This could possibly be more
granular but there are probably complications with --bidir and
--reverse.

Rather than locking unveil for the needwr case, I called pledge
again with unveil removed, I think this makes it a little more
clear what the final pledges are for the two cases. (We could
also drop the early pledge before parsing options, I don't think
it adds much in this case, and pledges are often done like that,
though I've left it for now).

Couple of other minor tweaks (error message fixes, don't mix
definitions and code,

I've tested various options including --tos without problems,
but not exhaustively.


Index: Makefile
===
RCS file: /cvs/ports/net/iperf3/Makefile,v
retrieving revision 1.14
diff -u -p -r1.14 Makefile
--- Makefile27 Sep 2023 14:18:10 -  1.14
+++ Makefile18 Oct 2023 21:03:42 -
@@ -1,6 +1,6 @@
 COMMENT=   tool to measure maximum achievable bandwidth on IP networks
 
-V= 3.14
+V= 3.15
 PKGNAME=   iperf3-${V}
 DISTNAME=  iperf-${V}
 
@@ -15,6 +15,7 @@ MAINTAINER=   Lawrence Teo https://downloads.es.net/pub/iperf/
Index: distinfo
===
RCS file: /cvs/ports/net/iperf3/distinfo,v
retrieving revision 1.9
diff -u -p -r1.9 distinfo
--- distinfo3 Aug 2023 14:32:28 -   1.9
+++ distinfo18 Oct 2023 21:03:42 -
@@ -1,2 +1,2 @@
-SHA256 (iperf-3.14.tar.gz) = cj/MQwoCe8aVJij6KjrHdYSh0L0ygnXlc/ybIGwVUAQ=
-SIZE (iperf-3.14.tar.gz) = 647944
+SHA256 (iperf-3.15.tar.gz) = vbd8EfcrzpAhSIMVlXf6JEEgE+YrIIPPX1Q5HXmx2P8=
+SIZE (iperf-3.15.tar.gz) = 649330
Index: patches/patch-src_iperf_api_c
===
RCS file: /cvs/ports/net/iperf3/patches/patch-src_iperf_api_c,v
retrieving revision 1.8
diff -u -p -r1.8 patch-src_iperf_api_c
--- patches/patch-src_iperf_api_c   3 Aug 2023 14:32:28 -   1.8
+++ patches/patch-src_iperf_api_c   18 Oct 2023 21:03:42 -
@@ -3,7 +3,7 @@ Default to IPv4.
 Index: src/iperf_api.c
 --- src/iperf_api.c.orig
 +++ src/iperf_api.c
-@@ -2860,7 +2860,7 @@ iperf_defaults(struct iperf_test *testp)
+@@ -2884,7 +2884,7 @@ iperf_defaults(struct iperf_test *testp)
  testp->stats_interval = testp->reporter_interval = 1;
  testp->num_streams = 1;
  
Index: patches/patch-src_iperf_util_c
===
RCS file: patches/patch-src_iperf_util_c
diff -N patches/patch-src_iperf_util_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_iperf_util_c  18 Oct 2023 21:03:42 -
@@ -0,0 +1,21 @@
+Index: src/iperf_util.c
+--- src/iperf_util.c.orig
 src/iperf_util.c
+@@ -57,6 +57,9 @@
+  */
+ int readentropy(void *out, size_t outsize)
+ {
++#if defined(__OpenBSD__)
++arc4random_buf(out, outsize);
++#else
+ static FILE *frandom;
+ static const char rndfile[] = "/dev/urandom";
+ 
+@@ -75,6 +78,7 @@ int readentropy(void *out, size_t outsize)
+   rndfile,
+   feof(frandom) ? "EOF" : strerror(errno));
+ }
++#endif
+ return 0;
+ }
+ 
Index: patches/patch-src_main_c
===
RCS file: patches/patch-src_main_c
diff -N patches/patch-src_main_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_main_c18 Oct 2023 21:03:42 -
@@ -0,0 +1,67 @@
+Add pledge and unveil
+
+Index: src/main.c
+--- src/main.c.orig
 src/main.c
+@@ -59,6 +59,15 @@ main(int argc, char **argv)
+ {
+ struct iperf_test *test;
+ 
++#if defined(__OpenBSD__)
++int needwr = 0;
++
++if (pledge("stdio tmppath rpath cpath wpath inet dns unveil", NULL) == 
-1) {
++  fprintf(stderr, "pledge: %s\n", strerror(errno));
++  exit(1);
++}
++#endif
++
+ // XXX: Setting the process affinity requires root on most systems.
+ //  Is this a feature we really need?
+ #ifdef TEST_PROC_AFFINITY
+@@ -104,6 +113,45 @@ main(int argc, char **argv)
+ usage();
+ exit(1);
+ }
++
++#if defined(__OpenBSD__)
++

[update, add pledge/unveil] net/iperf3 3.14 -> 3.15

2023-10-18 Thread Mikhail 
[cc'ing maintainer]

Inlined patch updates iperf3 to 3.15 (3 bug fixes, details here -
https://github.com/esnet/iperf/releases/tag/3.15).

I run iperf on public server with unfirewalled ports, so I'd like it to
be pledged/unveiled, -I and --logfile options are working fine.

Probably we could drop privs more granularly, but for I'd like to keep
things simple.

diff refs/heads/master refs/heads/iperf3
commit - de754ab24f5686d70c44225d7fe12704063ff1de
commit + 5bdda7a75b52879eba6e0f671c5f3c95701254f7
blob - 1c29e29d94370a9345b58f34cdd29525f0fb9e53
blob + 1693ea4aab9e9051e306c4069736b501aa811193
--- net/iperf3/Makefile
+++ net/iperf3/Makefile
@@ -1,6 +1,6 @@
 COMMENT=   tool to measure maximum achievable bandwidth on IP networks
 
-V= 3.14
+V= 3.15
 PKGNAME=   iperf3-${V}
 DISTNAME=  iperf-${V}
 
@@ -15,6 +15,7 @@ MAINTAINER=   Lawrence Teo 
 # BSD 3-clause
 PERMIT_PACKAGE=Yes
 
+# uses pledge unveil
 WANTLIB += c m
 
 SITES= https://downloads.es.net/pub/iperf/
blob - aee4720c9e7a7c01d458ad75fa6ffacc4f3c5bcc
blob + 5e78d43fb08210550fb72de43ea73eb845202b01
--- net/iperf3/distinfo
+++ net/iperf3/distinfo
@@ -1,2 +1,2 @@
-SHA256 (iperf-3.14.tar.gz) = cj/MQwoCe8aVJij6KjrHdYSh0L0ygnXlc/ybIGwVUAQ=
-SIZE (iperf-3.14.tar.gz) = 647944
+SHA256 (iperf-3.15.tar.gz) = vbd8EfcrzpAhSIMVlXf6JEEgE+YrIIPPX1Q5HXmx2P8=
+SIZE (iperf-3.15.tar.gz) = 649330
blob - b14f7a1e19110d400b65c7d78c413e1d1136b36d
blob + ed586e35ac74ce8929882aac0e6c4c619fbebca9
--- net/iperf3/patches/patch-src_iperf_api_c
+++ net/iperf3/patches/patch-src_iperf_api_c
@@ -3,7 +3,7 @@ Default to IPv4.
 Index: src/iperf_api.c
 --- src/iperf_api.c.orig
 +++ src/iperf_api.c
-@@ -2860,7 +2860,7 @@ iperf_defaults(struct iperf_test *testp)
+@@ -2884,7 +2884,7 @@ iperf_defaults(struct iperf_test *testp)
  testp->stats_interval = testp->reporter_interval = 1;
  testp->num_streams = 1;
  
blob - /dev/null
blob + 0596ef57b03120c490a2cac6fafbd8e529f03807 (mode 644)
--- /dev/null
+++ net/iperf3/patches/patch-src_main_c
@@ -0,0 +1,65 @@
+Add pledge and unveil
+
+Index: src/main.c
+--- src/main.c.orig
 src/main.c
+@@ -59,6 +59,18 @@ main(int argc, char **argv)
+ {
+ struct iperf_test *test;
+ 
++#if defined(__OpenBSD__)
++if (pledge("stdio tmppath rpath cpath wpath inet unveil", NULL) == -1) {
++  fprintf(stderr, "pledge: %s\n", strerror(errno));
++  exit(1);
++}
++
++if (unveil("/dev/urandom", "r") == -1) {
++  fprintf(stderr, "unveil urandom: %s\n", strerror(errno));
++  exit(1);
++}
++#endif
++
+ // XXX: Setting the process affinity requires root on most systems.
+ //  Is this a feature we really need?
+ #ifdef TEST_PROC_AFFINITY
+@@ -104,6 +116,40 @@ main(int argc, char **argv)
+ usage();
+ exit(1);
+ }
++
++#if defined(__OpenBSD__)
++int needwr = 0;
++
++/* Check for the features which require wpath and cpath */
++if (test->pidfile) {
++  if (unveil(test->pidfile, "cw") == -1) {
++  fprintf(stderr, "uneveil pidfile: %s\n", strerror(errno));
++  exit(1);
++  } else
++  needwr = 1;
++}
++
++if (test->logfile) {
++  if (unveil(test->logfile, "cwr") == -1) {
++  fprintf(stderr, "uneveil logfile: %s\n", strerror(errno));
++  exit(1);
++  } else
++ needwr = 1;
++}
++
++/* Drop wpath and cpath if we can */
++if (needwr == 0) {
++  if (pledge("stdio tmppath rpath inet unveil", NULL) == -1) {
++  fprintf(stderr, "pledge needwr: %s\n", strerror(errno));
++  exit(1);
++  }
++}
++
++if (unveil(NULL, NULL) == -1) {
++  fprintf(stderr, "unveil NULL: %s\n", strerror(errno));
++  exit(1);
++}
++#endif
+ 
+ if (run(test) < 0)
+ iperf_errexit(test, "error - %s", iperf_strerror(i_errno));