Use pledge(2) on OpenBSD

Straight forward thanks to all privileged operations being done early
enough during startup.

Basically forbid all groups of syscalls except for networking, so
no fileystem access, signals, process management, etc.

Author: klemensn

cmd/yggdrasil/main.go

@@ -312,6 +312,22 @@ func main() {
 		}
 	}
 
+	// Promise final modes of operation.  At this point, if at all:
+	// - raw socket is created/open
+	// - admin socket is created/open
+	// - privileges are dropped to non-root user
+	promises := []string{"stdio", "inet", "dns"}
+	if usesUnixSocket {
+		// Go's net.Listen.Close() itself will delete the file on shutdown.
+		promises = append(promises, "cpath")
+	}
+	if len(cfg.MulticastInterfaces) > 0 {
+		promises = append(promises, "mcast")
+	}
+	if err := protect.Pledge(strings.Join(promises, " ")); err != nil {
+		panic(fmt.Sprintf("pledge: %v: %v", promises, err))
+	}
+
 	// Block until we are told to shut down.
 	<-ctx.Done()