.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: Cargo Build & Test
+name: Build and test
 
 on:
   push:
@@ -8,17 +8,35 @@ env:
   CARGO_TERM_COLOR: always
 
 jobs:
-  build_and_test:
-    name: Build and test
-    runs-on: ubuntu-latest
+  server_and_client:
+    name: Build and test - Server and client
     strategy:
       matrix:
         toolchain:
           - 1.75.0
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
       - run: cargo build --verbose
       - run: cargo test --verbose
 
+  client_only:
+    name: Build and test - Client only
+    strategy:
+      matrix:
+        toolchain:
+          - 1.75.0
+        os:
+          - windows-latest
+          - macos-latest
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
+      - run: cargo build --verbose --package letmein
+      - run: cargo test --verbose --package letmein
+      - run: cargo test --verbose --package letmein-conf
+      - run: cargo test --verbose --package letmein-proto
+
 # vim: ts=2 sw=2 expandtab

Cargo.lock

@@ -127,9 +127,9 @@ checksum = "a12916984aab3fa6e39d655a33e09c0071eb36d6ab3aea5c2d78551f1df6d952"
 
 [[package]]
 name = "cc"
-version = "1.1.5"
+version = "1.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "324c74f2155653c90b04f25b2a47a8a631360cb908f92a772695f430c7e31052"
+checksum = "2aba8f4e9906c7ce3c73463f62a7f0c65183ada1a2d47e397cc8810827f9694f"
 
 [[package]]
 name = "cfg-if"
@@ -139,9 +139,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
 [[package]]
 name = "clap"
-version = "4.5.9"
+version = "4.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64acc1846d54c1fe936a78dc189c34e28d3f5afc348403f28ecf53660b9b8462"
+checksum = "8f6b81fb3c84f5563d509c59b5a48d935f689e993afa90fe39047f05adef9142"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -149,9 +149,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.9"
+version = "4.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fb8393d67ba2e7bfaf28a23458e4e2b543cc73a99595511eb207fdb8aede942"
+checksum = "5ca6706fd5224857d9ac5eb9355f6683563cc0541c7cd9d014043b57cbec78ac"
 dependencies = [
  "anstream",
  "anstyle",
@@ -592,13 +592,14 @@ dependencies = [
 
 [[package]]
 name = "mio"
-version = "0.8.11"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
+checksum = "4569e456d394deccd22ce1c1913e6ea0e54519f577285001215d33557431afe4"
 dependencies = [
+ "hermit-abi",
  "libc",
  "wasi",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -616,16 +617,6 @@ dependencies = [
 ]
 
 [[package]]
-name = "num_cpus"
-version = "1.16.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
-dependencies = [
- "hermit-abi",
- "libc",
-]
-
-[[package]]
 name = "object"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -917,9 +908,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "syn"
-version = "2.0.71"
+version = "2.0.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b146dcf730474b4bcd16c311627b31ede9ab149045db4d6088b3becaea046462"
+checksum = "dc4b9b9bf2add8093d3f2c0204471e951b2285580335de42f9d2534f3ae7a8af"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -963,27 +954,26 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.38.1"
+version = "1.39.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb2caba9f80616f438e09748d5acda951967e1ea58508ef53d9c6402485a46df"
+checksum = "d040ac2b29ab03b09d4129c2f5bbd012a3ac2f79d38ff506a4bf8dd34b0eac8a"
 dependencies = [
  "backtrace",
  "bytes",
  "libc",
  "mio",
- "num_cpus",
  "pin-project-lite",
  "signal-hook-registry",
  "socket2",
  "tokio-macros",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
 name = "tokio-macros"
-version = "2.3.0"
+version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f5ae998a069d4b5aba8ee9dad856af7d520c3699e6159b185c2acd48155d39a"
+checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
 dependencies = [
  "proc-macro2",
  "quote",

README.md

@@ -140,7 +140,21 @@ After installing all build prerequisites, run the build script:
 
 ### Install server
 
-After building, run the `install-server.sh` to install the letmeind server to `/opt/letmein/`:
+#### Prepare user and group for the server
+
+The public network facing part of the letmein server runs with reduced privileges to lower the attack surface.
+
+For this to work, the system user `letmeind` and a system group `letmeind` have to be installed in `/etc/passwd` and `/etc/group`
+
+You can use the following helper script to create the user and group in your system:
+
+```sh
+./create-user.sh
+```
+
+#### Install the server and systemd units
+
+After building and creating the `letmeind` system user, run the `install-server.sh` to install the letmeind server to `/opt/letmein/`:
 
 ```sh
 ./install-server.sh
@@ -183,6 +197,7 @@ Tested platforms are:
 - Linux
 - Android, under [Termux](https://termux.dev/)
 - Windows
+- MacOS (build tested only)
 
 ## Internals and design goals
 

install-server.sh

@@ -45,7 +45,15 @@ try_systemctl()
 entry_checks()
 {
     [ -d "$target" ] || die "letmein is not built! Run ./build.sh"
+
     [ "$(id -u)" = "0" ] || die "Must be root to install letmein."
+
+    if ! grep -qe letmeind /etc/passwd; then
+        die "The system user 'letmeind' does not exist in /etc/passwd. Please run ./create-user.sh"
+    fi
+    if ! grep -qe letmeind /etc/group; then
+        die "The system group 'letmeind' does not exist in /etc/group. Please run ./create-user.sh"
+    fi
 }
 
 stop_services()

letmein-fwproto/src/lib.rs

@@ -8,6 +8,9 @@
 
 #![forbid(unsafe_code)]
 
+#[cfg(not(any(target_os = "linux", target_os = "android")))]
+std::compile_error!("letmeind server and letmein-fwproto do not support non-Linux platforms.");
+
 use anyhow::{self as ah, format_err as err, Context as _};
 use std::net::{IpAddr, Ipv4Addr};
 use tokio::{io::ErrorKind, net::UnixStream};

letmein-seccomp/src/lib.rs

@@ -8,6 +8,9 @@
 
 #![forbid(unsafe_code)]
 
+#[cfg(not(any(target_os = "linux", target_os = "android")))]
+std::compile_error!("letmeind server and letmein-seccomp do not support non-Linux platforms.");
+
 use anyhow::{self as ah, Context as _};
 use seccompiler::{apply_filter_all_threads, BpfProgram, SeccompAction, SeccompFilter};
 use std::{collections::BTreeMap, env::consts::ARCH};

letmein-systemd/src/lib.rs

@@ -8,6 +8,9 @@
 
 //! This crate is an abstraction of the `systemd` interfaces needed by `letmein`.
 
+#[cfg(not(any(target_os = "linux", target_os = "android")))]
+std::compile_error!("letmeind server and letmein-systemd do not support non-Linux platforms.");
+
 use anyhow as ah;
 
 #[cfg(any(feature = "tcp", feature = "unix"))]

letmeind/src/main.rs

@@ -8,6 +8,9 @@
 
 #![forbid(unsafe_code)]
 
+#[cfg(not(any(target_os = "linux", target_os = "android")))]
+std::compile_error!("letmeind server does not support non-Linux platforms.");
+
 mod firewall_client;
 mod processor;
 mod server;
@@ -176,11 +179,16 @@ async fn main() -> ah::Result<()> {
                 break;
             }
             _ = sighup.recv() => {
-                println!("SIGHUP: Reloading.");
-                {
-                    let mut conf = conf.write().await;
-                    if let Err(e) = conf.load(&opts.get_config()) {
-                        eprintln!("Failed to load configuration file: {e}");
+                match opts.seccomp {
+                    SeccompOpt::Log | SeccompOpt::Kill => {
+                        eprintln!("SIGHUP: Error: Reloading not possible with --seccomp enabled.");
+                    }
+                    SeccompOpt::Off => {
+                        println!("SIGHUP: Reloading.");
+                        let mut conf = conf.write().await;
+                        if let Err(e) = conf.load(&opts.get_config()) {
+                            eprintln!("Failed to load configuration file: {e}");
+                        }
                     }
                 }
             }