Add FreeBSD CI workflow, rc.d startup script, and documentation

Add a GitHub Actions workflow that builds and tests sniproxy on the
latest FreeBSD release. The workflow dynamically detects the newest
FreeBSD version, builds with Capsicum support, runs the unit test
suite, and verifies Capsicum capability mode is active on the
mainloop process but not on the binder.

Add an rc.d startup script (scripts/sniproxy.rc) for FreeBSD service
management via rc.subr, supporting start/stop/reload.

Update README.md with FreeBSD build and installation instructions,
and update the man page with FreeBSD file paths and rc.d usage.

Author: renaudallard

.github/workflows/freebsd.yml

@@ -0,0 +1,119 @@
+name: FreeBSD
+
+on:
+  push:
+    branches: ["*"]
+  pull_request:
+
+jobs:
+  detect-freebsd:
+    name: Detect latest FreeBSD
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.detect.outputs.version }}
+    steps:
+      - name: Detect latest FreeBSD release
+        id: detect
+        run: |
+          set -euo pipefail
+          # Fetch available FreeBSD VM images and find the latest stable release
+          version=$(curl -sf https://download.freebsd.org/releases/VM-IMAGES/ |
+            grep -oP '\d+\.\d+-RELEASE' |
+            sort -t. -k1,1n -k2,2n |
+            tail -1 |
+            sed 's/-RELEASE//')
+          if [ -z "$version" ]; then
+            echo "Failed to detect FreeBSD version, using fallback" >&2
+            version="14.2"
+          fi
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+          echo "Detected FreeBSD ${version}"
+
+  build-freebsd:
+    name: FreeBSD ${{ needs.detect-freebsd.outputs.version }}
+    needs: detect-freebsd
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Build and test on FreeBSD
+        uses: cross-platform-actions/action@v0.25.0
+        with:
+          operating_system: freebsd
+          version: "${{ needs.detect-freebsd.outputs.version }}"
+          run: |
+            set -eux
+
+            sudo pkg install -y \
+              autoconf automake libtool pkgconf \
+              libev pcre2 c-ares git
+
+            ./autogen.sh
+            ./configure \
+              LDFLAGS="-L/usr/local/lib" \
+              CPPFLAGS="-I/usr/local/include"
+
+            # Verify Capsicum was detected
+            grep -q 'HAVE_CAPSICUM 1' config.log
+
+            make -j$(sysctl -n hw.ncpu)
+
+            # Run unit tests
+            make check || {
+              echo "::warning::Some tests failed"
+              cat tests/test-suite.log 2>/dev/null || true
+            }
+
+            # Verify rc.d script is distributed
+            test -f scripts/sniproxy.rc
+
+            # Smoke test: start sniproxy briefly with a test config
+            printf '%s\n' \
+              'user daemon' \
+              'error_log { syslog daemon }' \
+              'listener 127.0.0.1:18443 {' \
+              '    protocol tls' \
+              '    table hosts' \
+              '}' \
+              'table hosts {' \
+              '    .* 127.0.0.1:443' \
+              '}' > /tmp/sniproxy-test.conf
+            chmod 600 /tmp/sniproxy-test.conf
+
+            timeout 3 src/sniproxy -f -c /tmp/sniproxy-test.conf || test $? -eq 124
+
+            # Verify Capsicum is active: start as daemon and check
+            src/sniproxy -c /tmp/sniproxy-test.conf
+            sleep 1
+
+            # Check process flags for capability mode (0x100 bit)
+            mainpid=$(ps ax -o pid,flags,args | grep 'sniproxy-mainloop' | grep -v grep | awk '{print $1}')
+            binderpid=$(ps ax -o pid,flags,args | grep 'sniproxy-binder' | grep -v grep | awk '{print $1}')
+            if [ -n "$mainpid" ]; then
+              mainflags=$(ps -o flags= -p "$mainpid" | tr -d ' ')
+              binderflags=$(ps -o flags= -p "$binderpid" | tr -d ' ')
+              echo "mainloop flags=$mainflags binder flags=$binderflags"
+
+              # Mainloop must be in capability mode (flag 0x100 set)
+              if [ $(( 0x$mainflags & 0x100 )) -eq 0 ]; then
+                echo "::error::Main process is NOT in Capsicum capability mode"
+                pkill sniproxy || true
+                exit 1
+              fi
+
+              # Binder must NOT be in capability mode
+              if [ $(( 0x$binderflags & 0x100 )) -ne 0 ]; then
+                echo "::error::Binder process should NOT be in capability mode"
+                pkill sniproxy || true
+                exit 1
+              fi
+
+              echo "Capsicum verified: mainloop in cap mode, binder not"
+            else
+              echo "::error::sniproxy-mainloop process not found"
+              pkill sniproxy || true
+              exit 1
+            fi
+            pkill sniproxy || true

README.md

@@ -219,6 +219,30 @@ This is the preferred installation method for modern Fedora based distributions.
 
         sudo yum install ../sniproxy-<version>.<arch>.rpm
 
+**Building on FreeBSD**
+
+1. Install required packages
+
+        pkg install autoconf automake libtool pkgconf libev pcre2 c-ares
+
+2. Build
+
+        ./autogen.sh && ./configure LDFLAGS="-L/usr/local/lib" CPPFLAGS="-I/usr/local/include" && make
+
+3. Install
+
+        sudo make install
+        sudo cp scripts/sniproxy.rc /usr/local/etc/rc.d/sniproxy
+        sudo cp /usr/local/etc/sniproxy.conf.sample /usr/local/etc/sniproxy.conf
+
+4. Enable and start
+
+        sudo sysrc sniproxy_enable=YES
+        sudo service sniproxy start
+
+Capsicum capability mode is automatically enabled on FreeBSD when all
+listeners and backends use IP addresses (not Unix domain sockets).
+
 ***Building on OS X with Homebrew***
 
 1. install dependencies.

man/sniproxy.8

@@ -123,6 +123,22 @@ On Linux,
 \fBsniproxy\fR
 uses seccomp-bpf to restrict available system calls per process\&.
 
+.SH FILES
+.TP
+.I /etc/sniproxy.conf
+Default configuration file (Linux)\&.
+.TP
+.I /usr/local/etc/sniproxy.conf
+Default configuration file (FreeBSD)\&.
+.TP
+.I /usr/local/etc/rc.d/sniproxy
+FreeBSD rc.d startup script\&.
+Enable with
+.B sysrc sniproxy_enable=YES
+and control with
+.B service sniproxy start|stop|reload\fR\&.
+
 .SH "SEE ALSO"
 .PP
-\fBsniproxy.conf\fR(5)
+\fBsniproxy.conf\fR(5)\fR,
+\fBrc.subr\fR(8)

scripts/Makefile.am

@@ -1 +1 @@
-EXTRA_DIST = sniproxy.service
+EXTRA_DIST = sniproxy.service sniproxy.rc

scripts/sniproxy.rc

@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# PROVIDE: sniproxy
+# REQUIRE: LOGIN DAEMON NETWORKING
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf to enable sniproxy:
+#
+# sniproxy_enable (bool):	Set to "YES" to enable sniproxy.
+#				Default: "NO"
+# sniproxy_config (path):	Path to sniproxy configuration file.
+#				Default: "/usr/local/etc/sniproxy.conf"
+# sniproxy_flags (str):	Extra flags passed to sniproxy.
+#				Default: ""
+
+. /etc/rc.subr
+
+name="sniproxy"
+rcvar="${name}_enable"
+
+load_rc_config $name
+
+: ${sniproxy_enable:="NO"}
+: ${sniproxy_config:="/usr/local/etc/sniproxy.conf"}
+: ${sniproxy_flags:=""}
+
+pidfile="/var/run/${name}.pid"
+command="/usr/local/sbin/${name}"
+command_args="-c ${sniproxy_config} ${sniproxy_flags}"
+required_files="${sniproxy_config}"
+
+extra_commands="reload"
+reload_cmd="${name}_reload"
+start_precmd="${name}_prestart"
+
+sniproxy_prestart()
+{
+	if [ ! -f "${sniproxy_config}" ]; then
+		err 1 "${sniproxy_config} not found"
+	fi
+}
+
+sniproxy_reload()
+{
+	if [ -f "${pidfile}" ]; then
+		kill -HUP $(cat "${pidfile}")
+	else
+		err 1 "${name} is not running"
+	fi
+}
+
+run_rc_command "$1"