let's try some unveil and pledge

This commit is contained in:
Ted Unangst 2019-11-12 16:27:12 -05:00
parent 74a0f3537d
commit 96ed76c9b6
4 changed files with 76 additions and 0 deletions

View file

@ -87,6 +87,9 @@ func backendServer() {
if err != nil {
log.Panicf("unable to register shrinker: %s", err)
}
for _, h := range preservehooks {
h()
}
srv.Accept(lis)
}

View file

@ -2,6 +2,8 @@ changelog
-- next
+ Unveil and pledge restrictions on OpenBSD.
+ Lists supported in markdown.
+ Rewrite admin console to avoid large dependencies.

65
unveil.go Normal file
View file

@ -0,0 +1,65 @@
// +build openbsd
//
// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
//
// Permission to use, copy, modify, and distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
package main
/*
#include <stdlib.h>
#include <unistd.h>
*/
import "C"
import (
"fmt"
"unsafe"
)
func Unveil(path string, perms string) error {
cpath := C.CString(path)
defer C.free(unsafe.Pointer(cpath))
cperms := C.CString(perms)
defer C.free(unsafe.Pointer(cperms))
rv, err := C.unveil(cpath, cperms)
if rv != 0 {
return fmt.Errorf("unveil(%s, %s) failure (%d)", path, perms, err)
}
return nil
}
func Pledge(promises string) error {
cpromises := C.CString(promises)
defer C.free(unsafe.Pointer(cpromises))
rv, err := C.pledge(cpromises, nil)
if rv != 0 {
return fmt.Errorf("pledge(%s) failure (%d)", promises, err)
}
return nil
}
func init() {
preservehooks = append(preservehooks, func() {
Unveil("/etc/ssl", "r")
if viewDir != dataDir {
Unveil(viewDir, "r")
}
Unveil(dataDir, "rwc")
C.unveil(nil, nil)
Pledge("stdio rpath wpath cpath flock dns inet unix")
})
}

6
web.go
View file

@ -2120,6 +2120,8 @@ sendloop:
os.Exit(0)
}
var preservehooks []func()
func serve() {
db := opendatabase()
login.Init(db)
@ -2160,6 +2162,10 @@ func serve() {
}
}
for _, h := range preservehooks {
h()
}
mux := mux.NewRouter()
mux.Use(login.Checker)