let's try some unveil and pledge
This commit is contained in:
parent
74a0f3537d
commit
96ed76c9b6
4 changed files with 76 additions and 0 deletions
|
@ -87,6 +87,9 @@ func backendServer() {
|
|||
if err != nil {
|
||||
log.Panicf("unable to register shrinker: %s", err)
|
||||
}
|
||||
for _, h := range preservehooks {
|
||||
h()
|
||||
}
|
||||
srv.Accept(lis)
|
||||
}
|
||||
|
||||
|
|
|
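Review bot: The hook loop added before `srv.Accept(lis)` runs the same preservehooks that serve() runs, so whatever file-system and pledge restrictions the hooks install apply identically to the backend process; if the backend only answers on the listener `lis` (inferred — its setup is outside the hunk), a narrower promise set than the web server's would be possible by giving backendServer its own hook list or passing a role into the hooks. A one-line comment at the loop would make the intent clear, e.g. `// preservehooks drop privileges (unveil/pledge on OpenBSD) right before we start serving`. backendServer's body starts before the hunk.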
@ -2,6 +2,8 @@ changelog
|
|||
|
||||
-- next
|
||||
|
||||
+ Unveil and pledge restrictions on OpenBSD.
|
||||
|
||||
+ Lists supported in markdown.
|
||||
|
||||
+ Rewrite admin console to avoid large dependencies.
|
||||
|
|
65
unveil.go
Normal file
65
unveil.go
Normal file
|
@ -0,0 +1,65 @@
|
|||
// +build openbsd
|
||||
|
||||
//
|
||||
// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
|
||||
//
|
||||
// Permission to use, copy, modify, and distribute this software for any
|
||||
// purpose with or without fee is hereby granted, provided that the above
|
||||
// copyright notice and this permission notice appear in all copies.
|
||||
//
|
||||
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
package main
|
||||
|
||||
/*
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
*/
|
||||
import "C"
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"unsafe"
|
||||
)
|
||||
|
||||
func Unveil(path string, perms string) error {
|
||||
cpath := C.CString(path)
|
||||
defer C.free(unsafe.Pointer(cpath))
|
||||
cperms := C.CString(perms)
|
||||
defer C.free(unsafe.Pointer(cperms))
|
||||
|
||||
rv, err := C.unveil(cpath, cperms)
|
||||
if rv != 0 {
|
||||
return fmt.Errorf("unveil(%s, %s) failure (%d)", path, perms, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func Pledge(promises string) error {
|
||||
cpromises := C.CString(promises)
|
||||
defer C.free(unsafe.Pointer(cpromises))
|
||||
|
||||
rv, err := C.pledge(cpromises, nil)
|
||||
if rv != 0 {
|
||||
return fmt.Errorf("pledge(%s) failure (%d)", promises, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func init() {
|
||||
preservehooks = append(preservehooks, func() {
|
||||
Unveil("/etc/ssl", "r")
|
||||
if viewDir != dataDir {
|
||||
Unveil(viewDir, "r")
|
||||
}
|
||||
Unveil(dataDir, "rwc")
|
||||
C.unveil(nil, nil)
|
||||
Pledge("stdio rpath wpath cpath flock dns inet unix")
|
||||
})
|
||||
}
|
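Review bot: The hook registered in init() discards every error: the results of `Unveil("/etc/ssl", "r")`, `Unveil(viewDir, "r")`, `Unveil(dataDir, "rwc")` and `Pledge(...)` are dropped, and the locking call `C.unveil(nil, nil)` is not checked at all, so a failed call (a missing path, an EPERM, or any call made after the set is locked) leaves the process running with no restriction and no log line. Since the hook exists to reduce privilege, a failure here should stop the process rather than continue unsandboxed; the package already uses `log.Panicf` elsewhere, but unveil.go only imports fmt and unsafe, so the sketch below panics directly. Separately, Unveil and Pledge format the cgo errno with `%d`; `%v` would print the errno text instead of a bare number, and the name of the C call should stay in the message so the failing step is identifiable.
```go
func init() {
	preservehooks = append(preservehooks, func() {
		// must aborts startup on any sandboxing failure: continuing would
		// silently run without the intended unveil/pledge restrictions.
		must := func(err error) {
			if err != nil {
				panic(err)
			}
		}
		must(Unveil("/etc/ssl", "r"))
		if viewDir != dataDir {
			must(Unveil(viewDir, "r"))
		}
		must(Unveil(dataDir, "rwc"))
		// Lock the unveil set; later unveil calls must fail.
		if rv, err := C.unveil(nil, nil); rv != 0 {
			panic(fmt.Errorf("unveil(NULL, NULL) failure (%v)", err))
		}
		must(Pledge("stdio rpath wpath cpath flock dns inet unix"))
	})
}
```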
6
web.go
6
web.go
|
@ -2120,6 +2120,8 @@ sendloop:
|
|||
os.Exit(0)
|
||||
}
|
||||
|
||||
var preservehooks []func()
|
||||
|
||||
func serve() {
|
||||
db := opendatabase()
|
||||
login.Init(db)
|
||||
|
@ -2160,6 +2162,10 @@ func serve() {
|
|||
}
|
||||
}
|
||||
|
||||
for _, h := range preservehooks {
|
||||
h()
|
||||
}
|
||||
|
||||
mux := mux.NewRouter()
|
||||
mux.Use(login.Checker)
|
||||
|
||||
|
|
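Review bot: The new package variable `var preservehooks []func()` in the first hunk has no doc comment, and since its only registrations live in a build-tagged file (unveil.go, openbsd only) a reader of web.go cannot see where the hooks come from or when they are expected to run. Suggested comment above the declaration: `// preservehooks are run once, just before a server starts accepting connections, after the database and login state are open; platform-specific files register privilege-dropping steps here (see unveil.go).` In the second hunk the loop is placed after the setup block that ends at the closing brace and before `mux.NewRouter()`, which matches that contract, so the comment documents what the code already does. serve's body continues outside the hunk.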