let's try some unveil and pledge
This commit is contained in:
parent
74a0f3537d
commit
96ed76c9b6
|
@ -87,6 +87,9 @@ func backendServer() {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Panicf("unable to register shrinker: %s", err)
|
log.Panicf("unable to register shrinker: %s", err)
|
||||||
}
|
}
|
||||||
|
for _, h := range preservehooks {
|
||||||
|
h()
|
||||||
|
}
|
||||||
srv.Accept(lis)
|
srv.Accept(lis)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
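Review bot: The `for _, h := range preservehooks { h() }` loop inserted before `srv.Accept(lis)` has no way to learn that a hook failed, because the hook type is `func()` with no result; the only hook registered in this commit installs the unveil/pledge sandbox, so a failed install would let the backend accept connections unrestricted while appearing restricted. Consider declaring the slice as `var preservehooks []func() error` in web.go and checking here, matching the `log.Panicf` style already used above: `if err := h(); err != nil { log.Panicf("unable to run preserve hook: %s", err) }`. The identical loop added to `serve()` in web.go has the same gap. `backendServer()` starts outside this hunk.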
@ -2,6 +2,8 @@ changelog
|
||||||
|
|
||||||
-- next
|
-- next
|
||||||
|
|
||||||
|
+ Unveil and pledge restrictions on OpenBSD.
|
||||||
|
|
||||||
+ Lists supported in markdown.
|
+ Lists supported in markdown.
|
||||||
|
|
||||||
+ Rewrite admin console to avoid large dependencies.
|
+ Rewrite admin console to avoid large dependencies.
|
||||||
|
|
|
@ -0,0 +1,65 @@
|
||||||
|
// +build openbsd
|
||||||
|
|
||||||
|
//
|
||||||
|
// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
|
||||||
|
//
|
||||||
|
// Permission to use, copy, modify, and distribute this software for any
|
||||||
|
// purpose with or without fee is hereby granted, provided that the above
|
||||||
|
// copyright notice and this permission notice appear in all copies.
|
||||||
|
//
|
||||||
|
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
/*
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
*/
|
||||||
|
import "C"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"unsafe"
|
||||||
|
)
|
||||||
|
|
||||||
|
func Unveil(path string, perms string) error {
|
||||||
|
cpath := C.CString(path)
|
||||||
|
defer C.free(unsafe.Pointer(cpath))
|
||||||
|
cperms := C.CString(perms)
|
||||||
|
defer C.free(unsafe.Pointer(cperms))
|
||||||
|
|
||||||
|
rv, err := C.unveil(cpath, cperms)
|
||||||
|
if rv != 0 {
|
||||||
|
return fmt.Errorf("unveil(%s, %s) failure (%d)", path, perms, err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func Pledge(promises string) error {
|
||||||
|
cpromises := C.CString(promises)
|
||||||
|
defer C.free(unsafe.Pointer(cpromises))
|
||||||
|
|
||||||
|
rv, err := C.pledge(cpromises, nil)
|
||||||
|
if rv != 0 {
|
||||||
|
return fmt.Errorf("pledge(%s) failure (%d)", promises, err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
preservehooks = append(preservehooks, func() {
|
||||||
|
Unveil("/etc/ssl", "r")
|
||||||
|
if viewDir != dataDir {
|
||||||
|
Unveil(viewDir, "r")
|
||||||
|
}
|
||||||
|
Unveil(dataDir, "rwc")
|
||||||
|
C.unveil(nil, nil)
|
||||||
|
Pledge("stdio rpath wpath cpath flock dns inet unix")
|
||||||
|
})
|
||||||
|
}
|
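Review bot: The hook registered in `init()` discards the error from every `Unveil(...)` and `Pledge(...)` call and the return value of the final `C.unveil(nil, nil)`, so if any call fails (for example an `ENOENT` on `viewDir`, or `EPERM` once the list is locked) the process keeps running with no filesystem or syscall restriction and nothing is logged. Since the hook signature is `func()`, aborting is the only option that fits the current interface; the rewrite below panics on the first failure, including the lock-in call, whose failure leaves every unveiled path unrestricted. Separately, `%d` on the cgo `err` prints the raw errno number; `%v` would print the message, e.g. `fmt.Errorf("unveil(%s, %s) failure: %v", path, perms, err)`. The exported `Unveil` and `Pledge` also lack doc comments; a one-liner such as `// Unveil restricts filesystem access to path with the given unveil(2) permission string.` would do.
```go
preservehooks = append(preservehooks, func() {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(Unveil("/etc/ssl", "r"))
	if viewDir != dataDir {
		must(Unveil(viewDir, "r"))
	}
	must(Unveil(dataDir, "rwc"))
	// Lock the unveil list; if this fails the paths above stay unrestricted.
	if rv, err := C.unveil(nil, nil); rv != 0 {
		panic(fmt.Errorf("unveil(NULL, NULL) failure: %v", err))
	}
	must(Pledge("stdio rpath wpath cpath flock dns inet unix"))
})
```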
6
web.go
6
web.go
|
@ -2120,6 +2120,8 @@ sendloop:
|
||||||
os.Exit(0)
|
os.Exit(0)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var preservehooks []func()
|
||||||
|
|
||||||
func serve() {
|
func serve() {
|
||||||
db := opendatabase()
|
db := opendatabase()
|
||||||
login.Init(db)
|
login.Init(db)
|
||||||
|
@ -2160,6 +2162,10 @@ func serve() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for _, h := range preservehooks {
|
||||||
|
h()
|
||||||
|
}
|
||||||
|
|
||||||
mux := mux.NewRouter()
|
mux := mux.NewRouter()
|
||||||
mux.Use(login.Checker)
|
mux.Use(login.Checker)
|
||||||
|
|
||||||
|
|
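Review bot: `var preservehooks []func()` is a package-level mutable slice with no comment saying who appends to it or when the hooks fire, which matters because the second hunk runs them at a specific point in `serve()`: after `opendatabase()` and `login.Init(db)` and before the router is built. Suggested comment above the declaration: `// preservehooks are run once by serve() and backendServer() after startup resources such as the database are opened and before requests are served; platform-specific sandboxing (the OpenBSD unveil/pledge hook) registers here from init().` Anything a hook needs to open must already be open by that point, so a future caller adding file access after the loop would silently break under unveil; the comment should make that ordering constraint explicit. `serve()` continues past the end of the second hunk.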