all repos — honk @ 2899cc68d01ab80647eda61a2aa58d22b6f243d1

my fork of honk

unveil.go (view raw)

 1//go:build openbsd
 2// +build openbsd
 3
 4//
 5// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
 6//
 7// Permission to use, copy, modify, and distribute this software for any
 8// purpose with or without fee is hereby granted, provided that the above
 9// copyright notice and this permission notice appear in all copies.
10//
11// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19package main
20
21/*
22#include <stdlib.h>
23#include <unistd.h>
24*/
25import "C"
26
27import (
28	"fmt"
29	"unsafe"
30)
31
32func Unveil(path string, perms string) error {
33	cpath := C.CString(path)
34	defer C.free(unsafe.Pointer(cpath))
35	cperms := C.CString(perms)
36	defer C.free(unsafe.Pointer(cperms))
37
38	rv, err := C.unveil(cpath, cperms)
39	if rv != 0 {
40		return fmt.Errorf("unveil(%s, %s) failure (%d)", path, perms, err)
41	}
42	return nil
43}
44
45func Pledge(promises string) error {
46	cpromises := C.CString(promises)
47	defer C.free(unsafe.Pointer(cpromises))
48
49	rv, err := C.pledge(cpromises, nil)
50	if rv != 0 {
51		return fmt.Errorf("pledge(%s) failure (%d)", promises, err)
52	}
53	return nil
54}
55
56func init() {
57	preservehooks = append(preservehooks, func() {
58		Unveil("/etc/ssl", "r")
59		if viewDir != dataDir {
60			Unveil(viewDir, "r")
61		}
62		Unveil(dataDir, "rwc")
63		C.unveil(nil, nil)
64		Pledge("stdio rpath wpath cpath flock dns inet unix")
65	})
66	backendhooks = append(backendhooks, func() {
67		C.unveil(nil, nil)
68		Pledge("stdio unix")
69	})
70}