unveil.go (view raw)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
//go:build openbsd
// +build openbsd
//
// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
//
// Permission to use, copy, modify, and distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
package main
/*
#include <stdlib.h>
#include <unistd.h>
*/
import "C"
import (
"fmt"
"unsafe"
)
func Unveil(path string, perms string) error {
cpath := C.CString(path)
defer C.free(unsafe.Pointer(cpath))
cperms := C.CString(perms)
defer C.free(unsafe.Pointer(cperms))
rv, err := C.unveil(cpath, cperms)
if rv != 0 {
return fmt.Errorf("unveil(%s, %s) failure (%d)", path, perms, err)
}
return nil
}
func Pledge(promises string) error {
cpromises := C.CString(promises)
defer C.free(unsafe.Pointer(cpromises))
rv, err := C.pledge(cpromises, nil)
if rv != 0 {
return fmt.Errorf("pledge(%s) failure (%d)", promises, err)
}
return nil
}
func init() {
preservehooks = append(preservehooks, func() {
Unveil("/etc/ssl", "r")
if viewDir != dataDir {
Unveil(viewDir, "r")
}
Unveil(dataDir, "rwc")
C.unveil(nil, nil)
Pledge("stdio rpath wpath cpath flock dns inet unix")
})
backendhooks = append(backendhooks, func() {
C.unveil(nil, nil)
Pledge("stdio unix")
})
}
|