all repos — honk @ 798bcef6f3bf167634fac651389ef1b05eee833f

my fork of honk

unveil.go (view raw)

 1//go:build openbsd
 2
 3//
 4// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
 5//
 6// Permission to use, copy, modify, and distribute this software for any
 7// purpose with or without fee is hereby granted, provided that the above
 8// copyright notice and this permission notice appear in all copies.
 9//
10// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18package main
19
20/*
21#include <stdlib.h>
22#include <unistd.h>
23*/
24import "C"
25
26import (
27	"unsafe"
28)
29
30func Unveil(path string, perms string) {
31	cpath := C.CString(path)
32	defer C.free(unsafe.Pointer(cpath))
33	cperms := C.CString(perms)
34	defer C.free(unsafe.Pointer(cperms))
35
36	rv, err := C.unveil(cpath, cperms)
37	if rv != 0 {
38		elog.Fatalf("unveil(%s, %s) failure (%d)", path, perms, err)
39	}
40}
41
42func Pledge(promises string) {
43	cpromises := C.CString(promises)
44	defer C.free(unsafe.Pointer(cpromises))
45
46	rv, err := C.pledge(cpromises, nil)
47	if rv != 0 {
48		elog.Fatalf("pledge(%s) failure (%d)", promises, err)
49	}
50}
51
52func init() {
53	preservehooks = append(preservehooks, func() {
54		Unveil("/etc/ssl", "r")
55		if viewDir != dataDir {
56			Unveil(viewDir, "r")
57		}
58		Unveil(dataDir, "rwc")
59		C.unveil(nil, nil)
60		Pledge("stdio rpath wpath cpath flock dns inet unix")
61	})
62	backendhooks = append(backendhooks, func() {
63		C.unveil(nil, nil)
64		Pledge("stdio unix")
65	})
66}