all repos — honk @ f634f633d722b60be4328f71d61d619a084a4696

my fork of honk

unveil.go (view raw)

 1//
 2// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
 3//
 4// Permission to use, copy, modify, and distribute this software for any
 5// purpose with or without fee is hereby granted, provided that the above
 6// copyright notice and this permission notice appear in all copies.
 7//
 8// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 9// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16package main
17
18import (
19	"humungus.tedunangst.com/r/gonix"
20)
21
22func securitizeweb() {
23	err := gonix.Unveil("/etc/ssl", "r")
24	if err != nil {
25		elog.Fatalf("unveil(%s, %s) failure (%d)", "/etc/ssl", "r", err)
26	}
27	if viewDir != dataDir {
28		err = gonix.Unveil(viewDir, "r")
29		if err != nil {
30			elog.Fatalf("unveil(%s, %s) failure (%d)", viewDir, "r", err)
31		}
32	}
33	err = gonix.Unveil(dataDir, "rwc")
34	if err != nil {
35		elog.Fatalf("unveil(%s, %s) failure (%d)", dataDir, "rwc", err)
36	}
37	gonix.UnveilEnd()
38	promises := "stdio rpath wpath cpath flock dns inet unix"
39	err = gonix.Pledge(promises)
40	if err != nil {
41		elog.Fatalf("pledge(%s) failure (%d)", promises, err)
42	}
43}
44
45func securitizebackend() {
46	gonix.UnveilEnd()
47	promises := "stdio unix"
48	err := gonix.Pledge(promises)
49	if err != nil {
50		elog.Fatalf("pledge(%s) failure (%d)", promises, err)
51	}
52}