let's try some unveil and pledge
Ted Unangst tedu@tedunangst.com
Tue, 12 Nov 2019 16:27:12 -0500
4 files changed,
76 insertions(+),
0 deletions(-)
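--- a/backend.go
+++ b/backend.go
@@ -87,6 +87,9 @@ lis, err := net.Listen("unix", sockname)
 	if err != nil {
 		log.Panicf("unable to register shrinker: %s", err)
 	}
+	for _, h := range preservehooks {
+		h()
+	}
 	srv.Accept(lis)
 }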
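Review bot: The `h()` calls in the new loop cannot report that a hook failed, because `preservehooks` is declared as `[]func()` in this commit's web.go change, so a hook whose restriction did not apply leaves the backend running unrestricted and nothing in this function notices. Declaring the hooks as `func() error` and writing the loop body as `if err := h(); err != nil { log.Panicf("preserve hook: %s", err) }` would keep the fail-hard style of the `net.Listen` check just above; the identical loop added to serve() in web.go needs the same treatment. A one-line comment such as `// Run the sandbox hooks only after the socket is bound; see preservehooks in web.go.` would also record why the loop sits between Listen and Accept. The enclosing function starts outside the hunk.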
docs/changelog.txt
@@ -2,6 +2,8 @@ changelog
-- next ++ Unveil and pledge restrictions on OpenBSD. + + Lists supported in markdown. + Rewrite admin console to avoid large dependencies.
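--- a/unveil.go
+++ b/unveil.go
@@ -0,0 +1,65 @@
+// +build openbsd
+
+//
+// Copyright (c) 2019 Ted Unangst <tedu@tedunangst.com>
+//
+// Permission to use, copy, modify, and distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+package main
+
+/*
+#include <stdlib.h>
+#include <unistd.h>
+*/
+import "C"
+
+import (
+	"fmt"
+	"unsafe"
+)
+
+func Unveil(path string, perms string) error {
+	cpath := C.CString(path)
+	defer C.free(unsafe.Pointer(cpath))
+	cperms := C.CString(perms)
+	defer C.free(unsafe.Pointer(cperms))
+
+	rv, err := C.unveil(cpath, cperms)
+	if rv != 0 {
+		return fmt.Errorf("unveil(%s, %s) failure (%d)", path, perms, err)
+	}
+	return nil
+}
+
+func Pledge(promises string) error {
+	cpromises := C.CString(promises)
+	defer C.free(unsafe.Pointer(cpromises))
+
+	rv, err := C.pledge(cpromises, nil)
+	if rv != 0 {
+		return fmt.Errorf("pledge(%s) failure (%d)", promises, err)
+	}
+	return nil
+}
+
+func init() {
+	preservehooks = append(preservehooks, func() {
+		Unveil("/etc/ssl", "r")
+		if viewDir != dataDir {
+			Unveil(viewDir, "r")
+		}
+		Unveil(dataDir, "rwc")
+		C.unveil(nil, nil)
+		Pledge("stdio rpath wpath cpath flock dns inet unix")
+	})
+}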
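Review bot: Every call inside the hook registered by init() discards its result — the three Unveil calls, the `C.unveil(nil, nil)` lock, and Pledge — so if any of them fails the process simply continues with whatever restriction did or did not apply, and nothing is logged; Unveil and Pledge go to the trouble of returning an error that no caller reads. Because the hook type is a plain `func()`, the hook itself has to stop the process on failure, as in the excerpt below (which needs "log" added to the import block). A smaller point of style: the `%d` verb in both Errorf messages prints the errno as a bare number, where `%v` would print its text.
```go
// … unchanged: license header, package clause, cgo preamble, Unveil, Pledge …

func init() {
	preservehooks = append(preservehooks, func() {
		// Sandbox setup must fail closed: a skipped unveil or pledge would
		// leave the process running with no restriction at all.
		must := func(err error) {
			if err != nil {
				log.Fatalf("sandbox setup: %s", err)
			}
		}
		must(Unveil("/etc/ssl", "r"))
		if viewDir != dataDir {
			must(Unveil(viewDir, "r"))
		}
		must(Unveil(dataDir, "rwc"))
		// unveil(NULL, NULL) locks the list; further unveil calls are refused.
		if rv, err := C.unveil(nil, nil); rv != 0 {
			log.Fatalf("unveil lock failure (%v)", err)
		}
		must(Pledge("stdio rpath wpath cpath flock dns inet unix"))
	})
}
```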
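--- a/web.go
+++ b/web.go
@@ -2120,6 +2120,8 @@ log.Printf("apocalypse")
 	os.Exit(0)
 }
+var preservehooks []func()
+
 func serve() {
 	db := opendatabase()
 	login.Init(db)
@@ -2158,6 +2160,10 @@ assets := []string{viewDir + "/views/style.css", dataDir + "/views/local.css", viewDir + "/views/honkpage.js"}
 		for _, s := range assets {
 			savedassetparams[s] = getassetparam(s)
 		}
+	}
+
+	for _, h := range preservehooks {
+		h()
 	}
 	mux := mux.NewRouter()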
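Review bot: The new package-level `preservehooks` in the first hunk has no comment, and nothing in web.go shows who appends to it or when it is safe to run the hooks, since the only registration is in the separate OpenBSD-only unveil.go. A doc comment such as `// preservehooks run once at startup, by serve() and by the backend, before either starts accepting work; platform-specific files (unveil.go) append sandboxing hooks here.` would make that contract visible to readers of this file. In the second hunk the loop is placed after `savedassetparams` is filled from the view assets — presumably because `getassetparam` reads those files and the hooks may narrow filesystem access, though that is an inference from names; if so, a one-line why-comment above the loop would keep a later refactor from moving it earlier. serve() continues outside the hunk.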