First pass at a pledge/unveil implementation for OpenBSD.
This commit is contained in:
kvothe
parent
48f9a206c0
commit
03ca12d0c1
3 changed files with 68 additions and 0 deletions
3
main.go
3
main.go
|
|
@ -69,6 +69,9 @@ func main() {
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
// Restrict access to the files specified in config
|
||||||
|
enableSecurityRestrictions(config, errorLog)
|
||||||
|
|
||||||
// Infinite serve loop
|
// Infinite serve loop
|
||||||
for {
|
for {
|
||||||
conn, err := listener.Accept()
|
conn, err := listener.Accept()
|
||||||
|
|
|
||||||
14
security.go
Normal file
14
security.go
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
// +build !openbsd
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Restrict access to the files specified in config in an OS-dependent way.
|
||||||
|
// This is intended to be called immediately prior to accepting client
|
||||||
|
// connections and may be used to establish a security "jail" for the molly
|
||||||
|
// brown executable.
|
||||||
|
func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
||||||
|
}
|
||||||
51
security_openbsd.go
Normal file
51
security_openbsd.go
Normal file
|
|
@ -0,0 +1,51 @@
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Restrict access to the files specified in config in an OS-dependent way.
|
||||||
|
// The OpenBSD implementation uses pledge(2) and unveil(2) to restrict the
|
||||||
|
// operations available to the molly brown executable.
|
||||||
|
func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
||||||
|
// Pledge to only use stdio, inet, rpath, and unveil syscalls.
|
||||||
|
// If (S)CGI paths have been specified, also allow exec syscalls.
|
||||||
|
// Please note that execpromises haven't been specified, meaning that
|
||||||
|
// (S)CGI applications spawned by molly brown should pledge their own
|
||||||
|
// restrictions.
|
||||||
|
promises := "stdio inet rpath unveil"
|
||||||
|
if len(config.CGIPaths) > 0 || len(config.SCGIPaths) > 0 {
|
||||||
|
promises += " exec"
|
||||||
|
}
|
||||||
|
err := unix.PledgePromises(promises)
|
||||||
|
if err != nil {
|
||||||
|
errorLog.Println("Could not pledge: " + err.Error())
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
// Unveil a specific list of files that we are allowed to access.
|
||||||
|
err = unix.Unveil(config.DocBase, "r")
|
||||||
|
if err != nil {
|
||||||
|
errorLog.Println("Could not unveil DocBase: " + err.Error())
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
for _, cgiPath := range config.CGIPaths {
|
||||||
|
err = unix.Unveil(cgiPath, "rx")
|
||||||
|
if err != nil {
|
||||||
|
errorLog.Println("Could not unveil CGIPath: " + err.Error())
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, scgiPath := range config.SCGIPaths {
|
||||||
|
err = unix.Unveil(scgiPath, "rx")
|
||||||
|
if err != nil {
|
||||||
|
errorLog.Println("Could not unveil SCGIPaths: " + err.Error())
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
err = unix.UnveilBlock()
|
||||||
|
if err != nil {
|
||||||
|
errorLog.Println("Could not block unveil: " + err.Error())
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
Loading…
Add table
Reference in a new issue