Finished the OpenBSD pledge/unveil implementation after testing SCGI procs.
This commit is contained in:
kvothe
parent
69a253f820
commit
fb77a13088
1 changed files with 21 additions and 6 deletions
|
|
@ -8,15 +8,20 @@ import (
|
|||
|
||||
// Restrict access to the files specified in config in an OS-dependent way.
|
||||
// The OpenBSD implementation uses pledge(2) and unveil(2) to restrict the
|
||||
// operations available to the molly brown executable.
|
||||
// operations available to the molly brown executable. Please note that (S)CGI
|
||||
// processes that molly brown spawns or communicates with are unrestristricted
|
||||
// and should pledge their own restrictions and unveil their own files.
|
||||
func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
||||
|
||||
// Unveil a specific list of files that we are allowed to access.
|
||||
// Unveil the configured document base as readable.
|
||||
log.Println("Unveiling \"" + config.DocBase + "\" as readable.")
|
||||
err := unix.Unveil(config.DocBase, "r")
|
||||
if err != nil {
|
||||
errorLog.Println("Could not unveil DocBase: " + err.Error())
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
// Unveil cgi path globs as executable.
|
||||
for _, cgiPath := range config.CGIPaths {
|
||||
cgiGlobbedPaths, err := filepath.Glob(cgiPath)
|
||||
for _, cgiGlobbedPath := range cgiGlobbedPaths {
|
||||
|
|
@ -28,6 +33,15 @@ func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Unveil scgi socket paths as readable and writeable.
|
||||
for _, scgiSocket := range config.SCGIPaths {
|
||||
log.Println("Unveiling \"" + scgiSocket + "\" as read/write.")
|
||||
err = unix.Unveil(scgiSocket, "rw")
|
||||
}
|
||||
|
||||
// Finalize the unveil list.
|
||||
// Any files not whitelisted above won't be accessible to molly brown.
|
||||
err = unix.UnveilBlock()
|
||||
if err != nil {
|
||||
errorLog.Println("Could not block unveil: " + err.Error())
|
||||
|
|
@ -35,14 +49,15 @@ func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
|||
}
|
||||
|
||||
// Pledge to only use stdio, inet, and rpath syscalls.
|
||||
// If CGI paths have been specified, also allow exec syscalls.
|
||||
// Please note that execpromises haven't been specified, meaning that
|
||||
// CGI applications spawned by molly brown should pledge their own
|
||||
// restrictions and unveil their own files.
|
||||
promises := "stdio inet rpath"
|
||||
if len(config.CGIPaths) > 0 {
|
||||
// If CGI paths have been specified, also allow exec syscalls.
|
||||
promises += " exec proc"
|
||||
}
|
||||
if len(config.SCGIPaths) > 0 {
|
||||
// If SCGI paths have been specified, also allow unix sockets.
|
||||
promises += " unix"
|
||||
}
|
||||
err = unix.PledgePromises(promises)
|
||||
if err != nil {
|
||||
errorLog.Println("Could not pledge: " + err.Error())
|
||||
|
|
|
|||
Loading…
Reference in a new issue