authorAndinus <andinus@nand.sh>2020-04-04 21:59:01 +0530
committerAndinus <andinus@nand.sh>2020-04-04 21:59:01 +0530
commit206a776f64c9163ab597c25a61040c08c012dfd0 (patch)
tree62c45c0ba66453d1103a566febfbe5df6d893839
parentffe417d98b545333f17fc1aec055e6fe44b1dc56 (diff)
Fix unveil rules
-rw-r--r--cache/getdir_unix.go18
-rw-r--r--cmd/cetus/main_openbsd.go21
2 files changed, 21 insertions, 18 deletions
diff --git a/cache/getdir_unix.go b/cache/getdir_unix.go
index 62dd5ed..a65d389 100644
--- a/cache/getdir_unix.go
+++ b/cache/getdir_unix.go
@@ -12,6 +12,18 @@ import (
 // that is not set then assume it to be the default value which is
 // $HOME/.cache according to XDG Base Directory Specification.
 func GetDir() string {
+	cacheDir := Dir()
+
+	// Cetus cache directory is cacheDir/cetus.
+	cetusCacheDir := fmt.Sprintf("%s/%s", cacheDir,
+		"cetus")
+
+	return cetusCacheDir
+}
+
+// Dir returns the system cache directory, this is useful for unveil
+// in OpenBSD.
+func Dir() string {
 	cacheDir := os.Getenv("CETUS_CACHE_DIR")
 	if len(cacheDir) == 0 {
 		cacheDir = os.Getenv("XDG_CACHE_HOME")
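Review bot: The new exported `Dir` returns whatever `CETUS_CACHE_DIR` or `XDG_CACHE_HOME` holds without checking it, and the other file in this commit passes that value straight to `unix.Unveil` with `rwc`. The XDG Base Directory Specification treats relative paths in these variables as invalid, so a non-absolute value should be treated as unset after each lookup, e.g. `if !filepath.IsAbs(cacheDir) { cacheDir = "" }` (this needs `path/filepath`; the import block is not fully visible here). That keeps a stray relative value from becoming a writable unveil root resolved against the current directory. The doc comment also calls this the system cache directory although the first lookup is the Cetus-specific override; `// Dir returns the base cache directory: $CETUS_CACHE_DIR, else $XDG_CACHE_HOME, else the $HOME/.cache default.` is closer to the code. The body of `Dir` continues in the next hunk.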
@@ -21,9 +33,5 @@ func GetDir() string {
 			".cache")
 	}
 
-	// Cetus cache directory is cacheDir/cetus.
-	cetusCacheDir := fmt.Sprintf("%s/%s", cacheDir,
-		"cetus")
-
-	return cetusCacheDir
+	return cacheDir
 }
diff --git a/cmd/cetus/main_openbsd.go b/cmd/cetus/main_openbsd.go
index 42aecaf..a140071 100644
--- a/cmd/cetus/main_openbsd.go
+++ b/cmd/cetus/main_openbsd.go
@@ -19,27 +19,22 @@ func main() {
 func unveil() {
 	unveilL := make(map[string]string)
 
-	unveilL[cache.GetDir()] = "rwc"
-	unveilL["/dev/null"] = "rw" // required by feh
+	// We unveil the whole cache directory.
+	err = unix.Unveil(cache.Dir(), "rwc")
+	if err != nil {
+		log.Fatal(err)
+	}
 
+	unveilL["/dev/null"] = "rw" // required by feh
 	unveilL["/etc/resolv.conf"] = "r"
 
 	// ktrace output
 	unveilL["/usr/libexec/ld.so"] = "r"
 	unveilL["/var/run/ld.so.hints"] = "r"
-	unveilL["/usr/lib/libpthread.so.26.1"] = "r"
-	unveilL["/usr/lib/libc.so.95.1"] = "r"
+	unveilL["/usr/lib"] = "r"
 	unveilL["/dev/urandom"] = "r"
-	unveilL["/etc/mdns.allow"] = "r"
 	unveilL["/etc/hosts"] = "r"
-	unveilL["/usr/local/etc/ssl/cert.pem"] = "r"
-	unveilL["/etc/ssl/cert.pem"] = "r"
-	unveilL["/etc/ssl/certs"] = "r"
-	unveilL["/system/etc/security/cacerts"] = "r"
-	unveilL["/usr/local/share/certs"] = "r"
-	unveilL["/etc/pki/tls/certs"] = "r"
-	unveilL["/etc/openssl/certs"] = "r"
-	unveilL["/var/ssl/certs"] = "r"
+	unveilL["/etc/ssl"] = "r"
 
 	for k, v := range unveilL {
 		err = unix.Unveil(k, v)
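Review bot: Unveiling `cache.Dir()` with `rwc` gives the process read, write and create access to the whole cache base, by default `$HOME/.cache`, which usually holds other programs' caches as well, where the removed line limited it to `cache.GetDir()`. If the wider rule was needed because the `cetus` subdirectory may not exist yet when `unveil()` runs (an assumption; the commit does not say), creating it first keeps the narrow rule: `if err := os.MkdirAll(cache.GetDir(), 0700); err != nil { log.Fatal(err) }` followed by `unveilL[cache.GetDir()] = "rwc"` (needs `os` if the file does not already import it). Otherwise the comment should state the reason and the cost, e.g. `// cache.GetDir() may not exist yet, so unveil its parent; this also exposes every other cache under it.` The broadening to `/usr/lib` and `/etc/ssl` is a sensible way to survive library version bumps but deserves the same kind of one-line comment. `unveil()` continues past the end of this hunk.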