summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorAndinus <andinus@nand.sh>2020-04-04 18:40:04 +0530
committerAndinus <andinus@nand.sh>2020-04-04 18:40:04 +0530
commit37c097e4ae1ff4a846edb615cc322ee5e547a709 (patch)
tree7046b7a18c4c388fe9bd5ee0f2dd06f8db41478f
parent8dd58b925629cdb99d6293ce7c9953a9b65ccefc (diff)
downloadcetus-37c097e4ae1ff4a846edb615cc322ee5e547a709.tar.gz
Add support for unveil on OpenBSD
-rw-r--r--cmd/cetus/app.go (renamed from cmd/cetus/main.go)3
-rw-r--r--cmd/cetus/main_openbsd.go75
-rw-r--r--cmd/cetus/main_other.go7
-rw-r--r--go.mod2
-rw-r--r--go.sum2
5 files changed, 87 insertions, 2 deletions
diff --git a/cmd/cetus/main.go b/cmd/cetus/app.go
index 8efc17c..c82fb29 100644
--- a/cmd/cetus/main.go
+++ b/cmd/cetus/app.go
@@ -23,8 +23,7 @@ var (
 	apodDate string
 )
 
-func main() {
-
+func app() {
 	// Early Check: If command was not passed then print usage and
 	// exit. Later command & service both are checked, this check
 	// is for version command. If not checked then running cetus
diff --git a/cmd/cetus/main_openbsd.go b/cmd/cetus/main_openbsd.go
new file mode 100644
index 0000000..562d239
--- /dev/null
+++ b/cmd/cetus/main_openbsd.go
@@ -0,0 +1,75 @@
+// +build openbsd
+
+package main
+
+import (
+	"fmt"
+	"log"
+	"strings"
+
+	"golang.org/x/sys/unix"
+	"tildegit.org/andinus/cetus/cache"
+)
+
+func main() {
+	unveil()
+	app()
+}
+
+func unveil() {
+	unveilL := make(map[string]string)
+
+	unveilL[cache.GetDir()] = "rw"
+	unveilL["/dev/null"] = "rw" // required by feh
+
+	unveilL["/etc/resolv.conf"] = "r"
+
+	// ktrace output
+	unveilL["/usr/libexec/ld.so"] = "r"
+	unveilL["/var/run/ld.so.hints"] = "r"
+	unveilL["/usr/lib/libpthread.so.26.1"] = "r"
+	unveilL["/usr/lib/libc.so.95.1"] = "r"
+	unveilL["/dev/urandom"] = "r"
+	unveilL["/etc/mdns.allow"] = "r"
+	unveilL["/etc/hosts"] = "r"
+	unveilL["/usr/local/etc/ssl/cert.pem"] = "r"
+	unveilL["/etc/ssl/cert.pem"] = "r"
+	unveilL["/etc/ssl/certs"] = "r"
+	unveilL["/system/etc/security/cacerts"] = "r"
+	unveilL["/usr/local/share/certs"] = "r"
+	unveilL["/etc/pki/tls/certs"] = "r"
+	unveilL["/etc/openssl/certs"] = "r"
+	unveilL["/var/ssl/certs"] = "r"
+
+	for k, v := range unveilL {
+		err = unix.Unveil(k, v)
+		if err != nil && err.Error() != "no such file or directory" {
+			log.Fatal(fmt.Sprintf("%s :: %s\n%s", k, v,
+				err.Error()))
+		}
+	}
+
+	err = unveilCmd("feh")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Block further unveil calls
+	err = unix.UnveilBlock()
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+// unveilCmd will unveil commands.
+func unveilCmd(cmd string) error {
+	pathList := strings.Split(getEnv("PATH", ""), ":")
+	for _, path := range pathList {
+		err = unix.Unveil(fmt.Sprintf("%s/%s", path, cmd), "rx")
+
+		if err != nil && err.Error() != "no such file or directory" {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/cmd/cetus/main_other.go b/cmd/cetus/main_other.go
new file mode 100644
index 0000000..d39e66f
--- /dev/null
+++ b/cmd/cetus/main_other.go
@@ -0,0 +1,7 @@
+// +build !openbsd
+
+package main
+
+func main() {
+	app()
+}
diff --git a/go.mod b/go.mod
index 1c3c737..74e2534 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,5 @@
 module tildegit.org/andinus/cetus
 
 go 1.13
+
+require golang.org/x/sys v0.0.0-20200331124033-c3d80250170d
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..ad99652
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d h1:nc5K6ox/4lTFbMVSL9WRR81ixkcwXThoiF6yf+R9scA=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=