author | Andinus <andinus@nand.sh> | 2020-04-04 18:40:04 +0530 |
---|---|---|
committer | Andinus <andinus@nand.sh> | 2020-04-04 18:40:04 +0530 |
commit | 37c097e4ae1ff4a846edb615cc322ee5e547a709 (patch) | |
tree | 7046b7a18c4c388fe9bd5ee0f2dd06f8db41478f | |
parent | 8dd58b925629cdb99d6293ce7c9953a9b65ccefc (diff) | |
download | cetus-37c097e4ae1ff4a846edb615cc322ee5e547a709.tar.gz |
Add support for unveil on OpenBSD
-rw-r--r-- | cmd/cetus/app.go (renamed from cmd/cetus/main.go) | 3 | ||||
-rw-r--r-- | cmd/cetus/main_openbsd.go | 75 | ||||
-rw-r--r-- | cmd/cetus/main_other.go | 7 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 2 |
5 files changed, 87 insertions, 2 deletions
diff --git a/cmd/cetus/main.go b/cmd/cetus/app.go
index 8efc17c..c82fb29 100644
--- a/cmd/cetus/main.go
+++ b/cmd/cetus/app.go
@@ -23,8 +23,7 @@ var (
 apodDate string
 )
 
-func main() {
-
+func app() {
 // Early Check: If command was not passed then print usage and
 // exit. Later command & service both are checked, this check
 // is for version command. If not checked then running cetus
diff --git a/cmd/cetus/main_openbsd.go b/cmd/cetus/main_openbsd.go
new file mode 100644
index 0000000..562d239
--- /dev/null
+++ b/cmd/cetus/main_openbsd.go
@@ -0,0 +1,75 @@
+// +build openbsd
+
+package main
+
+import (
+ "fmt"
+ "log"
+ "strings"
+
+ "golang.org/x/sys/unix"
+ "tildegit.org/andinus/cetus/cache"
+)
+
+func main() {
+ unveil()
+ app()
+}
+
+func unveil() {
+ unveilL := make(map[string]string)
+
+ unveilL[cache.GetDir()] = "rw"
+ unveilL["/dev/null"] = "rw" // required by feh
+
+ unveilL["/etc/resolv.conf"] = "r"
+
+ // ktrace output
+ unveilL["/usr/libexec/ld.so"] = "r"
+ unveilL["/var/run/ld.so.hints"] = "r"
+ unveilL["/usr/lib/libpthread.so.26.1"] = "r"
+ unveilL["/usr/lib/libc.so.95.1"] = "r"
+ unveilL["/dev/urandom"] = "r"
+ unveilL["/etc/mdns.allow"] = "r"
+ unveilL["/etc/hosts"] = "r"
+ unveilL["/usr/local/etc/ssl/cert.pem"] = "r"
+ unveilL["/etc/ssl/cert.pem"] = "r"
+ unveilL["/etc/ssl/certs"] = "r"
+ unveilL["/system/etc/security/cacerts"] = "r"
+ unveilL["/usr/local/share/certs"] = "r"
+ unveilL["/etc/pki/tls/certs"] = "r"
+ unveilL["/etc/openssl/certs"] = "r"
+ unveilL["/var/ssl/certs"] = "r"
+
+ for k, v := range unveilL {
+ err = unix.Unveil(k, v)
+ if err != nil && err.Error() != "no such file or directory" {
+ log.Fatal(fmt.Sprintf("%s :: %s\n%s", k, v,
+ err.Error()))
+ }
+ }
+
+ err = unveilCmd("feh")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Block further unveil calls
+ err = unix.UnveilBlock()
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
+// unveilCmd will unveil commands.
+func unveilCmd(cmd string) error {
+ pathList := strings.Split(getEnv("PATH", ""), ":")
+ for _, path := range pathList {
+ err = unix.Unveil(fmt.Sprintf("%s/%s", path, cmd), "rx")
+
+ if err != nil && err.Error() != "no such file or directory" {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/cmd/cetus/main_other.go b/cmd/cetus/main_other.go
new file mode 100644
index 0000000..d39e66f
--- /dev/null
+++ b/cmd/cetus/main_other.go
@@ -0,0 +1,7 @@
+// +build !openbsd
+
+package main
+
+func main() {
+ app()
+}
diff --git a/go.mod b/go.mod
index 1c3c737..74e2534 100644
--- a/go.mod
+++ b/go.mod
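Review bot: Both error checks in this hunk (the `unveilL` loop in `unveil` and the loop in `unveilCmd`) recognise a missing path by comparing `err.Error()` against the literal `"no such file or directory"`, which silently breaks if the message ever differs; `unix.Unveil` returns an errno, so `if err != nil && !errors.Is(err, unix.ENOENT) {` states the intent directly (add `"errors"` to the import block). The `"rw"` grant on `cache.GetDir()` only covers reading and writing existing entries — if the cache package creates or removes files in that directory, OpenBSD's unveil also needs the `c` flag, so `"rwc"` is probably what is wanted; confirm against the cache code, which is outside this commit. `unveilCmd` grants `rx` on `<dir>/feh` for every entry of `$PATH`, and an empty or unset `PATH` makes `strings.Split` yield `[""]` so `/feh` is unveiled; resolving the binary once with `exec.LookPath("feh")` and unveiling only that path keeps the grant minimal and avoids the `Sprintf` path join (`filepath.Join` otherwise). `err` is assigned with `=` in both functions and is not declared in this file, so it appears to rely on a package-level `err` declared elsewhere; a local `err :=` in each function would avoid sharing that state, and `log.Fatalf("%s :: %s\n%s", k, v, err)` replaces the `log.Fatal(fmt.Sprintf(...))` pair.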
@@ -1,3 +1,5 @@
 module tildegit.org/andinus/cetus
 
 go 1.13
+
+require golang.org/x/sys v0.0.0-20200331124033-c3d80250170d
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..ad99652
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d h1:nc5K6ox/4lTFbMVSL9WRR81ixkcwXThoiF6yf+R9scA=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=