From 37c097e4ae1ff4a846edb615cc322ee5e547a709 Mon Sep 17 00:00:00 2001
From: Andinus
Date: Sat, 4 Apr 2020 18:40:04 +0530
Subject: Add support for unveil on OpenBSD
---
cmd/cetus/main_openbsd.go | 75 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 cmd/cetus/main_openbsd.go
(limited to 'cmd/cetus/main_openbsd.go')
diff --git a/cmd/cetus/main_openbsd.go b/cmd/cetus/main_openbsd.go
new file mode 100644
index 0000000..562d239
--- /dev/null
+++ b/cmd/cetus/main_openbsd.go
@@ -0,0 +1,75 @@
+// +build openbsd
+
+package main
+
+import (
+ "fmt"
+ "log"
+ "strings"
+
+ "golang.org/x/sys/unix"
+ "tildegit.org/andinus/cetus/cache"
+)
+
+func main() {
+ unveil()
+ app()
+}
+
+func unveil() {
+ unveilL := make(map[string]string)
+
+ unveilL[cache.GetDir()] = "rw"
+ unveilL["/dev/null"] = "rw" // required by feh
+
+ unveilL["/etc/resolv.conf"] = "r"
+
+ // ktrace output
+ unveilL["/usr/libexec/ld.so"] = "r"
+ unveilL["/var/run/ld.so.hints"] = "r"
+ unveilL["/usr/lib/libpthread.so.26.1"] = "r"
+ unveilL["/usr/lib/libc.so.95.1"] = "r"
+ unveilL["/dev/urandom"] = "r"
+ unveilL["/etc/mdns.allow"] = "r"
+ unveilL["/etc/hosts"] = "r"
+ unveilL["/usr/local/etc/ssl/cert.pem"] = "r"
+ unveilL["/etc/ssl/cert.pem"] = "r"
+ unveilL["/etc/ssl/certs"] = "r"
+ unveilL["/system/etc/security/cacerts"] = "r"
+ unveilL["/usr/local/share/certs"] = "r"
+ unveilL["/etc/pki/tls/certs"] = "r"
+ unveilL["/etc/openssl/certs"] = "r"
+ unveilL["/var/ssl/certs"] = "r"
+
+ for k, v := range unveilL {
+ err = unix.Unveil(k, v)
+ if err != nil && err.Error() != "no such file or directory" {
+ log.Fatal(fmt.Sprintf("%s :: %s\n%s", k, v,
+ err.Error()))
+ }
+ }
+
+ err = unveilCmd("feh")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Block further unveil calls
+ err = unix.UnveilBlock()
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
+// unveilCmd will unveil commands.
+func unveilCmd(cmd string) error {
+ pathList := strings.Split(getEnv("PATH", ""), ":")
+ for _, path := range pathList {
+ err = unix.Unveil(fmt.Sprintf("%s/%s", path, cmd), "rx")
+
+ if err != nil && err.Error() != "no such file or directory" {
+ return err
+ }
+ }
+ return nil
+}
-- cgit 1.4.1-2-gfad0
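Review bot: Both loops decide which unveil failures are tolerable by comparing `err.Error()` with the literal "no such file or directory", once in `unveil` and again in `unveilCmd`. Matching on message text is brittle for the check that gates sandbox setup, so the errno should be tested instead, e.g. `if err := unix.Unveil(k, v); err != nil && !errors.Is(err, unix.ENOENT) {` (this needs the `errors` import). `err` is assigned with `=` throughout the file and never declared in it, so it is presumably a package-level variable from another file; declaring it locally with `:=` keeps the sandbox code independent of shared state. Because missing paths are skipped silently, versioned entries such as `/usr/lib/libc.so.95.1` will drop out of the list after a library bump without any log line. A short comment marking those entries as a ktrace snapshot of one release would help the next maintainer.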