author | Yuce Tekol <yucetekol@gmail.com> | 2019-05-03 09:51:18 +0300 |
committer | Yuce Tekol <yucetekol@gmail.com> | 2019-05-03 09:51:18 +0300 |
commit | 968d5d7b886f894d4df08eef09d0fc21539f60fc (patch) | |
tree | 6576c5b3f557ac1c98d209e56fa0e02dec63129a | |
parent | 7fd70619f1fd5651611376f12010b237c3f96ab2 (diff) | |
download | pyopenbsd-968d5d7b886f894d4df08eef09d0fc21539f60fc.tar.gz |
added restrict script
-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | README.md | 3 | ||||
-rw-r--r-- | examples/restrict.py | 55 |
3 files changed, 60 insertions, 3 deletions
diff --git a/Makefile b/Makefile
index ccf1f60..19aef5b 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,10 @@ all: build
 build:
-	python setup.py build
+	python setup.py sdist
+
+release: clean build
+	twine upload dist/*
 clean:
 	rm -rf dist build openbsd.egg-info/
diff --git a/README.md b/README.md
index 6896dd2..b8b12a2 100644
--- a/README.md
+++ b/README.md
@@ -46,8 +46,7 @@ print(open("/etc/resolv.conf"))
 Try opening `/bin/ksh`.
-
-Use `openbsd.unveil()` to stop limiting access to directories.
+Use `openbsd.unveil()` to lock down restrictions.
 ## License
diff --git a/examples/restrict.py b/examples/restrict.py
new file mode 100644
index 0000000..5fb002b
--- /dev/null
+++ b/examples/restrict.py
@@ -0,0 +1,55 @@
+#! /usr/bin/env python
+
+from __future__ import print_function
+import sys
+import os
+
+from openbsd import pledge, unveil
+
+"""
+A little utilty that pledges and unveils.
+python3 restrict.py rpath stdio /tmp/foo:r /bin/cat:x -x cat /tmp/foo
+"""
+
+def extract_args(args):
+    promises = set()
+    rviews = []
+    cmd_args = []
+    eop = False
+
+    for arg in args:
+        if eop:
+            cmd_args.append(arg)
+            continue
+        if arg == "-x":
+            eop = True
+            continue
+        if ":" in arg:
+            rviews.append(tuple(arg.split(":", 1)[:2]))
+        else:
+            promises.add(arg)
+
+    promises = None if "ALL" in promises else " ".join(promises)
+    return promises, rviews, eop, cmd_args
+
+
+def print_usage():
+    print("Usage: %s [ALL | promise1 promise2 ...] -x cmd [arg1 arg2 ...]" % sys.argv[0], file=sys.stderr)
+    sys.exit(1)
+
+
+def main():
+    promises, rviews, eop, cmd_args = extract_args(sys.argv[1:])
+    if not eop:
+        print_usage()
+
+    if rviews:
+        for path, perm in rviews:
+            unveil(path, perm)
+
+    pledge("exec stdio rpath", promises)
+    os.execvp(cmd_args[0], cmd_args)
+
+if __name__ == "__main__":
+    main()
+
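Review bot: `main()` in examples/restrict.py only checks `eop` before `os.execvp(cmd_args[0], cmd_args)`, so `-x` given with no command (e.g. `restrict.py rpath -x`) dies with an IndexError instead of the usage message; the guard should be `if not eop or not cmd_args: print_usage()`. The unveil loop is also never locked: the README hunk in this same commit says a bare `openbsd.unveil()` locks down restrictions, so calling it once after the loop and before `pledge` would keep the exec'd command from adding paths in the case where `promises` is `None` (the `ALL` form) and the second `pledge` argument therefore leaves the child unrestricted — worth confirming against the module's own semantics. Minor: the triple-quoted string sits after the imports, so it is a bare expression rather than the module docstring; moving it above `from __future__ import print_function` (and fixing "utilty" to "utility") makes it one.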