path: root/examples/restrict.py
#! /usr/bin/env python

from __future__ import print_function
import sys
import os

from openbsd import pledge, unveil

"""
A little utility that pledges and unveils before exec'ing a command.
python3 restrict.py rpath stdio /tmp/foo:r /bin/cat:x  -x cat /tmp/foo
python3 restrict.py stdio rpath getpw tty /:r /bin/ls:x -x ls /usr
"""

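def extract_args(args):
    """Split the command line into pledge promises, unveil rules and a command.

    Everything before the first ``-x`` configures the sandbox: an argument
    containing ``:`` is an unveil rule written ``path:permissions``, any other
    argument is a pledge promise.  Everything after the first ``-x`` is the
    command to run and is passed through untouched (a later ``-x`` or a
    ``path:perm``-looking word belongs to the command).

    Args:
        args: Command-line arguments without the program name.

    Returns:
        A 4-tuple ``(promises, rviews, eop, cmd_args)``:
        ``promises`` is a space-separated promise string, or ``None`` when the
        literal promise ``ALL`` was given; ``rviews`` is a list of
        ``(path, permissions)`` tuples in command-line order; ``eop`` is True
        when ``-x`` was seen; ``cmd_args`` is the command and its arguments.
    """
    promises = set()
    rviews = []
    cmd_args = []
    eop = False

    for arg in args:
        if eop:
            cmd_args.append(arg)
        elif arg == "-x":
            eop = True
        elif ":" in arg:
            # Split on the LAST colon: the permission field never contains
            # one, but a path may.  Splitting on the first colon would unveil
            # a truncated path and push the rest into the permission string.
            path, _, perm = arg.rpartition(":")
            rviews.append((path, perm))
        else:
            promises.add(arg)

    # "ALL" means the caller asked for no promise restriction at all; sorting
    # keeps the promise string stable from run to run (set order is not).
    promises = None if "ALL" in promises else " ".join(sorted(promises))
    return promises, rviews, eop, cmd_args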


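def print_usage():
    """Print the command-line synopsis to stderr and exit with status 1.

    The synopsis lists the ``path:perms`` unveil rules as well as the pledge
    promises, since both are accepted before ``-x``.
    """
    print(
        "Usage: %s [ALL | promise1 promise2 ...] [path:perms ...] "
        "-x cmd [arg1 arg2 ...]" % sys.argv[0],
        file=sys.stderr,
    )
    sys.exit(1)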


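def main():
    """Apply the requested unveil rules and pledge, then exec the command.

    Exits through print_usage() when ``-x`` is missing or no command follows
    it.  On success this function does not return: os.execvp() replaces the
    current process image, resolving the command through PATH.
    """
    promises, rviews, eop, cmd_args = extract_args(sys.argv[1:])
    # "-x" with nothing after it used to fall through to cmd_args[0] and die
    # with an IndexError traceback; treat it as a usage error instead.
    if not eop or not cmd_args:
        print_usage()

    # unveil() has to come before pledge(): the promise set below does not
    # include "unveil", so no further unveil() calls are possible afterwards.
    for path, perm in rviews:
        unveil(path, perm)

    # First argument: promises for this process, just enough to reach exec.
    # Second argument: the promises handed to pledge as the exec promises for
    # the command.  It is None when "ALL" was given, which presumably leaves
    # the exec'd program unrestricted by pledge (confirm against the openbsd
    # binding).
    # NOTE(review): whether the unveil() view set up above still applies to
    # the exec'd program depends on the unveil(2) semantics of the OpenBSD
    # release in use; confirm on the target system before relying on it.
    pledge("exec stdio rpath", promises)
    os.execvp(cmd_args[0], cmd_args)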

# Run the sandboxing wrapper only when executed as a script, not on import.
if __name__ == "__main__":
    main()