-
-
Notifications
You must be signed in to change notification settings - Fork 115
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Initial implementation of a sandbox for OpenBSD
Leverages pledge and unveil, and leaves a public API for other systems to follow. The API was designed to match the OpenBSD side as that's the initial target, if a BPF/capsicum implementation is brought forward it may be worth changing the API, and we should be okay with that.
- Loading branch information
1 parent
643ffff
commit 79abe3c
Showing
5 changed files
with
110 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
// +build !openbsd | ||
|
||
package sandbox | ||
|
||
func Init () { | ||
} | ||
|
||
func ReadOnlyPath (path string) { | ||
} | ||
|
||
func ReadWritePath (path string) { | ||
} | ||
|
||
func ReadWriteCreatePath (path string) { | ||
} | ||
|
||
func AllPathsAdded () { | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
package sandbox | ||
|
||
import ( | ||
"os/exec" | ||
"log" | ||
|
||
"golang.org/x/sys/unix" | ||
) | ||
|
||
func Init () { | ||
if err := unix.PledgePromises("stdio rpath cpath wpath flock inet unveil dns proc exec fattr"); err != nil { | ||
log.Fatalf ("failed to pledge: %v", err) | ||
} | ||
// find the transcoding and jukebox paths before doing any other unveils | ||
// otherwise looking for it will fail | ||
ffmpegPath, ffmpegErr := exec.LookPath("ffmpeg") | ||
mpvPath, mpvErr := exec.LookPath("mpv") | ||
if ffmpegErr == nil || mpvErr == nil { | ||
if ffmpegErr == nil { | ||
ExecPath(ffmpegPath) | ||
} | ||
if mpvErr == nil { | ||
ExecPath(mpvPath) | ||
} | ||
} else { | ||
// we can restrict our permissions | ||
if err := unix.PledgePromises("stdio rpath cpath wpath flock inet unveil dns"); err != nil { | ||
log.Fatalf ("failed to pledge: %v", err) | ||
} | ||
} | ||
// needed to enable certificate validation | ||
ReadOnlyPath ("/etc/ssl/cert.pem") | ||
} | ||
|
||
func ExecPath (path string) { | ||
if err := unix.Unveil (path, "rx"); err != nil { | ||
log.Fatalf ("failed to unveil exec for %s: %v", path, err) | ||
} | ||
} | ||
|
||
func ReadOnlyPath (path string) { | ||
if err := unix.Unveil (path, "r"); err != nil { | ||
log.Fatalf ("failed to unveil read for %s: %v", path, err) | ||
} | ||
} | ||
|
||
func ReadWritePath (path string) { | ||
if err := unix.Unveil (path, "rw"); err != nil { | ||
log.Fatalf ("failed to unveil read/write for %s: %v", path, err) | ||
} | ||
} | ||
|
||
func ReadWriteCreatePath (path string) { | ||
if err := unix.Unveil (path, "rwc"); err != nil { | ||
log.Fatalf ("failed to unveil read/write/create for %s: %v", path, err) | ||
} | ||
} | ||
|
||
func AllPathsAdded () { | ||
if err := unix.UnveilBlock(); err != nil { | ||
log.Fatalf ("failed to finalize unveil: %v", err) | ||
} | ||
} |