From fd36b26b99ccd13489441e04966e978664967997 Mon Sep 17 00:00:00 2001
From: "C. McEnroe"
Date: Sun, 30 Aug 2020 14:15:41 -0400
Subject: Sandbox pounce with unveil(2)

---
 README.7 | 14 ++++++++++++--
 bounce.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/README.7 b/README.7
index 0d6bc16..241627c 100644
--- a/README.7
+++ b/README.7
@@ -1,4 +1,4 @@
-.Dd August 28, 2020
+.Dd August 30, 2020
 .Dt README 7
 .Os "Causal Agency"
 .
@@ -51,9 +51,19 @@ or by LibreSSL. It primarily targets .Fx , where it is sandboxed with -.Xr capsicum 4 . +.Xr capsicum 4 , +and +.Ox , +where it is sandboxed with +.Xr pledge 2 +and +.Xr unveil 2 . Linux and macOS are also supported. +On +.Ox , +configure with +.Fl \-mandir=/usr/local/man . .Bd -literal -offset indent \&./configure make all
diff --git a/bounce.c b/bounce.c
index 67b5f99..4d9b077 100644
--- a/bounce.c
+++ b/bounce.c
@@ -184,6 +184,41 @@ static void capLimit(int fd, const cap_rights_t *rights) {
 }
 #endif
 
+#ifdef __OpenBSD__
+static void unveilParent(const char *path, const char *mode) {
+ char buf[PATH_MAX];
+ strlcpy(buf, path, sizeof(buf));
+ char *base = strrchr(buf, '/');
+ if (base) *base = '\0';
+ int error = unveil((base ? buf : "."), mode);
+ if (error && errno != ENOENT) err(EX_OSERR, "unveil");
+}
+static void unveilTarget(const char *path, const char *mode) {
+ char buf[PATH_MAX];
+ strlcpy(buf, path, sizeof(buf));
+ char *base = strrchr(buf, '/');
+ base = (base ? base + 1 : buf);
+ ssize_t len = readlink(path, base, sizeof(buf) - (base - buf) - 1);
+ if (len < 0) return;
+ base[len] = '\0';
+ unveilParent(buf, mode);
+}
+static void unveilConfig(const char *path) {
+ const char *dirs = NULL;
+ for (const char *abs; NULL != (abs = configPath(&dirs, path));) {
+ unveilParent(abs, "r");
+ unveilTarget(abs, "r");
+ }
+}
+static void unveilData(const char *path) {
+ const char *dirs = NULL;
+ for (const char *abs; NULL != (abs = dataPath(&dirs, path));) {
+ int error = unveil(abs, "rwc");
+ if (error && errno != ENOENT) err(EX_OSERR, "unveil");
+ }
+}
+#endif
+
 static volatile sig_atomic_t signals[NSIG];
 static void signalHandler(int signal) {
 signals[signal] = 1;
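Review bot: `unveilTarget` writes the readlink(2) result at `base`, i.e. after the directory prefix still held in `buf`, so an absolute link target comes out as `<dir>//<target>` instead of `<target>`; `unveilParent` then unveils a path that presumably does not exist, the ENOENT check tolerates that silently, and the real target is never unveiled. Only a single level of symlink is followed as well. realpath(3) covers both cases: replace the strrchr/readlink/NUL lines with `if (!realpath(path, buf)) return;` and keep the `unveilParent(buf, mode)` call, since a `configPath` candidate that does not exist fails with ENOENT just as readlink does today. Truncation is also unchecked in both helpers, so a path longer than `PATH_MAX` is silently unveiled under the wrong parent; `if (strlcpy(buf, path, sizeof(buf)) >= sizeof(buf)) errx(EX_OSERR, "path too long");` would catch it.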
@@ -364,6 +399,17 @@ int main(int argc, char *argv[]) {
 }
 
 #ifdef __OpenBSD__
+ unveilConfig(certPath);
+ unveilConfig(privPath);
+ if (caPath) unveilConfig(caPath);
+ if (clientCert) unveilConfig(clientCert);
+ if (clientPriv) unveilConfig(clientPriv);
+ if (savePath) unveilData(savePath);
+ if (bindPath[0]) unveilParent(bindPath, "rwc");
+
+ error = unveil(tls_default_ca_cert_file(), "r");
+ if (error) err(EX_OSFILE, "%s", tls_default_ca_cert_file());
+
 error = pledge("stdio rpath wpath cpath inet flock unix dns recvfd", NULL);
 if (error) err(EX_OSERR, "pledge");
 #endif
-- 
cgit 1.4.1
a copy of install.sh it's because I already git cloned this repo... Also I've replaced git with git-lite on FreeBSD since git added a dependency on subversion... 2020-01-14Highlight single-char variables nested in make interpolationsJune McEnroe e.g. ${LDLIBS_$@} 2020-01-08Set Bl -column tables to 100% widthJune McEnroe 2020-01-08Don't add dt margins to Bl-compact listsJune McEnroe 2020-01-08Use mandoc -T html for about-filterJune McEnroe This also makes source-filter show mdoc source again and removes the dependency on ttpre entirely. I copied in the inline stylesheet mandoc outputs without -O fragment and added some customizations. 2020-01-05Add The Book of FloraJune McEnroe Also bump the rating of the previous book, I enjoyed both of them a lot more than the first one. 2020-01-04Replace gr alias with git resetJune McEnroe I haven't been doing much rebasing in a long time and I've caught myself trying to use gr to do reset. 2020-01-03Remove shotty -c flag from upJune McEnroe 2020-01-03Add Darling Don't CryJune McEnroe Heard at cafe. 2020-01-01Update license header templates for the new yearJune McEnroe 2019-12-26Add \S to sort inside bracesJune McEnroe 2019-12-23Reformat music.txtJune McEnroe 2019-12-23Rename music.md to music.txtJune McEnroe 2019-12-23Add DO YOU DOUBT ME TRAITORJune McEnroe 2019-12-22Add license header to cgit CSSJune McEnroe As requested.
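Review bot: The new unveil(2) calls are never locked explicitly; the code relies on the `pledge` call that follows, which per pledge(2) locks the unveil list because the promise string omits "unveil". That is correct but invisible to a reader of this block, so a comment above `error = pledge(...)` such as `// pledge without the "unveil" promise also locks the unveil list; keep it after the unveil calls` would document the dependency and discourage reordering. The `tls_default_ca_cert_file()` unveil is unconditional even when `caPath` overrides the bundle; if that is deliberate, a short comment saying so would save the next reader the question. `main` starts and ends outside the hunk.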