cdo/waffle-mole
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use pledge() and unveil() on OpenBSD

Browse Source
This commit is contained in:
Camden Dixie O'Brien 2022-10-14 17:36:40 +01:00
parent c200de7dc1
commit f3c7f9e20a
1 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
main.c
View File

@ -85,6 +85,13 @@ int main(int argc, char *argv[])
static char pbuf[PBUF_SIZE], rbuf[RBUF_SIZE], sbuf[SBUF_SIZE], static char pbuf[PBUF_SIZE], rbuf[RBUF_SIZE], sbuf[SBUF_SIZE],
fbuf[FBUF_SIZE]; fbuf[FBUF_SIZE];
#ifdef __OpenBSD__
if (pledge("inet rpath stdio unveil", NULL) == -1) {
fprintf(stderr, "pledge() call failed\n");
return EXIT_FAILURE;
}
#endif
/* /*
* Get srvroot path from arguments and copy into pbuf. * Get srvroot path from arguments and copy into pbuf.
* *
@ -105,6 +112,29 @@ int main(int argc, char *argv[])
} }
memcpy(pbuf, argv[1], srvroot_len); memcpy(pbuf, argv[1], srvroot_len);
#ifdef __OpenBSD__
/*
* Restrict the program to readonly access to locations under
* srvroot.
*/
if (srvroot_len + 1 > PBUF_SIZE) {
fprintf(stderr, "Path buffer is too short\n");
return EXIT_FAILURE;
}
if (unveil(pbuf, "r") == -1) {
fprintf(stderr, "unveil() call failed\n");
return EXIT_FAILURE;
}
/*
* Lock program out of further unveil() calls
*/
if (pledge("inet rpath stdio", NULL) == -1) {
fprintf(stderr, "pledge() call failed\n");
return EXIT_FAILURE;
}
#endif
/* /*
* Register signal handler for SIGTERM and SIGINT. * Register signal handler for SIGTERM and SIGINT.
*/ */