- From:
- Omar Polo <op@omarpolo.com>
- Subject:
- got-portable: sandboxing got-notify-*
- To:
- gameoftrees@openbsd.org
- Date:
- Tue, 09 Apr 2024 09:26:18 +0200
Download raw body.
Thread
got-portable: sandboxing got-notify-*
Download raw body.
got-portable: sandboxing got-notify-*
similarly to what we do for the other libexecs. When we
pledge("stdio"), we're in an environment where we can enter capsicum on
FreeBSD or remove all the filesystem access on linux.
so far only tested on freebsd by manually calling got-notify-http and
regress/gotd/http-server to verify the output. I have destroyed my
linux vm accidentally so can't test there atm but don't expect
surprises.
ok?
diff /home/op/w/got-portable
commit - 7cb3268f328cd3fef36f753e703bcc23960cebc3
path + /home/op/w/got-portable
blob - d1178c8e8f8c8e5a90c5286ec4787bed6a2980b3
file + gotd/libexec/got-notify-email/got-notify-email.c
--- gotd/libexec/got-notify-email/got-notify-email.c
+++ gotd/libexec/got-notify-email/got-notify-email.c
@@ -364,6 +364,12 @@ main(int argc, char *argv[])
#ifndef PROFILE
if (pledge("stdio", NULL) == -1)
err(1, "pledge");
+
+ /* revoke fs access */
+ if (landlock_no_fs() == -1)
+ err(1, "landlock_no_fs");
+ if (cap_enter() == -1)
+ err(1, "cap_enter");
#endif
send_email(s, default_fromaddr, fromaddr, recipient, replytoaddr,
blob - 48b3bbf945c1415462a67b74597cc92769fb4aae
file + gotd/libexec/got-notify-http/got-notify-http.c
--- gotd/libexec/got-notify-http/got-notify-http.c
+++ gotd/libexec/got-notify-http/got-notify-http.c
@@ -860,6 +860,12 @@ main(int argc, char **argv)
/* drop rpath dns inet */
if (pledge("stdio", NULL) == -1)
err(1, "pledge");
+
+ /* revoke fs access */
+ if (landlock_no_fs() == -1)
+ err(1, "landlock_no_fs");
+ if (cap_enter() == -1)
+ err(1, "cap_enter");
#endif
if ((!tls && strcmp(port, "80") != 0) ||
got-portable: sandboxing got-notify-*