From: Omar Polo <op@omarpolo.com>
Subject: Re: got-portable: sandboxing got-notify-*
To: Omar Polo <op@omarpolo.com>
Cc: gameoftrees@openbsd.org
Date: Fri, 26 Apr 2024 13:02:34 +0200

On 2024/04/09 09:26:18 +0200, Omar Polo <op@omarpolo.com> wrote:
> similarly to what we do for the other libexecs.  When we
> pledge("stdio"), we're in an environment where we can enter capsicum on
> FreeBSD or remove all the filesystem access on linux.
> 
> so far only tested on freebsd by manually calling got-notify-http and
> regress/gotd/http-server to verify the output.  I have destroyed my
> linux vm accidentally so can't test there atm but don't expect
> surprises.
> 
> ok?

ping.  I've tested on linux with landlock enabled too (with a
self-signed certificate and TLS validation disabled.)

> diff /home/op/w/got-portable
> commit - 7cb3268f328cd3fef36f753e703bcc23960cebc3
> path + /home/op/w/got-portable
> blob - d1178c8e8f8c8e5a90c5286ec4787bed6a2980b3
> file + gotd/libexec/got-notify-email/got-notify-email.c
> --- gotd/libexec/got-notify-email/got-notify-email.c
> +++ gotd/libexec/got-notify-email/got-notify-email.c
> @@ -364,6 +364,12 @@ main(int argc, char *argv[])
>  #ifndef PROFILE
>  	if (pledge("stdio", NULL) == -1)
>  		err(1, "pledge");
> +
> +	/* revoke fs access */
> +	if (landlock_no_fs() == -1)
> +		err(1, "landlock_no_fs");
> +	if (cap_enter() == -1)
> +		err(1, "cap_enter");
>  #endif
>  
>  	send_email(s, default_fromaddr, fromaddr, recipient, replytoaddr,
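Review bot: the `/* revoke fs access */` comment undersells what cap_enter() does on FreeBSD; capability mode also blocks later use of global namespaces (opening paths, connecting new sockets), so this placement is only correct because the connection handed to send_email() as `s` is already established before the pledge. Suggest recording that ordering constraint in the comment, e.g. `/* revoke fs access; socket s is already connected */`, so a future change that moves connection setup below this point does not silently break under capsicum. It is also worth confirming that the portable fallbacks for landlock_no_fs() and cap_enter() return 0 rather than -1 on platforms or kernels without the feature, since the unconditional err(1, ...) would otherwise make every notification fail there.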
> blob - 48b3bbf945c1415462a67b74597cc92769fb4aae
> file + gotd/libexec/got-notify-http/got-notify-http.c
> --- gotd/libexec/got-notify-http/got-notify-http.c
> +++ gotd/libexec/got-notify-http/got-notify-http.c
> @@ -860,6 +860,12 @@ main(int argc, char **argv)
>  	/* drop rpath dns inet */
>  	if (pledge("stdio", NULL) == -1)
>  		err(1, "pledge");
> +
> +	/* revoke fs access */
> +	if (landlock_no_fs() == -1)
> +		err(1, "landlock_no_fs");
> +	if (cap_enter() == -1)
> +		err(1, "cap_enter");
>  #endif
>  
>  	if ((!tls && strcmp(port, "80") != 0) ||
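Review bot: this is the same pledge()/landlock_no_fs()/cap_enter() sequence, with identical error strings, as in got-notify-email.c; consider moving the three calls into one shared helper in the portable layer so the two notifiers cannot drift apart when a fourth sandbox mechanism is added. The existing `/* drop rpath dns inet */` comment above pledge() now describes only half of the transition; either extend it to mention the filesystem and capsicum revocation that follows or fold it together with the new `/* revoke fs access */` comment so the block reads as one step.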