From: Omar Polo Subject: got-portable: sandboxing got-notify-* To: gameoftrees@openbsd.org Date: Tue, 09 Apr 2024 09:26:18 +0200 similarly to what we do for the other libexecs. When we pledge("stdio"), we're in an environment where we can enter capsicum on FreeBSD or remove all the filesystem access on linux. so far only tested on freebsd by manually calling got-notify-http and regress/gotd/http-server to verify the output. I have destroyed my linux vm accidentally so can't test there atm but don't expect surprises. ok?
diff /home/op/w/got-portable
commit - 7cb3268f328cd3fef36f753e703bcc23960cebc3
path + /home/op/w/got-portable
blob - d1178c8e8f8c8e5a90c5286ec4787bed6a2980b3
file + gotd/libexec/got-notify-email/got-notify-email.c
--- gotd/libexec/got-notify-email/got-notify-email.c
+++ gotd/libexec/got-notify-email/got-notify-email.c
@@ -364,6 +364,12 @@ main(int argc, char *argv[])
 #ifndef PROFILE
 if (pledge("stdio", NULL) == -1)
 err(1, "pledge");
+
+ /* revoke fs access */
+ if (landlock_no_fs() == -1)
+ err(1, "landlock_no_fs");
+ if (cap_enter() == -1)
+ err(1, "cap_enter");
 #endif
 send_email(s, default_fromaddr, fromaddr, recipient, replytoaddr,
blob - 48b3bbf945c1415462a67b74597cc92769fb4aae
file + gotd/libexec/got-notify-http/got-notify-http.c
--- gotd/libexec/got-notify-http/got-notify-http.c
+++ gotd/libexec/got-notify-http/got-notify-http.c
@@ -860,6 +860,12 @@ main(int argc, char **argv)
 /* drop rpath dns inet */
 if (pledge("stdio", NULL) == -1)
 err(1, "pledge");
+
+ /* revoke fs access */
+ if (landlock_no_fs() == -1)
+ err(1, "landlock_no_fs");
+ if (cap_enter() == -1)
+ err(1, "cap_enter");
 #endif
 if ((!tls && strcmp(port, "80") != 0) ||
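Review bot: A failing landlock_no_fs() or cap_enter() is fatal in the new block, so on a kernel that lacks the facility (a FreeBSD kernel without capability mode, where cap_enter() fails with ENOSYS, or a pre-Landlock Linux kernel) the notifier would abort rather than run without the extra sandbox; whether that is the intended policy depends on how the got-portable compat shims report "unsupported", which this hunk does not show — if they return 0 in that case, a one-line comment saying so next to the calls would save the next reader the same question. The same applies to the matching hunk in got-notify-http.c. The new comment `/* revoke fs access */` describes only the Landlock call, while cap_enter() also cuts the process off from the global namespaces; consider `/* revoke fs access (landlock) and enter capability mode (capsicum) */`. The sandbox is entered after pledge("stdio") and, in got-notify-email.c, after the socket `s` has been set up, so the remaining work presumably needs only already-open descriptors — the ordering looks sound. main() continues outside both hunks, and the `#ifndef PROFILE` matching the `#endif` in the http hunk is outside its view.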