From: Omar Polo
Subject: Re: got-portable: sandboxing got-notify-*
To: Omar Polo
Cc: gameoftrees@openbsd.org
Date: Fri, 26 Apr 2024 13:02:34 +0200
On 2024/04/09 09:26:18 +0200, Omar Polo wrote:
> similarly to what we do for the other libexecs. When we
> pledge("stdio"), we're in an environment where we can enter capsicum on
> FreeBSD or remove all the filesystem access on linux.
>
> so far only tested on freebsd by manually calling got-notify-http and
> regress/gotd/http-server to verify the output. I have destroyed my
> linux vm accidentally so can't test there atm but don't expect
> surprises.
>
> ok?
ping.
I've tested on linux with landlock enabled too (with a self-signed certificate and TLS validation disabled.)
> diff /home/op/w/got-portable
> commit - 7cb3268f328cd3fef36f753e703bcc23960cebc3
> path + /home/op/w/got-portable
> blob - d1178c8e8f8c8e5a90c5286ec4787bed6a2980b3
> file + gotd/libexec/got-notify-email/got-notify-email.c
> --- gotd/libexec/got-notify-email/got-notify-email.c
> +++ gotd/libexec/got-notify-email/got-notify-email.c
> @@ -364,6 +364,12 @@ main(int argc, char *argv[])
> #ifndef PROFILE
> if (pledge("stdio", NULL) == -1)
> err(1, "pledge");
> +
> + /* revoke fs access */
> + if (landlock_no_fs() == -1)
> + err(1, "landlock_no_fs");
> + if (cap_enter() == -1)
> + err(1, "cap_enter");
> #endif
>
> send_email(s, default_fromaddr, fromaddr, recipient, replytoaddr,
> blob - 48b3bbf945c1415462a67b74597cc92769fb4aae
> file + gotd/libexec/got-notify-http/got-notify-http.c
> --- gotd/libexec/got-notify-http/got-notify-http.c
> +++ gotd/libexec/got-notify-http/got-notify-http.c
> @@ -860,6 +860,12 @@ main(int argc, char **argv)
> /* drop rpath dns inet */
> if (pledge("stdio", NULL) == -1)
> err(1, "pledge");
> +
> + /* revoke fs access */
> + if (landlock_no_fs() == -1)
> + err(1, "landlock_no_fs");
> + if (cap_enter() == -1)
> + err(1, "cap_enter");
> #endif
>
> if ((!tls && strcmp(port, "80") != 0) ||
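Review bot: The added sandbox block in got-notify-email's main() treats any -1 from landlock_no_fs() as fatal, so if the compat helper reports -1 on a Linux kernel that lacks Landlock support rather than returning 0 for "unsupported", the notifier will abort instead of falling back to the pledge-only behaviour; the hunk does not show the helper's contract, so it is worth confirming that it distinguishes "unsupported" from a genuine failure. The identical block is added to got-notify-http in the second hunk, where ordering matters more: the cover letter says the Linux test ran with TLS validation disabled, so it should be verified that the CA bundle is fully read into memory before this point, because any file open after cap_enter()/landlock_no_fs() will fail. I would extend the comment in both hunks to state that invariant, e.g. `/* revoke fs access: anything that opens files (CA bundle, config) must be done by now */`. main() continues outside both hunks.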