Monorepo for Tangled

knotserver: add sandbox, use pledge and unveil on openbsd

The pledge is pretty wide open, but we're only able to exec git
things, and we only unveil the git repos dir and the database dir.

+65
+11
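--- a/knotserver/sandbox.go
+++ b/knotserver/sandbox.go
@@ -0,0 +1,11 @@
+//go:build !openbsd
+
+package knotserver
+
+import (
+"context"
+
+"tangled.org/core/knotserver/config"
+)
+
+func sandbox(_ context.Context, _ *config.Config) error { return nil }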
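Review bot: The non-OpenBSD stub on new line 11 returns nil with no signal at all, so on every other platform the server starts unconfined and nothing in the code or logs says so. A doc comment would make that explicit, e.g. `// sandbox is a no-op on platforms other than OpenBSD; the process runs without pledge/unveil restrictions.` A single info-level log line, from the stub or from its caller, would give operators the same signal at runtime.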
+50
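--- a/knotserver/sandbox_openbsd.go
+++ b/knotserver/sandbox_openbsd.go
@@ -0,0 +1,50 @@
+package knotserver
+
+import (
+"context"
+"fmt"
+"golang.org/x/sys/unix"
+
+"tangled.org/core/knotserver/config"
+"tangled.org/core/log"
+)
+
+func sandbox(ctx context.Context, c *config.Config) error {
+logger := log.FromContext(ctx)
+
+logger.Info("unveiling", "repo scan path", c.Repo.ScanPath)
+if err := unix.Unveil(c.Repo.ScanPath, "rwc"); err != nil {
+return fmt.Errorf("unveil %s: %w", c.Repo.ScanPath, err)
+}
+
+logger.Info("unveiling", "db path", c.Server.DBPath)
+if err := unix.Unveil(c.Server.DBPath, "rwc"); err != nil {
+return fmt.Errorf("unveil %s: %w", c.Server.DBPath, err)
+}
+
+if err := unix.Unveil("/etc/ssl", "r"); err != nil {
+return fmt.Errorf("unveil /etc/ssl: %w", err)
+}
+
+logger.Info("unveiling git tools")
+for _, path := range []string{
+"/usr/local/bin/git",
+"/usr/local/bin/git-receive-pack",
+"/usr/local/bin/git-upload-pack",
+"/usr/local/bin/gitwrapper",
+} {
+if err := unix.Unveil(path, "rx"); err != nil {
+return fmt.Errorf("unveil %s: %w", path, err)
+}
+}
+
+if err := unix.UnveilBlock(); err != nil {
+return fmt.Errorf("unveil lock: %w", err)
+}
+
+if err := unix.PledgePromises("stdio rpath wpath cpath flock fattr inet dns proc exec unix"); err != nil {
+return fmt.Errorf("pledge: %w", err)
+}
+
+return nil
+}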
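Review bot: The pledge on new line 45 goes through `unix.PledgePromises`, which sets promises only, so no execpromises cover the programs started under the `exec` promise; per pledge(2) a program exec'd this way starts without pledge active, which means git and gitwrapper would run outside this sandbox. If that is intended, say so above the call, e.g. `// No execpromises: exec'd git and gitwrapper start unpledged; this sandbox confines only the knotserver process.`; otherwise `unix.Pledge(promises, execpromises)` accepts a second set for the children. Separately, the commit message says the database dir is unveiled while new line 21 unveils `c.Server.DBPath` itself; if that value is a file path, files created next to it would not be covered, which is worth confirming against the config.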
+4
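--- a/knotserver/server.go
+++ b/knotserver/server.go
@@ -98,6 +98,10 @@
 
 imux := Internal(ctx, c, db, e, &notifier)
 
+if err := sandbox(ctx, c); err != nil {
+return fmt.Errorf("failed to sandbox: %w", err)
+}
+
 logger.Info("starting internal server", "address", c.Server.InternalListenAddr)
 go http.ListenAndServe(c.Server.InternalListenAddr, imux)
 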
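Review bot: The call on new lines 101–103 marks the point after which, on OpenBSD, only the unveiled paths are reachable, but nothing at the call site states that ordering constraint. A comment such as `// sandbox must stay below all setup that opens paths outside the repo scan path, the DB path and /etc/ssl.` would keep later edits from moving file access below it. The error text could also drop its prefix, `return fmt.Errorf("sandbox: %w", err)`, to match the shorter wrapping used in the sandbox file on this page. The enclosing function starts and ends outside the hunk, so whether later code opens other paths cannot be checked from here.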