Added pledge(2) and unveil(2) system calls to improve security on OpenBSD. #13
Loading…
Reference in New Issue
No description provided.
Delete Branch "kvothe/molly-brown:master"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Hi solderpunk!
I added some security features to the OpenBSD implementation of molly-brown. There's a new generic security.go file that provides the enableSecurityRestrictions() function, which is a no-op for other operating systems. When compiled on OpenBSD, security_openbsd.go is instead compiled, which restricts system calls with the pledge(2) system call and restricts filesystem access with the unveil(2) system call.
I've tested these cases:
(S)CGI processes that molly brown speaks with aren't restricted in the same manner and should restrict themselves prior to handling user input, but that's out of the scope of these changes.
Hope you dig!