52 lines
1.5 KiB
Go
52 lines
1.5 KiB
Go
package main
|
|
|
|
import (
|
|
"golang.org/x/sys/unix"
|
|
"log"
|
|
"path/filepath"
|
|
)
|
|
|
|
// Restrict access to the files specified in config in an OS-dependent way.
|
|
// The OpenBSD implementation uses pledge(2) and unveil(2) to restrict the
|
|
// operations available to the molly brown executable.
|
|
func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
|
|
|
// Unveil a specific list of files that we are allowed to access.
|
|
err := unix.Unveil(config.DocBase, "r")
|
|
if err != nil {
|
|
errorLog.Println("Could not unveil DocBase: " + err.Error())
|
|
log.Fatal(err)
|
|
}
|
|
for _, cgiPath := range config.CGIPaths {
|
|
cgiGlobbedPaths, err := filepath.Glob(cgiPath)
|
|
for _, cgiGlobbedPath := range cgiGlobbedPaths {
|
|
log.Println("Unveiling \"" + cgiGlobbedPath + "\" as executable.")
|
|
err = unix.Unveil(cgiGlobbedPath, "rx")
|
|
if err != nil {
|
|
errorLog.Println("Could not unveil CGIPaths: " + err.Error())
|
|
log.Fatal(err)
|
|
}
|
|
}
|
|
}
|
|
err = unix.UnveilBlock()
|
|
if err != nil {
|
|
errorLog.Println("Could not block unveil: " + err.Error())
|
|
log.Fatal(err)
|
|
}
|
|
|
|
// Pledge to only use stdio, inet, and rpath syscalls.
|
|
// If CGI paths have been specified, also allow exec syscalls.
|
|
// Please note that execpromises haven't been specified, meaning that
|
|
// CGI applications spawned by molly brown should pledge their own
|
|
// restrictions and unveil their own files.
|
|
promises := "stdio inet rpath"
|
|
if len(config.CGIPaths) > 0 {
|
|
promises += " exec proc"
|
|
}
|
|
err = unix.PledgePromises(promises)
|
|
if err != nil {
|
|
errorLog.Println("Could not pledge: " + err.Error())
|
|
log.Fatal(err)
|
|
}
|
|
}
|