impermanence: secure the symlink operation using unveil
parent
7c90366688
commit
c85a0e8797
|
@ -10,6 +10,7 @@ use Data::Dumper;
|
||||||
use File::HomeDir;
|
use File::HomeDir;
|
||||||
use File::Path qw(make_path);
|
use File::Path qw(make_path);
|
||||||
use Sys::Syslog qw(:standard :macros);
|
use Sys::Syslog qw(:standard :macros);
|
||||||
|
use OpenBSD::Unveil;
|
||||||
use 5.010;
|
use 5.010;
|
||||||
|
|
||||||
my $verbose = 0;
|
my $verbose = 0;
|
||||||
|
@ -266,6 +267,16 @@ sub main {
|
||||||
|
|
||||||
if( $start ) {
|
if( $start ) {
|
||||||
mount_mfs($opts{u}, $impermanence_home, $data);
|
mount_mfs($opts{u}, $impermanence_home, $data);
|
||||||
|
|
||||||
|
unveil($persist_home, "r");
|
||||||
|
unveil($impermanence_home, "rwc");
|
||||||
|
unveil("/etc/pwd.db", "r");
|
||||||
|
unveil("/dev/", "r");
|
||||||
|
foreach my $binary (qw| /sbin/mount_mfs /sbin/umount /bin/sh /sbin/swapctl /bin/df|) {
|
||||||
|
unveil($binary, "x");
|
||||||
|
}
|
||||||
|
unveil();
|
||||||
|
|
||||||
populate_ramdisk($data, $persist_home, $impermanence_home, $opts{u});
|
populate_ramdisk($data, $persist_home, $impermanence_home, $opts{u});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
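Review bot: None of the unveil() calls added in the `if( $start )` branch checks its return value, so a failed call (for example if `$persist_home` does not exist) is silently ignored and populate_ramdisk() runs with a wider filesystem view than intended; if the final `unveil();` fails, further paths can still be unveiled later. OpenBSD::Unveil returns false and sets `$!` on failure, so each call should fail closed, e.g. `unveil($persist_home, "r") or die "unveil $persist_home: $!";` and `unveil() or die "unveil lock: $!";`. A short comment above the block saying why each path is needed would also help, because `/dev/` with "r" and execute rights on `/bin/sh` look broader than the symlink step requires. main's body starts and ends outside the hunk, so whether its other branches are confined cannot be told from here.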