impermanence: secure the symlink operation using unveil
This commit is contained in:
parent
7c90366688
commit
c85a0e8797
|
@ -10,6 +10,7 @@ use Data::Dumper;
|
|||
use File::HomeDir;
|
||||
use File::Path qw(make_path);
|
||||
use Sys::Syslog qw(:standard :macros);
|
||||
use OpenBSD::Unveil;
|
||||
use 5.010;
|
||||
|
||||
my $verbose = 0;
|
||||
|
@ -266,6 +267,16 @@ sub main {
|
|||
|
||||
if( $start ) {
|
||||
mount_mfs($opts{u}, $impermanence_home, $data);
|
||||
|
||||
unveil($persist_home, "r");
|
||||
unveil($impermanence_home, "rwc");
|
||||
unveil("/etc/pwd.db", "r");
|
||||
unveil("/dev/", "r");
|
||||
foreach my $binary (qw| /sbin/mount_mfs /sbin/umount /bin/sh /sbin/swapctl /bin/df|) {
|
||||
unveil($binary, "x");
|
||||
}
|
||||
unveil();
|
||||
|
||||
populate_ramdisk($data, $persist_home, $impermanence_home, $opts{u});
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue