From 09e452a09dcf00b226aa236921df11d7fa1dc039 Mon Sep 17 00:00:00 2001
From: dongresource
Date: Wed, 15 Dec 2021 05:05:16 +0100
Subject: [PATCH] pledge() + unveil() sandbox

This is the OpenBSD sandbox.
---
 Makefile | 1 +
 src/sandbox/openbsd.cpp | 45 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 src/sandbox/openbsd.cpp

diff --git a/Makefile b/Makefile
index b8dfbdd..59f6a6e 100644
--- a/Makefile
+++ b/Makefile
@@ -49,6 +49,7 @@ CXXSRC=\
 src/db/player.cpp\
 src/db/email.cpp\
 src/sandbox/seccomp.cpp\
+ src/sandbox/openbsd.cpp\
 src/Chat.cpp\
 src/CustomCommands.cpp\
 src/Entities.cpp\
diff --git a/src/sandbox/openbsd.cpp b/src/sandbox/openbsd.cpp
new file mode 100644
index 0000000..0b5ac9f
--- /dev/null
+++ b/src/sandbox/openbsd.cpp
@@ -0,0 +1,45 @@
+#if defined(__OpenBSD__) && !defined(CONFIG_NOSANDBOX)
+
+#include "core/Core.hpp"
+#include "settings.hpp"
+
+#include
+#include
+
+#include
+
+static void eunveil(const char *path, const char *permissions) {
+ if (unveil(path, permissions) < 0)
+ err(1, "unveil");
+}
+
+void sandbox_start() {
+ /*
+ * There shouldn't ever be a reason to disable this one, but might as well
+ * be consistent with the Linux sandbox.
+ */
+ if (!settings::SANDBOX) {
+ std::cout << "[WARN] Running without a sandbox" << std::endl;
+ return;
+ }
+
+ std::cout << "[INFO] Starting pledge+unveil sandbox..." << std::endl;
+
+ if (pledge("stdio rpath wpath cpath inet flock unveil", NULL) < 0)
+ err(1, "pledge");
+
+ // database stuff
+ eunveil(settings::DBPATH.c_str(), "rwc");
+ eunveil((settings::DBPATH + "-journal").c_str(), "rwc");
+ eunveil((settings::DBPATH + "-wal").c_str(), "rwc");
+
+ // tabledata stuff
+ eunveil((settings::TDATADIR + "/" + settings::GRUNTWORKJSON).c_str(), "wc");
+
+ // for bcrypt_gensalt()
+ eunveil("/dev/urandom", "r");
+
+ eunveil(NULL, NULL);
+}
+
+#endif
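Review bot: The `unveil` promise remains in the pledge set for the rest of the process after the final `eunveil(NULL, NULL)` in sandbox_start(); the usual OpenBSD pattern is to re-pledge once the unveil list is sealed, dropping that promise, e.g. `if (pledge("stdio rpath wpath cpath inet flock", NULL) < 0) err(1, "pledge");` immediately after the `eunveil(NULL, NULL)` call. The unveiled SQLite paths are the database, `-journal` and `-wal`; if the database is ever opened in WAL mode (which the `-wal` entry suggests is anticipated), SQLite also creates `DBPATH-shm`, which is not unveiled and would make that open fail, so either add `eunveil((settings::DBPATH + "-shm").c_str(), "rwc");` or state in the comment that WAL is not used. The `/dev/urandom` entry is justified only by the comment naming `bcrypt_gensalt()`; if that is the project's own helper, noting which call actually opens the device would let a maintainer drop the entry when it goes away, since OpenBSD's own `arc4random(3)`/`getentropy(2)` need no file access. The `#include` lines in this hunk have lost their header names in this rendering, so which headers supply `pledge`/`unveil` and `err` cannot be confirmed from here.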