pledge() + unveil() sandbox

This is the OpenBSD sandbox.
This commit is contained in:
dongresource 2021-12-15 05:05:16 +01:00
parent 3c1e08372d
commit 09e452a09d
2 changed files with 46 additions and 0 deletions


@ -49,6 +49,7 @@ CXXSRC=\
src/db/player.cpp\ src/db/player.cpp\
src/db/email.cpp\ src/db/email.cpp\
src/sandbox/seccomp.cpp\ src/sandbox/seccomp.cpp\
src/sandbox/openbsd.cpp\
src/Chat.cpp\ src/Chat.cpp\
src/CustomCommands.cpp\ src/CustomCommands.cpp\
src/Entities.cpp\ src/Entities.cpp\

45
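--- /dev/null
+++ b/src/sandbox/openbsd.cpp
@@ -0,0 +1,45 @@
+#if defined(__OpenBSD__) && !defined(CONFIG_NOSANDBOX)
+#include "core/Core.hpp"
+#include "settings.hpp"
+#include <stdio.h>
+#include <unistd.h>
+#include <err.h>
+static void eunveil(const char *path, const char *permissions) {
+if (unveil(path, permissions) < 0)
+err(1, "unveil");
+}
+void sandbox_start() {
+/*
+* There shouldn't ever be a reason to disable this one, but might as well
+* be consistent with the Linux sandbox.
+*/
+if (!settings::SANDBOX) {
+std::cout << "[WARN] Running without a sandbox" << std::endl;
+return;
+}
+std::cout << "[INFO] Starting pledge+unveil sandbox..." << std::endl;
+if (pledge("stdio rpath wpath cpath inet flock unveil", NULL) < 0)
+err(1, "pledge");
+// database stuff
+eunveil(settings::DBPATH.c_str(), "rwc");
+eunveil((settings::DBPATH + "-journal").c_str(), "rwc");
+eunveil((settings::DBPATH + "-wal").c_str(), "rwc");
+// tabledata stuff
+eunveil((settings::TDATADIR + "/" + settings::GRUNTWORKJSON).c_str(), "wc");
+// for bcrypt_gensalt()
+eunveil("/dev/urandom", "r");
+eunveil(NULL, NULL);
+}
+#endif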
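Review bot: The `unveil` promise stays in the pledge set for the life of the process even though `eunveil(NULL, NULL)` at the end of sandbox_start() has already locked the filesystem view and made further unveil(2) calls fail; the usual OpenBSD pattern is to re-pledge without it once the view is final, `if (pledge("stdio rpath wpath cpath inet flock", NULL) < 0) err(1, "pledge");` placed right after `eunveil(NULL, NULL);`, so the promise set is as small as the code needs. The file list is also worth a second look: unveiling `-journal` and `-wal` suggests the database may run in WAL mode, and in that mode SQLite also opens a `<DBPATH>-shm` side file, which is not unveiled here and would become invisible once the view is locked — whether that applies depends on the journal mode configured elsewhere, so please confirm against the database setup. A short comment on the `// database stuff` group naming the journal mode the list was written for would help the next person who changes it.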