(stage string)
| 69 | } |
| 70 | |
// lock tightens the process sandbox for the given lifecycle stage.
//
// Restrictions are meant to be cumulative: pledge(2) promise sets can only be
// narrowed by later calls, and Landlock rulesets stack (an access has to be
// permitted by every layer installed so far), so a later stage can keep or
// drop what an earlier one granted but never widen it. Both the OpenBSD
// (unveil/pledge) and Linux (Landlock) mechanisms are invoked on every call;
// each is presumably a no-op in its helper on the other OS — confirm in the
// helper definitions.
//
// Stages, in the order the caller is expected to reach them:
//   - "boot":        whole filesystem readable, our own binary executable,
//                    stdio, networking, DNS, fork and exec.
//   - "boot-daemon": currently applies no additional restriction.
//   - "read-config": fork/exec dropped (OpenBSD only; the Linux ruleset from
//                    "boot" simply stays in force).
//   - "ready":       general file access dropped; only networking plus the
//                    specific runtime/resolver files listed below.
//
// Any other stage name panics. The *OrPanic / panicIfError helpers are, by
// their names, expected to abort on failure so a half-applied sandbox is never
// silently accepted.
//
// NOTE(review): landlock.V1.BestEffort() degrades gracefully — on a kernel
// without Landlock (or with it disabled at boot) RestrictPaths reports no
// error and no restriction is applied, so only a hard failure ever reaches
// panicIfError. If the Linux sandbox is a hard requirement, check the
// effective ABI version and log or refuse to run when it is unsupported.
func lock(stage string) {
	switch stage {
	case "boot":
		exePath := executablePath()
		// OpenBSD
		// Order matters: unveil must run before the pledge below, whose promise
		// set omits "unveil" and thereby freezes the unveil view.
		unveilOrPanic("/", "r")     // everything readable...
		unveilOrPanic(exePath, "x") // ...but only our own binary executable (re-exec)
		// only allow standard stdio operation, file reading, networking, and exec
		// also remove unveil permission to lock unveil
		pledgeOrPanic("stdio rpath inet dns proc exec")
		// Linux
		// Mirror of the unveil view above: whole tree read-only, /dev/null the
		// only writable file. NOTE(review): no separate execute rule is
		// installed for exePath here; verify that RODirs covers execution if
		// the re-exec path is exercised on Linux.
		panicIfError(landlock.V1.BestEffort().RestrictPaths(
			landlock.RODirs("/"),
			landlock.RWFiles("/dev/null").IgnoreIfMissing(),
		))
	case "boot-daemon":
		// No additional restriction at this stage. NOTE(review): an empty case
		// is easy to mistake for a missing fallthrough — confirm it is intended.
	case "read-config":
		// OpenBSD
		// Fork/exec are no longer needed once the daemon is up: "proc exec" dropped.
		pledgeOrPanic("stdio rpath inet dns")
		// Linux: nothing to do — the "boot" ruleset (read-only tree) still applies.
	case "ready":
		// no file access is allowed from now on, only networking
		// OpenBSD
		// "rpath" is dropped, so opening files for reading fails from here on.
		pledgeOrPanic("stdio inet dns")
		// Linux
		// Force the pure-Go resolver so name lookups read only the files listed
		// below instead of going through libc/NSS, whose file dependencies
		// cannot be enumerated reliably. Must be set before the ruleset below.
		net.DefaultResolver.PreferGo = true // needed to lock down dependencies
		// Second Landlock layer: intersected with the "boot" layer, so the
		// earlier RODirs("/") does not widen it. Every rule is IgnoreIfMissing
		// so an absent path does not fail the whole lockdown. The read-only
		// entries are the files the Go runtime, time zone loading, syslog and
		// the resolver are expected to touch; directory paths such as
		// /usr/share/zoneinfo appear as ROFiles, which presumably covers the
		// file reads needed beneath them but not listings — TODO confirm.
		// NOTE(review): /etc/hosts and /etc/nsswitch.conf are not listed; the
		// Go resolver tolerates failing to open them, but names that exist only
		// in /etc/hosts will presumably stop resolving after this stage.
		panicIfError(landlock.V1.BestEffort().RestrictPaths(
			// name resolution (re-read periodically by the Go resolver)
			landlock.ROFiles("/etc/resolv.conf").IgnoreIfMissing(),
			landlock.ROFiles("/dev/fd").IgnoreIfMissing(),
			landlock.ROFiles("/dev/zero").IgnoreIfMissing(),
			landlock.ROFiles("/dev/urandom").IgnoreIfMissing(),
			landlock.ROFiles("/etc/localtime").IgnoreIfMissing(),
			landlock.ROFiles("/proc/self/stat").IgnoreIfMissing(),
			landlock.ROFiles("/proc/self/status").IgnoreIfMissing(),
			landlock.ROFiles("/usr/share/locale").IgnoreIfMissing(),
			landlock.ROFiles("/proc/self/cmdline").IgnoreIfMissing(),
			landlock.ROFiles("/usr/share/zoneinfo").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/kernel/version").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/kernel/ngroups_max").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/kernel/cap_last_cap").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/vm/overcommit_memory").IgnoreIfMissing(),
			// the only writable paths: syslog socket, /dev/null, /dev/full and
			// our own fd table
			landlock.RWFiles("/dev/log").IgnoreIfMissing(),
			landlock.RWFiles("/dev/null").IgnoreIfMissing(),
			landlock.RWFiles("/dev/full").IgnoreIfMissing(),
			landlock.RWFiles("/proc/self/fd").IgnoreIfMissing(),
		))
	default:
		panic("invalid stage")
	}
}
| 120 | |
| 121 | func extractPort(addr string) uint16 { |
| 122 | _, portStr, err := net.SplitHostPort(addr) |