hub / github.com/windtf/wireproxy / lock

Function lock

cmd/wireproxy/main.go:71–119  ·  view source on GitHub ↗
(stage string)

Source from the content-addressed store, hash-verified

69}
70
// lock tightens the process's OS-level sandbox for the named startup stage
// and panics if the stage name is not one of the cases below.
//
// Stages, as listed in the switch:
//   - "boot": unveil "/" read-only and the executable's own path as
//     executable, pledge with proc and exec still present, and a Landlock
//     rule set that leaves the filesystem readable.
//   - "boot-daemon": contains no statements. Go switch cases do not fall
//     through, so this stage changes nothing.
//   - "read-config": pledge without proc/exec; no Landlock call is made.
//   - "ready": pledge without rpath, plus a Landlock allow-list of
//     individual paths.
//
// The "OpenBSD" and "Linux" comments mark which mechanism each call targets.
// unveilOrPanic, pledgeOrPanic, panicIfError and executablePath are defined
// outside this view (presumably the OpenBSD helpers do nothing on other
// platforms; confirm against their definitions).
//
// Security caveats for reviewers:
//   - Both Landlock calls use BestEffort(), which degrades to whatever the
//     running kernel supports, down to enforcing nothing, without returning
//     an error. On a kernel without Landlock the Linux side of this function
//     is therefore not a guarantee, and nothing here reports that.
//   - Landlock ABI V1 covers filesystem access only, so the Landlock rules
//     below place no limit on network use.
func lock(stage string) {
	switch stage {
	case "boot":
		exePath := executablePath()
		// OpenBSD
		// Expose the whole filesystem for reading and the binary itself for
		// execution; nothing is unveiled for writing.
		unveilOrPanic("/", "r")
		unveilOrPanic(exePath, "x")
		// only allow standard stdio operation, file reading, networking, and exec
		// The promise list omits "unveil", which locks the unveil set above
		// against further changes.
		pledgeOrPanic("stdio rpath inet dns proc exec")
		// Linux
		// Read-only access to everything under "/", with /dev/null as the
		// only writable path. IgnoreIfMissing skips a rule whose path does
		// not exist instead of failing.
		panicIfError(landlock.V1.BestEffort().RestrictPaths(
			landlock.RODirs("/"),
			landlock.RWFiles("/dev/null").IgnoreIfMissing(),
		))
	case "boot-daemon":
		// NOTE(review): empty case, so no restriction is applied for this
		// stage; confirm that this is intentional and not an expected
		// fall-through into "read-config".
	case "read-config":
		// OpenBSD
		// Same promises as "boot" minus proc and exec; rpath stays so the
		// configuration can still be read.
		pledgeOrPanic("stdio rpath inet dns")
	case "ready":
		// no file access is allowed from now on, only networking
		// OpenBSD
		// rpath is dropped here, leaving stdio, inet and dns.
		pledgeOrPanic("stdio inet dns")
		// Linux
		// Mutates the process-wide default resolver. Presumably this keeps
		// name resolution inside Go's own resolver so that the file
		// allow-list below is sufficient; confirm.
		net.DefaultResolver.PreferGo = true // needed to lock down dependencies
		// Landlock restrictions stack: a later RestrictPaths call can only
		// narrow access further, never widen it. On Linux, file access is
		// limited to the allow-list below rather than removed entirely.
		panicIfError(landlock.V1.BestEffort().RestrictPaths(
			// Read-only entries.
			landlock.ROFiles("/etc/resolv.conf").IgnoreIfMissing(),
			landlock.ROFiles("/dev/fd").IgnoreIfMissing(),
			landlock.ROFiles("/dev/zero").IgnoreIfMissing(),
			landlock.ROFiles("/dev/urandom").IgnoreIfMissing(),
			landlock.ROFiles("/etc/localtime").IgnoreIfMissing(),
			landlock.ROFiles("/proc/self/stat").IgnoreIfMissing(),
			landlock.ROFiles("/proc/self/status").IgnoreIfMissing(),
			landlock.ROFiles("/usr/share/locale").IgnoreIfMissing(),
			landlock.ROFiles("/proc/self/cmdline").IgnoreIfMissing(),
			landlock.ROFiles("/usr/share/zoneinfo").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/kernel/version").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/kernel/ngroups_max").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/kernel/cap_last_cap").IgnoreIfMissing(),
			landlock.ROFiles("/proc/sys/vm/overcommit_memory").IgnoreIfMissing(),
			// Read-write entries.
			landlock.RWFiles("/dev/log").IgnoreIfMissing(),
			landlock.RWFiles("/dev/null").IgnoreIfMissing(),
			landlock.RWFiles("/dev/full").IgnoreIfMissing(),
			landlock.RWFiles("/proc/self/fd").IgnoreIfMissing(),
		))
	default:
		// An unknown stage is treated as a programming error and aborts
		// instead of continuing with an unknown sandbox state.
		panic("invalid stage")
	}
}
120
121func extractPort(addr string) uint16 {
122 _, portStr, err := net.SplitHostPort(addr)

Callers 1

mainFunction · 0.85

Calls 4

executablePathFunction · 0.85
unveilOrPanicFunction · 0.85
pledgeOrPanicFunction · 0.85
panicIfErrorFunction · 0.85

Tested by

no test coverage detected