diff options
| author | Jon duSaint | 2022-07-16 16:37:02 -0700 |
|---|---|---|
| committer | Jon duSaint | 2022-07-16 16:37:02 -0700 |
| commit | 531e95e7ce9c9632441081267edc34a5643bdbe3 (patch) | |
| tree | 08a8e2ece91e90a159d1a71d9c02f3f16ee14198 | |
| parent | 55e4d50871d8930647682396c60cf3b52036bb5d (diff) | |
reolink: Sandbox server with unveil
| -rwxr-xr-x | reolink/reolink | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/reolink/reolink b/reolink/reolink index e6f5e6f..369f2b1 100755 --- a/reolink/reolink +++ b/reolink/reolink @@ -99,6 +99,7 @@ use File::Spec; use Getopt::Long; use IO::Select; use OpenBSD::Pledge; +use OpenBSD::Unveil; use POSIX qw(setsid :sys_wait_h); use Socket; use Sys::Syslog qw/:standard :macros/; @@ -377,6 +378,17 @@ sub run { main::load_params (\%server_params); + chdir ($server_params{spool_dir}) || die "chdir($server_params{spool_dir}): $!"; + + unveil ($server_params{spool_dir}, 'rwxc') || die "unveil($server_params{spool_dir}): $!"; + unveil ($global_config->{socket}, 'rwc') || die "unveil($global_config->{socket}): $!"; + unveil ($global_config->{config}, 'rw') || die "unveil($global_config->{config}): $!"; + unveil ($saved_argv[0], 'rx') || die "unveil($saved_argv[0]): $!"; + unveil ('/etc/protocols', 'r') || die "unveil(/etc/protocols): $!"; # HTTP::Tiny + unveil ('/etc/localtime', 'r') || die "unveil(/etc/localtime): $!"; # localtime + unveil ('/usr/share/zoneinfo', 'rx') || die "unveil (/usr/share/zoneinfo): $!"; # localtime + unveil () || die "failed to lock unveil: $!"; + unless ($debug) { pledge (qw/rpath wpath cpath inet proc unix/) or die "Failed to pledge: $!"; openlog ('reolinkd', 'PID', LOG_DAEMON); |