mm(1): adds support for pledge(2) and unveil(2)

libopenbsd.rs(3): fixes API for unveil(2)
2024-08-10 13:29:27 -06:00 · 2024-08-10 13:25:56 -06:00
2 changed files with 57 additions and 6 deletions
--- a/src/libopenbsd.rs
+++ b/src/libopenbsd.rs
@ -17,7 +17,7 @@
 */

 use std::{
-	ffi::{ CString, c_int },
+	ffi::CString,
 	io::Error,
 	ptr::null,
 };
@ -76,7 +76,10 @@ impl UnveilPerms {
 	}
 }

-pub fn unveil(path: Option<&str>, permissions: Option<UnveilPerms>) -> c_int {
+pub fn unveil(
+	path: Option<&str>,
+	permissions: Option<UnveilPerms>,
+) -> Result<(), Error> {
 	let path_c = path.map(CString::new).map(Result::unwrap);
 	let arg1 = path_c.map(|p| p.into_raw() as *const i8).unwrap_or(null());

@ -84,5 +87,11 @@ pub fn unveil(path: Option<&str>, permissions: Option<UnveilPerms>) -> c_int {
 		.map(|p| p.0.into_raw() as *const i8)
 		.unwrap_or(null());

-	unsafe { openbsd::unveil(arg1, arg2) }
+	unsafe {
+		match openbsd::unveil(arg1, arg2) {
+			-1 => Err(Error::from_raw_os_error(*openbsd::__errno())),
+			0 => Ok(()),
+			_ => panic!(), /* unreachable */
+		}
+	}
 }
--- a/src/mm.rs
+++ b/src/mm.rs
@ -33,6 +33,16 @@ use getopt::GetOpt;
 use strerror::StrError;
 use sysexits::{ EX_IOERR, EX_USAGE };

+#[cfg(target_os="openbsd")] use sysexits::EX_OSERR;
+#[cfg(target_os="openbsd")] extern crate openbsd;
+#[cfg(target_os="openbsd")]
+use openbsd::{
+	Promises,
+	UnveilPerms,
+	pledge,
+	unveil,
+};
+
 use ArgMode::*;

 enum ArgMode { In, Out }
@ -41,6 +51,14 @@ fn main() -> ExitCode {
 	let argv = args().collect::<Vec<_>>();
 	let usage = format!("Usage: {} [-aetu] [-i input] [-o output]", argv[0]);

+	if cfg!(target_os="openbsd") {
+		let promises = Promises::new("rpath stdio unveil");
+		if let Err(e) = pledge(Some(promises), None) {
+			eprintln!("{}: {}", argv[0], e.strerror());
+			return ExitCode::from(EX_OSERR as u8);
+		}
+	}
+
 	let mut a = false; /* append to the file */
 	let mut e = false; /* use stderr as an output */
 	let mut t = true; /* do not truncate the file before writing */
@ -58,11 +76,29 @@ fn main() -> ExitCode {
 			Ok("t") => t = false,
 			Ok("i") => { /* add inputs */
 				let input = opt.arg().unwrap();
+
+				if cfg!(target_os="openbsd") {
+					let perms = UnveilPerms::new(vec!['r']);
+					if let Err(e) = unveil(Some(&input), Some(perms)) {
+						eprintln!("{}: {}", argv[0], e.strerror());
+						return ExitCode::from(EX_OSERR as u8);
+					}
+				}
+
 				ins.push(input);
 				mode = Some(In); /* latest argument == -i */
 			},
 			Ok("o") => { /* add output */
 				let output = opt.arg().unwrap(); 
+
+				if cfg!(target_os="openbsd") {
+					let perms = UnveilPerms::new(vec!['w', 'c']);
+					if let Err(e) = unveil(Some(&output), Some(perms)) {
+						eprintln!("{}: {}", argv[0], e.strerror());
+						return ExitCode::from(EX_OSERR as u8);
+					}
+				}
+
 				outs.push(output);
 				mode = Some(Out); /* latest argument == -o */
 			},
@ -86,11 +122,17 @@ fn main() -> ExitCode {
 				Out => outs.push(arg.to_string()),
 			};
 		}
-	} else {
-		eprintln!("{}", usage);
-		return ExitCode::from(EX_USAGE as u8);
 	}

+	if cfg!(target_os="openbsd") {
+		if let Err(e) = unveil(None, None) {
+			eprintln!("{}: {}", argv[0], e.strerror());
+			return ExitCode::from(EX_OSERR as u8);
+		}
+	}
+
+	println!("{:?}", ins);
+
 	/* use stdin if no inputs are specified */
 	if ins.is_empty() { ins.push("-".to_string()); }
Author	SHA1	Message	Date
emma	2f805cc942	mm(1): adds support for pledge(2) and unveil(2)	2024-08-10 13:29:27 -06:00
emma	70bec49127	libopenbsd.rs(3): fixes API for unveil(2)	2024-08-10 13:25:56 -06:00