
2 Commits

Author SHA1 Message Date
2f805cc942
mm(1): adds support for pledge(2) and unveil(2) 2024-08-10 13:29:27 -06:00
70bec49127
libopenbsd.rs(3): fixes API for unveil(2) 2024-08-10 13:25:56 -06:00
2 changed files with 57 additions and 6 deletions


@ -17,7 +17,7 @@
*/ */
use std::{ use std::{
ffi::{ CString, c_int }, ffi::CString,
io::Error, io::Error,
ptr::null, ptr::null,
}; };
@ -76,7 +76,10 @@ impl UnveilPerms {
} }
} }
pub fn unveil(path: Option<&str>, permissions: Option<UnveilPerms>) -> c_int { pub fn unveil(
path: Option<&str>,
permissions: Option<UnveilPerms>,
) -> Result<(), Error> {
let path_c = path.map(CString::new).map(Result::unwrap); let path_c = path.map(CString::new).map(Result::unwrap);
let arg1 = path_c.map(|p| p.into_raw() as *const i8).unwrap_or(null()); let arg1 = path_c.map(|p| p.into_raw() as *const i8).unwrap_or(null());
@ -84,5 +87,11 @@ pub fn unveil(path: Option<&str>, permissions: Option<UnveilPerms>) -> c_int {
.map(|p| p.0.into_raw() as *const i8) .map(|p| p.0.into_raw() as *const i8)
.unwrap_or(null()); .unwrap_or(null());
unsafe { openbsd::unveil(arg1, arg2) } unsafe {
match openbsd::unveil(arg1, arg2) {
-1 => Err(Error::from_raw_os_error(*openbsd::__errno())),
0 => Ok(()),
_ => panic!(), /* unreachable */
}
}
} }
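Review bot: `unveil` now returns `Result<(), Error>` but keeps two panic paths: `Result::unwrap` on `CString::new` aborts on a path with an interior NUL, and the fallthrough arm is `_ => panic!()`. The first can be returned as an `Err` now that the signature allows it, and the second states its intent better as `_ => unreachable!()`. Using `-1 => Err(Error::last_os_error())` reports errno without dereferencing `openbsd::__errno()`, so the `unsafe` block can shrink to the `openbsd::unveil(arg1, arg2)` call alone. Separately, `into_raw()` on both strings gives up ownership and nothing in the visible lines reclaims it, so each call leaks them; keeping the `CString`s alive and passing `as_ptr()` avoids that.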


@ -33,6 +33,16 @@ use getopt::GetOpt;
use strerror::StrError; use strerror::StrError;
use sysexits::{ EX_IOERR, EX_USAGE }; use sysexits::{ EX_IOERR, EX_USAGE };
#[cfg(target_os="openbsd")] use sysexits::EX_OSERR;
#[cfg(target_os="openbsd")] extern crate openbsd;
#[cfg(target_os="openbsd")]
use openbsd::{
Promises,
UnveilPerms,
pledge,
unveil,
};
use ArgMode::*; use ArgMode::*;
enum ArgMode { In, Out } enum ArgMode { In, Out }
@ -41,6 +51,14 @@ fn main() -> ExitCode {
let argv = args().collect::<Vec<_>>(); let argv = args().collect::<Vec<_>>();
let usage = format!("Usage: {} [-aetu] [-i input] [-o output]", argv[0]); let usage = format!("Usage: {} [-aetu] [-i input] [-o output]", argv[0]);
if cfg!(target_os="openbsd") {
let promises = Promises::new("rpath stdio unveil");
if let Err(e) = pledge(Some(promises), None) {
eprintln!("{}: {}", argv[0], e.strerror());
return ExitCode::from(EX_OSERR as u8);
}
}
let mut a = false; /* append to the file */ let mut a = false; /* append to the file */
let mut e = false; /* use stderr as an output */ let mut e = false; /* use stderr as an output */
let mut t = true; /* do not truncate the file before writing */ let mut t = true; /* do not truncate the file before writing */
@ -58,11 +76,29 @@ fn main() -> ExitCode {
Ok("t") => t = false, Ok("t") => t = false,
Ok("i") => { /* add inputs */ Ok("i") => { /* add inputs */
let input = opt.arg().unwrap(); let input = opt.arg().unwrap();
if cfg!(target_os="openbsd") {
let perms = UnveilPerms::new(vec!['r']);
if let Err(e) = unveil(Some(&input), Some(perms)) {
eprintln!("{}: {}", argv[0], e.strerror());
return ExitCode::from(EX_OSERR as u8);
}
}
ins.push(input); ins.push(input);
mode = Some(In); /* latest argument == -i */ mode = Some(In); /* latest argument == -i */
}, },
Ok("o") => { /* add output */ Ok("o") => { /* add output */
let output = opt.arg().unwrap(); let output = opt.arg().unwrap();
if cfg!(target_os="openbsd") {
let perms = UnveilPerms::new(vec!['w', 'c']);
if let Err(e) = unveil(Some(&output), Some(perms)) {
eprintln!("{}: {}", argv[0], e.strerror());
return ExitCode::from(EX_OSERR as u8);
}
}
outs.push(output); outs.push(output);
mode = Some(Out); /* latest argument == -o */ mode = Some(Out); /* latest argument == -o */
}, },
@ -86,11 +122,17 @@ fn main() -> ExitCode {
Out => outs.push(arg.to_string()), Out => outs.push(arg.to_string()),
}; };
} }
} else {
eprintln!("{}", usage);
return ExitCode::from(EX_USAGE as u8);
} }
if cfg!(target_os="openbsd") {
if let Err(e) = unveil(None, None) {
eprintln!("{}: {}", argv[0], e.strerror());
return ExitCode::from(EX_OSERR as u8);
}
}
println!("{:?}", ins);
/* use stdin if no inputs are specified */ /* use stdin if no inputs are specified */
if ins.is_empty() { ins.push("-".to_string()); } if ins.is_empty() { ins.push("-".to_string()); }
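Review bot: The promise string `"rpath stdio unveil"` at the top of `main` has no `wpath` or `cpath`, yet the `-o` branch unveils outputs with `['w', 'c']`. The open calls are outside the visible hunks, but if outputs are opened or created after this pledge, the kernel will kill the process on the first such open; `Promises::new("cpath rpath stdio unveil wpath")` would match the unveil permissions. The `if cfg!(target_os="openbsd") { … }` blocks are still name-resolved on every target while `pledge`, `unveil`, `Promises`, `UnveilPerms` and `EX_OSERR` are imported under `#[cfg(target_os="openbsd")]`, so other targets will most likely fail to build. Putting `#[cfg(target_os="openbsd")]` on each block instead keeps them out of those builds. `println!("{:?}", ins);` just before the stdin fallback looks like leftover debugging and would write into the program's own stdout stream.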