~egtann/srp

ref: 9734b138cee75a087f1ac1299fd1391fa7399226 srp/security_openbsd.go -rw-r--r-- 874 bytes
9734b138 — Evan Tann bump dependency versions 1 year, 6 months ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
package srp

import "golang.org/x/sys/unix"

// Pledge limits srp to specific syscalls. Go's stdlib "net" package calls
// sysctl(kern.somaxconn) which cannot be whitelisted by OpenBSD's pledges as
// of OpenBSD 6.6, though the program runs fine without the call, which is why
// we add the `error` pledge.
func Pledge() {
	const promises = "stdio rpath wpath cpath inet"
	if err := unix.Pledge(promises, ""); err != nil {
		panic(err)
	}
}

// Unveil hides the entire filesystem except for the given config file from
// srp. If there's a vulnerability at the application layer that allows a
// hacker to see the filesystem, the only visible file will be our
// configuration file.
func Unveil(filename, perm string) {
	if err := unix.Unveil(filename, perm); err != nil {
		panic(err)
	}
}

func UnveilBlock() {
	if err := unix.UnveilBlock(); err != nil {
		panic(err)
	}
}