intial
This commit is contained in:
commit
ffecf00f19
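--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,15 @@
+/*
+* Copyright (c) 2020 Aaron Bieber <aaron@bolddaemon.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/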
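--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,5 @@
+module suah.dev/protect
+
+go 1.14
+
+require golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3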
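--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=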
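--- a/protect.go
+++ b/protect.go
@@ -0,0 +1,34 @@
+//+build !openbsd
+
+/*
+Package protect is a wrapper for OpenBSD's pledge(2) and unveil(2) system
+calls.
+
+This library is trivial, but I found myself writing it often enough that I
+figure it should be a package.
+*/
+
+package protect
+
+// Unveil is a wrapper for OpenBSD's unveil(2). unveil can be used to limit
+// a processes view of the filesystem.
+//
+// The first call to Unveil removes a processes visibility to everything
+// except 'path'. Any subsequent calls expand the view to contain those
+// paths. Finally a call to UnveilBlock will lock the view in place.
+// Preventing access to anything else.
+//
+// On non-OpenBSD machines this call is a noop.
+func Unveil(path string, flags string) {}
+
+// UnveilBlock locks the Unveil'd paths. Preventing further changes to a
+// processes filesystem view.
+//
+// On non-OpenBSD machines this call is a noop.
+func UnveilBlock() {}
+
+// Pledge wraps OpenBSD's pledge(2) system call. One can use this to limit
+// the system calls a process can make.
+//
+// On non-OpenBSD machines this call is a noop.
+func Pledge(promises string) {}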
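--- a/protect_openbsd.go
+++ b/protect_openbsd.go
@@ -0,0 +1,44 @@
+//+build openbsd
+
+/*
+Package protect is a wrapper for OpenBSD's pledge(2) and unveil(2) system
+calls.
+
+This library is trivial, but I found myself writing it often enough that I
+figure it should be a package.
+*/
+
+package protect
+
+import (
+"golang.org/x/sys/unix"
+)
+
+// Unveil is a wrapper for OpenBSD's unveil(2). unveil can be used to limit
+// a processes view of the filesystem.
+//
+// The first call to Unveil removes a processes visibility to everything
+// except 'path'. Any subsequent calls expand the view to contain those
+// paths. Finally a call to UnveilBlock will lock the view in place.
+// Preventing access to anything else.
+//
+// On non-OpenBSD machines this call is a noop.
+func Unveil(path string, flags string) {
+unix.Unveil(path, flags)
+}
+
+// UnveilBlock locks the Unveil'd paths. Preventing further changes to a
+// processes filesystem view.
+//
+// On non-OpenBSD machines this call is a noop.
+func UnveilBlock() {
+unix.UnveilBlock()
+}
+
+// Pledge wraps OpenBSD's pledge(2) system call. One can use this to limit
+// the system calls a process can make.
+//
+// On non-OpenBSD machines this call is a noop.
+func Pledge(promises string) {
+unix.PledgePromises(promises)
+}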
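Review bot: The error returned by `unix.Unveil(path, flags)`, `unix.UnveilBlock()` and `unix.PledgePromises(promises)` is discarded in all three wrappers, so when the kernel rejects a call (pledge(2) and unveil(2) can fail, for instance on a malformed promise string or a path that cannot be resolved) the process keeps running without the restriction it asked for and the caller has no way to notice. A sandbox that silently degrades is the worst outcome for an API whose only job is to apply restrictions; the wrappers should propagate the error so callers can fail closed, e.g. `if err := protect.Pledge("stdio rpath"); err != nil { log.Fatal(err) }`. The non-OpenBSD stubs in protect.go then need the same `error` return (returning nil) so both build variants keep one signature, and the three doc comments should gain a sentence stating that a non-nil error means the restriction was not applied. Rewritten bodies below, doc comments and package header unchanged.
```go
// … unchanged: build tag, package doc, import …

func Unveil(path string, flags string) error {
	return unix.Unveil(path, flags)
}

// … unchanged: UnveilBlock doc comment …
func UnveilBlock() error {
	return unix.UnveilBlock()
}

// … unchanged: Pledge doc comment …
func Pledge(promises string) error {
	return unix.PledgePromises(promises)
}
```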