ref: a7561cf5afe0bf683c0b6b384e5a4710b754ce97
parent: 5968bd41c7e89461fec41a3b669514a89ddbda10
author: Aaron Bieber <[email protected]>
date: Thu May 14 10:44:37 EDT 2020
fix unveil on new installs
--- a/go.mod
+++ b/go.mod
@@ -5,5 +5,6 @@
require (
golang.org/x/build v0.0.0-20200428202702-916311cec4e1
golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
- golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527
+ golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
+ suah.dev/protect v1.0.0
)
--- a/go.sum
+++ b/go.sum
@@ -181,6 +181,8 @@
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527 h1:uYVVQ9WP/Ds2ROhcaGPeIdVq0RIXVLwsHlnvJ+cT1So=
golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -276,3 +278,5 @@
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+suah.dev/protect v1.0.0 h1:X8pzDvDIZIiugmkmr6DES6JFO1XUdJWi34Ffmk6CMZY=
+suah.dev/protect v1.0.0/go.mod h1:ZSgyBM30JUwhVPWJzVHh0jlu5W6Qz1VR6tIhAzqJZ9Y=
--- a/main.go
+++ b/main.go
@@ -29,6 +29,7 @@
"strings"
"golang.org/x/crypto/openpgp"
+ "suah.dev/protect"
)
// Google Inc. (Linux Packages Signing Authority) <[email protected]>
@@ -314,11 +315,15 @@
log.Fatalf("gover: %v", err)
}
- pledge("stdio tty unveil rpath cpath wpath proc dns inet fattr exec")
+ if err := os.MkdirAll(root, 0755); err != nil {
+ log.Fatalf("failed to create gover directory: %v\n", err)
+ }
- unveil("/etc", "r")
- unveil(root, "rwxc")
- unveilBlock()
+ _ = protect.Pledge("stdio tty unveil rpath cpath wpath proc dns inet fattr exec")
+
+ _ = protect.Unveil("/etc", "r")
+ _ = protect.Unveil(root, "rwxc")
+ _ = protect.UnveilBlock()
if os.Args[1] == "download" {
switch len(os.Args) {
--- a/protect.go
+++ /dev/null
@@ -1,7 +1,0 @@
-//+build !openbsd
-
-package main
-
-func pledge(promises string) {}
-func unveil(path string, flags string) {}
-func unveilBlock() {}
--- a/protect_openbsd.go
+++ /dev/null
@@ -1,28 +1,0 @@
-package main
-
-import (
- "log"
-
- "golang.org/x/sys/unix"
-)
-
-func pledge(promises string) {
- err := unix.PledgePromises(promises)
- if err != nil {
- log.Fatal(err)
- }
-}
-
-func unveil(path string, flags string) {
- err := unix.Unveil(path, flags)
- if err != nil {
- log.Fatal(err)
- }
-}
-
-func unveilBlock() {
- err := unix.UnveilBlock()
- if err != nil {
- log.Fatal(err)
- }
-}