shithub: gover


ref: a7561cf5afe0bf683c0b6b384e5a4710b754ce97
parent: 5968bd41c7e89461fec41a3b669514a89ddbda10
author: Aaron Bieber <[email protected]>
date: Thu May 14 10:44:37 EDT 2020

fix unveil on new installs

--- a/go.mod
+++ b/go.mod
@@ -5,5 +5,6 @@
 require (
 	golang.org/x/build v0.0.0-20200428202702-916311cec4e1
 	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
-	golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527
+	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
+	suah.dev/protect v1.0.0
 )
--- a/go.sum
+++ b/go.sum
@@ -181,6 +181,8 @@
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527 h1:uYVVQ9WP/Ds2ROhcaGPeIdVq0RIXVLwsHlnvJ+cT1So=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -276,3 +278,5 @@
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+suah.dev/protect v1.0.0 h1:X8pzDvDIZIiugmkmr6DES6JFO1XUdJWi34Ffmk6CMZY=
+suah.dev/protect v1.0.0/go.mod h1:ZSgyBM30JUwhVPWJzVHh0jlu5W6Qz1VR6tIhAzqJZ9Y=
--- a/main.go
+++ b/main.go
@@ -29,6 +29,7 @@
 	"strings"
 
 	"golang.org/x/crypto/openpgp"
+	"suah.dev/protect"
 )
 
 // Google Inc. (Linux Packages Signing Authority) <[email protected]>
@@ -314,11 +315,15 @@
 		log.Fatalf("gover: %v", err)
 	}
 
-	pledge("stdio tty unveil rpath cpath wpath proc dns inet fattr exec")
+	if err := os.MkdirAll(root, 0755); err != nil {
+		log.Fatalf("failed to create gover directory: %v\n", err)
+	}
 
-	unveil("/etc", "r")
-	unveil(root, "rwxc")
-	unveilBlock()
+	_ = protect.Pledge("stdio tty unveil rpath cpath wpath proc dns inet fattr exec")
+
+	_ = protect.Unveil("/etc", "r")
+	_ = protect.Unveil(root, "rwxc")
+	_ = protect.UnveilBlock()
 
 	if os.Args[1] == "download" {
 		switch len(os.Args) {
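Review bot: The results of `protect.Pledge`, `protect.Unveil` and `protect.UnveilBlock` are discarded with `_ =`, so a failure in any of them on OpenBSD now lets the program continue with no pledge or unveil restriction in place. The helpers this commit removes called `log.Fatal` on error, so this silently turns a fail-closed sandbox into a fail-open one in a tool that downloads, verifies and executes toolchain binaries. Assuming these calls return a plain `error` that is nil on platforms without pledge/unveil (as the `_ =` assignments suggest), checking each one keeps the old behaviour without affecting other systems. Separately, the new `MkdirAll` message would match the `gover: %v` form used just above if it dropped the trailing `\n`, which `log.Fatalf` adds itself. The enclosing function starts and ends outside this hunk.

```go
	// … unchanged: os.MkdirAll(root, 0755) check …

	// Fail closed: do not continue unsandboxed if the restrictions cannot be applied.
	if err := protect.Pledge("stdio tty unveil rpath cpath wpath proc dns inet fattr exec"); err != nil {
		log.Fatalf("gover: pledge: %v", err)
	}
	if err := protect.Unveil("/etc", "r"); err != nil {
		log.Fatalf("gover: unveil /etc: %v", err)
	}
	if err := protect.Unveil(root, "rwxc"); err != nil {
		log.Fatalf("gover: unveil %s: %v", root, err)
	}
	if err := protect.UnveilBlock(); err != nil {
		log.Fatalf("gover: unveil block: %v", err)
	}
```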
--- a/protect.go
+++ /dev/null
@@ -1,7 +1,0 @@
-//+build !openbsd
-
-package main
-
-func pledge(promises string)           {}
-func unveil(path string, flags string) {}
-func unveilBlock()                     {}
--- a/protect_openbsd.go
+++ /dev/null
@@ -1,28 +1,0 @@
-package main
-
-import (
-	"log"
-
-	"golang.org/x/sys/unix"
-)
-
-func pledge(promises string) {
-	err := unix.PledgePromises(promises)
-	if err != nil {
-		log.Fatal(err)
-	}
-}
-
-func unveil(path string, flags string) {
-	err := unix.Unveil(path, flags)
-	if err != nil {
-		log.Fatal(err)
-	}
-}
-
-func unveilBlock() {
-	err := unix.UnveilBlock()
-	if err != nil {
-		log.Fatal(err)
-	}
-}