From d9b3679d0af23480cc34afb2a4be835135db86a0 Mon Sep 17 00:00:00 2001 From: Job Snijders Date: Mon, 30 Jan 2023 21:12:43 +0000 Subject: [PATCH] On OpenBSD restrict access to system calls with pledge() --- cmd/stayrtr/stayrtr.go | 7 +++++++ go.mod | 1 + ossec/constrain.go | 7 +++++++ ossec/constrain_openbsd.go | 7 +++++++ 4 files changed, 22 insertions(+) create mode 100644 ossec/constrain.go create mode 100644 ossec/constrain_openbsd.go diff --git a/cmd/stayrtr/stayrtr.go b/cmd/stayrtr/stayrtr.go index 2a77448..f4e99cb 100644 --- a/cmd/stayrtr/stayrtr.go +++ b/cmd/stayrtr/stayrtr.go @@ -19,6 +19,7 @@ import ( "time" rtr "github.com/bgp/stayrtr/lib" + "github.com/bgp/stayrtr/ossec" "github.com/bgp/stayrtr/prefixfile" "github.com/bgp/stayrtr/utils" "github.com/prometheus/client_golang/prometheus" @@ -587,6 +588,12 @@ func (m *metricsEvent) UpdateMetrics(numIPv4 int, numIPv6 int, numIPv4filtered i } func main() { + err := ossec.PledgePromises("dns inet rpath stdio tty") + if err != nil { + fmt.Fprintf(os.Stderr, "pledge failed: %v\n", err) + os.Exit(1) + } + if err := run(); err != nil { fmt.Fprintf(os.Stderr, "%s\n", err) os.Exit(1) diff --git a/go.mod b/go.mod index 4d2a3ac..fc63b9b 100644 --- a/go.mod +++ b/go.mod @@ -8,4 +8,5 @@ require ( github.com/sirupsen/logrus v1.8.1 github.com/stretchr/testify v1.4.0 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 + golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 ) diff --git a/ossec/constrain.go b/ossec/constrain.go new file mode 100644 index 0000000..7f60f59 --- /dev/null +++ b/ossec/constrain.go @@ -0,0 +1,7 @@ +// +build !openbsd + +package ossec + +func PledgePromises(promises string) error { + return nil +} diff --git a/ossec/constrain_openbsd.go b/ossec/constrain_openbsd.go new file mode 100644 index 0000000..c7195ff --- /dev/null +++ b/ossec/constrain_openbsd.go @@ -0,0 +1,7 @@ +package ossec + +import "golang.org/x/sys/unix" + +func PledgePromises(promises string) error { + return unix.PledgePromises(promises) +}