icyphox / legit

web frontend for git
https://git.icyphox.sh
MIT License
376 stars 25 forks

Add support for OpenBSD's unveil(2) #9

Closed e-zk closed 1 year ago

e-zk commented 1 year ago

Saw from the code comments + unveil.go that you were planning on using unveil(2) at some point. I found out golang.org/x/sys/unix actually has support for Unveil and even Pledge functions.

The unix.Unveil* functions will only work on OpenBSD (obviously), so to stop Go complaining when you compile on anything that isn't OpenBSD, I've made unveil_stub.go include stub functions for non-OpenBSD systems.

It prints a log message before calling unveil(2), and I've included UnveilPaths() to simplify the code in main.go.

Tested this myself on OpenBSD.

Let me know if you had any ideas for a different format of the log messages.

icyphox commented 1 year ago

Hey Zak,

On Wed, 2022-12-21 at 06:50 -0800, e-zk wrote:

> Saw from the code comments + unveil.go that you were planning on using unveil(2) at some point. I found out golang.org/x/sys/unix actually has support for Unveil and even Pledge functions.

Thanks for this, I was experimenting with unveil(2) locally but never got around to finishing up the horror that I was writing. TIL about x/sys/unix having Unveil and Pledge functions, very cool!

> The unix.Unveil* functions will only work on OpenBSD (obviously), so to stop Go complaining when you compile on anything that isn't OpenBSD, I've made unveil_stub.go include stub functions for non-OpenBSD systems. It prints a log message before calling unveil(2), and I've included UnveilPaths() to simplify the code in main.go.

Awesome, this is super clean. I checked out your PR locally and tested it on both OpenBSD and Linux machines -- works great! I'll merge this now.

Out of curiosity, are you running legit somewhere?

icyphox commented 1 year ago

Okay hm. Looks like gitkit, the library I'm using for the git http server, needs the git executable in PATH. I tried unveiling it with rx but I'm getting an 'unveil: operation not permitted' error. This is the full log:

2022/12/22 11:36:47 unveil: "./static", r
2022/12/22 11:36:47 unveil: "/var/www/git", r
2022/12/22 11:36:47 unveil: "./templates", r
2022/12/22 11:36:47 unveil: block
2022/12/22 11:36:47 unveil: "/usr/local/bin/git", rx
2022/12/22 11:36:47 unveil: operation not permitted

Looks like it gets blocked first. Am I using it incorrectly?

icyphox commented 1 year ago

Oh god, never mind me. This is what I get for trying to write code after back-to-back red-eye flights, lmao. I didn't notice the log.Printf("unveil: block") and was thoroughly confused as to why Unveil was logging that. To add to that, I was making an Unveil call after UnveilBlock, which obviously fails.

This was all discerned after a good nap and some tea.
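As an added example (not code from the legit repository or from this PR), the Go block below shows the wrapper-plus-stub pattern this thread describes, with one addition that would have made the mistake above obvious: it remembers whether UnveilBlock has run and refuses any later Unveil call with a clear error instead of letting unveil(2) answer "operation not permitted". The two function variables sysUnveil and sysUnveilBlock are an assumption made for illustration; on OpenBSD a separate file guarded by //go:build openbsd would point them at unix.Unveil and unix.UnveilBlock from golang.org/x/sys/unix, and on every other platform they stay as no-op stubs, which is why the block runs anywhere. The log format copies the one shown in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
	"sync"
)

// Added example, not legit's unveil.go/unveil_stub.go. The real syscalls are
// reached through these two variables. On OpenBSD a `//go:build openbsd`
// file would assign unix.Unveil and unix.UnveilBlock from
// golang.org/x/sys/unix (assumed, not part of this block); elsewhere the
// no-op stubs below keep the program building and running.
var (
	sysUnveil      = func(path, perms string) error { return nil }
	sysUnveilBlock = func() error { return nil }
)

// ErrAfterBlock replaces the kernel's EPERM for an unveil(2) call made after
// unveil(NULL, NULL), so the ordering bug is reported by name.
var ErrAfterBlock = errors.New("unveil: called after UnveilBlock")

var (
	mu      sync.Mutex
	blocked bool
)

// checkPerms accepts only the permission letters unveil(2) understands.
func checkPerms(perms string) error {
	for _, c := range perms {
		if !strings.ContainsRune("rwxc", c) {
			return fmt.Errorf("unveil: invalid permission %q in %q", c, perms)
		}
	}
	return nil
}

// Unveil validates perms, enforces ordering, logs the call in the same
// format the thread shows, and forwards to the platform implementation.
func Unveil(path, perms string) error {
	if err := checkPerms(perms); err != nil {
		return err
	}
	mu.Lock()
	defer mu.Unlock()
	if blocked {
		return ErrAfterBlock
	}
	log.Printf("unveil: %q, %s", path, perms)
	return sysUnveil(path, perms)
}

// UnveilBlock ends the sequence; it is idempotent so a second call is harmless.
func UnveilBlock() error {
	mu.Lock()
	defer mu.Unlock()
	if blocked {
		return nil
	}
	log.Printf("unveil: block")
	if err := sysUnveilBlock(); err != nil {
		return err
	}
	blocked = true
	return nil
}

// UnveilPaths applies one permission string to several paths, stopping at
// the first failure so a partial sandbox is never silently accepted.
func UnveilPaths(perms string, paths ...string) error {
	for _, p := range paths {
		if err := Unveil(p, perms); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	if err := UnveilPaths("r", "./static", "/var/www/git", "./templates"); err != nil {
		log.Fatal(err)
	}
	// The git binary spawned by the HTTP backend needs x as well as r.
	if err := Unveil("/usr/local/bin/git", "rx"); err != nil {
		log.Fatal(err)
	}
	if err := UnveilBlock(); err != nil {
		log.Fatal(err)
	}
	// The mistake from the thread: an Unveil after UnveilBlock. The wrapper
	// rejects it before any syscall is attempted.
	if err := Unveil("/usr/local/bin/git", "rx"); err != nil {
		fmt.Println("refused:", err)
	}
}
```

Because the guard is in the portable wrapper rather than in the OpenBSD-only file, the ordering error surfaces on a Linux development box too, instead of only once the code reaches an OpenBSD host.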

e-zk commented 1 year ago

Hey @icyphox,

> Out of curiosity, are you running legit somewhere?

Not currently, no. I was running it locally to test these changes. But I'm seriously considering replacing stagit on git.zakaria.org with legit when I have some free time.

> This was all discerned after a good nap and some tea.

Hah! No worries, happens to everyone :P