| author | murilo ijanc | 2026-03-25 15:13:38 -0300 |
|---|---|---|
| committer | murilo ijanc | 2026-03-25 15:13:38 -0300 |
| commit | b6e3f14ebd0601b1604dcb29fba07b6446a140b7 (patch) | |
| tree | bc32dbeea82754f06228d55346ba1b0e6f4ec312 /src/sandbox.rs | |
| parent | 63c080840a7567f67effa9703d7c94b488d22fc1 (diff) | |
| download | tesseras-paste-b6e3f14ebd0601b1604dcb29fba07b6446a140b7.tar.gz | |
Add missing pledge promises (drm, prot_exec) and source reference
Add reference to pledgereq[] in /usr/src/sys/kern/kern_pledge.c
and include drm and prot_exec that were missing from the list.
Diffstat (limited to 'src/sandbox.rs')
| -rw-r--r-- | src/sandbox.rs | 56 |
1 files changed, 46 insertions, 10 deletions
diff --git a/src/sandbox.rs b/src/sandbox.rs
index 13f6a87..43ce4d2 100644
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -9,12 +9,44 @@ unsafe extern "C" {
 }

 /// Valid pledge promises on OpenBSD.
+/// See `pledgereq[]` in `/usr/src/sys/kern/kern_pledge.c`.
 const VALID_PROMISES: &[&str] = &[
- "audio", "bpf", "chown", "cpath", "disklabel", "dns", "dpath",
- "error", "exec", "fattr", "flock", "getpw", "id", "inet", "mcast",
- "pf", "proc", "ps", "recvfd", "route", "rpath", "sendfd", "settime",
- "stdio", "tape", "tmppath", "tty", "unix", "unveil", "video",
- "vminfo", "vmm", "wpath", "wroute",
+ "audio",
+ "bpf",
+ "chown",
+ "cpath",
+ "disklabel",
+ "dns",
+ "dpath",
+ "drm",
+ "error",
+ "exec",
+ "fattr",
+ "flock",
+ "getpw",
+ "id",
+ "inet",
+ "mcast",
+ "pf",
+ "proc",
+ "prot_exec",
+ "ps",
+ "recvfd",
+ "route",
+ "rpath",
+ "sendfd",
+ "settime",
+ "stdio",
+ "tape",
+ "tmppath",
+ "tty",
+ "unix",
+ "unveil",
+ "video",
+ "vminfo",
+ "vmm",
+ "wpath",
+ "wroute",
 ];

 /// Valid unveil permission characters.
@@ -44,14 +76,18 @@ pub fn do_pledge(promises: &str) {
 /// Add a path to the unveil whitelist with the given permissions.
 /// Permissions: "r" read, "w" write, "c" create, "x" execute.
 pub fn do_unveil(path: &Path, perms: &str) {
- if perms.is_empty() || !perms.as_bytes().iter().all(|b| VALID_PERMS.contains(b)) {
+ if perms.is_empty()
+ || !perms.as_bytes().iter().all(|b| VALID_PERMS.contains(b))
+ {
 log::error!("unveil: invalid permissions");
 std::process::exit(1);
 }
- let p = CString::new(path.as_os_str().as_encoded_bytes()).unwrap_or_else(|_| {
- log::error!("unveil: path contains NUL byte");
- std::process::exit(1);
- });
+ let p = CString::new(path.as_os_str().as_encoded_bytes()).unwrap_or_else(
+ |_| {
+ log::error!("unveil: path contains NUL byte");
+ std::process::exit(1);
+ },
+ );
 let f = CString::new(perms).unwrap_or_else(|_| {
 log::error!("unveil: permissions contain NUL byte");
 std::process::exit(1); |
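Review bot: The doc comment on `VALID_PROMISES` in the first hunk now points at `pledgereq[]` but does not record which OpenBSD release the copy was taken from, and this commit is itself evidence that the hand-maintained list drifts from the kernel table. I would add a line below the new `/// See ...` comment such as `/// Synced with OpenBSD <RELEASE>; re-check pledgereq[] on every release upgrade.`, with the release filled in by the author. It is also worth saying there that the table only checks that a promise name is spelled correctly and is not a policy allowlist: `drm` and `prot_exec` both widen what a pledged process may do, so call sites should still request the narrowest set they need. How `do_pledge` consumes the table lies outside this hunk, so the last point is inferred from the constant's name and comment.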