add security features on OpenBSD

Signed-off-by: Aisha Tammy <floss@bsd.ac>
2024-11-21 10:46:27 +00:00 · 2022-05-16 15:33:13 -04:00 · 2022-05-16 15:33:13 -04:00 · 97a64c7247
commit 97a64c7247
parent dd92cc509a
3 changed files with 36 additions and 0 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -594,6 +594,15 @@ version = "0.3.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d1a3ea4f0dd7f1f3e512cf97bf100819aa547f36a6eccac8dbaae839eb92363e"

+[[package]]
+name = "pledge"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "252599417b7d9a43b7fdc63dd790b0848666a8910b2ebe1a25118309c3c981e5"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "ppv-lite86"
 version = "0.2.15"
@ -995,6 +1004,15 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"

+[[package]]
+name = "unveil"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e7fa867d559102001ec694165ed17d5f82e95213060a65f9c8b6280084bbfec"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "url"
 version = "2.2.2"
@ -1014,11 +1032,13 @@ dependencies = [
 "anyhow",
 "envy",
 "ldap3",
+ "pledge",
 "reqwest",
 "serde",
 "serde_json",
 "thiserror",
 "toml",
+ "unveil",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -13,3 +13,5 @@ serde_json = "1.0"
 thiserror = "1.0"
 anyhow = "1.0"
 envy = "0.4.1"
+pledge = "0.4.2"
+unveil = "0.3.2"
--- a/src/main.rs
+++ b/src/main.rs
@ -1,5 +1,7 @@
 extern crate anyhow;
 extern crate ldap3;
+extern crate pledge;
+extern crate unveil;

 use std::collections::HashSet;
 use std::thread::sleep;
@ -9,6 +11,8 @@ use anyhow::Context as _;
 use anyhow::Error as AnyError;
 use anyhow::Result;
 use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
+use pledge::pledge;
+use unveil::unveil;

 mod config;
 mod vw_admin;
@ -21,6 +25,16 @@ fn main() {
        config.get_vaultwarden_root_cert_file(),
    );

+    unveil(config::get_config_path(), "r")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not unveil config file");
+    unveil("", "")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not disable further unveils");
+    pledge("dns flock inet rpath stdio tty", "")
+        .or_else(pledge::Error::ignore_platform)
+        .expect("Could not pledge permissions");
+
    invite_users(&config, &mut client, config.get_ldap_sync_loop())
 }