Merge pull request #82 from epsilon-0/master

add security features on OpenBSD
This commit is contained in:
Ian 2022-06-08 21:51:43 -07:00 committed by GitHub
commit ce6cb783d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 0 deletions

20
Cargo.lock generated
View File

@ -594,6 +594,15 @@ version = "0.3.23"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d1a3ea4f0dd7f1f3e512cf97bf100819aa547f36a6eccac8dbaae839eb92363e" checksum = "d1a3ea4f0dd7f1f3e512cf97bf100819aa547f36a6eccac8dbaae839eb92363e"
[[package]]
name = "pledge"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "252599417b7d9a43b7fdc63dd790b0848666a8910b2ebe1a25118309c3c981e5"
dependencies = [
"libc",
]
[[package]] [[package]]
name = "ppv-lite86" name = "ppv-lite86"
version = "0.2.15" version = "0.2.15"
@ -995,6 +1004,15 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3" checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
[[package]]
name = "unveil"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e7fa867d559102001ec694165ed17d5f82e95213060a65f9c8b6280084bbfec"
dependencies = [
"libc",
]
[[package]] [[package]]
name = "url" name = "url"
version = "2.2.2" version = "2.2.2"
@ -1014,11 +1032,13 @@ dependencies = [
"anyhow", "anyhow",
"envy", "envy",
"ldap3", "ldap3",
"pledge",
"reqwest", "reqwest",
"serde", "serde",
"serde_json", "serde_json",
"thiserror", "thiserror",
"toml", "toml",
"unveil",
] ]
[[package]] [[package]]

View File

@ -13,3 +13,5 @@ serde_json = "1.0"
thiserror = "1.0" thiserror = "1.0"
anyhow = "1.0" anyhow = "1.0"
envy = "0.4.1" envy = "0.4.1"
pledge = "0.4.2"
unveil = "0.3.2"

View File

@ -1,5 +1,7 @@
extern crate anyhow; extern crate anyhow;
extern crate ldap3; extern crate ldap3;
extern crate pledge;
extern crate unveil;
use std::collections::HashSet; use std::collections::HashSet;
use std::thread::sleep; use std::thread::sleep;
@ -9,6 +11,8 @@ use anyhow::Context as _;
use anyhow::Error as AnyError; use anyhow::Error as AnyError;
use anyhow::Result; use anyhow::Result;
use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions}; use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
use pledge::pledge;
use unveil::unveil;
mod config; mod config;
mod vw_admin; mod vw_admin;
@ -21,6 +25,16 @@ fn main() {
config.get_vaultwarden_root_cert_file(), config.get_vaultwarden_root_cert_file(),
); );
unveil(config::get_config_path(), "r")
.or_else(unveil::Error::ignore_platform)
.expect("Could not unveil config file");
unveil("", "")
.or_else(unveil::Error::ignore_platform)
.expect("Could not disable further unveils");
pledge("dns flock inet rpath stdio tty", "")
.or_else(pledge::Error::ignore_platform)
.expect("Could not pledge permissions");
invite_users(&config, &mut client, config.get_ldap_sync_loop()) invite_users(&config, &mut client, config.get_ldap_sync_loop())
} }