fix(landlock): landlock only after creating files
This commit is contained in:
vecāks
01aa9c6c35
revīzija
00ee8d21c6
42
main.go
42
main.go
|
@ -131,23 +131,9 @@ var indexPage []byte
|
|||
func main() {
|
||||
log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr})
|
||||
|
||||
err := landlock.V2.BestEffort().RestrictPaths(
|
||||
landlock.RWDirs("./data"),
|
||||
landlock.RWFiles("filehole.db"),
|
||||
)
|
||||
var err error
|
||||
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Msg("Could not landlock")
|
||||
}
|
||||
|
||||
_, err = os.Open("/etc/passwd")
|
||||
if err == nil {
|
||||
log.Warn().Msg("Landlock failed, could open /etc/passwd")
|
||||
} else {
|
||||
log.Info().Err(err).Msg("Landlocked")
|
||||
}
|
||||
|
||||
db, err = bolt.Open("filehole.db", 0600, nil)
|
||||
db, err = bolt.Open("filehole.db", 0600, nil)
|
||||
if err != nil {
|
||||
log.Fatal().Err(err).Msg("dangerous database activity")
|
||||
}
|
||||
|
@ -160,12 +146,32 @@ func main() {
|
|||
return nil
|
||||
})
|
||||
|
||||
r := mux.NewRouter()
|
||||
// New single binary setup will have this user only reading from data
|
||||
os.Mkdir("./data", 0600)
|
||||
|
||||
// We actually need to landlock after creating all the files we reference
|
||||
// in the landlock or it will fail
|
||||
err = landlock.V2.BestEffort().RestrictPaths(
|
||||
landlock.RWDirs("./data"),
|
||||
landlock.RWFiles("filehole.db"),
|
||||
)
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msg("Could not landlock")
|
||||
}
|
||||
|
||||
// Test if landlock actually works on whatever fucked kernel you're
|
||||
// probably using
|
||||
_, err = os.Open("/etc/passwd")
|
||||
if err == nil {
|
||||
log.Error().Msg("Landlock failed, could open /etc/passwd")
|
||||
} else {
|
||||
log.Info().Err(err).Msg("Landlocked")
|
||||
}
|
||||
|
||||
r := mux.NewRouter()
|
||||
r.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Write(indexPage)
|
||||
}).Methods("GET")
|
||||
|
||||
r.HandleFunc("/", UploadHandler).Methods("POST")
|
||||
|
||||
http.Handle("/", r)
|
||||
|
|
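Review bot: `os.Mkdir("./data", 0600)` at the top of the hunk discards its error and creates the directory without the execute bit, so a non-root process cannot open anything under it (presumably what the upload handler writes there) and, if the mkdir fails for any reason other than the directory already existing, `landlock.RWDirs("./data")` a few lines later fails for the same missing-path reason this commit sets out to fix. Suggest `if err := os.Mkdir("./data", 0700); err != nil && !os.IsExist(err) { log.Fatal().Err(err).Msg("could not create data dir") }`, which also removes the first silently-ignored error in the function. The `/etc/passwd` probe leaks the file descriptor on the very path it is testing for, so `if f, err := os.Open("/etc/passwd"); err == nil { f.Close(); log.Error().Msg("Landlock failed, could open /etc/passwd") }` would be cleaner. Because `BestEffort()` returns nil on kernels without Landlock support, that probe is the only signal that the sandbox is absent; whether the service should keep running after that `log.Error` is a policy decision that deserves a comment on the line. main begins in the previous hunk and its body continues past the end of this one.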