File: drop-openbsd-pledge.patch

package info (click to toggle)
yggdrasil 0.5.12-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, trixie
  • size: 924 kB
  • sloc: sh: 723; ansic: 196; makefile: 21
file content (89 lines) | stat: -rw-r--r-- 2,265 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
 
--- a/cmd/genkeys/main.go
+++ b/cmd/genkeys/main.go
@@ -18,8 +18,6 @@
 	"runtime"
 	"time"
 
-	"suah.dev/protect"
-
 	"github.com/yggdrasil-network/yggdrasil-go/src/address"
 )
 
@@ -30,10 +28,6 @@
 }
 
 func main() {
-	if err := protect.Pledge("stdio"); err != nil {
-		panic(err)
-	}
-
 	threads := runtime.GOMAXPROCS(0)
 	fmt.Println("Threads:", threads)
 	start := time.Now()
--- a/cmd/yggdrasilctl/main.go
+++ b/cmd/yggdrasilctl/main.go
@@ -13,8 +13,6 @@
 	"strings"
 	"time"
 
-	"suah.dev/protect"
-
 	"github.com/olekukonko/tablewriter"
 	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
 	"github.com/yggdrasil-network/yggdrasil-go/src/core"
@@ -24,11 +22,6 @@
 )
 
 func main() {
-	// read config, speak DNS/TCP and/or over a UNIX socket
-	if err := protect.Pledge("stdio rpath inet unix dns"); err != nil {
-		panic(err)
-	}
-
 	// makes sure we can use defer and still return an error code to the OS
 	os.Exit(run())
 }
@@ -85,11 +78,6 @@
 		panic(err)
 	}
 
-	// config and socket are done, work without unprivileges
-	if err := protect.Pledge("stdio"); err != nil {
-		panic(err)
-	}
-
 	logger.Println("Connected")
 	defer conn.Close()
 
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@@ -14,8 +14,6 @@
 	"strings"
 	"syscall"
 
-	"suah.dev/protect"
-
 	"github.com/gologme/log"
 	gsyslog "github.com/hashicorp/go-syslog"
 	"github.com/hjson/hjson-go/v4"
@@ -41,20 +39,6 @@
 
 // The main function is responsible for configuring and starting Yggdrasil.
 func main() {
-	// Not all operations are coverable with pledge(2), so immediately
-	// limit file system access with unveil(2), effectively preventing
-	// "proc exec" promises right from the start:
-	//
-	// - read arbitrary config file
-	// - create/write arbitrary log file
-	// - read/write/chmod/remove admin socket, if at all
-	if err := protect.Unveil("/", "rwc"); err != nil {
-		panic(fmt.Sprintf("unveil: / rwc: %v", err))
-	}
-	if err := protect.UnveilBlock(); err != nil {
-		panic(fmt.Sprintf("unveil: %v", err))
-	}
-
 	genconf := flag.Bool("genconf", false, "print a new config to stdout")
 	useconf := flag.Bool("useconf", false, "read HJSON/JSON config from stdin")
 	useconffile := flag.String("useconffile", "", "read HJSON/JSON config from specified file path")