From 2bc1c2d90f36eb99e0bbe4950d7141c4f359e61c Mon Sep 17 00:00:00 2001
From: Klemens Nanni
Date: Sun, 20 Oct 2024 12:07:16 +0300
Subject: [PATCH 1/2] pledge genkeys
The simplest tool first: genkeys only does standard I/O, nothing else.
---
 cmd/genkeys/main.go | 6 ++++++
 go.mod | 1 +
 go.sum | 2 ++
 3 files changed, 9 insertions(+)
diff --git a/cmd/genkeys/main.go b/cmd/genkeys/main.go
index 36107c0aa..d1a15346c 100644
--- a/cmd/genkeys/main.go
+++ b/cmd/genkeys/main.go
@@ -18,6 +18,8 @@ import (
 "runtime"
 "time"
+ "suah.dev/protect"
+
 "github.com/yggdrasil-network/yggdrasil-go/src/address"
 )
@@ -27,6 +29,10 @@ type keySet struct {
 }
 func main() {
+ if err := protect.Pledge("stdio"); err != nil {
+ panic(err)
+ }
+
 threads := runtime.GOMAXPROCS(0)
 fmt.Println("Threads:", threads)
 start := time.Now()
diff --git a/go.mod b/go.mod
index 76641a605..fdbbcaf23 100644
--- a/go.mod
+++ b/go.mod
@@ -45,4 +45,5 @@ require (
 github.com/mattn/go-runewidth v0.0.15 // indirect
 github.com/olekukonko/tablewriter v0.0.5
 github.com/vishvananda/netns v0.0.4 // indirect
+ suah.dev/protect v1.2.4
 )
diff --git a/go.sum b/go.sum
index 89dd0c7bc..75e4811df 100644
--- a/go.sum
+++ b/go.sum
@@ -155,3 +155,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
+suah.dev/protect v1.2.4 h1:iVZG/zQB63FKNpITDYM/cXoAeCTIjCiXHuFVByJFDzg=
+suah.dev/protect v1.2.4/go.mod h1:vVrquYO3u1Ep9Ez2z8x+6N6/czm+TBmWKZfiXU2tb54=
From a6fcdfca2a41d4b8a6ad7cf2b3e3719b2fe21dc5 Mon Sep 17 00:00:00 2001
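Review bot: The `protect.Pledge("stdio")` call at the top of genkeys' main() carries no comment, and the hardening it adds is OpenBSD-only — as far as I know suah.dev/protect's Pledge is a no-op that returns nil on other platforms, so a reader must not take this line as sandboxing on Linux. genkeys starts GOMAXPROCS worker goroutines right after this point; I believe thread creation is covered by the stdio promise, but it is worth confirming on an actual OpenBSD run, because a pledge violation aborts the process with SIGABRT instead of returning an error that the `panic(err)` branch could report. I would document both at the call site: `// Nothing past this point touches files or the network, so restrict the` / `// process to stdio (enforced on OpenBSD only; a no-op elsewhere).`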
From: Klemens Nanni
Date: Sun, 20 Oct 2024 12:19:01 +0300
Subject: [PATCH 2/2] pledge yggdrasilctl
The CLI is simple, but parses config files and communicates over the network with arbitrary endpoints. Limit system operations to that is needed before doing anything and drop all priviledges after config file and socket handling is done, i.e. do parse and speak over the network completely unprivileged.
---
 cmd/yggdrasilctl/main.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/cmd/yggdrasilctl/main.go b/cmd/yggdrasilctl/main.go
index 8a30f438f..6a3252822 100644
--- a/cmd/yggdrasilctl/main.go
+++ b/cmd/yggdrasilctl/main.go
@@ -13,6 +13,8 @@ import (
 "strings"
 "time"
+ "suah.dev/protect"
+
 "github.com/olekukonko/tablewriter"
 "github.com/yggdrasil-network/yggdrasil-go/src/admin"
 "github.com/yggdrasil-network/yggdrasil-go/src/core"
@@ -22,6 +24,11 @@ import (
 )
 func main() {
+ // read config, speak DNS/TCP and/or over a UNIX socket
+ if err := protect.Pledge("stdio rpath inet unix dns"); err != nil {
+ panic(err)
+ }
+
 // makes sure we can use defer and still return an error code to the OS
 os.Exit(run())
 }
@@ -78,6 +85,11 @@ func run() int {
 panic(err)
 }
+ // config and socket are done, work without unprivileges
+ if err := protect.Pledge("stdio"); err != nil {
+ panic(err)
+ }
+
 logger.Println("Connected")
 defer conn.Close()
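Review bot: `panic(err)` on a failed pledge in main() prints a goroutine dump for what is a plain setup error, directly above a comment explaining that main() is shaped so the tool can "return an error code to the OS"; a one-line message plus exit status would match that intent, e.g. `fmt.Fprintln(os.Stderr, "pledge:", err)` followed by `os.Exit(1)` (assuming fmt is imported above the hunk, as os evidently is). The comment should also state that the promise set is enforced on OpenBSD only — as far as I know suah.dev/protect's Pledge is a no-op elsewhere — so nobody on Linux mistakes it for sandboxing; e.g. `// OpenBSD only (no-op elsewhere): read config, speak DNS/TCP and/or over a UNIX socket`. Every promise run() needs before its own narrower Pledge("stdio") has to appear in this list, so the two calls must be kept in sync and the comment should say so.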
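Review bot: The comment `// config and socket are done, work without unprivileges` added in run() is garbled ("without unprivileges"); I would write `// config and socket are done: drop everything but stdio for the rest of the run`. After this `protect.Pledge("stdio")` a violation kills the process with SIGABRT rather than surfacing as an error, so every remaining branch of run() — which starts before this hunk and continues after it — may only use the already-open conn and stdio; if any subcommand later opens a file, dials a new connection or resolves a name, that path will abort on OpenBSD and needs either a wider promise here or a restructure. Worth a quick audit of the rest of run() and a sentence in the comment naming that constraint.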