rpz

Response policy zone (RPZ) file generator.
git clone https://git.philomathiclife.com/repos/rpz
Log | Files | Refs | README

priv_sep.rs (8123B)

      1 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
      2 pub use priv_sep::UnveilErr;
      3 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
      4 use priv_sep::{self, Permission, Permissions, Promise, Promises};
      5 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
      6 use std::env;
      7 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
      8 use std::fs;
      9 use std::{
     10     io::{Error, ErrorKind},
     11     path::Path,
     12 };
     13 /// Used instead of `()` for the parameter
     14 /// in the `pledge` functions. This allows
     15 /// one to avoid having to disable certain lints.
     16 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     17 #[derive(Clone, Copy)]
     18 pub struct Zst;
     19 /// Calls `pledge` with only the sys calls necessary for a minimal application
     20 /// to run. Specifically, the `Promise`s `Cpath`, `Dns`, `Inet`, `Rpath`, `Stdio`, `Unveil`, and `Wpath`
     21 /// are passed.
     22 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     23 pub fn pledge_init() -> Result<Promises, Error> {
     24     let promises = Promises::new([
     25         Promise::Cpath,
     26         Promise::Dns,
     27         Promise::Inet,
     28         Promise::Rpath,
     29         Promise::Stdio,
     30         Promise::Unveil,
     31         Promise::Wpath,
     32     ]);
     33     match promises.pledge() {
     34         Ok(()) => Ok(promises),
     35         Err(e) => Err(e),
     36     }
     37 }
     38 /// No-op that always returns `Ok`.
     39 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
     40 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     41 pub const fn pledge_init() -> Result<Zst, !> {
     42     Ok(Zst)
     43 }
     44 /// Removes `Cpath` and `Wpath` `Promise`s.
     45 ///
     46 /// This should only be called when `stdout` is written to
     47 /// instead of an RPZ file.
     48 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     49 pub fn pledge_away_create_write(promises: &mut Promises) -> Result<(), Error> {
     50     promises.remove_promises_then_pledge([Promise::Cpath, Promise::Wpath])
     51 }
     52 /// No-op that always returns `Ok`.
     53 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
     54 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     55 pub const fn pledge_away_create_write(_: &mut Zst) -> Result<(), !> {
     56     Ok(())
     57 }
     58 /// Removes `Promise::Unveil`.
     59 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     60 pub fn pledge_away_unveil(promises: &mut Promises) -> Result<(), Error> {
     61     promises.remove_then_pledge(Promise::Unveil)
     62 }
     63 /// No-op that always returns `Ok`.
     64 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
     65 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     66 pub const fn pledge_away_unveil(_: &mut Zst) -> Result<(), !> {
     67     Ok(())
     68 }
     69 /// Removes `Promise::Dns` and `Promise::Inet`.
     70 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     71 pub fn pledge_away_net(promises: &mut Promises) -> Result<(), Error> {
     72     promises.remove_promises_then_pledge([Promise::Dns, Promise::Inet])
     73 }
     74 /// No-op that always returns `Ok`.
     75 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
     76 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     77 pub const fn pledge_away_net(_: &mut Zst) -> Result<(), !> {
     78     Ok(())
     79 }
     80 /// Removes all `Promise`s except `Stdio`.
     81 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     82 pub fn pledge_away_all_but_stdio(promises: &mut Promises) -> Result<(), Error> {
     83     promises.retain_then_pledge([Promise::Stdio])
     84 }
     85 /// No-op that always returns `Ok`.
     86 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
     87 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     88 pub const fn pledge_away_all_but_stdio(_: &mut Zst) -> Result<(), !> {
     89     Ok(())
     90 }
     91 /// Calls `unveil`_on `path` with no `Permissions`.
     92 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     93 pub fn unveil_none<P: AsRef<Path>>(path: P) -> Result<(), UnveilErr> {
     94     Permissions::NONE.unveil(path)
     95 }
     96 /// No-op that always returns `Ok`.
     97 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     98 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
     99 pub fn unveil_none<P: AsRef<Path>>(_: P) -> Result<(), !> {
    100     Ok(())
    101 }
    102 /// Calls `unveil_none` on `/`.
    103 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
    104 pub fn veil_all() -> Result<(), UnveilErr> {
    105     unveil_none("/")
    106 }
    107 /// No-op that always returns `Ok`.
    108 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
    109 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
    110 pub const fn veil_all() -> Result<(), !> {
    111     Ok(())
    112 }
    113 /// Calls `unveil`_on `path` with `Permissions::CREATE`.
    114 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
    115 pub fn unveil_create<P: AsRef<Path>>(path: P) -> Result<(), UnveilErr> {
    116     Permissions::CREATE.unveil(path)
    117 }
    118 /// No-op that always returns `Ok`.
    119 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
    120 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
    121 pub fn unveil_create<P: AsRef<Path>>(_: P) -> Result<(), !> {
    122     Ok(())
    123 }
    124 /// Calls `unveil`_on `path` with `Permissions::READ` and returns
    125 /// `true` iff `path` exists.
    126 #[expect(
    127     clippy::wildcard_enum_match_arm,
    128     reason = "ErrorKind is non_exhaustive"
    129 )]
    130 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
    131 pub fn unveil_read_dir<P: AsRef<Path>>(path: P) -> Result<bool, UnveilErr> {
    132     Permissions::READ.unveil(path).map_or_else(
    133         |err| match err {
    134             UnveilErr::Io(ref err2) => match err2.kind() {
    135                 ErrorKind::NotFound => Ok(false),
    136                 _ => Err(err),
    137             },
    138             UnveilErr::Nul(_) => Err(err),
    139         },
    140         |()| Ok(true),
    141     )
    142 }
    143 /// Returns `true` iff `path` exists
    144 #[expect(
    145     clippy::wildcard_enum_match_arm,
    146     reason = "too many branches to write out manually"
    147 )]
    148 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
    149 pub fn unveil_read_dir<P: AsRef<Path>>(path: P) -> Result<bool, Error> {
    150     fs::metadata(path).map_or_else(
    151         |err| match err.kind() {
    152             ErrorKind::NotFound => Ok(false),
    153             _ => Err(err),
    154         },
    155         |dir| Ok(dir.is_dir()),
    156     )
    157 }
    158 /// Calls `unveil`_on `path` with `Permissions::READ`.
    159 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
    160 pub fn unveil_read_file<P: AsRef<Path>>(path: P) -> Result<(), UnveilErr> {
    161     Permissions::READ.unveil(path)
    162 }
    163 /// No-op that always returns `Ok`.
    164 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
    165 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
    166 pub fn unveil_read_file<P: AsRef<Path>>(_: P) -> Result<(), !> {
    167     Ok(())
    168 }
    169 /// Calls `unveil` on all files necessary for HTTP(S) with `Permissions::READ`
    170 /// in addition to setting the `SSL_CERT_FILE` variable to `/etc/ssl/cert.pem`.
    171 /// We rely on `SSL_CERT_FILE` as that allows one to `unveil(2)` only `/etc/ssl/cert.pem`
    172 /// instead of `/etc/ssl/`.
    173 #[expect(unsafe_code, reason = "safety comment justifies its correctness")]
    174 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
    175 pub fn unveil_https() -> Result<(), UnveilErr> {
    176     /// The path to the root certificate store.
    177     const CERTS: &str = "/etc/ssl/cert.pem";
    178     unveil_read_file(CERTS).map(|()| {
    179         // SAFETY:
    180         // `unveil_https` is only called in `super::main`
    181         // in a single-threaded context; thus this is OK.
    182         unsafe { env::set_var("SSL_CERT_FILE", CERTS) }
    183     })
    184 }
    185 /// No-op that always returns `Ok`.
    186 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
    187 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
    188 pub const fn unveil_https() -> Result<(), !> {
    189     Ok(())
    190 }
    191 /// Calls `unveil`_on `path` with create, read, and write `Permissions`.
    192 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
    193 pub fn unveil_create_read_write<P: AsRef<Path>>(path: P) -> Result<(), UnveilErr> {
    194     let mut perms = Permissions::ALL;
    195     perms.disable(Permission::Execute);
    196     perms.unveil(path)
    197 }
    198 /// No-op that always returns `Ok`.
    199 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
    200 #[expect(clippy::unnecessary_wraps, reason = "need to align with OpenBSD code")]
    201 pub fn unveil_create_read_write<P: AsRef<Path>>(_: P) -> Result<(), !> {
    202     Ok(())
    203 }