vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

priv_sep.rs (2939B)

      1 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
      2 use core::convert::Infallible;
      3 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
      4 pub use priv_sep::UnveilErr;
      5 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
      6 use priv_sep::{Permission, Permissions, Promise, Promises};
      7 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
      8 use std::io::Error;
      9 use std::path::Path;
     10 /// Used instead of `()` for the parameter
     11 /// in the `pledge` functions. This allows
     12 /// one to avoid having to disable certain lints.
     13 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     14 #[derive(Clone, Copy)]
     15 pub struct Zst;
     16 /// Calls `pledge` with only the sys calls necessary for a minimal application
     17 /// to run. Specifically, the `Promise`s `Cpath`, `Flock`, Inet`, `Rpath`, `Stdio`, `Unveil`, and `Wpath`
     18 /// are passed.
     19 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     20 #[inline]
     21 pub fn pledge_init() -> Result<Promises, Error> {
     22     let promises = Promises::new([
     23         Promise::Cpath,
     24         Promise::Flock,
     25         Promise::Inet,
     26         Promise::Rpath,
     27         Promise::Stdio,
     28         Promise::Unveil,
     29         Promise::Wpath,
     30     ]);
     31     match promises.pledge() {
     32         Ok(()) => Ok(promises),
     33         Err(e) => Err(e),
     34     }
     35 }
     36 /// No-op that always returns `Ok`.
     37 #[allow(clippy::unnecessary_wraps)]
     38 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     39 #[inline]
     40 pub const fn pledge_init() -> Result<Zst, Infallible> {
     41     Ok(Zst)
     42 }
     43 /// Removes `Promise::Unveil`.
     44 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     45 #[inline]
     46 pub fn pledge_away_unveil(promises: &mut Promises) -> Result<(), Error> {
     47     promises.remove_then_pledge(Promise::Unveil)
     48 }
     49 /// No-op that always returns `Ok`.
     50 #[allow(clippy::unnecessary_wraps)]
     51 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     52 #[inline]
     53 pub fn pledge_away_unveil(_: &mut Zst) -> Result<(), Infallible> {
     54     Ok(())
     55 }
     56 /// Calls `unveil` on `path` with `Permissions::READ`.
     57 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     58 #[inline]
     59 pub fn unveil_read<P: AsRef<Path>>(path: P) -> Result<(), UnveilErr> {
     60     Permissions::READ.unveil(path)
     61 }
     62 /// No-op that always returns `Ok`.
     63 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     64 #[allow(clippy::unnecessary_wraps)]
     65 #[inline]
     66 pub fn unveil_read<P: AsRef<Path>>(_: P) -> Result<(), Infallible> {
     67     Ok(())
     68 }
     69 /// Calls `unveil` on `path` with create, read, and write `Permissions`.
     70 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
     71 #[inline]
     72 pub fn unveil_create_read_write<P: AsRef<Path>>(path: P) -> Result<(), UnveilErr> {
     73     let mut perms = Permissions::ALL;
     74     perms.disable(Permission::Execute);
     75     perms.unveil(path)
     76 }
     77 /// No-op that always returns `Ok`.
     78 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
     79 #[allow(clippy::unnecessary_wraps)]
     80 #[inline]
     81 pub fn unveil_create_read_write<P: AsRef<Path>>(_: P) -> Result<(), Infallible> {
     82     Ok(())
     83 }