unix: add support for OpenBSD pledge

Pledge, the privilege-restricting syscall and mitigation mechanism, was missing from syscall_openbsd.go. As of the latest release, it is officially supported in "stable". More information about the call itself, and hence its importance, can be found at: http://www.openbsd.org/papers/hackfest2015-pledge/mgp00001.html Change-Id: I2fdac1968664668e7bea1175677efe6433e0125e Reviewed-on: https://go-review.googlesource.com/21815 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

unix: add support for OpenBSD pledge
Pledge, the privilege-restricting syscall and mitigation mechanism, was missing from syscall_openbsd.go. As of the latest release, it is officially supported in "stable". More information about the call itself, and hence its importance, can be found at: http://www.openbsd.org/papers/hackfest2015-pledge/mgp00001.html Change-Id: I2fdac1968664668e7bea1175677efe6433e0125e Reviewed-on: https://go-review.googlesource.com/21815 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8fd966b4 · Yestin · Brad Fitzpatrick · 99f16d85 · 8fd966b4 · 8fd966b4
Commit 8fd966b4 authored Apr 10, 2016 by Yestin Committed by Brad Fitzpatrick Mar 22, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 151 additions and 0 deletions

openbsd_pledge.go unix/openbsd_pledge.go +38 -0

openbsd_test.go unix/openbsd_test.go +113 -0

No files found.
--- a/unix/openbsd_pledge.go
+++ b/unix/openbsd_pledge.go
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build openbsd
+// +build 386 amd64 arm
+
+package unix
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+const (
+	SYS_PLEDGE = 108
+)
+
+// Pledge implements the pledge syscall. For more information see pledge(2).
+func Pledge(promises string, paths []string) error {
+	promisesPtr, err := syscall.BytePtrFromString(promises)
+	if err != nil {
+		return err
+	}
+	promisesUnsafe, pathsUnsafe := unsafe.Pointer(promisesPtr), unsafe.Pointer(nil)
+	if paths != nil {
+		var pathsPtr []*byte
+		if pathsPtr, err = syscall.SlicePtrFromStrings(paths); err != nil {
+			return err
+		}
+		pathsUnsafe = unsafe.Pointer(&pathsPtr[0])
+	}
+	_, _, e := syscall.Syscall(SYS_PLEDGE, uintptr(promisesUnsafe), uintptr(pathsUnsafe), 0)
+	if e != 0 {
+		return e
+	}
+	return nil
+}
--- a/unix/openbsd_test.go
+++ b/unix/openbsd_test.go
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build openbsd
+
+// This, on the face of it, bizarre testing mechanism is necessary because
+// the only reliable way to gauge whether or not a pledge(2) call has succeeded
+// is that the program has been killed as a result of breaking its pledge.
+
+package unix_test
+
+import (
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"golang.org/x/sys/unix"
+)
+
+type testProc struct {
+	fn      func()       // should always exit instead of returning
+	cleanup func() error // for instance, delete coredumps from testing pledge
+	success bool         // whether zero-exit means success or failure
+}
+
+var (
+	testProcs = map[string]testProc{}
+	procName  = ""
+)
+
+const (
+	optName = "sys-unix-internal-procname"
+)
+
+func init() {
+	flag.StringVar(&procName, optName, "", "internal use only")
+}
+
+// testCmd generates a proper command that, when executed, runs the test
+// corresponding to the given key.
+func testCmd(procName string) (*exec.Cmd, error) {
+	exe, err := filepath.Abs(os.Args[0])
+	if err != nil {
+		return nil, err
+	}
+	cmd := exec.Command(exe, "-"+optName+"="+procName)
+	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+	return cmd, nil
+}
+
+// ExitsCorrectly is a comprehensive, one-line-of-use wrapper for testing
+// a testProc with a key.
+func ExitsCorrectly(procName string, t *testing.T) {
+	s := testProcs[procName]
+	c, err := testCmd(procName)
+	defer func() {
+		if s.cleanup() != nil {
+			t.Fatalf("Failed to run cleanup for %s", procName)
+		}
+	}()
+	if err != nil {
+		t.Fatalf("Failed to construct command for %s", procName)
+	}
+	if (c.Run() == nil) != s.success {
+		result := "succeed"
+		if !s.success {
+			result = "fail"
+		}
+		t.Fatalf("Process did not %s when it was supposed to", result)
+	}
+}
+
+func TestMain(m *testing.M) {
+	flag.Parse()
+	if procName != "" {
+		testProcs[procName].fn()
+	}
+	os.Exit(m.Run())
+}
+
+// For example, add a test for pledge.
+func init() {
+	testProcs["pledge"] = testProc{
+		func() {
+			fmt.Println(unix.Pledge("", nil))
+			os.Exit(0)
+		},
+		func() error {
+			files, err := ioutil.ReadDir(".")
+			if err != nil {
+				return err
+			}
+			for _, file := range files {
+				if filepath.Ext(file.Name()) == ".core" {
+					if err := os.Remove(file.Name()); err != nil {
+						return err
+					}
+				}
+			}
+			return nil
+		},
+		false,
+	}
+}
+
+func TestPledge(t *testing.T) {
+	ExitsCorrectly("pledge", t)
+}