From 5e8405671536f5cf37c85112846c83c13af4fe33 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 2 Sep 2024 20:39:18 +0000
Subject: [PATCH] bunpen: make --bunpen-caps all behave as shorthand for literally specifying every capability
---
 pkgs/additional/bunpen/config/translate_opts.ha | 9 +++++----
 pkgs/additional/bunpen/main.ha | 11 ++++-------
 pkgs/additional/bunpen/restrict/resources.ha | 1 -
 3 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/pkgs/additional/bunpen/config/translate_opts.ha b/pkgs/additional/bunpen/config/translate_opts.ha
index c96dba2fd..e7adaf689 100644
--- a/pkgs/additional/bunpen/config/translate_opts.ha
+++ b/pkgs/additional/bunpen/config/translate_opts.ha
@@ -50,13 +50,14 @@ export fn ingest_cli_opts(opts: cli_opts) (cli_request | help) = {
 return help;
 };
+ //---- ingest `caps` ----//
+ req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);
+
 //---- ingest `home_paths` ----//
 ingest_paths(&req.resources.paths, opts.home_paths, os::getenv("HOME"));
 //---- ingest `keep_all_caps` ----//
- req.resources.all_caps = opts.keep_all_caps;
-
- //---- ingest `caps` ----//
- req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);
+ if (opts.keep_all_caps)
+ req.resources.caps = rt::ext::CAPS_ALL;
 //---- ingest `keep_net` ----//
 req.resources.net = opts.keep_net;
diff --git a/pkgs/additional/bunpen/main.ha b/pkgs/additional/bunpen/main.ha
index 3de82c54b..83b9a7810 100644
--- a/pkgs/additional/bunpen/main.ha
+++ b/pkgs/additional/bunpen/main.ha
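Review bot: The `if (opts.keep_all_caps)` branch on the new side overwrites whatever `cap_array_to_caps(opts.keep_caps)` produced a few lines earlier, so an explicit list combined with `all` is silently discarded — that is the intended superset, but nothing says so, and the header `//---- ingest `keep_all_caps` ----//` now sits over code that no longer touches a field of that name. I would state the rule where the override happens: `// "all" is a superset of any explicit list, so it simply replaces req.resources.caps.` Separately, `rt::ext::CAPS_ALL` is presumably a mask fixed when bunpen was built; if the running kernel knows capabilities beyond that mask, `capability_restrict` (not in this hunk) would drop them even though the user asked for everything, so it is worth confirming how that function treats a full mask versus "leave the bounding set alone". `ingest_cli_opts` begins and ends outside the hunk.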
@@ -47,14 +47,11 @@ export fn main() void = {
 case let other: config::cli_request => yield other;
 };
- restrict::namespace_restrict(&req.resources);
- if (req.resources.all_caps) {
- // TODO: this probably isn't what i want? i think this actually results in having no caps
- log::printfln("not restricting capabilities");
- } else {
- restrict::capability_restrict(&req.resources);
- };
+ // set no_new_privs early. this is a flag which prevents us from gaining privs
+ // via SUID/SGID executables, which we never intend to do.
 errors::ext::check("no_new_privs", rt::ext::no_new_privs());
+ restrict::namespace_restrict(&req.resources);
+ restrict::capability_restrict(&req.resources);
 // XXX: landlock prevents other sandboxers like `bwrap` from executing,
 // because it forbids all future `mount` syscalls. so don't landlock.
 // restrict::landlock_restrict(&req.resources);
diff --git a/pkgs/additional/bunpen/restrict/resources.ha b/pkgs/additional/bunpen/restrict/resources.ha
index d929b0ed4..33311fe16 100644
--- a/pkgs/additional/bunpen/restrict/resources.ha
+++ b/pkgs/additional/bunpen/restrict/resources.ha
@@ -6,7 +6,6 @@ export type resources = struct {
 // paths to allow unrestricted access to (i.e. with whatever permissions the
 // user has naturally.
 paths: []path::buffer,
- all_caps: bool,
 caps: rt::ext::caps,
 // true to allow unrestricted net access.
 // false to maximally disable net access.
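Review bot: `restrict::capability_restrict(&req.resources)` is now reached unconditionally, including when `req.resources.caps` holds `CAPS_ALL`, and the removed TODO recorded that the old unrestricted path "actually results in having no caps"; nothing in the hunk shows the new path does better, so the `all` case should be checked empirically (e.g. `capsh --print` or the `CapBnd`/`CapEff` lines of `/proc/self/status` inside the sandbox) before relying on it, because the failure mode — fewer privileges than requested, no error — is quiet. The ordering of the three calls is also load-bearing and deserves a comment: `no_new_privs` is inherited and cannot be cleared, and if `namespace_restrict` needs capabilities that `capability_restrict` drops it must run first — I cannot see either function from here, so phrase it as the invariant, `// order matters: no_new_privs first (sticky, inherited); namespaces before caps are dropped.` Only the `no_new_privs` result goes through `errors::ext::check`; if the two restrict calls signal failure by return value rather than aborting, that signal is discarded on these lines. `main` continues outside the hunk.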