Loading security/sandbox_linux.go +27 −0 Original line number Diff line number Diff line Loading @@ -38,6 +38,29 @@ func InitSandbox() error { } } // Collect CA certificate bundles/dirs that may or may not exist. // Locations vary by distro (Debian/Ubuntu, RHEL, Alpine, etc.). potentialCAFiles := []string{ "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu "/etc/pki/tls/certs/ca-bundle.crt", // RHEL/Fedora/CentOS "/etc/ssl/ca-bundle.pem", // OpenSUSE "/etc/ssl/cert.pem", // Alpine } potentialCADirs := []string{ "/etc/ssl/certs", // most distros also have individual certs here } var caFiles, caDirs []string for _, f := range potentialCAFiles { if _, err := os.Stat(f); err == nil { caFiles = append(caFiles, f) } } for _, d := range potentialCADirs { if _, err := os.Stat(d); err == nil { caDirs = append(caDirs, d) } } err := landlock.V5.BestEffort().Restrict( // BULLETIN data directory (DB, WAL, SHM files). landlock.RWDirs(bulldir), Loading @@ -58,7 +81,11 @@ func InitSandbox() error { // Allow outbound HTTPS for SSH FETCH from forges. landlock.ConnectTCP(443), landlock.ConnectTCP(53), // DNS resolution: nameserver config and local host table. landlock.ROFiles("/etc/resolv.conf", "/etc/hosts"), // TLS: CA certificate bundles and directory for HTTPS verification. landlock.ROFiles(caFiles...), landlock.RODirs(caDirs...), ) if err != nil { return fmt.Errorf("failed to apply landlock sandbox: %w", err) Loading security/sandbox_openbsd.go +3 −1 Original line number Diff line number Diff line Loading @@ -45,9 +45,11 @@ func InitSandbox() error { {"/dev/tty", "rw"}, // Terminfo databases for tcell/readline. {"/usr/share/terminfo", "r"}, // Needed for ssh fetch. // DNS resolution: nameserver config and local host table. {"/etc/resolv.conf", "r"}, {"/etc/hosts", "r"}, // TLS: CA certificate bundle for HTTPS verification. {"/etc/ssl/cert.pem", "r"}, } for _, u := range unveils { Loading Loading
security/sandbox_linux.go +27 −0 Original line number Diff line number Diff line Loading @@ -38,6 +38,29 @@ func InitSandbox() error { } } // Collect CA certificate bundles/dirs that may or may not exist. // Locations vary by distro (Debian/Ubuntu, RHEL, Alpine, etc.). potentialCAFiles := []string{ "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu "/etc/pki/tls/certs/ca-bundle.crt", // RHEL/Fedora/CentOS "/etc/ssl/ca-bundle.pem", // OpenSUSE "/etc/ssl/cert.pem", // Alpine } potentialCADirs := []string{ "/etc/ssl/certs", // most distros also have individual certs here } var caFiles, caDirs []string for _, f := range potentialCAFiles { if _, err := os.Stat(f); err == nil { caFiles = append(caFiles, f) } } for _, d := range potentialCADirs { if _, err := os.Stat(d); err == nil { caDirs = append(caDirs, d) } } err := landlock.V5.BestEffort().Restrict( // BULLETIN data directory (DB, WAL, SHM files). landlock.RWDirs(bulldir), Loading @@ -58,7 +81,11 @@ func InitSandbox() error { // Allow outbound HTTPS for SSH FETCH from forges. landlock.ConnectTCP(443), landlock.ConnectTCP(53), // DNS resolution: nameserver config and local host table. landlock.ROFiles("/etc/resolv.conf", "/etc/hosts"), // TLS: CA certificate bundles and directory for HTTPS verification. landlock.ROFiles(caFiles...), landlock.RODirs(caDirs...), ) if err != nil { return fmt.Errorf("failed to apply landlock sandbox: %w", err) Loading
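Review bot: The allow-list in `potentialCAFiles` covers only fixed distro paths, but Go's crypto/x509 loads system roots lazily on the first TLS handshake — i.e. after `Restrict` — and also honors `SSL_CERT_FILE`/`SSL_CERT_DIR`, so a user relying on those overrides, or on RHEL/Fedora's `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, will later see an opaque `x509: certificate signed by unknown authority` instead of a sandbox error. Fold the environment overrides and the ca-trust path into the candidate lists, and when both `caFiles` and `caDirs` come out empty, log a warning (or fail) here, where the cause is still obvious. As far as I recall Landlock checks the resolved target's hierarchy, and on Debian-derived systems `/etc/ssl/certs` is mostly symlinks into `/usr/share/ca-certificates`, so `RODirs(caDirs...)` does not actually make those individual certs readable — apparently harmless because the bundle file is read first, but worth a comment so nobody relies on the directory rule alone. The two identical `os.Stat` loops could share a small `existingPaths` helper. `InitSandbox` begins before and ends after the shown hunks.
```go
	// Go's crypto/x509 resolves system roots lazily (after Restrict), so every
	// location it may read must be allowed here; it also honors
	// SSL_CERT_FILE / SSL_CERT_DIR, which users on unusual distros rely on.
	potentialCAFiles := []string{
		"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu
		"/etc/pki/tls/certs/ca-bundle.crt",                  // RHEL/Fedora/CentOS
		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // RHEL/Fedora ca-trust
		"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
		"/etc/ssl/cert.pem",                                 // Alpine
	}
	if f := os.Getenv("SSL_CERT_FILE"); f != "" {
		potentialCAFiles = append(potentialCAFiles, f)
	}
	potentialCADirs := []string{
		"/etc/ssl/certs", // most distros also have individual certs here
	}
	if d := os.Getenv("SSL_CERT_DIR"); d != "" {
		potentialCADirs = append(potentialCADirs, strings.Split(d, ":")...)
	}
	// … unchanged: os.Stat loops building caFiles / caDirs …
	if len(caFiles) == 0 && len(caDirs) == 0 {
		// Not fatal here, but every HTTPS fetch will fail verification later
		// with an opaque x509 error; surface the real cause up front.
		return fmt.Errorf("landlock sandbox: no CA certificate bundle found (set SSL_CERT_FILE)")
	}
```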
security/sandbox_openbsd.go +3 −1 Original line number Diff line number Diff line Loading @@ -45,9 +45,11 @@ func InitSandbox() error { {"/dev/tty", "rw"}, // Terminfo databases for tcell/readline. {"/usr/share/terminfo", "r"}, // Needed for ssh fetch. // DNS resolution: nameserver config and local host table. {"/etc/resolv.conf", "r"}, {"/etc/hosts", "r"}, // TLS: CA certificate bundle for HTTPS verification. {"/etc/ssl/cert.pem", "r"}, } for _, u := range unveils { Loading
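Review bot: The new unveil entry hardcodes `/etc/ssl/cert.pem`, which is the right default for OpenBSD's LibreSSL bundle, but Go's crypto/x509 also honors `SSL_CERT_FILE` (and `SSL_CERT_DIR`) and loads roots lazily after `unveil` has taken effect, so a user who points `SSL_CERT_FILE` at a custom bundle will get an opaque x509 verification failure rather than a sandbox error. Mirror the Linux side and append an `{f, "r"}` entry when `os.Getenv("SSL_CERT_FILE")` is non-empty before the `for _, u := range unveils` loop. The replaced `// Needed for ssh fetch.` comment was the only statement of why these files are unveiled at all; consider keeping that purpose, e.g. `// DNS resolution for ssh/https fetch: nameserver config and local host table.`, so the entries are not pruned later as unrelated. `InitSandbox` begins before and ends after the shown hunk.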