harden btcd on OpenBSD

Restrict the available set of system calls to the daemon to the basic network and filesystem operations on OpenBSD. Further reduce potential harm by limiting file system access to the btcd data dir and the rpc files.
bitnet-io · Apr 9, 2022 · 67aad53 · 67aad53
1 parent 796f174
commit 67aad53
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/btcd.go b/btcd.go
@@ -18,6 +18,7 @@ import (
 	"github.com/btcsuite/btcd/blockchain/indexers"
 	"github.com/btcsuite/btcd/database"
 	"github.com/btcsuite/btcd/limits"
+	"github.com/btcsuite/btcd/ossec"
 )
 
 const (
@@ -144,6 +145,16 @@ func btcdMain(serverChan chan<- *server) error {
 		return nil
 	}
 
+	// The config file is already created if it did not exist and the log
+	// file has already been opened by now so we only need to allow
+	// creating rpc cert and key files if they don't exist.
+	unveilx(cfg.RPCKey, "rwc")
+	unveilx(cfg.RPCCert, "rwc")
+	unveilx(cfg.DataDir, "rwc")
+
+	// drop unveil and tty
+	pledgex("stdio rpath wpath cpath flock dns inet")
+
 	// Create server and start it.
 	server, err := newServer(cfg.Listeners, cfg.AgentBlacklist,
 		cfg.AgentWhitelist, db, activeNetParams.Params, interrupt)
@@ -296,6 +307,26 @@ func loadBlockDB() (database.DB, error) {
 	return db, nil
 }
 
+func unveilx(path string, perms string) {
+	err := ossec.Unveil(path, perms)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "unveil failed: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func pledgex(promises string) {
+	err := ossec.PledgePromises(promises)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "pledge failed: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func init() {
+	pledgex("unveil stdio id rpath wpath cpath flock dns inet tty")
+}
+
 func main() {
 	// Block and transaction processing can cause bursty allocations.  This
 	// limits the garbage collector from excessively overallocating during

diff --git a/ossec/ossec.go b/ossec/ossec.go
@@ -0,0 +1,15 @@
+//go:build !openbsd
+
+package ossec
+
+func Unveil(path string, perms string) error {
+	return nil
+}
+
+func Pledge(promises, execpromises string) error {
+	return nil
+}
+
+func PledgePromises(promises string) error {
+	return nil
+}
diff --git a/ossec/ossec_openbsd.go b/ossec/ossec_openbsd.go
@@ -0,0 +1,17 @@
+package ossec
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+func Unveil(path string, perms string) error {
+	return unix.Unveil(path, perms)
+}
+
+func Pledge(promises, execpromises string) error {
+	return unix.Pledge(promises, execpromises)
+}
+
+func PledgePromises(promises string) error {
+	return unix.PledgePromises(promises)
+}