authorJonathon Reinhart <Jonathon.Reinhart@gmail.com>2019-01-04 16:55:20 +0300
committerJonathon Reinhart <Jonathon.Reinhart@gmail.com>2020-06-30 03:31:45 +0300
commite38a8c567799ca64ad0816b52c3bde35a896d146 (patch)
tree82ca5526e6696f1f97b8b2ae95ff04d0fdda5273 /daemon.go
parent0cdbc9fadb609c426b87a58796a14a5dd4f0e7dc (diff)
Copy certificates from SSL_CERT_DIR into jail
Refactor out jailDaemonCerts() from jailDaemon()
Diffstat (limited to 'daemon.go')
-rw-r--r--daemon.go79
1 files changed, 68 insertions, 11 deletions
diff --git a/daemon.go b/daemon.go
index 9142642c..f97e1c6d 100644
--- a/daemon.go
+++ b/daemon.go
@@ -4,6 +4,7 @@ import (
"crypto/rand"
"encoding/json"
"fmt"
+ "io/ioutil"
"os"
"os/exec"
"os/signal"
@@ -137,6 +138,69 @@ func chrootDaemon(cmd *exec.Cmd) (*jail.Jail, error) {
return chroot, nil
}
+func jailCopyCertDir(cage *jail.Jail, sslCertDir, jailCertsDir string) error {
+ log.WithFields(log.Fields{
+ "ssl-cert-dir": sslCertDir,
+ }).Debug("Copying certs from SSL_CERT_DIR")
+
+ entries, err := ioutil.ReadDir(sslCertDir)
+ if err != nil {
+ return fmt.Errorf("failed to read SSL_CERT_DIR: %+v", err)
+ }
+
+ for _, fi := range entries {
+ // Copy only regular files and symlinks
+ mode := fi.Mode()
+ if !(mode.IsRegular() || mode&os.ModeSymlink != 0) {
+ continue
+ }
+
+ err = cage.CopyTo(jailCertsDir+"/"+fi.Name(), sslCertDir+"/"+fi.Name())
+ if err != nil {
+ log.WithError(err).Errorf("failed to copy cert: %q", fi.Name())
+ // Go on and try to copy other files. We don't want the whole
+ // startup process to fail due to a single failure here.
+ }
+ }
+
+ return nil
+}
+
+func jailDaemonCerts(cmd *exec.Cmd, cage *jail.Jail) error {
+ sslCertFile := os.Getenv("SSL_CERT_FILE")
+ sslCertDir := os.Getenv("SSL_CERT_DIR")
+ if sslCertFile == "" && sslCertDir == "" {
+ log.Warn("Neither SSL_CERT_FILE nor SSL_CERT_DIR environment variable is set. HTTPS requests will fail.")
+ return nil
+ }
+
+ // This assumes cage.MkDir("/etc") has already been called
+ cage.MkDir("/etc/ssl", 0755)
+
+ // Copy SSL_CERT_FILE inside the jail
+ if sslCertFile != "" {
+ jailCertsFile := "/etc/ssl/ca-bundle.pem"
+ err := cage.CopyTo(jailCertsFile, sslCertFile)
+ if err != nil {
+ return fmt.Errorf("failed to copy SSL_CERT_FILE: %+v", err)
+ }
+ cmd.Env = append(os.Environ(), "SSL_CERT_FILE="+jailCertsFile)
+ }
+
+ // Copy all files and symlinks from SSL_CERT_DIR into the jail
+ if sslCertDir != "" {
+ jailCertsDir := "/etc/ssl/certs"
+ cage.MkDir(jailCertsDir, 0755)
+ err := jailCopyCertDir(cage, sslCertDir, jailCertsDir)
+ if err != nil {
+ return err
+ }
+ cmd.Env = append(os.Environ(), "SSL_CERT_DIR="+jailCertsDir)
+ }
+
+ return nil
+}
+
func jailDaemon(cmd *exec.Cmd) (*jail.Jail, error) {
cage := jail.CreateTimestamped("gitlab-pages", 0755)
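Review bot: When both SSL_CERT_FILE and SSL_CERT_DIR are set, the assignment `cmd.Env = append(os.Environ(), "SSL_CERT_DIR="+jailCertsDir)` in jailDaemonCerts replaces the slice built a few lines earlier, so the `SSL_CERT_FILE=/etc/ssl/ca-bundle.pem` override is discarded and the jailed process inherits the host's SSL_CERT_FILE path, which does not exist inside the jail; building the environment once and assigning it at the end, as in the excerpt below, keeps both overrides. The return values of `cage.MkDir("/etc/ssl", 0755)` and `cage.MkDir(jailCertsDir, 0755)` are dropped; if MkDir reports failures (its signature is outside the hunk), a failed mkdir would only surface later as a less specific CopyTo error, so checking it here gives a clearer startup message. In jailCopyCertDir, `jailCertsDir+"/"+fi.Name()` works for the fixed jail layout but `filepath.Join` is the idiomatic form, and whether a ModeSymlink entry is copied as a link or as its target's content depends on CopyTo, which is not shown — in the former case a link pointing outside sslCertDir would dangle inside the jail, which is worth a comment next to the mode check.
```go
func jailDaemonCerts(cmd *exec.Cmd, cage *jail.Jail) error {
	// … unchanged: SSL_CERT_FILE / SSL_CERT_DIR lookup and early return …
	env := os.Environ()

	// … unchanged: cage.MkDir("/etc/ssl", 0755) …

	if sslCertFile != "" {
		// … unchanged: CopyTo of SSL_CERT_FILE into jailCertsFile …
		env = append(env, "SSL_CERT_FILE="+jailCertsFile)
	}

	if sslCertDir != "" {
		// … unchanged: MkDir and jailCopyCertDir …
		env = append(env, "SSL_CERT_DIR="+jailCertsDir)
	}

	cmd.Env = env
	return nil
}
```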
@@ -169,17 +233,10 @@ func jailDaemon(cmd *exec.Cmd) (*jail.Jail, error) {
return nil, err
}
- // Copy SSL_CERT_FILE inside the jail
- sslCertFile := os.Getenv("SSL_CERT_FILE")
- if sslCertFile != "" {
- cage.MkDir("/etc/ssl", 0755)
- err = cage.CopyTo("/etc/ssl/ca-bundle.pem", sslCertFile)
- if err != nil {
- return nil, err
- }
- cmd.Env = append(os.Environ(), "SSL_CERT_FILE=/etc/ssl/ca-bundle.pem")
- } else {
- log.Print("Missing SSL_CERT_FILE environment variable. HTTPS requests will fail")
+ // Add certificates inside the jail
+ err = jailDaemonCerts(cmd, cage)
+ if err != nil {
+ return nil, err
}
// Bind mount shared folder