├── CMakeLists.txt
├── COPYING
├── README.md
├── config.h.in
├── example
    ├── openbsd-example.lua
    ├── unveil.lua
    └── userokay.lua
└── src
    └── lua-openbsd.c


/CMakeLists.txt:
--------------------------------------------------------------------------------
 1 | CMAKE_MINIMUM_REQUIRED(VERSION 3.2)
 2 | PROJECT(lua-openbsd)
 3 | 
 4 | FIND_PACKAGE(PkgConfig)
 5 | INCLUDE(CheckFunctionExists)
 6 | 
 7 | SET(MODLUA_VERSION "5.1" CACHE STRING "MODLUA_VERSION from ports tree.")
 8 | STRING(REPLACE "." "" LUA_PKGCONFIG_VERSION ${MODLUA_VERSION})
 9 | 
10 | PKG_CHECK_MODULES(LUA REQUIRED "lua${LUA_PKGCONFIG_VERSION}")
11 | 
12 | ADD_DEFINITIONS("-Wall -Werror")
13 | 
14 | CHECK_FUNCTION_EXISTS("pledge" HAVE_PLEDGE)
15 | CHECK_FUNCTION_EXISTS("arc4random" HAVE_ARC4RANDOM)
16 | CHECK_FUNCTION_EXISTS("arc4random_uniform" HAVE_ARC4RANDOM_UNIFORM)
17 | CHECK_FUNCTION_EXISTS("unveil" HAVE_UNVEIL)
18 | CHECK_FUNCTION_EXISTS("auth_userokay" HAVE_AUTH_USEROKAY)
19 | CONFIGURE_FILE("${CMAKE_SOURCE_DIR}/config.h.in"
20 |   "${CMAKE_BINARY_DIR}/config.h")
21 | 
22 | 
23 | SET(SOURCES "src/lua-openbsd.c")
24 | SET(HEADERS "${CMAKE_BINARY_DIR}/config.h")
25 | 
26 | INCLUDE_DIRECTORIES(${CMAKE_BINARY_DIR}
27 |   ${LUA_INCLUDE_DIRS})
28 | 
29 | SET(TARGET "openbsd")
30 | 
31 | ADD_LIBRARY(${TARGET} SHARED ${SOURCES} ${HEADERS})
32 | SET_TARGET_PROPERTIES(${TARGET} PROPERTIES PREFIX "")
33 | TARGET_LINK_LIBRARIES(${TARGET} ${LUA_LIBRARIES} ${LUA_LDFLAGS})
34 | 
35 | INSTALL(TARGETS ${TARGET}
36 |   DESTINATION /usr/local/lib/lua/${MODLUA_VERSION}/)
37 | 


--------------------------------------------------------------------------------
/COPYING:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2016 Florian Stinglmayr <fstinglmayr@gmail.com>
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining
 4 | a copy of this software and associated documentation files (the
 5 | "Software"), to deal in the Software without restriction, including
 6 | without limitation the rights to use, copy, modify, merge, publish,
 7 | distribute, sublicense, and/or sell copies of the Software, and to
 8 | permit persons to whom the Software is furnished to do so, subject to
 9 | the following conditions:
10 | 
11 | The above copyright notice and this permission notice shall be
12 | included in all copies or substantial portions of the Software.
13 | 
14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # OpenBSD Lua Library
 2 | 
 3 | Implements:
 4 | 
 5 | * pledge()
 6 | * arc4random()
 7 | * arc4random_uniform()
 8 | * unveil()
 9 | * auth_userokay()
10 | 
11 | Works and has been tested on Lua 5.1, 5.2, 5.3 and 5.4.
12 | 
13 | Note that pledge() pre 6.3 takes an optional set of paths as the second
14 | argument.
15 | 
16 | ```lua
17 | -- OK
18 | o.pledge('rpath stdio')
19 | -- Error
20 | o.pledge('rpath stdio', 'stdio')
21 | ```
22 | 
23 | ## Build
24 | 
25 | Don't forget to set the `MODLUA_VERSION` variable to the Lua version you are
26 | using.
27 | 
28 | ```
29 | $ mkdir build && cd build
30 | $ cmake .. -DMODLUA_VERSION=5.4
31 | $ make
32 | $ make install
33 | ```
34 | 
35 | ## Usage
36 | 
37 | ```lua
38 | #!/usr/bin/env lua51
39 | 
40 | o = require('openbsd')
41 | ret, error_string = o.pledge('rpath stdio')
42 | if ret == -1 then
43 |    error(error_string)
44 | end
45 | ```
46 | 
47 | Or:
48 | 
49 | ```
50 | #!/usr/bin/env lua54
51 | 
52 | o = require('openbsd')
53 | 
54 | for i = 1, 10 do
55 |     print(o.arc4random_uniform(20))
56 | end
57 | ```
58 | 
59 | ## Author
60 | 
61 | Written by Florian Stinglmayr <fstinglmayr@gmail.com>
62 | Copyright (c) 2016, All Rights Reserved
63 | 


--------------------------------------------------------------------------------
/config.h.in:
--------------------------------------------------------------------------------
 1 | #ifndef LUA_PLEDGE_CONFIG_H
 2 | #define LUA_PLEDGE_CONFIG_H
 3 | 
 4 | /* Do we have the pledge() system call?
 5 |  */
 6 | #cmakedefine HAVE_PLEDGE
 7 | 
 8 | /* Do we have arc4random()?
 9 |  */
10 | #cmakedefine HAVE_ARC4RANDOM
11 | 
12 | /* Do we have arc4random_uniform()?
13 |  */
14 | #cmakedefine HAVE_ARC4RANDOM_UNIFORM
15 | 
16 | /* Do we have unveil()?
17 |  */
18 | #cmakedefine HAVE_UNVEIL
19 | 
20 | /* Do we have auth_userokay()?
21 |  */
22 | #cmakedefine HAVE_AUTH_USEROKAY
23 | 
24 | #endif
25 | 


--------------------------------------------------------------------------------
/example/openbsd-example.lua:
--------------------------------------------------------------------------------
 1 | o = require("openbsd")
 2 | 
 3 | -- Test out unveil
 4 | ret, errstr = o.unveil(".", "rwx")
 5 | print("unveil:", ret, errstr)
 6 | 
 7 | -- Same as pledge("rpath", NULL)
 8 | ret, s = o.pledge("rpath stdio")
 9 | print("pledge:", ret, s)
10 | 
11 | -- Same as pledge("rpath stdio wpath", "rpath stdio")
12 | ret, s = o.pledge("rpath stdio wpath", "rpath stdio")
13 | print("pledge:", ret, s)
14 | 
15 | print(o.arc4random())
16 | 
17 | for i = 1, 10 do
18 |    print(o.arc4random_uniform(10))
19 | end
20 | 


--------------------------------------------------------------------------------
/example/unveil.lua:
--------------------------------------------------------------------------------
 1 | o = require("openbsd")
 2 | 
 3 | print("adding /tmp ...")
 4 | print(o.unveil("/tmp", "rw"))
 5 | print("adding /var/cache ...")
 6 | print(o.unveil("/var/cache", "r"))
 7 | 
 8 | -- Remove further calls to unveil
 9 | print("disabling further calls to unveil ...")
10 | print(o.unveil(nil, nil))
11 | 
12 | -- Check if it worked
13 | print("adding /etc (should fail) ...")
14 | print(o.unveil("/etc", "rwx"))
15 | 
16 | print("testing arg check (should fail) ...")
17 | status, err = pcall(o.unveil, false, 1.0)
18 | print(status, err)
19 | 


--------------------------------------------------------------------------------
/example/userokay.lua:
--------------------------------------------------------------------------------
1 | o = require("openbsd")
2 | 
3 | -- lua userokay.lua <user> <style>
4 | print(o.auth_userokay(arg[1], arg[2], "", io.read()))
5 | 


--------------------------------------------------------------------------------
/src/lua-openbsd.c:
--------------------------------------------------------------------------------
  1 | #include <stdlib.h>
  2 | #include <unistd.h>
  3 | #include <string.h>
  4 | #include <errno.h>
  5 | #include <limits.h>
  6 | 
  7 | #include <bsd_auth.h>
  8 | 
  9 | #include <lua.h>
 10 | #include <lauxlib.h>
 11 | #include <lualib.h>
 12 | 
 13 | #include <config.h>
 14 | 
 15 | 
 16 | static void lo_die(lua_State *L, char const *e)
 17 | {
 18 |     lua_pushstring(L, e);
 19 |     lua_error(L);
 20 | }
 21 | 
 22 | int lua_pledge(lua_State *L)
 23 | {
 24 |     char const *farg = NULL;
 25 |     char const *earg = NULL;
 26 |     int ret = 0;
 27 |     int top = 0;
 28 | 
 29 | #ifndef HAVE_PLEDGE
 30 |     lo_die(L, "pledge: not supported");
 31 | #endif
 32 | 
 33 |     top = lua_gettop(L);
 34 | 
 35 |     luaL_argcheck(L, lua_isstring(L, 1), 1,
 36 |                   "pledge: first argument must be string");
 37 |     if (top == 2) {
 38 |         luaL_argcheck(L, lua_isstring(L, 2), 1,
 39 |                       "pledge: second argument must be string");
 40 |     } else if (top > 2) {
 41 |         lo_die(L, "pledge: too many arguments");
 42 |     }
 43 | 
 44 |     farg = lua_tostring(L, 1);
 45 |     earg = lua_tostring(L, 2);
 46 | 
 47 |     ret = pledge(farg, earg);
 48 | 
 49 |     lua_pushnumber(L, ret);
 50 |     if (ret == -1) {
 51 |         lua_pushstring(L, strerror(errno));
 52 |         return 2;
 53 |     }
 54 | 
 55 |     return 1;
 56 | }
 57 | 
 58 | int lua_arc4random(lua_State *L)
 59 | {
 60 | #ifndef HAVE_ARC4RANDOM
 61 |     lo_die(L, "arc4random: not supported");
 62 | #endif
 63 | 
 64 |     lua_pushnumber(L, arc4random());
 65 |     return 1;
 66 | }
 67 | 
 68 | int lua_arc4random_uniform(lua_State *L)
 69 | {
 70 |     uint32_t up = 0;
 71 | 
 72 | #ifndef HAVE_ARC4RANDOM_UNIFORM
 73 |     lo_die(L, "arc4random_uniform: not supported");
 74 | #endif
 75 | 
 76 |     luaL_argcheck(L, lua_isnumber(L, 1), 1,
 77 |                   "pledge: first argument must be string");
 78 | 
 79 |     up = lua_tonumber(L, 1);
 80 |     lua_pushnumber(L, arc4random_uniform(up));
 81 | 
 82 |     return 1;
 83 | }
 84 | 
 85 | int lua_unveil(lua_State *L)
 86 | {
 87 |     char const *path = NULL, *mode = NULL;
 88 |     int ret = 0;
 89 | 
 90 | #ifndef HAVE_UNVEIL
 91 |     lo_die(L, "unveil: not supported");
 92 | #endif
 93 | 
 94 |     if (!lua_isnoneornil(L, 1)) {
 95 |         luaL_argcheck(L, lua_isstring(L, 1), 1,
 96 |                       "unveil: first argument must be string");
 97 |         path = lua_tostring(L, 1);
 98 |     }
 99 | 
100 |     if (!lua_isnoneornil(L, 2)) {
101 |         luaL_argcheck(L, lua_isstring(L, 2), 2,
102 |                   "unveil: second argument must be string");
103 |         mode = lua_tostring(L, 2);
104 |     }
105 | 
106 |     ret = unveil(path, mode);
107 |     lua_pushnumber(L, ret);
108 | 
109 |     if (ret == -1) {
110 |         lua_pushstring(L, strerror(errno));
111 |         return 2;
112 |     }
113 | 
114 |     return 1;
115 | }
116 | 
117 | char* check_string_or_nil(lua_State *L, int index, char* buf, size_t bufsize)
118 | {
119 |     if (lua_isnoneornil(L, index)) return NULL;
120 |     strlcpy(buf, luaL_checkstring(L, index), bufsize);
121 |     return buf;
122 | }
123 | 
124 | int lua_auth_userokay(lua_State *L)
125 | {
126 |     size_t NAMELEN = LOGIN_NAME_MAX + 1 + NAME_MAX + 1;
127 |     size_t TYPELEN = 128;
128 |     size_t PASSLEN = 2048;
129 | 
130 |     char usernamebuf[NAMELEN];
131 |     char stylebuf[TYPELEN];
132 |     char typebuf[TYPELEN];
133 |     char passwordbuf[PASSLEN];
134 | 
135 |     char *username = check_string_or_nil(L, 1, usernamebuf, NAMELEN);
136 |     char *style = check_string_or_nil(L, 2, stylebuf, TYPELEN);
137 |     char *type = check_string_or_nil(L, 3, typebuf, TYPELEN);
138 |     char *password = check_string_or_nil(L, 4, passwordbuf, PASSLEN);
139 | 
140 | #ifndef HAVE_AUTH_USEROKAY
141 |     lo_die(L, "auth_userokay: not supported");
142 | #endif
143 | 
144 |     lua_pushboolean(L, auth_userokay(username, style, type, password));
145 |     return 1;
146 | }
147 | 
148 | #if !defined LUA_VERSION_NUM || LUA_VERSION_NUM==501
149 | /* Adapted from Lua 5.2.0
150 |  */
151 | static void luaL_setfuncs (lua_State *L, const luaL_Reg *l, int nup) {
152 |     luaL_checkstack(L, nup+1, "too many upvalues");
153 |     for (; l->name != NULL; l++) {  /* fill the table with given functions */
154 |         int i;
155 |         lua_pushstring(L, l->name);
156 |         for (i = 0; i < nup; i++) {  /* copy upvalues to the top */
157 |             lua_pushvalue(L, -(nup+1));
158 |         }
159 |         lua_pushcclosure(L, l->func, nup);  /* closure with those upvalues */
160 |         lua_settable(L, -(nup + 3));
161 |     }
162 |     lua_pop(L, nup);  /* remove upvalues */
163 | }
164 | #endif
165 | 
166 | static const struct luaL_Reg l_pledge[] = {
167 |     { "pledge", lua_pledge },
168 |     { "arc4random", lua_arc4random },
169 |     { "arc4random_uniform", lua_arc4random_uniform },
170 |     { "unveil", lua_unveil },
171 |     { "auth_userokay", lua_auth_userokay },
172 |     { NULL, NULL },
173 | };
174 | 
175 | int luaopen_openbsd(lua_State *L)
176 | {
177 |     lua_newtable(L);
178 |     luaL_setfuncs(L, l_pledge, 0);
179 | 
180 |     return 1;
181 | }
182 | 


--------------------------------------------------------------------------------