geminid

A Sandboxed Gemini server
git clone git@git.mpah.dev/geminid.git
Log | Files | Refs | README

main.ml (1730B)

      1 open Daemonize
      2 open Ogemini
      3 open Config
      4 open Landlock_ocaml.Landlock
      5 open Seccomp
      6 
      7 module Flag = struct
      8   let usage = "geminid [OPTION]"
      9   let foreground = ref false
     10   let config_file = ref ""
     11 
     12   let speclist =
     13     [ "-f", Arg.Set foreground, "Run geminid in foreground mode"
     14     ; "-c", Arg.Set_string config_file, "Specify a non-default path for config file"
     15     ]
     16 end
     17 
     18 module Conf = struct
     19   let default_config_file = "/etc/geminid.conf"
     20   let config_exists filename = Unix.access filename [ Unix.F_OK; Unix.R_OK; Unix.W_OK ]
     21 end
     22 
     23 let () =
     24   Arg.parse Flag.speclist (fun _ -> ()) Flag.usage;
     25 
     26   let config_path =
     27   (match !Flag.config_file with
     28   | "" -> Conf.default_config_file
     29   | _  -> !Flag.config_file) in
     30 
     31   (* Parse config file *)
     32   parse config_path;
     33 
     34   if not (Sys.file_exists config.logfile) then ignore (open_out_gen [Open_creat] 0o600 config.logfile);
     35 
     36   (* Change user before sandbox, later we have no access to /etc/passwd *)
     37   let user = Unix.getpwnam config.owner in
     38   let _ = Unix.setuid user.pw_uid in
     39   let _ = Unix.setgid user.pw_gid in
     40 
     41   (* Sandbox filesystem *)
     42   let fd = landlock_init () in
     43   ignore (landlock_new_rule fd config.logfile [LANDLOCK_ACCESS_FS_WRITE_FILE]);
     44   ignore (landlock_new_rule fd (Filename.dirname config.cert) [LANDLOCK_ACCESS_FS_READ_DIR ; LANDLOCK_ACCESS_FS_READ_FILE]);
     45   ignore (landlock_new_rule fd config.dir [LANDLOCK_ACCESS_FS_READ_DIR ; LANDLOCK_ACCESS_FS_READ_FILE]);
     46   ignore (landlock_new_rule fd config_path [LANDLOCK_ACCESS_FS_READ_FILE]);
     47   ignore (landlock_finish fd);
     48 
     49   if not !Flag.foreground then daemonize config.logfile;
     50 
     51   (* Restrict kernel surface *)
     52   ignore (seccomp ());
     53 
     54   print_endline "Starting server...";
     55 
     56   Lwt_main.run @@ Server.main (config)