WIP: Handle SSL_CERT_DIR in chroot jail
This adds support for `SSL_CERT_DIR` by bind-mounting the directory into the jail (at `/etc/ssl/certs/`).

This required removing the single-bind-mount restriction. To do so, the following changes were made:

- `Jail.unmount()` now checks to see if a bind mount was mounted and only tries to unmount ones that were
- `Jail.Build()`:
  - Calls `Jail.unmount()` if `jail.mount()` fails
  - Double-checks that nothing is left mounted before calling `j.removeAll()`
- A `readonly` parameter was added to `jail.Bind()`, and all users now pass `true`. This causes an additional call to make the bind mount read-only (`MS_REMOUNT | MS_BIND | MS_READONLY`).

Closes #137 (closed)

WIP:

- Needs docs and a test for `SSL_CERT_DIR`
- `internal/httptransport/transport.go` loads `SSL_CERT_FILE` for macOS, needs `SSL_CERT_DIR`?
- Test this on production box w/ custom CA

Edited by Jonathon Reinhart
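
An added example, not code from this merge request or the project: one way to audit the two properties described above (nothing left mounted under the jail before it is removed, and bind mounts actually read-only) by parsing `/proc/self/mountinfo` text. The jail path `/tmp/jail-example`, the source path `/opt/ca`, the names `jailMount` and `mountsUnder`, and the sample mountinfo lines are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// jailMount is one mount found at or below the jail root (hypothetical type).
type jailMount struct {
	Point    string
	ReadOnly bool // per-mount "ro" option, which a read-only bind remount sets
}

// mountsUnder parses /proc/self/mountinfo text and returns every mount at or
// below root. Field 5 is the mount point and field 6 the per-mount options;
// the superblock options after " - " can still say "rw" for a read-only bind.
// Mount points containing spaces appear escaped (\040) and are not decoded here.
func mountsUnder(mountinfo, root string) []jailMount {
	root = strings.TrimRight(root, "/")
	var found []jailMount
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		point := f[4]
		// Match root itself or a path below it, but not a sibling like root+"2".
		if point != root && !strings.HasPrefix(point, root+"/") {
			continue
		}
		ro := false
		for _, opt := range strings.Split(f[5], ",") {
			ro = ro || opt == "ro"
		}
		found = append(found, jailMount{Point: point, ReadOnly: ro})
	}
	return found
}

// Constructed sample: one read-only bind, one writable bind, one sibling path.
const sampleMountinfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
95 22 8:1 /opt/ca /tmp/jail-example/etc/ssl/certs ro,relatime shared:1 - ext4 /dev/sda1 rw
96 22 8:1 /usr/lib /tmp/jail-example/usr/lib rw,relatime shared:1 - ext4 /dev/sda1 rw
97 22 8:1 /srv /tmp/jail-example2/srv rw,relatime shared:1 - ext4 /dev/sda1 rw`

func main() {
	for _, m := range mountsUnder(sampleMountinfo, "/tmp/jail-example") {
		fmt.Printf("%s readonly=%v\n", m.Point, m.ReadOnly)
	}
}
```

An empty result for the jail root means nothing is left mounted under it; any entry with `ReadOnly` false is a bind mount that is still writable from inside the jail.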