1 dafb57b8 2021-01-15 op #include "gmid.h"
3 dafb57b8 2021-01-15 op #if defined(__FreeBSD__)
5 dafb57b8 2021-01-15 op #include <sys/capsicum.h>
6 dafb57b8 2021-01-15 op #include <err.h>
11 dafb57b8 2021-01-15 op struct vhost *h;
12 dafb57b8 2021-01-15 op int has_cgi = 0;
14 dafb57b8 2021-01-15 op for (h = hosts; h->domain != NULL; ++h)
15 dafb57b8 2021-01-15 op if (h->cgi != NULL)
18 dafb57b8 2021-01-15 op if (has_cgi) {
19 dafb57b8 2021-01-15 op LOGW(NULL, "disabling sandbox because CGI scripts are enabled");
23 dafb57b8 2021-01-15 op if (cap_enter() == -1)
24 dafb57b8 2021-01-15 op err(1, "cap_enter");
27 dafb57b8 2021-01-15 op #elif defined(__linux__)
32 dafb57b8 2021-01-15 op /* TODO: seccomp */
35 dafb57b8 2021-01-15 op #elif defined(__OpenBSD__)
37 dafb57b8 2021-01-15 op #include <err.h>
38 dafb57b8 2021-01-15 op #include <unistd.h>
43 dafb57b8 2021-01-15 op struct vhost *h;
44 dafb57b8 2021-01-15 op int has_cgi = 0;
46 dafb57b8 2021-01-15 op for (h = hosts; h->domain != NULL; ++h) {
47 dafb57b8 2021-01-15 op if (unveil(h->dir, "rx") == -1)
48 dafb57b8 2021-01-15 op err(1, "unveil %s for domain %s", h->dir, h->domain);
50 dafb57b8 2021-01-15 op if (h->cgi != NULL)
54 dafb57b8 2021-01-15 op if (pledge("stdio rpath inet proc exec", NULL) == -1)
55 dafb57b8 2021-01-15 op err(1, "pledge");
57 dafb57b8 2021-01-15 op /* drop proc and exec if cgi isn't enabled */
59 dafb57b8 2021-01-15 op if (pledge("stdio rpath inet", NULL) == -1)
60 dafb57b8 2021-01-15 op err(1, "pledge");
68 dafb57b8 2021-01-15 op LOGN(NULL, "%s", "no sandbox method known for this OS");