op public repos

Blob

Date:: Sun Sep 19 17:08:12 2021 UTC
Message:: landlock the server process Trying to implement some landlock policies (rules?) where possible. The server process is, of course, the most dangerous process so start with that. The following should be equivalent to the unveil(2) call on OpenBSD: allows only to read files and directories inside the vhost roots. I'm assuming seccomp is enabled so I'm not trying to disallow actions such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE which require syscalls that are already disallowed. I'm only trying to limit the damage that the currently allowed system calls can do. e.g. since write(2) is allowed, gmid could modify *any* file it has access to; this is now forbidden by landlock. There are still too many #ifdefs for my tastes, but it's still better than the seccomp code.
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if DISABLE_SANDBOX
20 
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
22 
23 void
24 sandbox_server_process(void)
25 {
26 	return;
27 }
28 
29 void
30 sandbox_executor_process(void)
31 {
32         log_notice(NULL, "Sandbox disabled!  "
33 	    "Please report issues upstream instead of disabling the sandbox.");
34 }
35 
36 void
37 sandbox_logger_process(void)
38 {
39 	return;
40 }
41 
42 #elif defined(__FreeBSD__)
43 
44 #include <sys/capsicum.h>
45 
46 void
47 sandbox_server_process(void)
48 {
49 	if (cap_enter() == -1)
50 		fatal("cap_enter");
51 }
52 
53 void
54 sandbox_executor_process(void)
55 {
56 	/*
57 	 * We cannot capsicum the executor process because it needs to
58 	 * fork(2)+execve(2) cgi scripts
59 	 */
60 	return;
61 }
62 
63 void
64 sandbox_logger_process(void)
65 {
66 	if (cap_enter() == -1)
67 		fatal("cap_enter");
68 }
69 
70 #elif defined(__linux__)
71 
72 #include <sys/prctl.h>
73 #include <sys/syscall.h>
74 #include <sys/syscall.h>
75 #include <sys/types.h>
76 
77 #include <linux/audit.h>
78 #include <linux/filter.h>
79 #include <linux/seccomp.h>
80 
81 #include <errno.h>
82 #include <fcntl.h>
83 #include <stddef.h>
84 #include <stdio.h>
85 #include <string.h>
86 
87 #if HAVE_LANDLOCK
88 # include "landlock_shim.h"
89 #endif
90 
91 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
92 /* #define SC_DEBUG */
93 
94 #ifdef SC_DEBUG
95 # define SC_FAIL SECCOMP_RET_TRAP
96 #else
97 # define SC_FAIL SECCOMP_RET_KILL
98 #endif
99 
100 #if (BYTE_ORDER == LITTLE_ENDIAN)
101 # define SC_ARG_LO	0
102 # define SC_ARG_HI	sizeof(uint32_t)
103 #elif (BYTE_ORDER == BIG_ENDIAN)
104 # define SC_ARG_LO	sizeof(uint32_t)
105 # define SC_ARG_HI	0
106 #else
107 # error "Uknown endian"
108 #endif
109 
110 /* make the filter more readable */
111 #define SC_ALLOW(nr)						\
112 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
113 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
114 
115 /*
116  * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
117  * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
118  */
119 #define SC_ALLOW_ARG(_nr, _arg, _val)						\
120 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),			\
121 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
122 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO),		\
123 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
124 	    ((_val) & 0xffffffff), 0, 3),					\
125 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
126 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI),		\
127 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
128 	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),		\
129 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),				\
130 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
131 	    offsetof(struct seccomp_data, nr))
132 
133 /*
134  * I personally find this quite nutty.  Why can a system header not
135  * define a default for this?
136  */
137 #if defined(__i386__)
138 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
139 #elif defined(__x86_64__)
140 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
141 #elif defined(__arc__)
142 #  if defined(__A7__)
143 #    if (BYTE_ORDER == LITTLE_ENDIAN)
144 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
145 #    else
146 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
147 #    endif
148 #  elif defined(__HS__)
149 #    if (BYTE_ORDER == LITTLE_ENDIAN)
150 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
151 #    else
152 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
153 #    endif
154 #  else
155 #    error "Platform does not support seccomp filter yet"
156 #  endif
157 #elif defined(__arm__)
158 #  ifndef EM_ARM
159 #    define EM_ARM 40
160 #  endif
161 #  if (BYTE_ORDER == LITTLE_ENDIAN)
162 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
163 #  else
164 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
165 #  endif
166 #elif defined(__aarch64__)
167 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
168 #elif defined(__alpha__)
169 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
170 #elif defined(__hppa__)
171 #  if defined(__LP64__)
172 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
173 #  else
174 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
175 #  endif
176 #elif defined(__ia64__)
177 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
178 #elif defined(__microblaze__)
179 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
180 #elif defined(__m68k__)
181 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
182 #elif defined(__mips__)
183 #  if defined(__MIPSEL__)
184 #    if defined(__LP64__)
185 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
186 #    else
187 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
188 #    endif
189 #  elif defined(__LP64__)
190 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
191 #  else
192 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
193 #  endif
194 #elif defined(__nds32__)
195 #  if (BYTE_ORDER == LITTLE_ENDIAN)
196 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
197 #else
198 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
199 #endif
200 #elif defined(__nios2__)
201 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
202 #elif defined(__or1k__)
203 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
204 #elif defined(__powerpc64__)
205 #  if (BYTE_ORDER == LITTLE_ENDIAN)
206 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
207 #  else
208 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
209 #  endif
210 #elif defined(__powerpc__)
211 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
212 #elif defined(__riscv)
213 #  if defined(__LP64__)
214 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
215 #  else
216 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
217 #  endif
218 #elif defined(__s390x__)
219 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
220 #elif defined(__s390__)
221 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
222 #elif defined(__sh__)
223 #  if defined(__LP64__)
224 #    if (BYTE_ORDER == LITTLE_ENDIAN)
225 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
226 #    else
227 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
228 #    endif
229 #  else
230 #    if (BYTE_ORDER == LITTLE_ENDIAN)
231 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
232 #    else
233 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
234 #    endif
235 #  endif
236 #elif defined(__sparc__)
237 #  if defined(__arch64__)
238 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
239 #  else
240 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
241 #  endif
242 #elif defined(__xtensa__)
243 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
244 #else
245 #  error "Platform does not support seccomp filter yet"
246 #endif
247 
248 static struct sock_filter filter[] = {
249 	/* load the *current* architecture */
250 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
251 	    (offsetof(struct seccomp_data, arch))),
252 	/* ensure it's the same that we've been compiled on */
253 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
254 	    SECCOMP_AUDIT_ARCH, 1, 0),
255 	/* if not, kill the program */
256 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
257 
258 	/* load the syscall number */
259 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
260 	    (offsetof(struct seccomp_data, nr))),
261 
262 #ifdef __NR_accept
263 	SC_ALLOW(accept),
264 #endif
265 #ifdef __NR_accept4
266 	SC_ALLOW(accept4),
267 #endif
268 #ifdef __NR_brk
269 	SC_ALLOW(brk),
270 #endif
271 #ifdef __NR_clock_gettime
272 	SC_ALLOW(clock_gettime),
273 #endif
274 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
275 	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
276 #endif
277 #ifdef __NR_clock_gettime64
278 	SC_ALLOW(clock_gettime64),
279 #endif
280 #ifdef __NR_close
281 	SC_ALLOW(close),
282 #endif
283 #ifdef __NR_epoll_ctl
284 	SC_ALLOW(epoll_ctl),
285 #endif
286 #ifdef __NR_epoll_pwait
287 	SC_ALLOW(epoll_pwait),
288 #endif
289 #ifdef __NR_epoll_wait
290 	SC_ALLOW(epoll_wait),
291 #endif
292 #ifdef __NR_exit
293 	SC_ALLOW(exit),
294 #endif
295 #ifdef __NR_exit_group
296 	SC_ALLOW(exit_group),
297 #endif
298 #ifdef __NR_fcntl
299 	SC_ALLOW(fcntl),
300 #endif
301 #ifdef __NR_fcntl64
302 	SC_ALLOW(fcntl64),
303 #endif
304 #ifdef __NR_fstat
305 	SC_ALLOW(fstat),
306 #endif
307 #ifdef __NR_fstat64
308 	SC_ALLOW(fstat64),
309 #endif
310 #ifdef __NR_getdents64
311 	SC_ALLOW(getdents64),
312 #endif
313 #ifdef __NR_getpid
314 	SC_ALLOW(getpid),
315 #endif
316 #ifdef __NR_getrandom
317 	SC_ALLOW(getrandom),
318 #endif
319 #ifdef __NR_gettimeofday
320 	SC_ALLOW(gettimeofday),
321 #endif
322 #ifdef __NR_ioctl
323 	/* allow ioctl only on fd 1, glibc doing stuff? */
324         SC_ALLOW_ARG(__NR_ioctl, 0, 1),
325 #endif
326 #ifdef __NR_lseek
327 	SC_ALLOW(lseek),
328 #endif
329 #ifdef __NR_madvise
330 	SC_ALLOW(madvise),
331 #endif
332 #ifdef __NR_mmap
333 	SC_ALLOW(mmap),
334 #endif
335 #ifdef __NR_mmap2
336 	SC_ALLOW(mmap2),
337 #endif
338 #ifdef __NR_munmap
339 	SC_ALLOW(munmap),
340 #endif
341 #ifdef __NR_newfstatat
342 	SC_ALLOW(newfstatat),
343 #endif
344 #ifdef __NR_oldfstat
345 	SC_ALLOW(oldfstat),
346 #endif
347 #ifdef __NR_openat
348 	SC_ALLOW(openat),
349 #endif
350 #ifdef __NR_prlimit64
351 	SC_ALLOW(prlimit64),
352 #endif
353 #ifdef __NR_read
354 	SC_ALLOW(read),
355 #endif
356 #ifdef __NR_recvmsg
357 	SC_ALLOW(recvmsg),
358 #endif
359 #ifdef __NR_readv
360 	SC_ALLOW(readv),
361 #endif
362 #ifdef __NR_rt_sigaction
363 	SC_ALLOW(rt_sigaction),
364 #endif
365 #ifdef __NR_rt_sigreturn
366 	SC_ALLOW(rt_sigreturn),
367 #endif
368 #ifdef __NR_sendmsg
369 	SC_ALLOW(sendmsg),
370 #endif
371 #ifdef __NR_statx
372 	SC_ALLOW(statx),
373 #endif
374 #ifdef __NR_write
375 	SC_ALLOW(write),
376 #endif
377 #ifdef __NR_writev
378 	SC_ALLOW(writev),
379 #endif
380 
381 	/* disallow everything else */
382 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
383 };
384 
385 #ifdef SC_DEBUG
386 
387 #include <signal.h>
388 #include <unistd.h>
389 
390 static void
391 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
392 {
393 	(void)signum;
394 	(void)ctx;
395 
396 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
397 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
398 	_exit(1);
399 }
400 
401 static void
402 sandbox_seccomp_catch_sigsys(void)
403 {
404 	struct sigaction act;
405 	sigset_t mask;
406 
407 	memset(&act, 0, sizeof(act));
408 	sigemptyset(&mask);
409 	sigaddset(&mask, SIGSYS);
410 
411 	act.sa_sigaction = &sandbox_seccomp_violation;
412 	act.sa_flags = SA_SIGINFO;
413 	if (sigaction(SIGSYS, &act, NULL) == -1)
414 		fatal("%s: sigaction(SIGSYS): %s",
415 		    __func__, strerror(errno));
416 
417 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
418 		fatal("%s: sigprocmask(SIGSYS): %s\n",
419 		    __func__, strerror(errno));
420 }
421 #endif	/* SC_DEBUG */
422 
423 #if HAVE_LANDLOCK
424 static int
425 server_landlock(void)
426 {
427 	int		 fd, err;
428 	struct vhost	*h;
429 	struct location	*l;
430 
431 	/*
432 	 * These are all the actions that we want to either allow or
433 	 * disallow.  Things like LANDLOCK_ACCESS_FS_EXECUTE are
434 	 * omitted because are already handled by seccomp.
435 	 */
436 	struct landlock_ruleset_attr ruleset_attr = {
437 		.handled_access_fs =	LANDLOCK_ACCESS_FS_WRITE_FILE	|
438 					LANDLOCK_ACCESS_FS_READ_FILE	|
439 					LANDLOCK_ACCESS_FS_READ_DIR	|
440 					LANDLOCK_ACCESS_FS_MAKE_CHAR	|
441 					LANDLOCK_ACCESS_FS_MAKE_DIR	|
442 					LANDLOCK_ACCESS_FS_MAKE_REG	|
443 					LANDLOCK_ACCESS_FS_MAKE_SOCK	|
444 					LANDLOCK_ACCESS_FS_MAKE_FIFO	|
445 					LANDLOCK_ACCESS_FS_MAKE_BLOCK	|
446 					LANDLOCK_ACCESS_FS_MAKE_SYM,
447 	};
448 
449 	/*
450 	 * These are all the actions allowed for the root directories
451 	 * of the vhosts.  All the other rules mentioned in
452 	 * ruleset_attr and omitted here are implicitly disallowed.
453 	 */
454 	struct landlock_path_beneath_attr path_beneath = {
455 		.allowed_access =	LANDLOCK_ACCESS_FS_READ_FILE |
456 					LANDLOCK_ACCESS_FS_READ_DIR,
457 	};
458 
459 	fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
460 	if (fd == -1) {
461 		switch (errno) {
462 		case ENOSYS:
463 			fatal("%s: failed to create ruleset.  "
464 			    "Landlock doesn't seem to be supported by the "
465 			    "current kernel.", __func__);
466 		case EOPNOTSUPP:
467 			log_warn(NULL, "%s: failed to create ruleset.  "
468 			    "Landlock seems to be currently disabled; "
469 			    "continuing without it.", __func__);
470 			return -1;
471 		default:
472 			fatal("%s: failed to create ruleset: %s",
473 			    __func__, strerror(errno));
474 		}
475 	}
476 
477 	TAILQ_FOREACH(h, &hosts, vhosts) {
478 		TAILQ_FOREACH(l, &h->locations, locations) {
479 			if (l->dir == NULL)
480 				continue;
481 
482 			path_beneath.parent_fd = open(l->dir, O_PATH);
483 			if (path_beneath.parent_fd == -1)
484 				fatal("%s: can't open %s for landlock: %s",
485 				    __func__, l->dir, strerror(errno));
486 
487 			err = landlock_add_rule(fd, LANDLOCK_RULE_PATH_BENEATH,
488 			    &path_beneath, 0);
489 			if (err)
490 				fatal("%s: landlock_add_rule(%s) failed: %s",
491 				    __func__, l->dir, strerror(errno));
492 
493 			close(path_beneath.parent_fd);
494 		}
495 	}
496 
497 	return fd;
498 }
499 #endif
500 
501 void
502 sandbox_server_process(void)
503 {
504 	int fd;
505 	struct sock_fprog prog = {
506 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
507 		.filter = filter,
508 	};
509 
510 #ifdef SC_DEBUG
511 	sandbox_seccomp_catch_sigsys();
512 #endif
513 
514 #if HAVE_LANDLOCK
515 	log_warn(NULL, "loading landlock...");
516 	fd = server_landlock();
517 #else
518 	(void)fd;		/* avoid unused var warning */
519 #endif
520 
521 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
522 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
523 		    __func__, strerror(errno));
524 
525 #if HAVE_LANDLOCK
526 	if (fd != -1) {
527 		if (landlock_restrict_self(fd, 0))
528 			fatal("%s: landlock_restrict_self: %s",
529 			    __func__, strerror(errno));
530 		close(fd);
531 	}
532 #endif
533 
534 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
535 		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
536 		    __func__, strerror(errno));
537 }
538 
539 void
540 sandbox_executor_process(void)
541 {
542 	/*
543 	 * We cannot use seccomp for the executor process because we
544 	 * don't know what the child will do.  Also, our filter will
545 	 * be inherited so the child cannot set its own seccomp
546 	 * policy.
547 	 */
548 	return;
549 }
550 
551 void
552 sandbox_logger_process(void)
553 {
554 	/*
555 	 * To be honest, here we could use a seccomp policy to only
556 	 * allow writev(2) and memory allocations.
557 	 */
558 	return;
559 }
560 
561 #elif defined(__OpenBSD__)
562 
563 #include <unistd.h>
564 
565 void
566 sandbox_server_process(void)
567 {
568 	struct vhost	*h;
569 	struct location	*l;
570 
571 	TAILQ_FOREACH(h, &hosts, vhosts) {
572 		TAILQ_FOREACH(l, &h->locations, locations) {
573 			if (l->dir == NULL)
574 				continue;
575 
576 			if (unveil(l->dir, "r") == -1)
577 				fatal("unveil %s for domain %s",
578 				    l->dir,
579 				    h->domain);
580 		}
581 	}
582 
583 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
584 		fatal("pledge");
585 }
586 
587 void
588 sandbox_executor_process(void)
589 {
590 	struct vhost	*h;
591 	struct location	*l;
592 	struct fcgi	*f;
593 	size_t		 i;
594 
595 	TAILQ_FOREACH(h, &hosts, vhosts) {
596 		TAILQ_FOREACH(l, &h->locations, locations) {
597 			if (l->dir == NULL)
598 				continue;
599 
600 			/* r so we can chdir into the directory */
601 			if (unveil(l->dir, "rx") == -1)
602 				fatal("unveil %s for domain %s",
603 				    l->dir, h->domain);
604 		}
605 	}
606 
607 	for (i = 0; i < FCGI_MAX; i++) {
608                 f = &fcgi[i];
609 		if (f->path != NULL) {
610 			if (unveil(f->path, "rw") == -1)
611 				fatal("unveil %s", f->path);
612 		}
613 
614 		if (f->prog != NULL) {
615 			if (unveil(f->prog, "rx") == -1)
616 				fatal("unveil %s", f->prog);
617 		}
618 	}
619 
620 	/*
621 	 * rpath: to chdir into the correct directory
622 	 * proc exec: CGI
623 	 * dns inet unix: FastCGI
624 	 */
625 	if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
626 		err(1, "pledge");
627 }
628 
629 void
630 sandbox_logger_process(void)
631 {
632 	if (pledge("stdio recvfd", NULL) == -1)
633 		err(1, "pledge");
634 }
635 
636 #else
637 
638 #warning "No sandbox method known for this OS"
639 
640 void
641 sandbox_server_process(void)
642 {
643 	return;
644 }
645 
646 void
647 sandbox_executor_process(void)
648 {
649 	log_notice(NULL, "no sandbox method known for this OS");
650 }
651 
652 void
653 sandbox_logger_process(void)
654 {
655 	return;
656 }
657 
658 #endif