1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if DISABLE_SANDBOX
20 
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
22 
23 void
24 sandbox_server_process(void)
25 {
26 	return;
27 }
28 
29 void
30 sandbox_executor_process(void)
31 {
32         log_notice(NULL, "Sandbox disabled!  "
33 	    "Please report issues upstream instead of disabling the sandbox.");
34 }
35 
36 void
37 sandbox_logger_process(void)
38 {
39 	return;
40 }
41 
42 #elif defined(__FreeBSD__)
43 
44 #include <sys/capsicum.h>
45 
46 void
47 sandbox_server_process(void)
48 {
49 	if (cap_enter() == -1)
50 		fatal("cap_enter");
51 }
52 
53 void
54 sandbox_executor_process(void)
55 {
56 	/*
57 	 * We cannot capsicum the executor process because it needs to
58 	 * fork(2)+execve(2) cgi scripts
59 	 */
60 	return;
61 }
62 
63 void
64 sandbox_logger_process(void)
65 {
66 	if (cap_enter() == -1)
67 		fatal("cap_enter");
68 }
69 
70 #elif defined(__linux__)
71 
72 #include <sys/prctl.h>
73 #include <sys/syscall.h>
74 #include <sys/syscall.h>
75 #include <sys/types.h>
76 
77 #include <linux/audit.h>
78 #include <linux/filter.h>
79 #include <linux/seccomp.h>
80 
81 #include <errno.h>
82 #include <fcntl.h>
83 #include <stddef.h>
84 #include <stdio.h>
85 #include <string.h>
86 
87 #if HAVE_LANDLOCK
88 # include "landlock_shim.h"
89 #endif
90 
91 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
92 /* #define SC_DEBUG */
93 
94 #ifdef SC_DEBUG
95 # define SC_FAIL SECCOMP_RET_TRAP
96 #else
97 # define SC_FAIL SECCOMP_RET_KILL
98 #endif
99 
100 #if (BYTE_ORDER == LITTLE_ENDIAN)
101 # define SC_ARG_LO	0
102 # define SC_ARG_HI	sizeof(uint32_t)
103 #elif (BYTE_ORDER == BIG_ENDIAN)
104 # define SC_ARG_LO	sizeof(uint32_t)
105 # define SC_ARG_HI	0
106 #else
107 # error "Uknown endian"
108 #endif
109 
110 /* make the filter more readable */
111 #define SC_ALLOW(nr)						\
112 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
113 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
114 
115 /*
116  * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
117  * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
118  */
119 #define SC_ALLOW_ARG(_nr, _arg, _val)						\
120 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),			\
121 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
122 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO),		\
123 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
124 	    ((_val) & 0xffffffff), 0, 3),					\
125 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
126 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI),		\
127 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
128 	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),		\
129 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),				\
130 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
131 	    offsetof(struct seccomp_data, nr))
132 
133 /*
134  * I personally find this quite nutty.  Why can a system header not
135  * define a default for this?
136  */
137 #if defined(__i386__)
138 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
139 #elif defined(__x86_64__)
140 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
141 #elif defined(__arc__)
142 #  if defined(__A7__)
143 #    if (BYTE_ORDER == LITTLE_ENDIAN)
144 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
145 #    else
146 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
147 #    endif
148 #  elif defined(__HS__)
149 #    if (BYTE_ORDER == LITTLE_ENDIAN)
150 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
151 #    else
152 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
153 #    endif
154 #  else
155 #    error "Platform does not support seccomp filter yet"
156 #  endif
157 #elif defined(__arm__)
158 #  ifndef EM_ARM
159 #    define EM_ARM 40
160 #  endif
161 #  if (BYTE_ORDER == LITTLE_ENDIAN)
162 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
163 #  else
164 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
165 #  endif
166 #elif defined(__aarch64__)
167 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
168 #elif defined(__alpha__)
169 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
170 #elif defined(__hppa__)
171 #  if defined(__LP64__)
172 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
173 #  else
174 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
175 #  endif
176 #elif defined(__ia64__)
177 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
178 #elif defined(__microblaze__)
179 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
180 #elif defined(__m68k__)
181 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
182 #elif defined(__mips__)
183 #  if defined(__MIPSEL__)
184 #    if defined(__LP64__)
185 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
186 #    else
187 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
188 #    endif
189 #  elif defined(__LP64__)
190 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
191 #  else
192 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
193 #  endif
194 #elif defined(__nds32__)
195 #  if (BYTE_ORDER == LITTLE_ENDIAN)
196 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
197 #else
198 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
199 #endif
200 #elif defined(__nios2__)
201 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
202 #elif defined(__or1k__)
203 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
204 #elif defined(__powerpc64__)
205 #  if (BYTE_ORDER == LITTLE_ENDIAN)
206 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
207 #  else
208 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
209 #  endif
210 #elif defined(__powerpc__)
211 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
212 #elif defined(__riscv)
213 #  if defined(__LP64__)
214 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
215 #  else
216 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
217 #  endif
218 #elif defined(__s390x__)
219 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
220 #elif defined(__s390__)
221 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
222 #elif defined(__sh__)
223 #  if defined(__LP64__)
224 #    if (BYTE_ORDER == LITTLE_ENDIAN)
225 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
226 #    else
227 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
228 #    endif
229 #  else
230 #    if (BYTE_ORDER == LITTLE_ENDIAN)
231 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
232 #    else
233 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
234 #    endif
235 #  endif
236 #elif defined(__sparc__)
237 #  if defined(__arch64__)
238 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
239 #  else
240 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
241 #  endif
242 #elif defined(__xtensa__)
243 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
244 #else
245 #  error "Platform does not support seccomp filter yet"
246 #endif
247 
248 static struct sock_filter filter[] = {
249 	/* load the *current* architecture */
250 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
251 	    (offsetof(struct seccomp_data, arch))),
252 	/* ensure it's the same that we've been compiled on */
253 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
254 	    SECCOMP_AUDIT_ARCH, 1, 0),
255 	/* if not, kill the program */
256 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
257 
258 	/* load the syscall number */
259 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
260 	    (offsetof(struct seccomp_data, nr))),
261 
262 #ifdef __NR_accept
263 	SC_ALLOW(accept),
264 #endif
265 #ifdef __NR_accept4
266 	SC_ALLOW(accept4),
267 #endif
268 #ifdef __NR_brk
269 	SC_ALLOW(brk),
270 #endif
271 #ifdef __NR_clock_gettime
272 	SC_ALLOW(clock_gettime),
273 #endif
274 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
275 	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
276 #endif
277 #ifdef __NR_clock_gettime64
278 	SC_ALLOW(clock_gettime64),
279 #endif
280 #ifdef __NR_close
281 	SC_ALLOW(close),
282 #endif
283 #ifdef __NR_epoll_ctl
284 	SC_ALLOW(epoll_ctl),
285 #endif
286 #ifdef __NR_epoll_pwait
287 	SC_ALLOW(epoll_pwait),
288 #endif
289 #ifdef __NR_epoll_wait
290 	SC_ALLOW(epoll_wait),
291 #endif
292 #ifdef __NR_exit
293 	SC_ALLOW(exit),
294 #endif
295 #ifdef __NR_exit_group
296 	SC_ALLOW(exit_group),
297 #endif
298 #ifdef __NR_fcntl
299 	SC_ALLOW(fcntl),
300 #endif
301 #ifdef __NR_fcntl64
302 	SC_ALLOW(fcntl64),
303 #endif
304 #ifdef __NR_fstat
305 	SC_ALLOW(fstat),
306 #endif
307 #ifdef __NR_fstat64
308 	SC_ALLOW(fstat64),
309 #endif
310 #ifdef __NR_getdents64
311 	SC_ALLOW(getdents64),
312 #endif
313 #ifdef __NR_getpid
314 	SC_ALLOW(getpid),
315 #endif
316 #ifdef __NR_getrandom
317 	SC_ALLOW(getrandom),
318 #endif
319 #ifdef __NR_gettimeofday
320 	SC_ALLOW(gettimeofday),
321 #endif
322 #ifdef __NR_ioctl
323 	/* allow ioctl on fd 1, glibc doing stuff? */
324         SC_ALLOW_ARG(__NR_ioctl, 0, 1),
325 	/* allow FIONREAD needed by libevent */
326 	SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
327 #endif
328 #ifdef __NR_lseek
329 	SC_ALLOW(lseek),
330 #endif
331 #ifdef __NR_madvise
332 	SC_ALLOW(madvise),
333 #endif
334 #ifdef __NR_mmap
335 	SC_ALLOW(mmap),
336 #endif
337 #ifdef __NR_mmap2
338 	SC_ALLOW(mmap2),
339 #endif
340 #ifdef __NR_munmap
341 	SC_ALLOW(munmap),
342 #endif
343 #ifdef __NR_newfstatat
344 	SC_ALLOW(newfstatat),
345 #endif
346 #ifdef __NR_oldfstat
347 	SC_ALLOW(oldfstat),
348 #endif
349 #ifdef __NR_openat
350 	SC_ALLOW(openat),
351 #endif
352 #ifdef __NR_prlimit64
353 	SC_ALLOW(prlimit64),
354 #endif
355 #ifdef __NR_read
356 	SC_ALLOW(read),
357 #endif
358 #ifdef __NR_recvmsg
359 	SC_ALLOW(recvmsg),
360 #endif
361 #ifdef __NR_readv
362 	SC_ALLOW(readv),
363 #endif
364 #ifdef __NR_rt_sigaction
365 	SC_ALLOW(rt_sigaction),
366 #endif
367 #ifdef __NR_rt_sigreturn
368 	SC_ALLOW(rt_sigreturn),
369 #endif
370 #ifdef __NR_sendmsg
371 	SC_ALLOW(sendmsg),
372 #endif
373 #ifdef __NR_statx
374 	SC_ALLOW(statx),
375 #endif
376 #ifdef __NR_write
377 	SC_ALLOW(write),
378 #endif
379 #ifdef __NR_writev
380 	SC_ALLOW(writev),
381 #endif
382 
383 	/* disallow everything else */
384 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
385 };
386 
387 #ifdef SC_DEBUG
388 
389 #include <signal.h>
390 #include <unistd.h>
391 
392 static void
393 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
394 {
395 	(void)signum;
396 	(void)ctx;
397 
398 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
399 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
400 	_exit(1);
401 }
402 
403 static void
404 sandbox_seccomp_catch_sigsys(void)
405 {
406 	struct sigaction act;
407 	sigset_t mask;
408 
409 	memset(&act, 0, sizeof(act));
410 	sigemptyset(&mask);
411 	sigaddset(&mask, SIGSYS);
412 
413 	act.sa_sigaction = &sandbox_seccomp_violation;
414 	act.sa_flags = SA_SIGINFO;
415 	if (sigaction(SIGSYS, &act, NULL) == -1)
416 		fatal("%s: sigaction(SIGSYS): %s",
417 		    __func__, strerror(errno));
418 
419 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
420 		fatal("%s: sigprocmask(SIGSYS): %s\n",
421 		    __func__, strerror(errno));
422 }
423 #endif	/* SC_DEBUG */
424 
425 #if HAVE_LANDLOCK
426 static inline int
427 open_landlock(void)
428 {
429 	int fd;
430 
431 	/*
432 	 * These are all the actions that we may want to
433 	 * allow.  Anything not specified here is implicitly blocked
434 	 * (e.g. LANDLOCK_ACCESS_FS_EXECUTE.)
435 	 */
436 	struct landlock_ruleset_attr attr = {
437 		.handled_access_fs =	LANDLOCK_ACCESS_FS_READ_FILE	|
438 					LANDLOCK_ACCESS_FS_READ_DIR,
439 	};
440 
441 	fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
442 	if (fd == -1) {
443 		switch (errno) {
444 		case ENOSYS:
445 			fatal("%s: failed to create ruleset.  "
446 			    "Landlock doesn't seem to be supported by the "
447 			    "current kernel.", __func__);
448 		case EOPNOTSUPP:
449 			log_warn(NULL, "%s: failed to create ruleset.  "
450 			    "Landlock seems to be currently disabled; "
451 			    "continuing without it.", __func__);
452 			break;
453 		default:
454 			fatal("%s: failed to create ruleset: %s",
455 			    __func__, strerror(errno));
456 		}
457 	}
458 
459 	return fd;
460 }
461 
462 static int
463 landlock_unveil_path(int landlock_fd, const char *path, int perms)
464 {
465 	struct landlock_path_beneath_attr pb;
466 	int err, saved_errno;
467 
468 	pb.allowed_access = perms;
469 
470 	if ((pb.parent_fd = open(path, O_PATH)) == -1)
471 		return -1;
472 
473 	err = landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH,
474 	    &pb, 0);
475 	saved_errno = errno;
476 	close(pb.parent_fd);
477 	errno = saved_errno;
478 	return err ? -1 : 0;
479 }
480 
481 static int
482 landlock_apply(int fd)
483 {
484 	int r, saved_errno;
485 
486 	if (fd == -1)
487 		return 0;
488 
489 	r = landlock_restrict_self(fd, 0);
490 	saved_errno = errno;
491 	close(fd);
492 	errno = saved_errno;
493 	return r ? -1 : 0;
494 }
495 
496 static int
497 server_landlock(void)
498 {
499 	int		 fd, perms;
500 	struct vhost	*h;
501 	struct location	*l;
502 
503 	/*
504 	 * These are all the actions allowed for the root directories
505 	 * of the vhosts.
506 	 */
507 	perms = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
508 
509 	if ((fd = open_landlock()) == -1)
510 		return 0;
511 
512 	TAILQ_FOREACH(h, &hosts, vhosts) {
513 		TAILQ_FOREACH(l, &h->locations, locations) {
514 			if (l->dir == NULL)
515 				continue;
516 
517 			if (landlock_unveil_path(fd, l->dir, perms) == -1)
518 				fatal("%s: landlock_unveil_path(%s): %s",
519 				    __func__, l->dir, strerror(errno));
520 		}
521 	}
522 
523 	return landlock_apply(fd);
524 }
525 
526 static int
527 logger_landlock(void)
528 {
529 	int fd;
530 
531 	if ((fd = open_landlock()) == -1)
532 		return 0;
533 
534 	/* no rules.  the logger doesn't need fs access at all. */
535 
536 	return landlock_apply(fd);
537 }
538 #endif
539 
540 void
541 sandbox_server_process(void)
542 {
543 	struct sock_fprog prog = {
544 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
545 		.filter = filter,
546 	};
547 
548 #ifdef SC_DEBUG
549 	sandbox_seccomp_catch_sigsys();
550 #endif
551 
552 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
553 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
554 		    __func__, strerror(errno));
555 
556 #if HAVE_LANDLOCK
557 	if (server_landlock() == -1)
558 		fatal("%s: server_landlock: %s",
559 		    __func__, strerror(errno));
560 #endif
561 
562 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
563 		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
564 		    __func__, strerror(errno));
565 }
566 
567 void
568 sandbox_executor_process(void)
569 {
570 	/*
571 	 * We cannot use seccomp for the executor process because we
572 	 * don't know what the child will do.  Also, our filter will
573 	 * be inherited so the child cannot set its own seccomp
574 	 * policy.
575 	 */
576 	return;
577 }
578 
579 void
580 sandbox_logger_process(void)
581 {
582 	/*
583 	 * Here we could use a seccomp filter to allow only recvfd,
584 	 * write/writev and memory allocations, but syslog is a beast
585 	 * and I don't know what syscalls it could end up doing.
586 	 * Landlock is a simpler beast, use it to disallow any file
587 	 * sytsem access.
588 	 */
589 
590 #if HAVE_LANDLOCK
591 	if (logger_landlock() == -1)
592 		fatal("%s: logger_landlock: %s",
593 		    __func__, strerror(errno));
594 #endif
595 
596 	return;
597 }
598 
599 #elif defined(__OpenBSD__)
600 
601 #include <unistd.h>
602 
603 void
604 sandbox_server_process(void)
605 {
606 	struct vhost	*h;
607 	struct location	*l;
608 
609 	TAILQ_FOREACH(h, &hosts, vhosts) {
610 		TAILQ_FOREACH(l, &h->locations, locations) {
611 			if (l->dir == NULL)
612 				continue;
613 
614 			if (unveil(l->dir, "r") == -1)
615 				fatal("unveil %s for domain %s",
616 				    l->dir,
617 				    h->domain);
618 		}
619 	}
620 
621 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
622 		fatal("pledge");
623 }
624 
625 void
626 sandbox_executor_process(void)
627 {
628 	struct vhost	*h;
629 	struct location	*l;
630 	struct fcgi	*f;
631 	size_t		 i;
632 
633 	TAILQ_FOREACH(h, &hosts, vhosts) {
634 		TAILQ_FOREACH(l, &h->locations, locations) {
635 			if (l->dir == NULL)
636 				continue;
637 
638 			/* r so we can chdir into the directory */
639 			if (unveil(l->dir, "rx") == -1)
640 				fatal("unveil %s for domain %s",
641 				    l->dir, h->domain);
642 		}
643 	}
644 
645 	for (i = 0; i < FCGI_MAX; i++) {
646                 f = &fcgi[i];
647 		if (f->path != NULL) {
648 			if (unveil(f->path, "rw") == -1)
649 				fatal("unveil %s", f->path);
650 		}
651 
652 		if (f->prog != NULL) {
653 			if (unveil(f->prog, "rx") == -1)
654 				fatal("unveil %s", f->prog);
655 		}
656 	}
657 
658 	/*
659 	 * rpath: to chdir into the correct directory
660 	 * proc exec: CGI
661 	 * dns inet unix: FastCGI
662 	 */
663 	if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
664 		err(1, "pledge");
665 }
666 
667 void
668 sandbox_logger_process(void)
669 {
670 	if (pledge("stdio recvfd", NULL) == -1)
671 		err(1, "pledge");
672 }
673 
674 #else
675 
676 #warning "No sandbox method known for this OS"
677 
678 void
679 sandbox_server_process(void)
680 {
681 	return;
682 }
683 
684 void
685 sandbox_executor_process(void)
686 {
687 	log_notice(NULL, "no sandbox method known for this OS");
688 }
689 
690 void
691 sandbox_logger_process(void)
692 {
693 	return;
694 }
695 
696 #endif