1 #include "gmid.h"
2 
3 #if defined(__FreeBSD__)
4 
5 #include <sys/capsicum.h>
6 #include <err.h>
7 
8 void
9 sandbox()
10 {
11 	struct vhost *h;
12 	int has_cgi = 0;
13 
14 	for (h = hosts; h->domain != NULL; ++h)
15 		if (h->cgi != NULL)
16 			has_cgi = 1;
17 
18 	if (has_cgi) {
19 		LOGW(NULL, "disabling sandbox because CGI scripts are enabled");
20 		return;
21 	}
22 
23 	if (cap_enter() == -1)
24 		err(1, "cap_enter");
25 }
26 
27 #elif defined(__linux__)
28 
29 void
30 sandbox()
31 {
32 	/* TODO: seccomp */
33 }
34 
35 #elif defined(__OpenBSD__)
36 
37 #include <err.h>
38 #include <unistd.h>
39 
40 void
41 sandbox()
42 {
43 	struct vhost *h;
44 	int has_cgi = 0;
45 
46 	for (h = hosts; h->domain != NULL; ++h) {
47 		if (unveil(h->dir, "rx") == -1)
48 			err(1, "unveil %s for domain %s", h->dir, h->domain);
49 
50 		if (h->cgi != NULL)
51 			has_cgi = 1;
52 	}
53 
54 	if (pledge("stdio rpath inet proc exec", NULL) == -1)
55 		err(1, "pledge");
56 
57 	/* drop proc and exec if cgi isn't enabled */
58 	if (!has_cgi)
59 		if (pledge("stdio rpath inet", NULL) == -1)
60 			err(1, "pledge");
61 }
62 
63 #else
64 
65 void
66 sandbox()
67 {
68         LOGN(NULL, "%s", "no sandbox method known for this OS");
69 }
70 
71 #endif