1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if DISABLE_SANDBOX
20 
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
22 
23 void
24 sandbox_server_process(void)
25 {
26 	return;
27 }
28 
29 void
30 sandbox_executor_process(void)
31 {
32         log_notice(NULL, "Sandbox disabled!  "
33 	    "Please report issues upstream instead of disabling the sandbox.");
34 }
35 
36 void
37 sandbox_logger_process(void)
38 {
39 	return;
40 }
41 
42 #elif defined(__FreeBSD__)
43 
44 #include <sys/capsicum.h>
45 
46 void
47 sandbox_server_process(void)
48 {
49 	if (cap_enter() == -1)
50 		fatal("cap_enter");
51 }
52 
53 void
54 sandbox_executor_process(void)
55 {
56 	/*
57 	 * We cannot capsicum the executor process because it needs to
58 	 * fork(2)+execve(2) cgi scripts
59 	 */
60 	return;
61 }
62 
63 void
64 sandbox_logger_process(void)
65 {
66 	if (cap_enter() == -1)
67 		fatal("cap_enter");
68 }
69 
70 #elif defined(__linux__)
71 
72 #include <sys/ioctl.h>
73 #include <sys/prctl.h>
74 #include <sys/syscall.h>
75 #include <sys/syscall.h>
76 #include <sys/types.h>
77 
78 #include <linux/audit.h>
79 #include <linux/filter.h>
80 #include <linux/seccomp.h>
81 
82 #include <errno.h>
83 #include <fcntl.h>
84 #include <stddef.h>
85 #include <stdio.h>
86 #include <string.h>
87 
88 #if HAVE_LANDLOCK
89 # include "landlock_shim.h"
90 #endif
91 
92 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
93 /* #define SC_DEBUG */
94 
95 #ifdef SC_DEBUG
96 # define SC_FAIL SECCOMP_RET_TRAP
97 #else
98 # define SC_FAIL SECCOMP_RET_KILL
99 #endif
100 
101 #if (BYTE_ORDER == LITTLE_ENDIAN)
102 # define SC_ARG_LO	0
103 # define SC_ARG_HI	sizeof(uint32_t)
104 #elif (BYTE_ORDER == BIG_ENDIAN)
105 # define SC_ARG_LO	sizeof(uint32_t)
106 # define SC_ARG_HI	0
107 #else
108 # error "Uknown endian"
109 #endif
110 
111 /* make the filter more readable */
112 #define SC_ALLOW(nr)						\
113 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
114 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
115 
116 /*
117  * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
118  * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
119  */
120 #define SC_ALLOW_ARG(_nr, _arg, _val)						\
121 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),			\
122 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
123 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO),		\
124 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
125 	    ((_val) & 0xffffffff), 0, 3),					\
126 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
127 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI),		\
128 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
129 	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),		\
130 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),				\
131 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
132 	    offsetof(struct seccomp_data, nr))
133 
134 /*
135  * I personally find this quite nutty.  Why can a system header not
136  * define a default for this?
137  */
138 #if defined(__i386__)
139 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
140 #elif defined(__x86_64__)
141 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
142 #elif defined(__arc__)
143 #  if defined(__A7__)
144 #    if (BYTE_ORDER == LITTLE_ENDIAN)
145 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
146 #    else
147 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
148 #    endif
149 #  elif defined(__HS__)
150 #    if (BYTE_ORDER == LITTLE_ENDIAN)
151 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
152 #    else
153 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
154 #    endif
155 #  else
156 #    error "Platform does not support seccomp filter yet"
157 #  endif
158 #elif defined(__arm__)
159 #  ifndef EM_ARM
160 #    define EM_ARM 40
161 #  endif
162 #  if (BYTE_ORDER == LITTLE_ENDIAN)
163 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
164 #  else
165 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
166 #  endif
167 #elif defined(__aarch64__)
168 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
169 #elif defined(__alpha__)
170 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
171 #elif defined(__hppa__)
172 #  if defined(__LP64__)
173 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
174 #  else
175 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
176 #  endif
177 #elif defined(__ia64__)
178 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
179 #elif defined(__microblaze__)
180 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
181 #elif defined(__m68k__)
182 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
183 #elif defined(__mips__)
184 #  if defined(__MIPSEL__)
185 #    if defined(__LP64__)
186 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
187 #    else
188 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
189 #    endif
190 #  elif defined(__LP64__)
191 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
192 #  else
193 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
194 #  endif
195 #elif defined(__nds32__)
196 #  if (BYTE_ORDER == LITTLE_ENDIAN)
197 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
198 #else
199 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
200 #endif
201 #elif defined(__nios2__)
202 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
203 #elif defined(__or1k__)
204 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
205 #elif defined(__powerpc64__)
206 #  if (BYTE_ORDER == LITTLE_ENDIAN)
207 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
208 #  else
209 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
210 #  endif
211 #elif defined(__powerpc__)
212 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
213 #elif defined(__riscv)
214 #  if defined(__LP64__)
215 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
216 #  else
217 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
218 #  endif
219 #elif defined(__s390x__)
220 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
221 #elif defined(__s390__)
222 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
223 #elif defined(__sh__)
224 #  if defined(__LP64__)
225 #    if (BYTE_ORDER == LITTLE_ENDIAN)
226 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
227 #    else
228 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
229 #    endif
230 #  else
231 #    if (BYTE_ORDER == LITTLE_ENDIAN)
232 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
233 #    else
234 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
235 #    endif
236 #  endif
237 #elif defined(__sparc__)
238 #  if defined(__arch64__)
239 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
240 #  else
241 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
242 #  endif
243 #elif defined(__xtensa__)
244 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
245 #else
246 #  error "Platform does not support seccomp filter yet"
247 #endif
248 
249 static struct sock_filter filter[] = {
250 	/* load the *current* architecture */
251 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
252 	    (offsetof(struct seccomp_data, arch))),
253 	/* ensure it's the same that we've been compiled on */
254 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
255 	    SECCOMP_AUDIT_ARCH, 1, 0),
256 	/* if not, kill the program */
257 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
258 
259 	/* load the syscall number */
260 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
261 	    (offsetof(struct seccomp_data, nr))),
262 
263 #ifdef __NR_accept
264 	SC_ALLOW(accept),
265 #endif
266 #ifdef __NR_accept4
267 	SC_ALLOW(accept4),
268 #endif
269 #ifdef __NR_brk
270 	SC_ALLOW(brk),
271 #endif
272 #ifdef __NR_clock_gettime
273 	SC_ALLOW(clock_gettime),
274 #endif
275 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
276 	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
277 #endif
278 #ifdef __NR_clock_gettime64
279 	SC_ALLOW(clock_gettime64),
280 #endif
281 #ifdef __NR_close
282 	SC_ALLOW(close),
283 #endif
284 #ifdef __NR_epoll_ctl
285 	SC_ALLOW(epoll_ctl),
286 #endif
287 #ifdef __NR_epoll_pwait
288 	SC_ALLOW(epoll_pwait),
289 #endif
290 #ifdef __NR_epoll_wait
291 	SC_ALLOW(epoll_wait),
292 #endif
293 #ifdef __NR_exit
294 	SC_ALLOW(exit),
295 #endif
296 #ifdef __NR_exit_group
297 	SC_ALLOW(exit_group),
298 #endif
299 #ifdef __NR_fcntl
300 	SC_ALLOW(fcntl),
301 #endif
302 #ifdef __NR_fcntl64
303 	SC_ALLOW(fcntl64),
304 #endif
305 #ifdef __NR_fstat
306 	SC_ALLOW(fstat),
307 #endif
308 #ifdef __NR_fstat64
309 	SC_ALLOW(fstat64),
310 #endif
311 #ifdef __NR_getdents64
312 	SC_ALLOW(getdents64),
313 #endif
314 #ifdef __NR_getpid
315 	SC_ALLOW(getpid),
316 #endif
317 #ifdef __NR_getrandom
318 	SC_ALLOW(getrandom),
319 #endif
320 #ifdef __NR_gettimeofday
321 	SC_ALLOW(gettimeofday),
322 #endif
323 #ifdef __NR_ioctl
324 	/* allow ioctl on fd 1, glibc doing stuff? */
325         SC_ALLOW_ARG(__NR_ioctl, 0, 1),
326 	/* allow FIONREAD needed by libevent */
327 	SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
328 #endif
329 #ifdef __NR_lseek
330 	SC_ALLOW(lseek),
331 #endif
332 #ifdef __NR_madvise
333 	SC_ALLOW(madvise),
334 #endif
335 #ifdef __NR_mmap
336 	SC_ALLOW(mmap),
337 #endif
338 #ifdef __NR_mmap2
339 	SC_ALLOW(mmap2),
340 #endif
341 #ifdef __NR_munmap
342 	SC_ALLOW(munmap),
343 #endif
344 #ifdef __NR_newfstatat
345 	SC_ALLOW(newfstatat),
346 #endif
347 #ifdef __NR_oldfstat
348 	SC_ALLOW(oldfstat),
349 #endif
350 #ifdef __NR_openat
351 	SC_ALLOW(openat),
352 #endif
353 #ifdef __NR_prlimit64
354 	SC_ALLOW(prlimit64),
355 #endif
356 #ifdef __NR_read
357 	SC_ALLOW(read),
358 #endif
359 #ifdef __NR_recvmsg
360 	SC_ALLOW(recvmsg),
361 #endif
362 #ifdef __NR_readv
363 	SC_ALLOW(readv),
364 #endif
365 #ifdef __NR_rt_sigaction
366 	SC_ALLOW(rt_sigaction),
367 #endif
368 #ifdef __NR_rt_sigreturn
369 	SC_ALLOW(rt_sigreturn),
370 #endif
371 #ifdef __NR_sendmsg
372 	SC_ALLOW(sendmsg),
373 #endif
374 #ifdef __NR_statx
375 	SC_ALLOW(statx),
376 #endif
377 #ifdef __NR_write
378 	SC_ALLOW(write),
379 #endif
380 #ifdef __NR_writev
381 	SC_ALLOW(writev),
382 #endif
383 
384 	/* disallow everything else */
385 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
386 };
387 
388 #ifdef SC_DEBUG
389 
390 #include <signal.h>
391 #include <unistd.h>
392 
393 static void
394 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
395 {
396 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
397 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
398 	_exit(1);
399 }
400 
401 static void
402 sandbox_seccomp_catch_sigsys(void)
403 {
404 	struct sigaction act;
405 	sigset_t mask;
406 
407 	memset(&act, 0, sizeof(act));
408 	sigemptyset(&mask);
409 	sigaddset(&mask, SIGSYS);
410 
411 	act.sa_sigaction = &sandbox_seccomp_violation;
412 	act.sa_flags = SA_SIGINFO;
413 	if (sigaction(SIGSYS, &act, NULL) == -1)
414 		fatal("%s: sigaction(SIGSYS): %s",
415 		    __func__, strerror(errno));
416 
417 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
418 		fatal("%s: sigprocmask(SIGSYS): %s\n",
419 		    __func__, strerror(errno));
420 }
421 #endif	/* SC_DEBUG */
422 
423 #if HAVE_LANDLOCK
424 static inline int
425 open_landlock(void)
426 {
427 	int fd;
428 
429 	/*
430 	 * These are all the actions that we may want to
431 	 * allow.  Anything not specified here is implicitly blocked
432 	 * (e.g. LANDLOCK_ACCESS_FS_EXECUTE.)
433 	 */
434 	struct landlock_ruleset_attr attr = {
435 		.handled_access_fs =	LANDLOCK_ACCESS_FS_READ_FILE	|
436 					LANDLOCK_ACCESS_FS_READ_DIR,
437 	};
438 
439 	fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
440 	if (fd == -1) {
441 		switch (errno) {
442 		case ENOSYS:
443 			fatal("%s: failed to create ruleset.  "
444 			    "Landlock doesn't seem to be supported by the "
445 			    "current kernel.", __func__);
446 		case EOPNOTSUPP:
447 			log_warn(NULL, "%s: failed to create ruleset.  "
448 			    "Landlock seems to be currently disabled; "
449 			    "continuing without it.", __func__);
450 			break;
451 		default:
452 			fatal("%s: failed to create ruleset: %s",
453 			    __func__, strerror(errno));
454 		}
455 	}
456 
457 	return fd;
458 }
459 
460 static int
461 landlock_unveil_path(int landlock_fd, const char *path, int perms)
462 {
463 	struct landlock_path_beneath_attr pb;
464 	int err, saved_errno;
465 
466 	pb.allowed_access = perms;
467 
468 	if ((pb.parent_fd = open(path, O_PATH)) == -1)
469 		return -1;
470 
471 	err = landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH,
472 	    &pb, 0);
473 	saved_errno = errno;
474 	close(pb.parent_fd);
475 	errno = saved_errno;
476 	return err ? -1 : 0;
477 }
478 
479 static int
480 landlock_apply(int fd)
481 {
482 	int r, saved_errno;
483 
484 	if (fd == -1)
485 		return 0;
486 
487 	r = landlock_restrict_self(fd, 0);
488 	saved_errno = errno;
489 	close(fd);
490 	errno = saved_errno;
491 	return r ? -1 : 0;
492 }
493 
494 static int
495 server_landlock(void)
496 {
497 	int		 fd, perms;
498 	struct vhost	*h;
499 	struct location	*l;
500 
501 	/*
502 	 * These are all the actions allowed for the root directories
503 	 * of the vhosts.
504 	 */
505 	perms = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
506 
507 	if ((fd = open_landlock()) == -1)
508 		return 0;
509 
510 	TAILQ_FOREACH(h, &hosts, vhosts) {
511 		TAILQ_FOREACH(l, &h->locations, locations) {
512 			if (l->dir == NULL)
513 				continue;
514 
515 			if (landlock_unveil_path(fd, l->dir, perms) == -1)
516 				fatal("%s: landlock_unveil_path(%s): %s",
517 				    __func__, l->dir, strerror(errno));
518 		}
519 	}
520 
521 	return landlock_apply(fd);
522 }
523 
524 static int
525 logger_landlock(void)
526 {
527 	int fd;
528 
529 	if ((fd = open_landlock()) == -1)
530 		return 0;
531 
532 	/* no rules.  the logger doesn't need fs access at all. */
533 
534 	return landlock_apply(fd);
535 }
536 #endif
537 
538 void
539 sandbox_server_process(void)
540 {
541 	struct sock_fprog prog = {
542 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
543 		.filter = filter,
544 	};
545 
546 #ifdef SC_DEBUG
547 	sandbox_seccomp_catch_sigsys();
548 #endif
549 
550 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
551 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
552 		    __func__, strerror(errno));
553 
554 #if HAVE_LANDLOCK
555 	if (server_landlock() == -1)
556 		fatal("%s: server_landlock: %s",
557 		    __func__, strerror(errno));
558 #endif
559 
560 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
561 		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
562 		    __func__, strerror(errno));
563 }
564 
565 void
566 sandbox_executor_process(void)
567 {
568 	/*
569 	 * We cannot use seccomp for the executor process because we
570 	 * don't know what the child will do.  Also, our filter will
571 	 * be inherited so the child cannot set its own seccomp
572 	 * policy.
573 	 */
574 	return;
575 }
576 
577 void
578 sandbox_logger_process(void)
579 {
580 	/*
581 	 * Here we could use a seccomp filter to allow only recvfd,
582 	 * write/writev and memory allocations, but syslog is a beast
583 	 * and I don't know what syscalls it could end up doing.
584 	 * Landlock is a simpler beast, use it to disallow any file
585 	 * sytsem access.
586 	 */
587 
588 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
589 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
590 		    __func__, strerror(errno));
591 
592 #if HAVE_LANDLOCK
593 	if (logger_landlock() == -1)
594 		fatal("%s: logger_landlock: %s",
595 		    __func__, strerror(errno));
596 #endif
597 
598 	return;
599 }
600 
601 #elif defined(__OpenBSD__)
602 
603 #include <unistd.h>
604 
605 void
606 sandbox_server_process(void)
607 {
608 	struct vhost	*h;
609 	struct location	*l;
610 
611 	TAILQ_FOREACH(h, &hosts, vhosts) {
612 		TAILQ_FOREACH(l, &h->locations, locations) {
613 			if (l->dir == NULL)
614 				continue;
615 
616 			if (unveil(l->dir, "r") == -1)
617 				fatal("unveil %s for domain %s",
618 				    l->dir,
619 				    h->domain);
620 		}
621 	}
622 
623 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
624 		fatal("pledge");
625 }
626 
627 void
628 sandbox_executor_process(void)
629 {
630 	struct vhost	*h;
631 	struct location	*l;
632 	struct fcgi	*f;
633 	size_t		 i;
634 
635 	TAILQ_FOREACH(h, &hosts, vhosts) {
636 		TAILQ_FOREACH(l, &h->locations, locations) {
637 			if (l->dir == NULL)
638 				continue;
639 
640 			/* r so we can chdir into the directory */
641 			if (unveil(l->dir, "rx") == -1)
642 				fatal("unveil %s for domain %s",
643 				    l->dir, h->domain);
644 		}
645 	}
646 
647 	for (i = 0; i < FCGI_MAX; i++) {
648                 f = &fcgi[i];
649 		if (f->path != NULL) {
650 			if (unveil(f->path, "rw") == -1)
651 				fatal("unveil %s", f->path);
652 		}
653 
654 		if (f->prog != NULL) {
655 			if (unveil(f->prog, "rx") == -1)
656 				fatal("unveil %s", f->prog);
657 		}
658 	}
659 
660 	/*
661 	 * rpath: to chdir into the correct directory
662 	 * proc exec: CGI
663 	 * dns inet unix: FastCGI
664 	 */
665 	if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
666 		err(1, "pledge");
667 }
668 
669 void
670 sandbox_logger_process(void)
671 {
672 	if (pledge("stdio recvfd", NULL) == -1)
673 		err(1, "pledge");
674 }
675 
676 #else
677 
678 #warning "No sandbox method known for this OS"
679 
680 void
681 sandbox_server_process(void)
682 {
683 	return;
684 }
685 
686 void
687 sandbox_executor_process(void)
688 {
689 	log_notice(NULL, "no sandbox method known for this OS");
690 }
691 
692 void
693 sandbox_logger_process(void)
694 {
695 	return;
696 }
697 
698 #endif