commit - ad5301d1a00ba96c920fd89535cf9074b6e92088
commit + 62e001b06778c96d0deebceddf1913f7b57ab2d6
blob - 68170246e73c706ee72ec56fee500b46c8a67f44
blob + 645e8657de054bd503de5ea6536adbee2e50cae0
--- ex.c
+++ ex.c
int
executor_main(struct imsgbuf *ibuf)
{
- struct vhost *vhost;
struct event evs[PROC_MAX], imsgev;
int i;
-
-#ifdef __OpenBSD__
- for (vhost = hosts; vhost->domain != NULL; ++vhost) {
- /* r so we can chdir into the correct directory */
- if (unveil(vhost->dir, "rx") == -1)
- err(1, "unveil %s for domain %s",
- vhost->dir, vhost->domain);
- }
- /* rpath to chdir into the correct directory */
- if (pledge("stdio rpath sendfd proc exec", NULL))
- err(1, "pledge");
-#endif
-
event_init();
if (ibuf != NULL) {
event_add(&evs[i], NULL);
}
+ sandbox_executor_process();
+
event_dispatch();
return 1;
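Review bot: The sandbox is now entered after `event_init()` and the `event_add()` calls but before `event_dispatch()`, and nothing in `executor_main` records that this ordering is deliberate, so a later edit could move the call without noticing what it depends on. A one-line comment above the call, `/* sandbox only after all setup is done, right before event_dispatch() */`, would pin that down. Whether the executor is actually confined after this call now depends entirely on the platform-specific body in sandbox.c, which this hunk no longer shows. The closing brace of executor_main lies outside the hunk.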
blob - dad7b4c1ca4fb918b5d8b9aa1e1dd13ab9ce2166
blob + 7e9bba0ea360599496bdc6cd5ca3672e11dcc6ec
--- gmid.h
+++ gmid.h
int executor_main(struct imsgbuf*);
/* sandbox.c */
-void sandbox(void);
+void sandbox_server_process(void);
+void sandbox_executor_process(void);
+void sandbox_logger_process(void);
/* utf8.c */
int valid_multibyte_utf8(struct parser*);
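Review bot: The three new prototypes carry no documentation of their contract, and since the implementations differ per platform (some are intentional no-ops), a caller cannot tell from the header what confinement, if any, a given call provides. A comment above the group such as `/* per-process sandbox entry points: call once, from the named process, after every fd and directory it needs is open and immediately before event_dispatch(); on platforms without a suitable mechanism some of these are no-ops */` would capture what the call sites in server.c, ex.c and log.c assume.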
blob - b66aa19f73bdd79ae9869351aa60a9afc403b807
blob + 2ff21587cd8edca98f45ca03c02c49f6ae74e139
--- log.c
+++ log.c
event_set(&imsgev, fd, EV_READ | EV_PERSIST, &handle_dispatch_imsg, ibuf);
event_add(&imsgev, NULL);
-#ifdef __OpenBSD__
- if (pledge("stdio", NULL) == -1)
- err(1, "pledge");
-#endif
+ sandbox_logger_process();
event_dispatch();
blob - 2397e9afb105a1803d6c94fc46c2083187258a48
blob + b3923350574b8147ce79f90847f7e24bb011c25c
--- regress/puny-test.c
+++ regress/puny-test.c
{NULL, NULL}
};
+void
+sandbox_logger_process(void)
+{
+ /* to make the linker happy! */
+ return;
+}
+
int
main(int argc, char **argv)
{
blob - 89908505a2c22071620277117e49fb391a23d015
blob + 509d6bbc5009502ddf3e4bc8b66f7fec22586888
--- sandbox.c
+++ sandbox.c
#include <sys/capsicum.h>
void
-sandbox()
+sandbox_server_process(void)
{
if (cap_enter() == -1)
fatal("cap_enter");
}
+void
+sandbox_executor_process(void)
+{
+ /* We cannot capsicum the executor process because it needs
+ * to fork(2)+execve(2) cgi scripts */
+ return;
+}
+
+void
+sandbox_logger_process(void)
+{
+ if (cap_enter() == -1)
+ fatal("cap_enter");
+}
+
#elif defined(__linux__)
#include <sys/prctl.h>
#endif /* SC_DEBUG */
void
-sandbox()
+sandbox_server_process(void)
{
struct sock_filter filter[] = {
/* load the *current* architecture */
__func__, strerror(errno));
}
+void
+sandbox_executor_process(void)
+{
+ /* We cannot use seccomp for the executor process because we
+ * don't know what the child will do. Also, our filter will
+ * be inherited so the child cannot set its own seccomp
+ * policy. */
+ return;
+}
+
+void
+sandbox_logger_process(void)
+{
+ /* To be honest, here we could use a seccomp policy to only
+ * allow writev(2) and memory allocations. */
+ return;
+}
+
#elif defined(__OpenBSD__)
#include <unistd.h>
void
-sandbox()
+sandbox_server_process(void)
{
struct vhost *h;
fatal("pledge");
}
-#else
-
void
-sandbox()
+sandbox_executor_process(void)
{
+ struct vhost *vhost;
+
+ for (vhost = hosts; vhost->domain != NULL; ++vhost) {
+ /* r so we can chdir into the correct directory */
+ if (unveil(vhost->dir, "rx") == -1)
+ err(1, "unveil %s for domain %s",
+ vhost->dir, vhost->domain);
+ }
+
+ /* rpath to chdir into the correct directory */
+ if (pledge("stdio rpath sendfd proc exec", NULL))
+ err(1, "pledge");
+}
+
+void
+sandbox_logger_process(void)
+{
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+}
+
+#else
+
+#warning "No sandbox method known for this OS"
+
+void
+sandbox_server_process(void)
+{
+ return;
+}
+
+void
+sandbox_executor_process(void)
+{
log_notice(NULL, "no sandbox method known for this OS");
}
+void
+sandbox_logger_process(void)
+{
+ return;
+}
+
#endif
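Review bot: Error handling in the new OpenBSD executor and logger sandboxes is inconsistent with the rest of the file: `sandbox_server_process` reports with `fatal("pledge")` and the capsicum variants with `fatal("cap_enter")`, while the new bodies call `err(1, ...)`, which writes to stderr and bypasses whatever `fatal()` does for the project, and the check `if (pledge("stdio rpath sendfd proc exec", NULL))` also drops the explicit `== -1` used everywhere else. I would write `if (pledge("stdio rpath sendfd proc exec", NULL) == -1) fatal("pledge");` and route the unveil failure through `fatal` as well, provided `fatal` accepts a format string (it is only seen here with plain literals, so that needs confirming). The capsicum and seccomp builds leave the executor (and on Linux the logger) running with no sandbox at all, but unlike the `#else` branch they return silently, so an operator on those platforms gets no runtime indication that the process is unconfined; a `log_notice` in those no-op bodies, mirroring the `#else` executor, would make it visible. The comment above `unveil(vhost->dir, "rx")` explains only the `r`; since the executor pledges `exec` and the capsicum comment speaks of execve of CGI scripts, `x` is presumably for running those scripts, and the comment should say so.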
blob - b059412a1bd3b72a09d57b87388b68d9a319bb3d
blob + 0080b17b42ba540f8d10b754089ad1129bee9027
--- server.c
+++ server.c
signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
signal_add(&sigusr2, NULL);
- sandbox();
+ sandbox_server_process();
event_dispatch();
_exit(0);
}