commit - 36e6e793a159a4241b87c62345e4bad2485728c6
commit + 760009951357d4c36991c4c6a62db973289b32d9
blob - a9e855207766eed4b0f02130fb6a37a621e6b4db
blob + 38b99ad306905dfa7d5831ed26d91fc0102d364c
--- gmid.h
+++ gmid.h
/* from command line */
int foreground;
int verbose;
+ int can_open_sockets;
/* in the config */
int port;
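Review bot: `can_open_sockets` is declared under the `/* from command line */` comment, but the parse.y hunks of this commit assign it while the parser handles proxy and fastcgi configuration, so the grouping misleads anyone auditing what controls the sandbox. It belongs below `/* in the config */` with a comment such as `/* set by the parser when a proxy or fastcgi block exists; non-zero makes the capsicum and seccomp variants of sandbox_server_process() skip sandboxing */`. The enclosing struct starts and ends outside the hunk.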
void fcgi_req(struct client *);
/* sandbox.c */
-void sandbox_server_process(void);
+void sandbox_server_process(int);
void sandbox_logger_process(void);
/* utf8.c */
blob - 1eaf0c716b73bfcdc8e33fc6f8fc17a27d875d8c
blob + 96ab053d9087b7965cba97623de12cd5f68f3d4d
--- parse.y
+++ parse.y
new_proxy(void)
{
struct proxy *p;
+
+ conf.can_open_sockets = 1;
p = xcalloc(1, sizeof(*p));
p->protocols = TLS_PROTOCOLS_DEFAULT;
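Review bot: `conf.can_open_sockets` is only ever set to 1, here in new_proxy() and in the fastcgi hunk below, and no visible line clears it, so the flag can only move towards "sandbox off". If the configuration can be parsed again in the same process (not visible in these hunks), a proxy or fastcgi block that was removed would still leave the server unsandboxed. Resetting it with `conf.can_open_sockets = 0;` where `conf` is initialised before a parse would make each parse authoritative. A short comment at both sites, e.g. `/* needs connect(2) at runtime: tells sandbox_server_process() to skip capsicum/seccomp */`, would explain why an allocator-style helper writes global state. new_proxy() continues past the end of the hunk.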
struct fcgi *f;
int i;
+ conf.can_open_sockets = 1;
+
for (i = 0; i < FCGI_MAX; ++i) {
f = &fcgi[i];
blob - 78fc079906d679e45ce03e8477bd58614288e2f3
blob + 52a161ddc90a8a4446fda741dca4c8fbc1729d7f
--- sandbox.c
+++ sandbox.c
#warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
{
return;
}
#include <sys/capsicum.h>
void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
{
+ /* can't capsicum if fastcgi or proxying are used. */
+ if (can_open_sockets)
+ return;
+
if (cap_enter() == -1)
fatal("cap_enter");
}
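Review bot: The new early return in the capsicum variant drops the whole sandbox without leaving any trace, and the seccomp variant further down does the same. One proxy or fastcgi block in any vhost therefore leaves the entire server process unconfined, including the vhosts that only serve static files, and an operator has no way to notice. At minimum, log it once before returning, using the project's existing logging call, with a message like `"sandbox disabled: proxy or fastcgi configured"`, and state the trade-off in the manual page. The comment could also give the reason rather than the conclusion, e.g. `/* capability mode forbids connect(2), which proxying and fastcgi need; the server runs unsandboxed in that case */`.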
#endif
void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
{
const struct sock_fprog prog = {
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
.filter = filter,
};
+ /* can't seccomp/landlock if fastcgi or proxying are used. */
+ if (can_open_sockets)
+ return;
+
+
#ifdef SC_DEBUG
sandbox_seccomp_catch_sigsys();
#endif
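Review bot: Returning at the top of the seccomp variant skips every confinement step in the function, and the added comment names landlock as one of them. Filesystem restrictions are not inherently in conflict with opening outbound sockets, so the landlock ruleset could presumably stay in place while only the seccomp filter is skipped or relaxed; the landlock call itself is outside this hunk, so that needs checking against the rest of the body. A narrower fallback would be a second filter that additionally permits the socket-related syscalls, which keeps the remaining deny-list in force. The doubled blank line after the `return;` is also left over and can go.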
#include <unistd.h>
void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
{
struct vhost *h;
struct location *l;
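Review bot: `can_open_sockets` is not referenced in the visible lines of this variant, which from the `<unistd.h>` include and the vhost/location locals looks like the pledge/unveil one; the rest of the body is outside the hunk. If the parameter is unused there, the permitted operations are the same whether or not proxying or fastcgi is configured. In that case it would be worth either selecting the narrower promise set when the flag is zero or adding `/* can_open_sockets unused: network access is always permitted here */` so the asymmetry with the other platforms is deliberate and documented.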
#warning "No sandbox method known for this OS"
void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
{
return;
}
blob - 4e62ad3604d68309f967a4b07a403ed959e1535e
blob + b87974e60ac299ac783f598b851fa97599ada8b4
--- server.c
+++ server.c
signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
signal_add(&sigusr2, NULL);
- sandbox_server_process();
+ sandbox_server_process(conf.can_open_sockets);
event_dispatch();
_exit(0);
}