commit - 2a911637be035476640c5c65e45ff26cb6bf169a
commit + 8e56d6adc423e81f47259a50ac5b11a1dd3c9877
blob - 1d01f66507558f28ace2f3877654457371921ef1
blob + 69ed05386571248590401f64ac197b3e9614e381
--- sandbox.c
+++ sandbox.c
sandbox()
{
if (cap_enter() == -1)
- err(1, "cap_enter");
+ fatal("cap_enter");
}
#elif defined(__linux__)
act.sa_sigaction = &sandbox_seccomp_violation;
act.sa_flags = SA_SIGINFO;
- if (sigaction(SIGSYS, &act, NULL) == -1) {
- fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
+ if (sigaction(SIGSYS, &act, NULL) == -1)
+ fatal("%s: sigaction(SIGSYS): %s",
__func__, strerror(errno));
- exit(1);
- }
- if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
- fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
+
+ if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
+ fatal("%s: sigprocmask(SIGSYS): %s\n",
__func__, strerror(errno));
- exit(1);
- }
}
#endif /* SC_DEBUG */
sandbox_seccomp_catch_sigsys();
#endif
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
- fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
__func__, strerror(errno));
- exit(1);
- }
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
- fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
+ fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
__func__, strerror(errno));
- exit(1);
- }
}
#elif defined(__OpenBSD__)
for (h = hosts; h->domain != NULL; ++h) {
if (unveil(h->dir, "r") == -1)
- err(1, "unveil %s for domain %s", h->dir, h->domain);
+ fatal("unveil %s for domain %s", h->dir, h->domain);
}
if (pledge("stdio recvfd rpath inet", NULL) == -1)
- err(1, "pledge");
+ fatal("pledge");
}
#else