commit 1ab7c96bb305e818b5dfa3b525d5ff635ad12a0a from: Omar Polo date: Tue Sep 06 16:24:45 2022 UTC gc sandbox_executor_process commit - d29a2ee2246e1b1b0c5222a823820e42422c894e commit + 1ab7c96bb305e818b5dfa3b525d5ff635ad12a0a blob - c3ba0491522221278f4796f3d2a1c51c2827f002 blob + f9056f0b96c7b44619d014132a40a2946c1b86f7 --- gmid.h +++ gmid.h @@ -368,7 +368,6 @@ void fcgi_req(struct client *); /* sandbox.c */ void sandbox_server_process(void); -void sandbox_executor_process(void); void sandbox_logger_process(void); /* utf8.c */ blob - 45f175d8ee59374625f1428eb8d301f466505673 blob + 78fc079906d679e45ce03e8477bd58614288e2f3 --- sandbox.c +++ sandbox.c @@ -27,13 +27,6 @@ sandbox_server_process(void) } void -sandbox_executor_process(void) -{ - log_notice(NULL, "Sandbox disabled! " - "Please report issues upstream instead of disabling the sandbox."); -} - -void sandbox_logger_process(void) { return; @@ -51,16 +44,6 @@ sandbox_server_process(void) } void -sandbox_executor_process(void) -{ - /* - * We cannot capsicum the executor process because it needs to - * fork(2)+execve(2) cgi scripts - */ - return; -} - -void sandbox_logger_process(void) { if (cap_enter() == -1) @@ -578,18 +561,6 @@ sandbox_server_process(void) if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) fatal("%s: prctl(PR_SET_SECCOMP): %s\n", __func__, strerror(errno)); -} - -void -sandbox_executor_process(void) -{ - /* - * We cannot use seccomp for the executor process because we - * don't know what the child will do. Also, our filter will - * be inherited so the child cannot set its own seccomp - * policy. - */ - return; } void @@ -643,48 +614,6 @@ sandbox_server_process(void) } void -sandbox_executor_process(void) -{ - struct vhost *h; - struct location *l; - struct fcgi *f; - size_t i; - - TAILQ_FOREACH(h, &hosts, vhosts) { - TAILQ_FOREACH(l, &h->locations, locations) { - if (l->dir == NULL) - continue; - - /* r so we can chdir into the directory */ - if (unveil(l->dir, "rx") == -1) - fatal("unveil %s for domain %s", - l->dir, h->domain); - } - } - - for (i = 0; i < FCGI_MAX; i++) { - f = &fcgi[i]; - if (f->path != NULL) { - if (unveil(f->path, "rw") == -1) - fatal("unveil %s", f->path); - } - - if (f->prog != NULL) { - if (unveil(f->prog, "rx") == -1) - fatal("unveil %s", f->prog); - } - } - - /* - * rpath: to chdir into the correct directory - * proc exec: CGI - * dns inet unix: FastCGI - */ - if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL)) - err(1, "pledge"); -} - -void sandbox_logger_process(void) { if (pledge("stdio recvfd", NULL) == -1) @@ -702,12 +631,6 @@ sandbox_server_process(void) } void -sandbox_executor_process(void) -{ - log_notice(NULL, "no sandbox method known for this OS"); -} - -void sandbox_logger_process(void) { return;