commit 62e001b06778c96d0deebceddf1913f7b57ab2d6 from: Omar Polo date: Sat Mar 20 08:42:08 2021 UTC move all sandbox-related code to sandbox.c while there, add capsicum for the logger process commit - ad5301d1a00ba96c920fd89535cf9074b6e92088 commit + 62e001b06778c96d0deebceddf1913f7b57ab2d6 blob - 68170246e73c706ee72ec56fee500b46c8a67f44 blob + 645e8657de054bd503de5ea6536adbee2e50cae0 --- ex.c +++ ex.c @@ -270,23 +270,9 @@ handle_dispatch_imsg(int fd, short ev, void *d) int executor_main(struct imsgbuf *ibuf) { - struct vhost *vhost; struct event evs[PROC_MAX], imsgev; int i; - -#ifdef __OpenBSD__ - for (vhost = hosts; vhost->domain != NULL; ++vhost) { - /* r so we can chdir into the correct directory */ - if (unveil(vhost->dir, "rx") == -1) - err(1, "unveil %s for domain %s", - vhost->dir, vhost->domain); - } - /* rpath to chdir into the correct directory */ - if (pledge("stdio rpath sendfd proc exec", NULL)) - err(1, "pledge"); -#endif - event_init(); if (ibuf != NULL) { @@ -301,6 +287,8 @@ executor_main(struct imsgbuf *ibuf) event_add(&evs[i], NULL); } + sandbox_executor_process(); + event_dispatch(); return 1; blob - dad7b4c1ca4fb918b5d8b9aa1e1dd13ab9ce2166 blob + 7e9bba0ea360599496bdc6cd5ca3672e11dcc6ec --- gmid.h +++ gmid.h @@ -294,7 +294,9 @@ int recv_fd(int); int executor_main(struct imsgbuf*); /* sandbox.c */ -void sandbox(void); +void sandbox_server_process(void); +void sandbox_executor_process(void); +void sandbox_logger_process(void); /* utf8.c */ int valid_multibyte_utf8(struct parser*); blob - b66aa19f73bdd79ae9869351aa60a9afc403b807 blob + 2ff21587cd8edca98f45ca03c02c49f6ae74e139 --- log.c +++ log.c 
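Review bot: The three new prototypes in gmid.h carry no comment saying which process each belongs to or when it must be called, and since cap_enter(2) and pledge(2) are one-way, a caller that runs one of them before it has opened every descriptor it needs will fail later in ways the header gives no hint of. A short comment above the group would prevent that, e.g. `/* Per-process sandbox entry points (server / executor / logger). One-way: call once, after every fd the process needs is open. */`. The ex.c and log.c hunks in this commit place the calls right before event_dispatch(), which matches that contract as far as the hunks show.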
@@ -270,10 +270,7 @@ logger_main(int fd, struct imsgbuf *ibuf) event_set(&imsgev, fd, EV_READ | EV_PERSIST, &handle_dispatch_imsg, ibuf); event_add(&imsgev, NULL); -#ifdef __OpenBSD__ - if (pledge("stdio", NULL) == -1) - err(1, "pledge"); -#endif + sandbox_logger_process(); event_dispatch(); blob - 2397e9afb105a1803d6c94fc46c2083187258a48 blob + b3923350574b8147ce79f90847f7e24bb011c25c --- regress/puny-test.c +++ regress/puny-test.c @@ -48,6 +48,13 @@ struct suite { {NULL, NULL} }; +void +sandbox_logger_process(void) +{ + /* to make the linker happy! */ + return; +} + int main(int argc, char **argv) { blob - 89908505a2c22071620277117e49fb391a23d015 blob + 509d6bbc5009502ddf3e4bc8b66f7fec22586888 --- sandbox.c +++ sandbox.c @@ -21,12 +21,27 @@ #include void -sandbox() +sandbox_server_process(void) { if (cap_enter() == -1) fatal("cap_enter"); } +void +sandbox_executor_process(void) +{ + /* We cannot capsicum the executor process because it needs + * to fork(2)+execve(2) cgi scripts */ + return; +} + +void +sandbox_logger_process(void) +{ + if (cap_enter() == -1) + fatal("cap_enter"); +} + #elif defined(__linux__) #include @@ -124,7 +139,7 @@ sandbox_seccomp_catch_sigsys(void) #endif /* SC_DEBUG */ void -sandbox() +sandbox_server_process(void) { struct sock_filter filter[] = { /* load the *current* architecture */ @@ -239,12 +254,30 @@ sandbox() __func__, strerror(errno)); } +void +sandbox_executor_process(void) +{ + /* We cannot use seccomp for the executor process because we + * don't know what the child will do. Also, our filter will + * be inherited so the child cannot set its own seccomp + * policy. */ + return; +} + +void +sandbox_logger_process(void) +{ + /* To be honest, here we could use a seccomp policy to only + * allow writev(2) and memory allocations. */ + return; +} + #elif defined(__OpenBSD__) #include void -sandbox() +sandbox_server_process(void) { struct vhost *h; 
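Review bot: The Capsicum sandbox_logger_process() enters capability mode, after which any path-based syscall in the logger fails with ECAPMODE, so this is only safe if every file the logger writes is already open as a descriptor (or arrives over the imsg fd) before log.c calls it; the hunk does not show how logger_main obtains its log destinations, so this needs confirming against log.c. A comment stating the precondition would help, e.g. `/* Capability mode: no path-based opens after this; every log fd must already be open or be received via imsg. */`. If the logger ever reopens a log file by path (for instance on reload), that reopen will have to happen before this call or in a parent process.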
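Review bot: The comment in the Linux sandbox_executor_process() says an inherited filter means "the child cannot set its own seccomp policy", which is not how seccomp behaves: filters stack, so an exec'd CGI child can still install additional filters — what it cannot do is loosen the inherited one, and that inherited filter would deny the script whatever syscalls the executor's policy denies. Suggested wording: `/* No seccomp here: the executor must fork(2)+execve(2) cgi scripts, and a filter installed now would be inherited by them, so any syscall denied here would also be denied to every script. */`. The Linux sandbox_logger_process() comment already acknowledges that a tighter policy is possible; marking it `TODO` makes it easier to find later.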
@@ -257,12 +290,50 @@ sandbox() fatal("pledge"); } -#else - void -sandbox() +sandbox_executor_process(void) { + struct vhost *vhost; + + for (vhost = hosts; vhost->domain != NULL; ++vhost) { + /* r so we can chdir into the correct directory */ + if (unveil(vhost->dir, "rx") == -1) + err(1, "unveil %s for domain %s", + vhost->dir, vhost->domain); + } + + /* rpath to chdir into the correct directory */ + if (pledge("stdio rpath sendfd proc exec", NULL)) + err(1, "pledge"); +} + +void +sandbox_logger_process(void) +{ + if (pledge("stdio", NULL) == -1) + err(1, "pledge"); +} + +#else + +#warning "No sandbox method known for this OS" + +void +sandbox_server_process(void) +{ + return; +} + +void +sandbox_executor_process(void) +{ log_notice(NULL, "no sandbox method known for this OS"); } +void +sandbox_logger_process(void) +{ + return; +} + #endif blob - b059412a1bd3b72a09d57b87388b68d9a319bb3d blob + 0080b17b42ba540f8d10b754089ad1129bee9027 --- server.c +++ server.c @@ -1129,7 +1129,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct im signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL); signal_add(&sigusr2, NULL); - sandbox(); + sandbox_server_process(); event_dispatch(); _exit(0); }
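Review bot: The OpenBSD sandbox_executor_process() and sandbox_logger_process() report failure with err(1, ...) while sandbox_server_process() two lines above uses fatal("pledge"), and the executor's pledge check is `if (pledge(...))` rather than the `== -1` form used elsewhere in the file; the code was moved verbatim from ex.c and log.c, but now that it lives in sandbox.c it should follow that file's convention, e.g. `if (pledge("stdio rpath sendfd proc exec", NULL) == -1) fatal("pledge");` and likewise for the logger, keeping err() for the unveil failure if fatal() cannot format the domain name. A comment noting that the promise list deliberately omits "unveil" — which, if I read unveil(2) correctly, locks the unveil list once pledge succeeds — would explain why there is no trailing unveil(NULL, NULL). In the #else branch only sandbox_executor_process() emits the runtime log_notice while the server and logger variants return silently; the server previously carried that notice, so if the move is intentional a one-line comment saying why would help.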