commit 760009951357d4c36991c4c6a62db973289b32d9 from: Omar Polo date: Tue Sep 06 16:40:38 2022 UTC optionally disable the sandbox on some systems The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy' configuration rules: new sockets needs to be opened and it's either impossible (the former) or a huge pain in the arse (the latter). The sandbox is still always used in case only static files are served. commit - 36e6e793a159a4241b87c62345e4bad2485728c6 commit + 760009951357d4c36991c4c6a62db973289b32d9 blob - a9e855207766eed4b0f02130fb6a37a621e6b4db blob + 38b99ad306905dfa7d5831ed26d91fc0102d364c --- gmid.h +++ gmid.h @@ -196,6 +196,7 @@ struct conf { /* from command line */ int foreground; int verbose; + int can_open_sockets; /* in the config */ int port; @@ -366,7 +367,7 @@ void fcgi_error(struct bufferevent *, short, void *) void fcgi_req(struct client *); /* sandbox.c */ -void sandbox_server_process(void); +void sandbox_server_process(int); void sandbox_logger_process(void); /* utf8.c */ blob - 1eaf0c716b73bfcdc8e33fc6f8fc17a27d875d8c blob + 96ab053d9087b7965cba97623de12cd5f68f3d4d --- parse.y +++ parse.y @@ -1049,6 +1049,8 @@ struct proxy * new_proxy(void) { struct proxy *p; + + conf.can_open_sockets = 1; p = xcalloc(1, sizeof(*p)); p->protocols = TLS_PROTOCOLS_DEFAULT; @@ -1173,6 +1175,8 @@ fastcgi_conf(char *path, char *port, char *prog) struct fcgi *f; int i; + conf.can_open_sockets = 1; + for (i = 0; i < FCGI_MAX; ++i) { f = &fcgi[i]; blob - 78fc079906d679e45ce03e8477bd58614288e2f3 blob + 52a161ddc90a8a4446fda741dca4c8fbc1729d7f --- sandbox.c +++ sandbox.c @@ -21,7 +21,7 @@ #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox." void -sandbox_server_process(void) +sandbox_server_process(int can_open_sockets) { return; } 
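Review bot: The new `int can_open_sockets;` in `struct conf` (gmid.h hunk at -196,6) sits under the `/* from command line */` group, yet the parse.y hunks of this commit set it from the parser, not from the command line. It is also undocumented, although it decides whether the server process is sandboxed at all on FreeBSD and Linux. I would move it below `/* in the config */` and document it in place: `int can_open_sockets; /* set by the parser for fastcgi/proxy rules; non-zero skips the FreeBSD/Linux server sandbox */`. The struct continues outside the hunk.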
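Review bot: `conf.can_open_sockets = 1;` in `new_proxy()` (parse.y hunk at -1049,6) and again in `fastcgi_conf()` (hunk at -1173,6) only ever raises the flag; nothing in this diff clears it. If `conf` survives a configuration reload (not visible here), a config that drops its last `proxy` or `fastcgi` rule would still start the server process without the sandbox. Resetting the flag where the parser sets its defaults before reading the file, `conf.can_open_sockets = 0;`, would tie it to the configuration actually loaded. Both function bodies continue outside their hunks.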
@@ -37,8 +37,12 @@ sandbox_logger_process(void) #include void -sandbox_server_process(void) +sandbox_server_process(int can_open_sockets) { + /* can't capsicum if fastcgi or proxying are used. */ + if (can_open_sockets) + return; + if (cap_enter() == -1) fatal("cap_enter"); } @@ -537,13 +541,18 @@ logger_landlock(void) #endif void -sandbox_server_process(void) +sandbox_server_process(int can_open_sockets) { const struct sock_fprog prog = { .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])), .filter = filter, }; + /* can't seccomp/landlock if fastcgi or proxying are used. */ + if (can_open_sockets) + return; + + #ifdef SC_DEBUG sandbox_seccomp_catch_sigsys(); #endif @@ -592,7 +601,7 @@ sandbox_logger_process(void) #include void -sandbox_server_process(void) +sandbox_server_process(int can_open_sockets) { struct vhost *h; struct location *l; @@ -625,7 +634,7 @@ sandbox_logger_process(void) #warning "No sandbox method known for this OS" void -sandbox_server_process(void) +sandbox_server_process(int can_open_sockets) { return; } blob - 4e62ad3604d68309f967a4b07a403ed959e1535e blob + b87974e60ac299ac783f598b851fa97599ada8b4 --- server.c +++ server.c @@ -1378,7 +1378,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct im signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL); signal_add(&sigusr2, NULL); - sandbox_server_process(); + sandbox_server_process(conf.can_open_sockets); event_dispatch(); _exit(0); }
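Review bot: The FreeBSD `sandbox_server_process` (sandbox.c hunk at -37,8) now returns before `cap_enter()` without leaving any trace, so an operator who adds one `fastcgi` or `proxy` rule loses the sandbox silently. The Linux variant in the hunk at -537,13 has the same silent early return. Emitting a single warning before the `return` would make the downgrade visible in the logs, in the shape `if (can_open_sockets) { /* warn: server sandbox disabled by fastcgi/proxy rules */ return; }`, with the comment replaced by a call to the daemon's logger. The manual entries for `fastcgi` and `proxy` would ideally state the same trade-off.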
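Review bot: The early `return` in the Linux `sandbox_server_process` (sandbox.c hunk at -537,13) skips everything after it, and the added comment says that this covers landlock as well as seccomp. These are two independent layers. The landlock setup is outside this hunk, but if its rules only restrict filesystem access, they could presumably stay in force for the fastcgi/proxy case, with only the seccomp filter skipped. If that is not feasible, the comment should say why, for example `/* landlock is skipped too because <reason>; only static-file configs are confined */`, so the next reader does not assume the filesystem restriction still applies. The hunk also adds a second blank line after the `return;` that can be dropped, and the function body continues outside the hunk.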