|
@@ -2,32 +2,54 @@
|
|
|
|
|
|
#include "snac.h"
|
|
|
|
|
|
-#ifdef __linux__
|
|
|
-#ifndef WITHOUT_SANDBOX
|
|
|
-#include <linux/version.h>
|
|
|
+#if defined(__OpenBSD__)
|
|
|
|
|
|
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 13, 0)
|
|
|
-#define WITHOUT_SANDBOX
|
|
|
-#endif
|
|
|
-#endif
|
|
|
-#endif
|
|
|
+void sbox_enter(const char *basedir)
|
|
|
+{
|
|
|
+ const char *address = xs_dict_get(srv_config, "address");
|
|
|
|
|
|
+ int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
|
|
|
|
|
|
-#ifdef WITHOUT_SANDBOX
|
|
|
+ if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
|
|
|
+ srv_log(xs_dup("OpenBSD security disabled by admin"));
|
|
|
+ return;
|
|
|
+ }
|
|
|
|
|
|
-void sbox_enter(const char *basedir)
|
|
|
-{
|
|
|
-
|
|
|
- (void)basedir;
|
|
|
+ srv_debug(1, xs_fmt("Calling unveil()"));
|
|
|
+ unveil(basedir, "rwc");
|
|
|
+ unveil("/tmp", "rwc");
|
|
|
+ unveil("/etc/resolv.conf", "r");
|
|
|
+ unveil("/etc/hosts", "r");
|
|
|
+ unveil("/etc/ssl/openssl.cnf", "r");
|
|
|
+ unveil("/etc/ssl/cert.pem", "r");
|
|
|
+ unveil("/usr/share/zoneinfo", "r");
|
|
|
+
|
|
|
+ if (smail)
|
|
|
+ unveil("/usr/sbin/sendmail", "x");
|
|
|
+
|
|
|
+ if (*address == '/')
|
|
|
+ unveil(address, "rwc");
|
|
|
+
|
|
|
+ unveil(NULL, NULL);
|
|
|
+
|
|
|
+ srv_debug(1, xs_fmt("Calling pledge()"));
|
|
|
+
|
|
|
+ xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
|
|
|
+
|
|
|
+ if (smail)
|
|
|
+ p = xs_str_cat(p, " exec");
|
|
|
+
|
|
|
+ if (*address == '/')
|
|
|
+ p = xs_str_cat(p, " unix");
|
|
|
|
|
|
- srv_debug(0, xs_fmt("Linux sandboxing disabled or unsupported"));
|
|
|
+ pledge(p, NULL);
|
|
|
}
|
|
|
|
|
|
-#else
|
|
|
+#elif defined(__linux__)
|
|
|
|
|
|
-#include <unistd.h>
|
|
|
+#if defined(WITH_LINUX_SANDBOX)
|
|
|
|
|
|
-#if defined (__linux__)
|
|
|
+#include <unistd.h>
|
|
|
|
|
|
#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
|
|
|
#include "landloc.h"
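Review bot: The return values of unveil() and pledge() in the new OpenBSD sbox_enter (from `unveil(basedir, "rwc")` down to `pledge(p, NULL)`) are never checked, so a rejected path or a promise string the running kernel does not accept leaves the daemon running fully unsandboxed while the debug log reports "Calling pledge()" as if it had succeeded. A hardening layer that fails open silently is worse than none, because the admin believes it is active; either abort startup or at least report at level 0, e.g. `if (pledge(p, NULL) == -1) { srv_log(xs_fmt("pledge() failed: %s", strerror(errno))); exit(1); }`, with a small checked wrapper for the seven unveil calls as sketched below. This branch also honours only `disable_openbsd_security` while the Linux branch in the same file honours `disable_sandbox`, so the same config key means different things per platform and deserves a comment or unification. The branch visibly includes no <unistd.h>/<errno.h>; unless snac.h provides them (not visible here) they need adding.
```c
/* Refuse to start unsandboxed if the kernel rejects a restriction. */
static void sbox_unveil(const char *path, const char *perms)
{
    if (unveil(path, perms) == -1) {
        srv_log(xs_fmt("unveil(%s, %s) failed: %s", path, perms, strerror(errno)));
        exit(1);
    }
}

/* … unchanged: sbox_enter body, each unveil(x, y) call replaced by sbox_unveil(x, y) … */

    if (pledge(p, NULL) == -1) {
        srv_log(xs_fmt("pledge() failed: %s", strerror(errno)));
        exit(1);
    }
```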
|
|
@@ -85,66 +107,42 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
|
|
|
|
|
|
} LL_END
|
|
|
|
|
|
-#endif
|
|
|
-
|
|
|
void sbox_enter(const char *basedir)
|
|
|
{
|
|
|
const char *address = xs_dict_get(srv_config, "address");
|
|
|
|
|
|
int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
|
|
|
|
|
|
-#if defined (__OpenBSD__)
|
|
|
- if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
|
|
|
- srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
|
|
|
- return;
|
|
|
- }
|
|
|
if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
|
|
|
- srv_debug(0, xs_dup("Sandbox disabled by admin"));
|
|
|
+ srv_debug(1, xs_dup("Linux sandbox disabled by admin"));
|
|
|
return;
|
|
|
}
|
|
|
|
|
|
- srv_debug(1, xs_fmt("Calling unveil()"));
|
|
|
- unveil(basedir, "rwc");
|
|
|
- unveil("/tmp", "rwc");
|
|
|
- unveil("/etc/resolv.conf", "r");
|
|
|
- unveil("/etc/hosts", "r");
|
|
|
- unveil("/etc/ssl/openssl.cnf", "r");
|
|
|
- unveil("/etc/ssl/cert.pem", "r");
|
|
|
- unveil("/usr/share/zoneinfo", "r");
|
|
|
-
|
|
|
- if (smail)
|
|
|
- unveil("/usr/sbin/sendmail", "x");
|
|
|
-
|
|
|
- if (*address == '/')
|
|
|
- unveil(address, "rwc");
|
|
|
-
|
|
|
- unveil(NULL, NULL);
|
|
|
-
|
|
|
- srv_debug(1, xs_fmt("Calling pledge()"));
|
|
|
+ if (sbox_enter_linux_(basedir, address, smail) == 0)
|
|
|
+ srv_debug(1, xs_dup("Linux sandbox enabled"));
|
|
|
+ else
|
|
|
+ srv_debug(1, xs_dup("Linux sandbox failed"));
|
|
|
+}
|
|
|
|
|
|
- xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
|
|
|
+#else
|
|
|
|
|
|
- if (smail)
|
|
|
- p = xs_str_cat(p, " exec");
|
|
|
+void sbox_enter(const char *basedir)
|
|
|
+{
|
|
|
+ (void)basedir;
|
|
|
|
|
|
- if (*address == '/')
|
|
|
- p = xs_str_cat(p, " unix");
|
|
|
+ srv_debug(1, xs_fmt("Linux sandbox not compiled in"));
|
|
|
+}
|
|
|
|
|
|
- pledge(p, NULL);
|
|
|
+#endif
|
|
|
|
|
|
-#elif defined (__linux__)
|
|
|
-
|
|
|
- if (xs_is_true(xs_dict_get_def(srv_config, "disable_sandbox", xs_stock(XSTYPE_TRUE)))) {
|
|
|
- srv_debug(0, xs_dup("Sandbox disabled by admin"));
|
|
|
- return;
|
|
|
- }
|
|
|
+#else
|
|
|
|
|
|
- if (sbox_enter_linux_(basedir, address, smail) == 0)
|
|
|
- srv_log(xs_dup("landlocked"));
|
|
|
- else
|
|
|
- srv_log(xs_dup("landlocking failed"));
|
|
|
+
|
|
|
|
|
|
-#endif
|
|
|
+void sbox_enter(const char *basedir)
|
|
|
+{
|
|
|
+ (void)basedir;
|
|
|
}
|
|
|
|
|
|
-#endif
|
|
|
+
|
|
|
+#endif
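Review bot: The Landlock failure path `srv_debug(1, xs_dup("Linux sandbox failed"))` downgrades the removed `srv_log(xs_dup("landlocking failed"))` to a debug-level message, so on a kernel without Landlock (the compile-time 5.13 version check this commit deletes no longer filters that case) the server keeps running unsandboxed and a default-verbosity log shows nothing. Fail-open may be acceptable for an optional hardening layer, but it has to be loud: `srv_log(xs_dup("Linux sandbox failed; running without sandbox"))`, or abort when the admin has not set `disable_sandbox`. The same applies to the `Linux sandbox not compiled in` stub and to the generic `#else` sbox_enter, which logs nothing at all, so an operator cannot tell from the logs whether any sandbox is in effect. sbox_enter_linux_ (the `} LL_END` context line) starts outside this hunk.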
|