Usage of unveil() and pledge() can be disabled from config.

author: default 2023-01-13 14:18:23 +0100
committer: default 2023-01-13 14:18:23 +0100
commit: 6406877af1177398c0c6087b39a745abb86b2c17 (patch)
tree: f20e36a2e08874767a503e130877c34334e9cc23
parent: Updated RELEASE_NOTES. (diff)
download: penes-snac2-6406877af1177398c0c6087b39a745abb86b2c17.tar.gz
penes-snac2-6406877af1177398c0c6087b39a745abb86b2c17.tar.xz
penes-snac2-6406877af1177398c0c6087b39a745abb86b2c17.zip
1 files changed, 18 insertions, 11 deletions
diff --git a/data.c b/data.c
index 5e6ce63..f90036d 100644
--- a/data.c
+++ b/data.c
@@ -87,17 +87,24 @@ int srv_open(char *basedir, int auto_upgrade)
        srv_log(error);
 #ifdef __OpenBSD__
-    srv_debug(2, xs_fmt("Calling unveil()"));
+    char *v = xs_dict_get(srv_config, "disable_openbsd_security");
-    unveil(basedir,                "rwc");
-    unveil("/usr/sbin/sendmail",   "x");
+    if (v && xs_type(v) == XSTYPE_TRUE) {
-    unveil("/etc/resolv.conf",     "r");
+        srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
-    unveil("/etc/hosts",           "r");
+    }
-    unveil("/etc/ssl/openssl.cnf", "r");
+    else {
-    unveil("/etc/ssl/cert.pem",    "r");
+        srv_debug(1, xs_fmt("Calling unveil()"));
-    unveil("/usr/share/zoneinfo",  "r");
+        unveil(basedir,                "rwc");
-    unveil(NULL,                   NULL);
+        unveil("/usr/sbin/sendmail",   "x");
-    srv_debug(2, xs_fmt("Calling pledge()"));
+        unveil("/etc/resolv.conf",     "r");
-    pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL);
+        unveil("/etc/hosts",           "r");
+        unveil("/etc/ssl/openssl.cnf", "r");
+        unveil("/etc/ssl/cert.pem",    "r");
+        unveil("/usr/share/zoneinfo",  "r");
+        unveil(NULL,                   NULL);
+        srv_debug(1, xs_fmt("Calling pledge()"));
+        pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL);
+    }
 #endif /* __OpenBSD__ */
    return ret;
author	default	2023-01-13 14:18:23 +0100
committer	default	2023-01-13 14:18:23 +0100
commit	6406877af1177398c0c6087b39a745abb86b2c17 (patch)
tree	f20e36a2e08874767a503e130877c34334e9cc23
parent	Updated RELEASE_NOTES. (diff)
download	penes-snac2-6406877af1177398c0c6087b39a745abb86b2c17.tar.gz penes-snac2-6406877af1177398c0c6087b39a745abb86b2c17.tar.xz penes-snac2-6406877af1177398c0c6087b39a745abb86b2c17.zip

diff --git a/data.c b/data.c index 5e6ce63..f90036d 100644 --- a/data.c +++ b/data.c
@@ -87,17 +87,24 @@ int srv_open(char *basedir, int auto_upgrade)
87	srv_log(error);	87	srv_log(error);
88		88
89	#ifdef __OpenBSD__	89	#ifdef __OpenBSD__
90	srv_debug(2, xs_fmt("Calling unveil()"));	90	char *v = xs_dict_get(srv_config, "disable_openbsd_security");
91	unveil(basedir, "rwc");	91
92	unveil("/usr/sbin/sendmail", "x");	92	if (v && xs_type(v) == XSTYPE_TRUE) {
93	unveil("/etc/resolv.conf", "r");	93	srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
94	unveil("/etc/hosts", "r");	94	}
95	unveil("/etc/ssl/openssl.cnf", "r");	95	else {
96	unveil("/etc/ssl/cert.pem", "r");	96	srv_debug(1, xs_fmt("Calling unveil()"));
97	unveil("/usr/share/zoneinfo", "r");	97	unveil(basedir, "rwc");
98	unveil(NULL, NULL);	98	unveil("/usr/sbin/sendmail", "x");
99	srv_debug(2, xs_fmt("Calling pledge()"));	99	unveil("/etc/resolv.conf", "r");
100	pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL);	100	unveil("/etc/hosts", "r");
		101	unveil("/etc/ssl/openssl.cnf", "r");
		102	unveil("/etc/ssl/cert.pem", "r");
		103	unveil("/usr/share/zoneinfo", "r");
		104	unveil(NULL, NULL);
		105	srv_debug(1, xs_fmt("Calling pledge()"));
		106	pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL);
		107	}
101	#endif /* __OpenBSD__ */	108	#endif /* __OpenBSD__ */
102		109
103	return ret;	110	return ret;