add port parsing for sandboxing

author: shtrophic 2025-01-20 22:59:30 +0100
committer: shtrophic 2025-01-20 22:59:30 +0100
commit: 4c1a2d24d374d00c656c4489db7d28f80d64f9dc (patch)
tree: 81f7ba7093202247ec51861aa3a6d304d3068d84
parent: add xs_smtp_request (diff)
download: penes-snac2-4c1a2d24d374d00c656c4489db7d28f80d64f9dc.tar.gz
penes-snac2-4c1a2d24d374d00c656c4489db7d28f80d64f9dc.tar.xz
penes-snac2-4c1a2d24d374d00c656c4489db7d28f80d64f9dc.zip
4 files changed, 70 insertions, 18 deletions
diff --git a/activitypub.c b/activitypub.c
index ca5cc3e..e5fc715 100644
--- a/activitypub.c
+++ b/activitypub.c
@@ -2465,9 +2465,9 @@ int process_input_message(snac *snac, const xs_dict *msg, const xs_dict *req)
 int send_email(const xs_dict *mailinfo)
-/* invoke sendmail with email headers and body in msg */
+/* invoke curl */
 {
-    const xs_dict *smtp_cfg = xs_dict_get(srv_config, "smtp");
+    const xs_dict *smtp_cfg = xs_dict_get(srv_config, "email_notifications");
    const char 
        *url  = xs_dict_get(smtp_cfg, "url"),
        *user = xs_dict_get(smtp_cfg, "username"),
diff --git a/sandbox.c b/sandbox.c
index cbe0043..875ae4e 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -8,8 +8,6 @@ void sbox_enter(const char *basedir)
 {
    const char *address = xs_dict_get(srv_config, "address");
-    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
        srv_log(xs_dup("OpenBSD security disabled by admin"));
        return;
@@ -24,9 +22,6 @@ void sbox_enter(const char *basedir)
    unveil("/etc/ssl/cert.pem",    "r");
    unveil("/usr/share/zoneinfo",  "r");
-    if (smail)
-        unveil("/usr/sbin/sendmail",   "x");
    if (*address == '/')
        unveil(address, "rwc");
@@ -36,9 +31,6 @@ void sbox_enter(const char *basedir)
    xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
-    if (smail)
-        p = xs_str_cat(p, " exec");
    if (*address == '/')
        p = xs_str_cat(p, " unix");
@@ -55,7 +47,7 @@ void sbox_enter(const char *basedir)
 #include "landloc.h"
 static
-LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
+LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smtp_port) {
    const unsigned long long
        rd = LANDLOCK_ACCESS_FS_READ_DIR,
@@ -94,9 +86,6 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
        LL_PATH(sdir, s);
    }
-    if (smail && mtime("/usr/sbin/sendmail") > 0)
-        LL_PATH("/usr/sbin/sendmail", x);
    if (*address != '/') {
        unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));
        LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
@@ -104,24 +93,34 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
    LL_PORT(80,  LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
    LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
+    if (smtp_port > 0)
+        LL_PORT((unsigned short)smtp_port, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
 } LL_END
 void sbox_enter(const char *basedir)
 {
+    const xs_val *v;
+    const char *errstr;
    const char *address = xs_dict_get(srv_config, "address");
+    int smtp_port = -1;
-    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
    if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
        srv_debug(1, xs_dup("Linux sandbox disabled by admin"));
        return;
    }
-    if (sbox_enter_linux_(basedir, address, smail) == 0)
+    if ((v = xs_dict_get(srv_config, "email_notifications")) && 
+        (v = xs_dict_get(v, "url"))) {
+        smtp_port = parse_port((const char *)v, &errstr);
+        if (errstr)
+            srv_debug(0, xs_fmt("Couldn't determine port from '%s': %s", (const char *)v, errstr));
+    }
+    if (sbox_enter_linux_(basedir, address, smtp_port) == 0)
        srv_debug(1, xs_dup("Linux sandbox enabled"));
    else
-        srv_debug(1, xs_dup("Linux sandbox failed"));
+        srv_debug(0, xs_dup("Linux sandbox failed"));
 }
 #else /* defined(WITH_LINUX_SANDBOX) */
diff --git a/snac.h b/snac.h
index 65ece5d..3db7b63 100644
--- a/snac.h
+++ b/snac.h
@@ -417,6 +417,7 @@ void import_blocked_accounts_csv(snac *user, const char *fn);
 void import_following_accounts_csv(snac *user, const char *fn);
 void import_list_csv(snac *user, const char *fn);
 void import_csv(snac *user);
+int parse_port(const char *url, const char **errstr);
 typedef enum {
 #define HTTP_STATUS(code, name, text) HTTP_STATUS_ ## name = code,
diff --git a/utils.c b/utils.c
index a5b1124..3b0a78f 100644
--- a/utils.c
+++ b/utils.c
@@ -904,3 +904,55 @@ void import_csv(snac *user)
    else
        snac_log(user, xs_fmt("Cannot open file %s", fn));
 }
+static const struct {
+        const char *proto;
+        unsigned short default_port;
+} FALLBACK_PORTS[] = {
+        /* caution: https > http, smpts > smtp */
+        {"https", 443},
+        {"http",  80},
+    {"smtps", 465},
+        {"smtp", 25}
+};
+int parse_port(const char *url, const char **errstr)
+{
+        const char *col, *rcol;
+        int tmp, ret = -1;
+    if (errstr)
+            *errstr = NULL;
+        if (!(col = strchr(url, ':'))) {
+        if (errstr)
+                    *errstr = "bad url";
+                return -1;
+        }
+        
+        for (size_t i = 0; i < sizeof(FALLBACK_PORTS) / sizeof(*FALLBACK_PORTS); ++i) {
+                if (memcmp(url, FALLBACK_PORTS[i].proto, strlen(FALLBACK_PORTS[i].proto)) == 0) {
+                        ret = FALLBACK_PORTS[i].default_port;
+                        break;
+                }
+        }
+        if (!(rcol = strchr(col + 1, ':')))
+                rcol = col;
+        if (rcol) {
+                tmp = atoi(rcol + 1);
+        if (tmp == 0) {
+            if (ret != -1) 
+                return ret;
+            
+            *errstr = strerror(errno);
+            return -1;
+        }
+                
+                return tmp;
+        }
+        *errstr = "unknown protocol";
+        return -1;
+}
author	shtrophic	2025-01-20 22:59:30 +0100
committer	shtrophic	2025-01-20 22:59:30 +0100
commit	4c1a2d24d374d00c656c4489db7d28f80d64f9dc (patch)
tree	81f7ba7093202247ec51861aa3a6d304d3068d84
parent	add xs_smtp_request (diff)
download	penes-snac2-4c1a2d24d374d00c656c4489db7d28f80d64f9dc.tar.gz penes-snac2-4c1a2d24d374d00c656c4489db7d28f80d64f9dc.tar.xz penes-snac2-4c1a2d24d374d00c656c4489db7d28f80d64f9dc.zip

diff --git a/activitypub.c b/activitypub.c index ca5cc3e..e5fc715 100644 --- a/activitypub.c +++ b/activitypub.c
@@ -2465,9 +2465,9 @@ int process_input_message(snac snac, const xs_dict msg, const xs_dict *req)
2465		2465
2466		2466
2467	int send_email(const xs_dict *mailinfo)	2467	int send_email(const xs_dict *mailinfo)
2468	/* invoke sendmail with email headers and body in msg */	2468	/* invoke curl */
2469	{	2469	{
2470	const xs_dict *smtp_cfg = xs_dict_get(srv_config, "smtp");	2470	const xs_dict *smtp_cfg = xs_dict_get(srv_config, "email_notifications");
2471	const char	2471	const char
2472	*url = xs_dict_get(smtp_cfg, "url"),	2472	*url = xs_dict_get(smtp_cfg, "url"),
2473	*user = xs_dict_get(smtp_cfg, "username"),	2473	*user = xs_dict_get(smtp_cfg, "username"),


diff --git a/sandbox.c b/sandbox.c index cbe0043..875ae4e 100644 --- a/sandbox.c +++ b/sandbox.c
@@ -8,8 +8,6 @@ void sbox_enter(const char *basedir)
8	{	8	{
9	const char *address = xs_dict_get(srv_config, "address");	9	const char *address = xs_dict_get(srv_config, "address");
10		10
11	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
12
13	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {	11	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
14	srv_log(xs_dup("OpenBSD security disabled by admin"));	12	srv_log(xs_dup("OpenBSD security disabled by admin"));
15	return;	13	return;
@@ -24,9 +22,6 @@ void sbox_enter(const char *basedir)
24	unveil("/etc/ssl/cert.pem", "r");	22	unveil("/etc/ssl/cert.pem", "r");
25	unveil("/usr/share/zoneinfo", "r");	23	unveil("/usr/share/zoneinfo", "r");
26		24
27	if (smail)
28	unveil("/usr/sbin/sendmail", "x");
29
30	if (*address == '/')	25	if (*address == '/')
31	unveil(address, "rwc");	26	unveil(address, "rwc");
32		27
@@ -36,9 +31,6 @@ void sbox_enter(const char *basedir)
36		31
37	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");	32	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
38		33
39	if (smail)
40	p = xs_str_cat(p, " exec");
41
42	if (*address == '/')	34	if (*address == '/')
43	p = xs_str_cat(p, " unix");	35	p = xs_str_cat(p, " unix");
44		36
@@ -55,7 +47,7 @@ void sbox_enter(const char *basedir)
55	#include "landloc.h"	47	#include "landloc.h"
56		48
57	static	49	static
58	LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {	50	LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smtp_port) {
59		51
60	const unsigned long long	52	const unsigned long long
61	rd = LANDLOCK_ACCESS_FS_READ_DIR,	53	rd = LANDLOCK_ACCESS_FS_READ_DIR,
@@ -94,9 +86,6 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
94	LL_PATH(sdir, s);	86	LL_PATH(sdir, s);
95	}	87	}
96		88
97	if (smail && mtime("/usr/sbin/sendmail") > 0)
98	LL_PATH("/usr/sbin/sendmail", x);
99
100	if (*address != '/') {	89	if (*address != '/') {
101	unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));	90	unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));
102	LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);	91	LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
@@ -104,24 +93,34 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
104		93
105	LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);	94	LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
106	LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);	95	LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
		96	if (smtp_port > 0)
		97	LL_PORT((unsigned short)smtp_port, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
107		98
108	} LL_END	99	} LL_END
109		100
110	void sbox_enter(const char *basedir)	101	void sbox_enter(const char *basedir)
111	{	102	{
		103	const xs_val *v;
		104	const char *errstr;
112	const char *address = xs_dict_get(srv_config, "address");	105	const char *address = xs_dict_get(srv_config, "address");
113		106	int smtp_port = -1;
114	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
115		107
116	if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {	108	if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
117	srv_debug(1, xs_dup("Linux sandbox disabled by admin"));	109	srv_debug(1, xs_dup("Linux sandbox disabled by admin"));
118	return;	110	return;
119	}	111	}
120		112
121	if (sbox_enter_linux_(basedir, address, smail) == 0)	113	if ((v = xs_dict_get(srv_config, "email_notifications")) &&
		114	(v = xs_dict_get(v, "url"))) {
		115	smtp_port = parse_port((const char *)v, &errstr);
		116	if (errstr)
		117	srv_debug(0, xs_fmt("Couldn't determine port from '%s': %s", (const char *)v, errstr));
		118	}
		119
		120	if (sbox_enter_linux_(basedir, address, smtp_port) == 0)
122	srv_debug(1, xs_dup("Linux sandbox enabled"));	121	srv_debug(1, xs_dup("Linux sandbox enabled"));
123	else	122	else
124	srv_debug(1, xs_dup("Linux sandbox failed"));	123	srv_debug(0, xs_dup("Linux sandbox failed"));
125	}	124	}
126		125
127	#else /* defined(WITH_LINUX_SANDBOX) */	126	#else /* defined(WITH_LINUX_SANDBOX) */


diff --git a/snac.h b/snac.h index 65ece5d..3db7b63 100644 --- a/snac.h +++ b/snac.h
@@ -417,6 +417,7 @@ void import_blocked_accounts_csv(snac user, const char fn);
417	void import_following_accounts_csv(snac user, const char fn);	417	void import_following_accounts_csv(snac user, const char fn);
418	void import_list_csv(snac user, const char fn);	418	void import_list_csv(snac user, const char fn);
419	void import_csv(snac *user);	419	void import_csv(snac *user);
		420	int parse_port(const char url, const char *errstr);
420		421
421	typedef enum {	422	typedef enum {
422	#define HTTP_STATUS(code, name, text) HTTP_STATUS_ ## name = code,	423	#define HTTP_STATUS(code, name, text) HTTP_STATUS_ ## name = code,


diff --git a/utils.c b/utils.c index a5b1124..3b0a78f 100644 --- a/utils.c +++ b/utils.c
@@ -904,3 +904,55 @@ void import_csv(snac *user)
904	else	904	else
905	snac_log(user, xs_fmt("Cannot open file %s", fn));	905	snac_log(user, xs_fmt("Cannot open file %s", fn));
906	}	906	}
		907
		908	static const struct {
		909	const char *proto;
		910	unsigned short default_port;
		911	} FALLBACK_PORTS[] = {
		912	/* caution: https > http, smpts > smtp */
		913	{"https", 443},
		914	{"http", 80},
		915	{"smtps", 465},
		916	{"smtp", 25}
		917	};
		918
		919	int parse_port(const char url, const char *errstr)
		920	{
		921	const char col, rcol;
		922	int tmp, ret = -1;
		923
		924	if (errstr)
		925	*errstr = NULL;
		926
		927	if (!(col = strchr(url, ':'))) {
		928	if (errstr)
		929	*errstr = "bad url";
		930	return -1;
		931	}
		932
		933	for (size_t i = 0; i < sizeof(FALLBACK_PORTS) / sizeof(*FALLBACK_PORTS); ++i) {
		934	if (memcmp(url, FALLBACK_PORTS[i].proto, strlen(FALLBACK_PORTS[i].proto)) == 0) {
		935	ret = FALLBACK_PORTS[i].default_port;
		936	break;
		937	}
		938	}
		939
		940	if (!(rcol = strchr(col + 1, ':')))
		941	rcol = col;
		942
		943	if (rcol) {
		944	tmp = atoi(rcol + 1);
		945	if (tmp == 0) {
		946	if (ret != -1)
		947	return ret;
		948
		949	*errstr = strerror(errno);
		950	return -1;
		951	}
		952
		953	return tmp;
		954	}
		955
		956	*errstr = "unknown protocol";
		957	return -1;
		958	}