Minor rework to sandbox code.

author: default 2025-01-06 15:22:13 +0100
committer: default 2025-01-06 15:22:13 +0100
commit: f1295a471fcf2ff351de3001e92c6190c5f7439e (patch)
tree: 55f6ccd2f99db1c0e2de0e8b8267e3ff148116d1 /sandbox.c
parent: Updated RELEASE_NOTES. (diff)
download: penes-snac2-f1295a471fcf2ff351de3001e92c6190c5f7439e.tar.gz
penes-snac2-f1295a471fcf2ff351de3001e92c6190c5f7439e.tar.xz
penes-snac2-f1295a471fcf2ff351de3001e92c6190c5f7439e.zip
1 files changed, 59 insertions, 61 deletions
diff --git a/sandbox.c b/sandbox.c
index efd0db5..0b89205 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -2,32 +2,54 @@
 #include "snac.h"
-#ifdef __linux__
+#if defined(__OpenBSD__)
-#ifndef WITHOUT_SANDBOX
-#include <linux/version.h>
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 13, 0)
+void sbox_enter(const char *basedir)
-#define WITHOUT_SANDBOX
+{
-#endif
+    const char *address = xs_dict_get(srv_config, "address");
-#endif
-#endif /* __linux__ */
+    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
-#ifdef WITHOUT_SANDBOX
+    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
+        srv_log(xs_dup("OpenBSD security disabled by admin"));
+        return;
+    }
-void sbox_enter(const char *basedir)
+    srv_debug(1, xs_fmt("Calling unveil()"));
-{
+    unveil(basedir,                "rwc");
-    /* nothing to do */
+    unveil("/tmp",                 "rwc");
-    (void)basedir;
+    unveil("/etc/resolv.conf",     "r");
+    unveil("/etc/hosts",           "r");
+    unveil("/etc/ssl/openssl.cnf", "r");
+    unveil("/etc/ssl/cert.pem",    "r");
+    unveil("/usr/share/zoneinfo",  "r");
+    if (smail)
+        unveil("/usr/sbin/sendmail",   "x");
+    if (*address == '/')
+        unveil(address, "rwc");
+    unveil(NULL,                   NULL);
+    srv_debug(1, xs_fmt("Calling pledge()"));
+    xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
+    if (smail)
+        p = xs_str_cat(p, " exec");
+    if (*address == '/')
+        p = xs_str_cat(p, " unix");
-    srv_debug(0, xs_fmt("Linux sandboxing disabled or unsupported"));
+    pledge(p, NULL);
 }
-#else /* WITHOUT_SANDBOX */
+#elif defined(__linux__)
-#include <unistd.h>
+#if defined(WITH_LINUX_SANDBOX)
-#if defined (__linux__)
+#include <unistd.h>
 #define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
 #include "landloc.h"
@@ -85,66 +107,42 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
 } LL_END
-#endif
 void sbox_enter(const char *basedir)
 {
    const char *address = xs_dict_get(srv_config, "address");
    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
-#if defined (__OpenBSD__)
-    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
-        srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
-        return;
-    }
    if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
-        srv_debug(0, xs_dup("Sandbox disabled by admin"));
+        srv_debug(1, xs_dup("Linux sandbox disabled by admin"));
        return;
    }
-    srv_debug(1, xs_fmt("Calling unveil()"));
+    if (sbox_enter_linux_(basedir, address, smail) == 0)
-    unveil(basedir,                "rwc");
+        srv_debug(1, xs_dup("Linux sandbox enabled"));
-    unveil("/tmp",                 "rwc");
+    else
-    unveil("/etc/resolv.conf",     "r");
+        srv_debug(1, xs_dup("Linux sandbox failed"));
-    unveil("/etc/hosts",           "r");
+}
-    unveil("/etc/ssl/openssl.cnf", "r");
-    unveil("/etc/ssl/cert.pem",    "r");
-    unveil("/usr/share/zoneinfo",  "r");
-    if (smail)
-        unveil("/usr/sbin/sendmail",   "x");
-    if (*address == '/')
-        unveil(address, "rwc");
-    unveil(NULL,                   NULL);
-    srv_debug(1, xs_fmt("Calling pledge()"));
-    xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
+#else /* defined(WITH_LINUX_SANDBOX) */
-    if (smail)
+void sbox_enter(const char *basedir)
-        p = xs_str_cat(p, " exec");
+{
+    (void)basedir;
-    if (*address == '/')
+    srv_debug(1, xs_fmt("Linux sandbox not compiled in"));
-        p = xs_str_cat(p, " unix");
+}
-    pledge(p, NULL);
+#endif
-#elif defined (__linux__)
+#else
-    
-    if (xs_is_true(xs_dict_get_def(srv_config, "disable_sandbox", xs_stock(XSTYPE_TRUE)))) {
-        srv_debug(0, xs_dup("Sandbox disabled by admin"));
-        return;
-    }
-    if (sbox_enter_linux_(basedir, address, smail) == 0)
+/* other OSs: dummy sbox_enter() */
-        srv_log(xs_dup("landlocked"));
-    else
-        srv_log(xs_dup("landlocking failed"));
-#endif
+void sbox_enter(const char *basedir)
+{
+    (void)basedir;
 }
-#endif /* WITHOUT_SANDBOX */
+#endif /* __OpenBSD__ */
author	default	2025-01-06 15:22:13 +0100
committer	default	2025-01-06 15:22:13 +0100
commit	f1295a471fcf2ff351de3001e92c6190c5f7439e (patch)
tree	55f6ccd2f99db1c0e2de0e8b8267e3ff148116d1 /sandbox.c
parent	Updated RELEASE_NOTES. (diff)
download	penes-snac2-f1295a471fcf2ff351de3001e92c6190c5f7439e.tar.gz penes-snac2-f1295a471fcf2ff351de3001e92c6190c5f7439e.tar.xz penes-snac2-f1295a471fcf2ff351de3001e92c6190c5f7439e.zip

diff --git a/sandbox.c b/sandbox.c index efd0db5..0b89205 100644 --- a/sandbox.c +++ b/sandbox.c
@@ -2,32 +2,54 @@
2		2
3	#include "snac.h"	3	#include "snac.h"
4		4
5	#ifdef __linux__	5	#if defined(__OpenBSD__)
6	#ifndef WITHOUT_SANDBOX
7	#include <linux/version.h>
8		6
9	#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 13, 0)	7	void sbox_enter(const char *basedir)
10	#define WITHOUT_SANDBOX	8	{
11	#endif	9	const char *address = xs_dict_get(srv_config, "address");
12	#endif
13	#endif /* __linux__ */
14		10
		11	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
15		12
16	#ifdef WITHOUT_SANDBOX	13	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
		14	srv_log(xs_dup("OpenBSD security disabled by admin"));
		15	return;
		16	}
17		17
18	void sbox_enter(const char *basedir)	18	srv_debug(1, xs_fmt("Calling unveil()"));
19	{	19	unveil(basedir, "rwc");
20	/* nothing to do */	20	unveil("/tmp", "rwc");
21	(void)basedir;	21	unveil("/etc/resolv.conf", "r");
		22	unveil("/etc/hosts", "r");
		23	unveil("/etc/ssl/openssl.cnf", "r");
		24	unveil("/etc/ssl/cert.pem", "r");
		25	unveil("/usr/share/zoneinfo", "r");
		26
		27	if (smail)
		28	unveil("/usr/sbin/sendmail", "x");
		29
		30	if (*address == '/')
		31	unveil(address, "rwc");
		32
		33	unveil(NULL, NULL);
		34
		35	srv_debug(1, xs_fmt("Calling pledge()"));
		36
		37	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
		38
		39	if (smail)
		40	p = xs_str_cat(p, " exec");
		41
		42	if (*address == '/')
		43	p = xs_str_cat(p, " unix");
22		44
23	srv_debug(0, xs_fmt("Linux sandboxing disabled or unsupported"));	45	pledge(p, NULL);
24	}	46	}
25		47
26	#else /* WITHOUT_SANDBOX */	48	#elif defined(__linux__)
27		49
28	#include <unistd.h>	50	#if defined(WITH_LINUX_SANDBOX)
29		51
30	#if defined (__linux__)	52	#include <unistd.h>
31		53
32	#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))	54	#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
33	#include "landloc.h"	55	#include "landloc.h"
@@ -85,66 +107,42 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
85		107
86	} LL_END	108	} LL_END
87		109
88	#endif
89
90	void sbox_enter(const char *basedir)	110	void sbox_enter(const char *basedir)
91	{	111	{
92	const char *address = xs_dict_get(srv_config, "address");	112	const char *address = xs_dict_get(srv_config, "address");
93		113
94	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));	114	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
95		115
96	#if defined (__OpenBSD__)
97	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
98	srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
99	return;
100	}
101	if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {	116	if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
102	srv_debug(0, xs_dup("Sandbox disabled by admin"));	117	srv_debug(1, xs_dup("Linux sandbox disabled by admin"));
103	return;	118	return;
104	}	119	}
105		120
106	srv_debug(1, xs_fmt("Calling unveil()"));	121	if (sbox_enter_linux_(basedir, address, smail) == 0)
107	unveil(basedir, "rwc");	122	srv_debug(1, xs_dup("Linux sandbox enabled"));
108	unveil("/tmp", "rwc");	123	else
109	unveil("/etc/resolv.conf", "r");	124	srv_debug(1, xs_dup("Linux sandbox failed"));
110	unveil("/etc/hosts", "r");	125	}
111	unveil("/etc/ssl/openssl.cnf", "r");
112	unveil("/etc/ssl/cert.pem", "r");
113	unveil("/usr/share/zoneinfo", "r");
114
115	if (smail)
116	unveil("/usr/sbin/sendmail", "x");
117
118	if (*address == '/')
119	unveil(address, "rwc");
120
121	unveil(NULL, NULL);
122
123	srv_debug(1, xs_fmt("Calling pledge()"));
124		126
125	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");	127	#else /* defined(WITH_LINUX_SANDBOX) */
126		128
127	if (smail)	129	void sbox_enter(const char *basedir)
128	p = xs_str_cat(p, " exec");	130	{
		131	(void)basedir;
129		132
130	if (*address == '/')	133	srv_debug(1, xs_fmt("Linux sandbox not compiled in"));
131	p = xs_str_cat(p, " unix");	134	}
132		135
133	pledge(p, NULL);	136	#endif
134		137
135	#elif defined (__linux__)	138	#else
136
137	if (xs_is_true(xs_dict_get_def(srv_config, "disable_sandbox", xs_stock(XSTYPE_TRUE)))) {
138	srv_debug(0, xs_dup("Sandbox disabled by admin"));
139	return;
140	}
141		139
142	if (sbox_enter_linux_(basedir, address, smail) == 0)	140	/* other OSs: dummy sbox_enter() */
143	srv_log(xs_dup("landlocked"));
144	else
145	srv_log(xs_dup("landlocking failed"));
146		141
147	#endif	142	void sbox_enter(const char *basedir)
		143	{
		144	(void)basedir;
148	}	145	}
149		146
150	#endif /* WITHOUT_SANDBOX */	147
		148	#endif /* __OpenBSD__ */