diff options
| author |  shtrophic | 2024-12-08 08:48:44 +0100 |
|---|---|---|
| committer | shtrophic | 2024-12-08 08:51:02 +0100 |
| commit | 7d07d3bffd2994055165d10a57e93327fc86d961 (patch) | |
| tree | 33a975794882e38f569fc3a657b844a19ea3f572 /sandbox.c | |
| parent | Merge branch 'master' into master (diff) | |
| download | penes-snac2-7d07d3bffd2994055165d10a57e93327fc86d961.tar.gz penes-snac2-7d07d3bffd2994055165d10a57e93327fc86d961.tar.xz penes-snac2-7d07d3bffd2994055165d10a57e93327fc86d961.zip | |
cleanup rules
Diffstat (limited to 'sandbox.c')
| -rw-r--r-- | sandbox.c | 52 |
1 files changed, 29 insertions, 23 deletions
| @@ -9,42 +9,48 @@ | |||
| 9 | #define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__)) | 9 | #define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__)) |
| 10 | #include "landloc.h" | 10 | #include "landloc.h" |
| 11 | 11 | ||
| 12 | #define LL_R LANDLOCK_ACCESS_FS_READ_FILE | ||
| 13 | #define LL_X LANDLOCK_ACCESS_FS_EXECUTE | ||
| 14 | #define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER) | ||
| 15 | #define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR) | ||
| 16 | #define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK) | ||
| 17 | #define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP | ||
| 18 | #define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP | ||
| 19 | |||
| 20 | static | 12 | static |
| 21 | LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) { | 13 | LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) { |
| 22 | 14 | ||
| 23 | LL_PATH(basedir, LL_RWCD); | 15 | const unsigned long long |
| 24 | LL_PATH("/tmp", LL_RWCD); | 16 | r = LANDLOCK_ACCESS_FS_READ_DIR | |
| 17 | LANDLOCK_ACCESS_FS_READ_FILE, | ||
| 18 | w = LANDLOCK_ACCESS_FS_WRITE_FILE | | ||
| 19 | LANDLOCK_ACCESS_FS_TRUNCATE, | ||
| 20 | c = LANDLOCK_ACCESS_FS_MAKE_DIR | | ||
| 21 | LANDLOCK_ACCESS_FS_MAKE_REG | | ||
| 22 | LANDLOCK_ACCESS_FS_TRUNCATE | | ||
| 23 | LANDLOCK_ACCESS_FS_MAKE_SYM | | ||
| 24 | LANDLOCK_ACCESS_FS_REMOVE_DIR | | ||
| 25 | LANDLOCK_ACCESS_FS_REMOVE_FILE | | ||
| 26 | LANDLOCK_ACCESS_FS_REFER, | ||
| 27 | s = LANDLOCK_ACCESS_FS_MAKE_SOCK, | ||
| 28 | x = LANDLOCK_ACCESS_FS_EXECUTE; | ||
| 29 | |||
| 30 | LL_PATH(basedir, r|w|c); | ||
| 31 | LL_PATH("/tmp", r|w|c); | ||
| 25 | #ifndef WITHOUT_SHM | 32 | #ifndef WITHOUT_SHM |
| 26 | LL_PATH("/dev/shm", LL_RWCF); | 33 | LL_PATH("/dev/shm", r|w|c); |
| 27 | #endif | 34 | #endif |
| 28 | LL_PATH("/etc/resolv.conf", LL_R ); | 35 | LL_PATH("/etc/resolv.conf", r ); |
| 29 | LL_PATH("/etc/hosts", LL_R ); | 36 | LL_PATH("/etc/hosts", r ); |
| 30 | LL_PATH("/etc/ssl/openssl.cnf", LL_R ); | 37 | LL_PATH("/etc/ssl/openssl.cnf", r ); |
| 31 | LL_PATH("/etc/ssl/cert.pem", LL_R ); | 38 | LL_PATH("/etc/ssl/cert.pem", r ); |
| 32 | LL_PATH("/usr/share/zoneinfo", LL_R ); | 39 | LL_PATH("/usr/share/zoneinfo", r ); |
| 33 | 40 | ||
| 34 | if (*address == '/') | 41 | if (*address == '/') |
| 35 | LL_PATH(address, LL_UNIX); | 42 | LL_PATH(address, s); |
| 36 | 43 | ||
| 37 | if (smail) | 44 | if (smail) |
| 38 | LL_PATH("/usr/sbin/sendmail", LL_X); | 45 | LL_PATH("/usr/sbin/sendmail", x); |
| 39 | |||
| 40 | 46 | ||
| 41 | if (*address != '/') { | 47 | if (*address != '/') { |
| 42 | LL_PORT( | 48 | unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port")); |
| 43 | (unsigned short)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND); | 49 | LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP); |
| 44 | } | 50 | } |
| 45 | 51 | ||
| 46 | LL_PORT(80, LL_CONN); | 52 | LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP); |
| 47 | LL_PORT(443, LL_CONN); | 53 | LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP); |
| 48 | 54 | ||
| 49 | } LL_END | 55 | } LL_END |
| 50 | 56 | ||