Diffstat (limited to 'sandbox.c')
| -rw-r--r-- | sandbox.c | 106 |
1 files changed, 106 insertions, 0 deletions
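--- /dev/null
+++ b/sandbox.c
@@ -0,0 +1,106 @@
+#include "xs.h"
+
+#include "snac.h"
+
+#include <unistd.h>
+
+#if defined (__linux__)
+
+#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
+#include "landloc.h"
+
+#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
+#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
+#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER)
+#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR)
+#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
+#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
+#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
+
+static
+LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
+
+LL_PATH(basedir, LL_RWCD);
+LL_PATH("/tmp", LL_RWCD);
+#ifndef WITHOUT_SHM
+LL_PATH("/dev/shm", LL_RWCF);
+#endif
+LL_PATH("/etc/resolv.conf", LL_R );
+LL_PATH("/etc/hosts", LL_R );
+LL_PATH("/etc/ssl/openssl.cnf", LL_R );
+LL_PATH("/etc/ssl/cert.pem", LL_R );
+LL_PATH("/usr/share/zoneinfo", LL_R );
+
+if (*address == '/')
+LL_PATH(address, LL_UNIX);
+
+if (smail)
+LL_PATH("/usr/sbin/sendmail", LL_X);
+
+
+if (*address != '/') {
+LL_PORT(
+(unsigned short)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
+}
+
+LL_PORT(80, LL_CONN);
+LL_PORT(443, LL_CONN);
+
+} LL_END
+
+#endif
+
+void sbox_enter(const char *basedir)
+{
+if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
+srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
+return;
+}
+if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
+srv_debug(0, xs_dup("Sandbox disabled by admin"));
+return;
+}
+
+const char *address = xs_dict_get(srv_config, "address");
+
+int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
+
+#if defined (__OpenBSD__)
+srv_debug(1, xs_fmt("Calling unveil()"));
+unveil(basedir, "rwc");
+unveil("/tmp", "rwc");
+unveil("/etc/resolv.conf", "r");
+unveil("/etc/hosts", "r");
+unveil("/etc/ssl/openssl.cnf", "r");
+unveil("/etc/ssl/cert.pem", "r");
+unveil("/usr/share/zoneinfo", "r");
+
+if (smail)
+unveil("/usr/sbin/sendmail", "x");
+
+if (*address == '/')
+unveil(address, "rwc");
+
+unveil(NULL, NULL);
+
+srv_debug(1, xs_fmt("Calling pledge()"));
+
+xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
+
+if (smail)
+p = xs_str_cat(p, " exec");
+
+if (*address == '/')
+p = xs_str_cat(p, " unix");
+
+pledge(p, NULL);
+
+xs_free(p);
+#elif defined (__linux__)
+
+sbox_enter_linux_(basedir, address, smail);
+
+srv_log(xs_dup("landlocked"));
+
+#endif
+}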
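Review bot: The return values of every unveil() call and of pledge() in the OpenBSD branch of sbox_enter() are discarded, so if any of them fails the server keeps running with no sandbox and nothing in the log to show it. At minimum log the failure, e.g. `if (pledge(p, NULL) == -1) srv_log(xs_fmt("pledge() failed: %s", strerror(errno)));` (needs <errno.h> and <string.h>), and consider refusing to start, since confinement is the whole purpose of this function; the unveil() calls deserve the same treatment. On the Linux side the result of sbox_enter_linux_() is likewise ignored and "landlocked" is logged unconditionally — whether LL_BEGIN/LL_END yield a status is not visible here, but if they do, that log line should depend on it. Separately, `address` is dereferenced in both branches (and in sbox_enter_linux_) without a NULL check; if xs_dict_get() returns NULL for a missing "address" key, an incomplete configuration crashes here instead of producing a clear error.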