From 4c1a2d24d374d00c656c4489db7d28f80d64f9dc Mon Sep 17 00:00:00 2001
From: shtrophic
Date: Mon, 20 Jan 2025 22:59:30 +0100
Subject: add port parsing for sandboxing
---
sandbox.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
(limited to 'sandbox.c')
diff --git a/sandbox.c b/sandbox.c
index cbe0043..875ae4e 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -8,8 +8,6 @@ void sbox_enter(const char *basedir) { const char *address = xs_dict_get(srv_config, "address"); - int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications")); - if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) { srv_log(xs_dup("OpenBSD security disabled by admin")); return;
@@ -24,9 +22,6 @@ void sbox_enter(const char *basedir) unveil("/etc/ssl/cert.pem", "r"); unveil("/usr/share/zoneinfo", "r"); - if (smail) - unveil("/usr/sbin/sendmail", "x"); - if (*address == '/') unveil(address, "rwc");
@@ -36,9 +31,6 @@ void sbox_enter(const char *basedir) xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr"); - if (smail) - p = xs_str_cat(p, " exec"); - if (*address == '/') p = xs_str_cat(p, " unix");
@@ -55,7 +47,7 @@ void sbox_enter(const char *basedir) #include "landloc.h" static -LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) { +LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smtp_port) { const unsigned long long rd = LANDLOCK_ACCESS_FS_READ_DIR,
@@ -94,9 +86,6 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) LL_PATH(sdir, s); } - if (smail && mtime("/usr/sbin/sendmail") > 0) - LL_PATH("/usr/sbin/sendmail", x); - if (*address != '/') { unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port")); LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
@@ -104,24 +93,34 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT); LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT); + if (smtp_port > 0) + LL_PORT((unsigned short)smtp_port, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT); } LL_END void sbox_enter(const char *basedir) { + const xs_val *v; + const char *errstr; const char *address = xs_dict_get(srv_config, "address"); - - int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications")); + int smtp_port = -1; if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) { srv_debug(1, xs_dup("Linux sandbox disabled by admin")); return; } - if (sbox_enter_linux_(basedir, address, smail) == 0) + if ((v = xs_dict_get(srv_config, "email_notifications")) && + (v = xs_dict_get(v, "url"))) { + smtp_port = parse_port((const char *)v, &errstr); + if (errstr) + srv_debug(0, xs_fmt("Couldn't determine port from '%s': %s", (const char *)v, errstr)); + } + + if (sbox_enter_linux_(basedir, address, smtp_port) == 0) srv_debug(1, xs_dup("Linux sandbox enabled")); else - srv_debug(1, xs_dup("Linux sandbox failed")); + srv_debug(0, xs_dup("Linux sandbox failed")); } #else /* defined(WITH_LINUX_SANDBOX) */ -- cgit v1.2.3
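Review bot: `errstr` is declared without an initializer in `sbox_enter` and then tested with `if (errstr)` directly after `parse_port(...)`; unless `parse_port` (not visible in this diff) always stores NULL on success, that reads an indeterminate pointer, so `const char *errstr = NULL;` is the safer declaration. On a parse failure the code only logs and keeps whatever `parse_port` returned in `smtp_port`, so the error branch should reset it with `smtp_port = -1;` to make sure no connect rule is derived from a rejected URL. The Landlock rule then narrows the value with `(unsigned short)smtp_port`, which would silently wrap anything above 65535 onto a different port in the allow-list; guarding with `if (smtp_port > 0 && smtp_port <= 65535)` keeps the sandbox limited to the port the admin configured. The `(const char *)v` cast also assumes the `url` entry is a string, which the visible code never checks. The body of `sbox_enter_linux_` starts outside this hunk.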