From ea81780895702b08b0b93ff48bd1876330632b89 Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Thu, 5 Feb 2026 20:58:25 +0100
Subject: strip_exif support for the OpenBSD sandbox

Change the strip_exif logic to work with the already existing OpenBSD sandbox and allow ffmpeg and mogrify to be executed.

The previous strip_exif implementation relied on system(3), effectively starting "/bin/sh" and executing the required tool within a shell session. Making this work in the sandbox would require to allow executing "/bin/sh", rendering the sandbox useless.

Thus, the code now starts determining the absolute path of the tools - unless they are given as ffmpeg_path or mogrify_path - and allowing them to be executed via unveil(2). Then, instead of the system(3) call, the good old fork(2) and execve(2) dance is performed.

The sbox_enter code was made aware of strip_exif, which resulted in a pledge(2) violation before when disable_email_notifications was set to false. Furthermore, the detected paths of the tools are now allowed.
---
 sandbox.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'sandbox.c')

diff --git a/sandbox.c b/sandbox.c
index c6cfdcb..15e4622 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -13,6 +13,8 @@ void sbox_enter(const char *basedir)
         return;
     }
 
+    const xs_val *strip_exif = xs_dict_get(srv_config, "strip_exif");
+
     int smail;
     const char *url = xs_dict_get(srv_config, "smtp_url");
 
@@ -33,6 +35,11 @@ void sbox_enter(const char *basedir)
     if (*address == '/')
         unveil(address, "rwc");
 
+    if (strip_exif) {
+        unveil(xs_dict_get(srv_config, "ffmpeg_path"), "x");
+        unveil(xs_dict_get(srv_config, "mogrify_path"), "x");
+    }
+
     if (smail)
         unveil("/usr/sbin/sendmail", "x");
 
@@ -45,7 +52,7 @@ void sbox_enter(const char *basedir)
     if (*address == '/')
         p = xs_str_cat(p, " unix");
 
-    if (smail)
+    if (smail || strip_exif)
         p = xs_str_cat(p, " exec");
 
     pledge(p, NULL);
-- 
cgit v1.2.3
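Review bot: The new `const xs_val *strip_exif = xs_dict_get(srv_config, "strip_exif");` line makes every later `if (strip_exif)` a presence test, not a truth test: `xs_dict_get` returns a non-NULL pointer for a JSON `false` as well, so a config that spells out `"strip_exif": false` would still get the tool paths unveiled and the `exec` promise added, widening the sandbox for a disabled feature. If the code base resolves config booleans with a helper such as `xs_is_true` (verify against the other `srv_config` lookups), the declaration should read `int strip_exif = xs_is_true(xs_dict_get(srv_config, "strip_exif"));` so the guards downstream see a real boolean. The same presence-versus-truth issue applies to the `if (strip_exif)` guard in the second hunk and to `smail || strip_exif` in the third. sbox_enter begins before this hunk and continues past it.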
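Review bot: The two new `unveil` calls hand `xs_dict_get(srv_config, "ffmpeg_path")` and `"mogrify_path"` straight to unveil(2), so a missing key passes a NULL path and a non-absolute value is resolved against the current directory; either way the failure is silent here and only surfaces later as a failed exec inside the sandboxed child. The function already guards `address` with `*address == '/'` a few lines up, and the same shape fits here: bind each path to a local, skip it unless it is set and absolute. Logging when `unveil` fails for these paths would make a misconfigured tool path visible at startup rather than at the first upload, though the existing calls in this function leave the return value unchecked too. The enclosing function continues outside the hunk.
```c
    if (strip_exif) {
        const char *ffmpeg  = xs_dict_get(srv_config, "ffmpeg_path");
        const char *mogrify = xs_dict_get(srv_config, "mogrify_path");

        /* only absolute paths are meaningful to unveil(2); a NULL or
           relative value would otherwise be passed through silently */
        if (ffmpeg && *ffmpeg == '/')
            unveil(ffmpeg, "x");
        if (mogrify && *mogrify == '/')
            unveil(mogrify, "x");
    }
```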
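Review bot: `if (smail || strip_exif)` only extends the `exec` promise, but the commit message says strip_exif now performs fork(2) before execve(2), and fork(2) requires the `proc` promise as well; the hunk does not show where `proc` is appended, so if it is added under a separate `if (smail)` branch elsewhere in sbox_enter, that branch needs the same `|| strip_exif`, otherwise the first fork with email notifications disabled is killed by pledge(2). A one-line comment above the condition would also help, e.g. `/* exec: sendmail and the strip_exif tools (ffmpeg, mogrify) unveiled above */`, since the pledge string is assembled far from the unveil calls that justify it. Note that `pledge(p, NULL)` leaves execpromises unset, so the exec'd tools run unpledged; that is presumably intended but worth stating. The start of sbox_enter and the construction of `p` are outside the hunk.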