#include "xs.h"
#include "snac.h"
#include <unistd.h>
#if defined (__linux__)
#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
#include "landloc.h"
/*
 * Landlock ruleset for the server process (Linux only).
 *
 * basedir: data directory; granted read, write and create/remove rights.
 * address: listening address. A leading '/' is treated as a UNIX socket
 *          path and granted MAKE_SOCK; otherwise the TCP "port" from
 *          srv_config is granted bind.
 * smail:   non-zero when e-mail notifications are enabled; grants execute
 *          on /usr/sbin/sendmail.
 *
 * The caller (sbox_enter) treats a return value of 0 as "ruleset applied".
 * The exact control flow (early exits, how the ruleset is committed) is
 * provided by LL_BEGIN/LL_PATH/LL_PORT/LL_END from landloc.h, which is not
 * visible here.
 */
static
LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
    /* named access groups: rd = list directories, rf = read files,
       w = modify existing files, c = create/remove/rename entries,
       s = create UNIX sockets, x = execute */
    const unsigned long long
        rd = LANDLOCK_ACCESS_FS_READ_DIR,
        rf = LANDLOCK_ACCESS_FS_READ_FILE,
        w = LANDLOCK_ACCESS_FS_WRITE_FILE |
            LANDLOCK_ACCESS_FS_TRUNCATE,
        c = LANDLOCK_ACCESS_FS_MAKE_DIR |
            LANDLOCK_ACCESS_FS_MAKE_REG |
            LANDLOCK_ACCESS_FS_TRUNCATE |
            LANDLOCK_ACCESS_FS_MAKE_SYM |
            LANDLOCK_ACCESS_FS_REMOVE_DIR |
            LANDLOCK_ACCESS_FS_REMOVE_FILE |
            LANDLOCK_ACCESS_FS_REFER,
        s = LANDLOCK_ACCESS_FS_MAKE_SOCK,
        x = LANDLOCK_ACCESS_FS_EXECUTE;

    /* full read/write access only to the data directory and /tmp */
    LL_PATH(basedir, rf|rd|w|c);
    LL_PATH("/tmp", rf|rd|w|c);
#ifndef WITHOUT_SHM
    /* note: no READ_DIR here, unlike the other writable paths */
    LL_PATH("/dev/shm", rf|w|c );
#endif
    /* read-only: resolver, TLS and timezone data */
    LL_PATH("/etc/resolv.conf", rf );
    LL_PATH("/etc/hosts", rf );
    LL_PATH("/etc/ssl/openssl.cnf", rf );
    LL_PATH("/etc/ssl/cert.pem", rf );
    LL_PATH("/usr/share/zoneinfo", rf );

    /* a UNIX listening socket needs MAKE_SOCK on its path */
    if (*address == '/')
        LL_PATH(address, s);
    if (smail)
        LL_PATH("/usr/sbin/sendmail", x);

    /* TCP listener: only the configured port may be bound */
    if (*address != '/') {
        unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));
        LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
    }
    /* outbound TCP is limited to HTTP and HTTPS */
    LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
    LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
} LL_END
#endif
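#if defined (__OpenBSD__)
/* unveil() wrapper that logs a failure instead of discarding it, so an
   incomplete sandbox shows up in the server log */
static void sbox_unveil_(const char *path, const char *perms)
{
    if (unveil(path, perms) == -1)
        srv_log(xs_fmt("unveil(%s, %s) failed", path, perms));
}
#endif

/*
 * Restricts the server process to the files and network endpoints it needs.
 *
 * basedir: the data directory the server must be able to read and write.
 *
 * Reads srv_config for the "disable_sandbox" / "disable_openbsd_security"
 * switches (either one returns early, leaving the process unrestricted),
 * the listening "address" and the e-mail notification flag. On OpenBSD it
 * calls unveil() and pledge(); on Linux it installs a Landlock ruleset via
 * sbox_enter_linux_(). On other platforms only the configuration is read.
 *
 * Failures of unveil()/pledge() are logged rather than silently ignored,
 * matching the Linux branch's "landlocking failed" message; the function
 * never aborts the process.
 */
void sbox_enter(const char *basedir)
{
    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
        srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
        return;
    }

    if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
        srv_debug(0, xs_dup("Sandbox disabled by admin"));
        return;
    }

    /* NOTE(review): address is dereferenced below; this assumes "address"
       is always present in srv_config — confirm against the config loader */
    const char *address = xs_dict_get(srv_config, "address");
    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));

#if defined (__OpenBSD__)
    srv_debug(1, xs_fmt("Calling unveil()"));

    /* read/write/create only in the data directory and /tmp */
    sbox_unveil_(basedir, "rwc");
    sbox_unveil_("/tmp", "rwc");
    /* read-only: resolver, TLS and timezone data */
    sbox_unveil_("/etc/resolv.conf", "r");
    sbox_unveil_("/etc/hosts", "r");
    sbox_unveil_("/etc/ssl/openssl.cnf", "r");
    sbox_unveil_("/etc/ssl/cert.pem", "r");
    sbox_unveil_("/usr/share/zoneinfo", "r");

    if (smail)
        sbox_unveil_("/usr/sbin/sendmail", "x");

    /* a leading '/' means the listener is a UNIX socket path */
    if (*address == '/')
        sbox_unveil_(address, "rwc");

    /* lock the unveil list; after this no further paths can be exposed */
    if (unveil(NULL, NULL) == -1)
        srv_log(xs_dup("unveil(NULL, NULL) failed"));

    srv_debug(1, xs_fmt("Calling pledge()"));

    /* "exec" only when sendmail may be spawned, "unix" only for a UNIX listener */
    xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");

    if (smail)
        p = xs_str_cat(p, " exec");
    if (*address == '/')
        p = xs_str_cat(p, " unix");

    if (pledge(p, NULL) == -1)
        srv_log(xs_dup("pledge() failed"));

    xs_free(p);

#elif defined (__linux__)
    if (sbox_enter_linux_(basedir, address, smail) == 0)
        srv_log(xs_dup("landlocked"));
    else
        srv_log(xs_dup("landlocking failed"));
#endif
}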