mirror of https://github.com/omar-polo/gmid.git
72 lines
1.0 KiB
C
72 lines
1.0 KiB
C
|
#include "gmid.h"
|
||
|
|
|
||
|
|
#if defined(__FreeBSD__)
|
||
|
|
|
||
|
|
#include <sys/capsicum.h>
|
||
|
|
#include <err.h>
|
||
|
|
|
||
|
|
void
|
||
|
|
sandbox()
|
||
|
|
{
|
||
|
|
struct vhost *h;
|
||
|
|
int has_cgi = 0;
|
||
|
|
|
||
|
|
for (h = hosts; h->domain != NULL; ++h)
|
||
|
|
if (h->cgi != NULL)
|
||
|
|
has_cgi = 1;
|
||
|
|
|
||
|
|
if (has_cgi) {
|
||
|
|
LOGW(NULL, "disabling sandbox because CGI scripts are enabled");
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|
||
|
|
if (cap_enter() == -1)
|
||
|
|
err(1, "cap_enter");
|
||
|
|
}
|
||
|
|
|
||
|
|
#elif defined(__linux__)
|
||
|
|
|
||
|
|
void
|
||
|
|
sandbox()
|
||
|
|
{
|
||
|
|
/* TODO: seccomp */
|
||
|
|
}
|
||
|
|
|
||
|
|
#elif defined(__OpenBSD__)
|
||
|
|
|
||
|
|
#include <err.h>
|
||
|
|
#include <unistd.h>
|
||
|
|
|
||
|
|
void
|
||
|
|
sandbox()
|
||
|
|
{
|
||
|
|
struct vhost *h;
|
||
|
|
int has_cgi = 0;
|
||
|
|
|
||
|
|
for (h = hosts; h->domain != NULL; ++h) {
|
||
|
|
if (unveil(h->dir, "rx") == -1)
|
||
|
|
err(1, "unveil %s for domain %s", h->dir, h->domain);
|
||
|
|
|
||
|
|
if (h->cgi != NULL)
|
||
|
|
has_cgi = 1;
|
||
|
|
}
|
||
|
|
|
||
|
|
if (pledge("stdio rpath inet proc exec", NULL) == -1)
|
||
|
|
err(1, "pledge");
|
||
|
|
|
||
|
|
/* drop proc and exec if cgi isn't enabled */
|
||
|
|
if (!has_cgi)
|
||
|
|
if (pledge("stdio rpath inet", NULL) == -1)
|
||
|
|
err(1, "pledge");
|
||
|
|
}
|
||
|
|
|
||
|
|
#else
|
||
|
|
|
||
|
|
void
|
||
|
|
sandbox()
|
||
|
|
{
|
||
|
|
LOGN(NULL, "%s", "no sandbox method known for this OS");
|
||
|
|
}
|
||
|
|
|
||
|
|
#endif
|