mirror of https://github.com/omar-polo/gmid.git
gc sandbox_executor_process
This commit is contained in:
Omar Polo
parent
d29a2ee224
commit
1ab7c96bb3
1
gmid.h
1
gmid.h
|
|
@ -368,7 +368,6 @@ void fcgi_req(struct client *);
|
|||
|
||||
/* sandbox.c */
|
||||
void sandbox_server_process(void);
|
||||
void sandbox_executor_process(void);
|
||||
void sandbox_logger_process(void);
|
||||
|
||||
/* utf8.c */
|
||||
|
|
|
|||
77
sandbox.c
77
sandbox.c
|
|
@ -26,13 +26,6 @@ sandbox_server_process(void)
|
|||
return;
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_executor_process(void)
|
||||
{
|
||||
log_notice(NULL, "Sandbox disabled! "
|
||||
"Please report issues upstream instead of disabling the sandbox.");
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_logger_process(void)
|
||||
{
|
||||
|
|
@ -50,16 +43,6 @@ sandbox_server_process(void)
|
|||
fatal("cap_enter");
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_executor_process(void)
|
||||
{
|
||||
/*
|
||||
* We cannot capsicum the executor process because it needs to
|
||||
* fork(2)+execve(2) cgi scripts
|
||||
*/
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_logger_process(void)
|
||||
{
|
||||
|
|
@ -580,18 +563,6 @@ sandbox_server_process(void)
|
|||
__func__, strerror(errno));
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_executor_process(void)
|
||||
{
|
||||
/*
|
||||
* We cannot use seccomp for the executor process because we
|
||||
* don't know what the child will do. Also, our filter will
|
||||
* be inherited so the child cannot set its own seccomp
|
||||
* policy.
|
||||
*/
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_logger_process(void)
|
||||
{
|
||||
|
|
@ -642,48 +613,6 @@ sandbox_server_process(void)
|
|||
fatal("pledge");
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_executor_process(void)
|
||||
{
|
||||
struct vhost *h;
|
||||
struct location *l;
|
||||
struct fcgi *f;
|
||||
size_t i;
|
||||
|
||||
TAILQ_FOREACH(h, &hosts, vhosts) {
|
||||
TAILQ_FOREACH(l, &h->locations, locations) {
|
||||
if (l->dir == NULL)
|
||||
continue;
|
||||
|
||||
/* r so we can chdir into the directory */
|
||||
if (unveil(l->dir, "rx") == -1)
|
||||
fatal("unveil %s for domain %s",
|
||||
l->dir, h->domain);
|
||||
}
|
||||
}
|
||||
|
||||
for (i = 0; i < FCGI_MAX; i++) {
|
||||
f = &fcgi[i];
|
||||
if (f->path != NULL) {
|
||||
if (unveil(f->path, "rw") == -1)
|
||||
fatal("unveil %s", f->path);
|
||||
}
|
||||
|
||||
if (f->prog != NULL) {
|
||||
if (unveil(f->prog, "rx") == -1)
|
||||
fatal("unveil %s", f->prog);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* rpath: to chdir into the correct directory
|
||||
* proc exec: CGI
|
||||
* dns inet unix: FastCGI
|
||||
*/
|
||||
if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
|
||||
err(1, "pledge");
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_logger_process(void)
|
||||
{
|
||||
|
|
@ -701,12 +630,6 @@ sandbox_server_process(void)
|
|||
return;
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_executor_process(void)
|
||||
{
|
||||
log_notice(NULL, "no sandbox method known for this OS");
|
||||
}
|
||||
|
||||
void
|
||||
sandbox_logger_process(void)
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in New Issue