diff --git a/ex.c b/ex.c
index 6817024..645e865 100644
--- a/ex.c
+++ b/ex.c
@@ -270,23 +270,9 @@ handle_dispatch_imsg(int fd, short ev, void *d)
 int
 executor_main(struct imsgbuf *ibuf)
 {
- struct vhost *vhost;
 struct event evs[PROC_MAX], imsgev;
 int i;
 
-#ifdef __OpenBSD__
- for (vhost = hosts; vhost->domain != NULL; ++vhost) {
- /* r so we can chdir into the correct directory */
- if (unveil(vhost->dir, "rx") == -1)
- err(1, "unveil %s for domain %s",
- vhost->dir, vhost->domain);
- }
-
- /* rpath to chdir into the correct directory */
- if (pledge("stdio rpath sendfd proc exec", NULL))
- err(1, "pledge");
-#endif
-
 event_init();
 
 if (ibuf != NULL) {
@@ -301,6 +287,8 @@ executor_main(struct imsgbuf *ibuf)
 event_add(&evs[i], NULL);
 }
 
+ sandbox_executor_process();
+
 event_dispatch();
 
 return 1;
diff --git a/gmid.h b/gmid.h
index dad7b4c..7e9bba0 100644
--- a/gmid.h
+++ b/gmid.h
@@ -294,7 +294,9 @@ int recv_fd(int);
 int executor_main(struct imsgbuf*);
 
 /* sandbox.c */
-void sandbox(void);
+void sandbox_server_process(void);
+void sandbox_executor_process(void);
+void sandbox_logger_process(void);
 
 /* utf8.c */
 int valid_multibyte_utf8(struct parser*);
diff --git a/log.c b/log.c
index b66aa19..2ff2158 100644
--- a/log.c
+++ b/log.c
@@ -270,10 +270,7 @@ logger_main(int fd, struct imsgbuf *ibuf)
 event_set(&imsgev, fd, EV_READ | EV_PERSIST, &handle_dispatch_imsg, ibuf);
 event_add(&imsgev, NULL);
 
-#ifdef __OpenBSD__
- if (pledge("stdio", NULL) == -1)
- err(1, "pledge");
-#endif
+ sandbox_logger_process();
 
 event_dispatch();
 
diff --git a/regress/puny-test.c b/regress/puny-test.c
index 2397e9a..b392335 100644
--- a/regress/puny-test.c
+++ b/regress/puny-test.c
@@ -48,6 +48,13 @@ struct suite {
 {NULL, NULL}
 };
 
+void
+sandbox_logger_process(void)
+{
+ /* to make the linker happy! */
+ return;
+}
+
 int
 main(int argc, char **argv)
 {
diff --git a/sandbox.c b/sandbox.c
index 8990850..509d6bb 100644
--- a/sandbox.c
+++ b/sandbox.c
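Review bot: The executor now enters its sandbox after `event_init()` and the `evs[]`/`imsgev` registration in the second ex.c hunk, whereas the removed `#ifdef __OpenBSD__` block in the first hunk ran before any of that; nothing states that ordering requirement, so a one-line comment above the call would help, e.g. `/* all fds and events are set up: restrict the process before dispatching */`. On the OpenBSD backend the same promise set is requested either way, so the later placement should not change what the process can do once dispatch starts. `executor_main`'s body continues past the hunk.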
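Review bot: The three new prototypes in gmid.h carry no documentation of their contract, and in particular nothing tells a caller that `sandbox_executor_process()` is a deliberate no-op on the capsicum and seccomp backends of sandbox.c. A short comment block above them — each is called once from the matching process after its fds and events are set up and before `event_dispatch()`, failure to apply the policy is fatal, and the executor variant is left unconfined on some platforms because it must `fork(2)`/`execve(2)` CGI scripts — would make that visible where the functions are used. That they are called exactly once is inferred from the three call sites in this diff rather than stated anywhere.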
@@ -21,7 +21,22 @@
 #include
 
 void
-sandbox()
+sandbox_server_process(void)
+{
+ if (cap_enter() == -1)
+ fatal("cap_enter");
+}
+
+void
+sandbox_executor_process(void)
+{
+ /* We cannot capsicum the executor process because it needs
+ * to fork(2)+execve(2) cgi scripts */
+ return;
+}
+
+void
+sandbox_logger_process(void)
 {
 if (cap_enter() == -1)
 fatal("cap_enter");
@@ -124,7 +139,7 @@ sandbox_seccomp_catch_sigsys(void)
 #endif /* SC_DEBUG */
 
 void
-sandbox()
+sandbox_server_process(void)
 {
 struct sock_filter filter[] = {
 /* load the *current* architecture */
@@ -239,12 +254,30 @@ sandbox()
 __func__, strerror(errno));
 }
 
+void
+sandbox_executor_process(void)
+{
+ /* We cannot use seccomp for the executor process because we
+ * don't know what the child will do. Also, our filter will
+ * be inherited so the child cannot set its own seccomp
+ * policy. */
+ return;
+}
+
+void
+sandbox_logger_process(void)
+{
+ /* To be honest, here we could use a seccomp policy to only
+ * allow writev(2) and memory allocations. */
+ return;
+}
+
 #elif defined(__OpenBSD__)
 
 #include
 
 void
-sandbox()
+sandbox_server_process(void)
 {
 struct vhost *h;
 
@@ -257,12 +290,50 @@ sandbox()
 fatal("pledge");
 }
 
-#else
+void
+sandbox_executor_process(void)
+{
+ struct vhost *vhost;
+
+ for (vhost = hosts; vhost->domain != NULL; ++vhost) {
+ /* r so we can chdir into the correct directory */
+ if (unveil(vhost->dir, "rx") == -1)
+ err(1, "unveil %s for domain %s",
+ vhost->dir, vhost->domain);
+ }
+
+ /* rpath to chdir into the correct directory */
+ if (pledge("stdio rpath sendfd proc exec", NULL))
+ err(1, "pledge");
+}
 
 void
-sandbox()
+sandbox_logger_process(void)
+{
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+}
+
+#else
+
+#warning "No sandbox method known for this OS"
+
+void
+sandbox_server_process(void)
+{
+ return;
+}
+
+void
+sandbox_executor_process(void)
 {
 log_notice(NULL, "no sandbox method known for this OS");
 }
 
+void
+sandbox_logger_process(void)
+{
+ return;
+}
+
 #endif
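Review bot: The capsicum `sandbox_executor_process()` returns silently, the seccomp one in the third hunk does the same, and the `#else` branch in the last hunk logs a notice from the executor but stays silent for the server and logger stubs; the backends thus disagree about which unconfined process announces itself. Settling on one behaviour — a `log_notice(NULL, "executor process runs unsandboxed on this OS");` in every executor stub, or none anywhere — would let an operator see from the log whether the CGI-spawning process is confined. The `#else` branch already calls `log_notice()` from the executor, so the call appears usable there, though whether the logger is reachable at that point is not visible in the hunk.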
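Review bot: The comment in the seccomp `sandbox_executor_process()` says the inherited filter means "the child cannot set its own seccomp policy", which misstates how seccomp behaves: filters stack, so a child can still install additional filters and merely cannot remove or loosen the one it inherits. Rewording it as `/* ... our filter would be inherited across execve(2), so a CGI script could only run under a policy at least as strict as the executor's, which we cannot predict. */` keeps the rationale without the inaccurate claim. The `#if` branch this function lives in opens before the hunk.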
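Review bot: The error checks in the OpenBSD `sandbox_executor_process()` are inconsistent with the rest of this file: `if (pledge("stdio rpath sendfd proc exec", NULL))` relies on an implicit non-zero test while the `unveil` call above it and `sandbox_logger_process()` just below write `== -1`, and failures here go through `err(1, ...)` while `sandbox_server_process()` earlier in the same branch uses `fatal("pledge")`. The first is a one-line change, `if (pledge("stdio rpath sendfd proc exec", NULL) == -1)`; for the second I cannot tell from the hunk whether `fatal()` accepts a format string, so the `err(1, "unveil %s for domain %s", ...)` call may have to stay as it is. The `/* r so we can chdir ... */` comment also explains only the `r` of `"rx"`; presumably `x` is there so CGI scripts under `vhost->dir` can be executed, and saying so would spare the next reader the guess.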
diff --git a/server.c b/server.c
index b059412..0080b17 100644
--- a/server.c
+++ b/server.c
@@ -1129,7 +1129,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
 signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
 signal_add(&sigusr2, NULL);
 
- sandbox();
+ sandbox_server_process();
 event_dispatch();
 _exit(0);
 }