optionally disable the sandbox on some systems

The FreeBSD and Linux sandboxes can't deal with `fastcgi' and `proxy'
configuration rules: new sockets need to be opened and it's either
impossible (the former) or a huge pain in the arse (the latter).

The sandbox is still always used in case only static files are served.
Omar Polo 2022-09-06 16:40:38 +00:00
parent 36e6e793a1
commit 7600099513
4 changed files with 21 additions and 7 deletions

gmid.h

@ -196,6 +196,7 @@ struct conf {
/* from command line */
int foreground;
int verbose;
int can_open_sockets;
/* in the config */
int port;
@ -366,7 +367,7 @@ void fcgi_error(struct bufferevent *, short, void *);
void fcgi_req(struct client *);
/* sandbox.c */
void sandbox_server_process(void);
void sandbox_server_process(int);
void sandbox_logger_process(void);
/* utf8.c */
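Review bot: The new prototype in the second hunk, `void sandbox_server_process(int);`, drops the parameter name that every definition in this commit uses; `void sandbox_server_process(int can_open_sockets);` states at the declaration what the argument means. In the first hunk the new field sits under the `/* from command line */` comment, yet the other hunks of this commit assign it from the configuration parser, so it belongs below `/* in the config */` or needs its own comment, e.g. `/* set when a proxy or fastcgi rule is parsed; skips the server sandbox */`. struct conf starts and ends outside the hunk.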


@ -1050,6 +1050,8 @@ new_proxy(void)
{
struct proxy *p;
conf.can_open_sockets = 1;
p = xcalloc(1, sizeof(*p));
p->protocols = TLS_PROTOCOLS_DEFAULT;
return p;
@ -1173,6 +1175,8 @@ fastcgi_conf(char *path, char *port, char *prog)
struct fcgi *f;
int i;
conf.can_open_sockets = 1;
for (i = 0; i < FCGI_MAX; ++i) {
f = &fcgi[i];
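Review bot: `conf.can_open_sockets = 1;` is assigned unconditionally at the top of both new_proxy() and fastcgi_conf(), before the rule has been accepted; in fastcgi_conf() it precedes the FCGI_MAX slot loop, so if that loop can reject the rule (its body is outside the hunk) the sandbox would still end up disabled for a configuration that has no usable fastcgi backend. Moving the assignment to the point where the rule is actually stored keeps the sandbox on in that case. Nothing near either assignment explains it; a comment such as `/* proxying needs new sockets, so the server sandbox is skipped. */` would help the next reader. Both functions start and end outside their hunks.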


@ -21,7 +21,7 @@
#warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
void
sandbox_server_process(void)
sandbox_server_process(int can_open_sockets)
{
return;
}
@ -37,8 +37,12 @@ sandbox_logger_process(void)
#include <sys/capsicum.h>
void
sandbox_server_process(void)
sandbox_server_process(int can_open_sockets)
{
/* can't capsicum if fastcgi or proxying are used. */
if (can_open_sockets)
return;
if (cap_enter() == -1)
fatal("cap_enter");
}
@ -537,13 +541,18 @@ logger_landlock(void)
#endif
void
sandbox_server_process(void)
sandbox_server_process(int can_open_sockets)
{
const struct sock_fprog prog = {
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
.filter = filter,
};
/* can't seccomp/landlock if fastcgi or proxying are used. */
if (can_open_sockets)
return;
#ifdef SC_DEBUG
sandbox_seccomp_catch_sigsys();
#endif
@ -592,7 +601,7 @@ sandbox_logger_process(void)
#include <unistd.h>
void
sandbox_server_process(void)
sandbox_server_process(int can_open_sockets)
{
struct vhost *h;
struct location *l;
@ -625,7 +634,7 @@ sandbox_logger_process(void)
#warning "No sandbox method known for this OS"
void
sandbox_server_process(void)
sandbox_server_process(int can_open_sockets)
{
return;
}
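Review bot: The early `return` added to the FreeBSD (cap_enter) and Linux (seccomp/landlock) variants switches the sandbox off without leaving any trace, so an operator cannot tell from the logs whether the server process is confined; logging a warning at that point, with a comment like `/* sandbox skipped: fastcgi/proxy rules need to open sockets */`, makes the reduced hardening visible and monitorable. In the Linux variant the check would also read better above the `prog` initializer, since the filter is never installed on that path. The two stub variants (sandbox disabled, no method known) now take a parameter they never read; `(void)can_open_sockets;` keeps -Wunused-parameter builds quiet. The seccomp and pledge function bodies continue outside their hunks.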


@ -1378,7 +1378,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
signal_add(&sigusr2, NULL);
sandbox_server_process();
sandbox_server_process(conf.can_open_sockets);
event_dispatch();
_exit(0);
}