mirror of https://github.com/omar-polo/gmid.git
optionally disable the sandbox on some systems
The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy' configuration rules: new sockets needs to be opened and it's either impossible (the former) or a huge pain in the arse (the latter). The sandbox is still always used in case only static files are served.
This commit is contained in:
parent
36e6e793a1
commit
7600099513
3
gmid.h
3
gmid.h
|
@ -196,6 +196,7 @@ struct conf {
|
|||
/* from command line */
|
||||
int foreground;
|
||||
int verbose;
|
||||
int can_open_sockets;
|
||||
|
||||
/* in the config */
|
||||
int port;
|
||||
|
@ -366,7 +367,7 @@ void fcgi_error(struct bufferevent *, short, void *);
|
|||
void fcgi_req(struct client *);
|
||||
|
||||
/* sandbox.c */
|
||||
void sandbox_server_process(void);
|
||||
void sandbox_server_process(int);
|
||||
void sandbox_logger_process(void);
|
||||
|
||||
/* utf8.c */
|
||||
|
|
4
parse.y
4
parse.y
|
@ -1050,6 +1050,8 @@ new_proxy(void)
|
|||
{
|
||||
struct proxy *p;
|
||||
|
||||
conf.can_open_sockets = 1;
|
||||
|
||||
p = xcalloc(1, sizeof(*p));
|
||||
p->protocols = TLS_PROTOCOLS_DEFAULT;
|
||||
return p;
|
||||
|
@ -1173,6 +1175,8 @@ fastcgi_conf(char *path, char *port, char *prog)
|
|||
struct fcgi *f;
|
||||
int i;
|
||||
|
||||
conf.can_open_sockets = 1;
|
||||
|
||||
for (i = 0; i < FCGI_MAX; ++i) {
|
||||
f = &fcgi[i];
|
||||
|
||||
|
|
19
sandbox.c
19
sandbox.c
|
@ -21,7 +21,7 @@
|
|||
#warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
|
||||
|
||||
void
|
||||
sandbox_server_process(void)
|
||||
sandbox_server_process(int can_open_sockets)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
@ -37,8 +37,12 @@ sandbox_logger_process(void)
|
|||
#include <sys/capsicum.h>
|
||||
|
||||
void
|
||||
sandbox_server_process(void)
|
||||
sandbox_server_process(int can_open_sockets)
|
||||
{
|
||||
/* can't capsicum if fastcgi or proxying are used. */
|
||||
if (can_open_sockets)
|
||||
return;
|
||||
|
||||
if (cap_enter() == -1)
|
||||
fatal("cap_enter");
|
||||
}
|
||||
|
@ -537,13 +541,18 @@ logger_landlock(void)
|
|||
#endif
|
||||
|
||||
void
|
||||
sandbox_server_process(void)
|
||||
sandbox_server_process(int can_open_sockets)
|
||||
{
|
||||
const struct sock_fprog prog = {
|
||||
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
|
||||
.filter = filter,
|
||||
};
|
||||
|
||||
/* can't seccomp/landlock if fastcgi or proxying are used. */
|
||||
if (can_open_sockets)
|
||||
return;
|
||||
|
||||
|
||||
#ifdef SC_DEBUG
|
||||
sandbox_seccomp_catch_sigsys();
|
||||
#endif
|
||||
|
@ -592,7 +601,7 @@ sandbox_logger_process(void)
|
|||
#include <unistd.h>
|
||||
|
||||
void
|
||||
sandbox_server_process(void)
|
||||
sandbox_server_process(int can_open_sockets)
|
||||
{
|
||||
struct vhost *h;
|
||||
struct location *l;
|
||||
|
@ -625,7 +634,7 @@ sandbox_logger_process(void)
|
|||
#warning "No sandbox method known for this OS"
|
||||
|
||||
void
|
||||
sandbox_server_process(void)
|
||||
sandbox_server_process(int can_open_sockets)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue