mirror of https://github.com/omar-polo/gmid.git
optionally disable the sandbox on some systems
The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy' configuration rules: new sockets needs to be opened and it's either impossible (the former) or a huge pain in the arse (the latter). The sandbox is still always used in case only static files are served.
This commit is contained in:
parent
36e6e793a1
commit
7600099513
3
gmid.h
3
gmid.h
|
@ -196,6 +196,7 @@ struct conf {
|
||||||
/* from command line */
|
/* from command line */
|
||||||
int foreground;
|
int foreground;
|
||||||
int verbose;
|
int verbose;
|
||||||
|
int can_open_sockets;
|
||||||
|
|
||||||
/* in the config */
|
/* in the config */
|
||||||
int port;
|
int port;
|
||||||
|
@ -366,7 +367,7 @@ void fcgi_error(struct bufferevent *, short, void *);
|
||||||
void fcgi_req(struct client *);
|
void fcgi_req(struct client *);
|
||||||
|
|
||||||
/* sandbox.c */
|
/* sandbox.c */
|
||||||
void sandbox_server_process(void);
|
void sandbox_server_process(int);
|
||||||
void sandbox_logger_process(void);
|
void sandbox_logger_process(void);
|
||||||
|
|
||||||
/* utf8.c */
|
/* utf8.c */
|
||||||
|
|
4
parse.y
4
parse.y
|
@ -1050,6 +1050,8 @@ new_proxy(void)
|
||||||
{
|
{
|
||||||
struct proxy *p;
|
struct proxy *p;
|
||||||
|
|
||||||
|
conf.can_open_sockets = 1;
|
||||||
|
|
||||||
p = xcalloc(1, sizeof(*p));
|
p = xcalloc(1, sizeof(*p));
|
||||||
p->protocols = TLS_PROTOCOLS_DEFAULT;
|
p->protocols = TLS_PROTOCOLS_DEFAULT;
|
||||||
return p;
|
return p;
|
||||||
|
@ -1173,6 +1175,8 @@ fastcgi_conf(char *path, char *port, char *prog)
|
||||||
struct fcgi *f;
|
struct fcgi *f;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
|
conf.can_open_sockets = 1;
|
||||||
|
|
||||||
for (i = 0; i < FCGI_MAX; ++i) {
|
for (i = 0; i < FCGI_MAX; ++i) {
|
||||||
f = &fcgi[i];
|
f = &fcgi[i];
|
||||||
|
|
||||||
|
|
19
sandbox.c
19
sandbox.c
|
@ -21,7 +21,7 @@
|
||||||
#warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
|
#warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
|
||||||
|
|
||||||
void
|
void
|
||||||
sandbox_server_process(void)
|
sandbox_server_process(int can_open_sockets)
|
||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -37,8 +37,12 @@ sandbox_logger_process(void)
|
||||||
#include <sys/capsicum.h>
|
#include <sys/capsicum.h>
|
||||||
|
|
||||||
void
|
void
|
||||||
sandbox_server_process(void)
|
sandbox_server_process(int can_open_sockets)
|
||||||
{
|
{
|
||||||
|
/* can't capsicum if fastcgi or proxying are used. */
|
||||||
|
if (can_open_sockets)
|
||||||
|
return;
|
||||||
|
|
||||||
if (cap_enter() == -1)
|
if (cap_enter() == -1)
|
||||||
fatal("cap_enter");
|
fatal("cap_enter");
|
||||||
}
|
}
|
||||||
|
@ -537,13 +541,18 @@ logger_landlock(void)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
void
|
void
|
||||||
sandbox_server_process(void)
|
sandbox_server_process(int can_open_sockets)
|
||||||
{
|
{
|
||||||
const struct sock_fprog prog = {
|
const struct sock_fprog prog = {
|
||||||
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
|
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
|
||||||
.filter = filter,
|
.filter = filter,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/* can't seccomp/landlock if fastcgi or proxying are used. */
|
||||||
|
if (can_open_sockets)
|
||||||
|
return;
|
||||||
|
|
||||||
|
|
||||||
#ifdef SC_DEBUG
|
#ifdef SC_DEBUG
|
||||||
sandbox_seccomp_catch_sigsys();
|
sandbox_seccomp_catch_sigsys();
|
||||||
#endif
|
#endif
|
||||||
|
@ -592,7 +601,7 @@ sandbox_logger_process(void)
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
void
|
void
|
||||||
sandbox_server_process(void)
|
sandbox_server_process(int can_open_sockets)
|
||||||
{
|
{
|
||||||
struct vhost *h;
|
struct vhost *h;
|
||||||
struct location *l;
|
struct location *l;
|
||||||
|
@ -625,7 +634,7 @@ sandbox_logger_process(void)
|
||||||
#warning "No sandbox method known for this OS"
|
#warning "No sandbox method known for this OS"
|
||||||
|
|
||||||
void
|
void
|
||||||
sandbox_server_process(void)
|
sandbox_server_process(int can_open_sockets)
|
||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
2
server.c
2
server.c
|
@ -1378,7 +1378,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
|
||||||
signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
|
signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
|
||||||
signal_add(&sigusr2, NULL);
|
signal_add(&sigusr2, NULL);
|
||||||
|
|
||||||
sandbox_server_process();
|
sandbox_server_process(conf.can_open_sockets);
|
||||||
event_dispatch();
|
event_dispatch();
|
||||||
_exit(0);
|
_exit(0);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue