optionally disable the sandbox on some systems

The FreeBSD and Linux sandboxes can't deal with `fastcgi' and `proxy'
configuration rules: new sockets need to be opened, and that is either
impossible (the former) or a huge pain in the arse (the latter).

The sandbox is still always used in case only static files are served.
This commit is contained in:
Omar Polo 2022-09-06 16:40:38 +00:00
parent 36e6e793a1
commit 7600099513
4 changed files with 21 additions and 7 deletions

3
gmid.h

@ -196,6 +196,7 @@ struct conf {
/* from command line */ /* from command line */
int foreground; int foreground;
int verbose; int verbose;
int can_open_sockets;
/* in the config */ /* in the config */
int port; int port;
@ -366,7 +367,7 @@ void fcgi_error(struct bufferevent *, short, void *);
void fcgi_req(struct client *); void fcgi_req(struct client *);
/* sandbox.c */ /* sandbox.c */
void sandbox_server_process(void); void sandbox_server_process(int);
void sandbox_logger_process(void); void sandbox_logger_process(void);
/* utf8.c */ /* utf8.c */
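Review bot: The new `can_open_sockets` field lands under the `/* from command line */` group of `struct conf`, but it is never set from the command line; the other hunks of this commit set it from the config parser (`new_proxy` and `fastcgi_conf`), so it belongs under `/* in the config */`, ideally with a comment such as `int can_open_sockets; /* set by fastcgi/proxy rules; disables the sandbox */` so the next reader sees why a config flag can switch the sandbox off. The prototype also drops the parameter name, which hides that semantics from the header: `void sandbox_server_process(int can_open_sockets);` reads better and matches the definitions. The struct is cut at both edges of the hunk.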


@ -1050,6 +1050,8 @@ new_proxy(void)
{ {
struct proxy *p; struct proxy *p;
conf.can_open_sockets = 1;
p = xcalloc(1, sizeof(*p)); p = xcalloc(1, sizeof(*p));
p->protocols = TLS_PROTOCOLS_DEFAULT; p->protocols = TLS_PROTOCOLS_DEFAULT;
return p; return p;
@ -1173,6 +1175,8 @@ fastcgi_conf(char *path, char *port, char *prog)
struct fcgi *f; struct fcgi *f;
int i; int i;
conf.can_open_sockets = 1;
for (i = 0; i < FCGI_MAX; ++i) { for (i = 0; i < FCGI_MAX; ++i) {
f = &fcgi[i]; f = &fcgi[i];
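Review bot: The bare `conf.can_open_sockets = 1;` in `new_proxy` (and likewise in `fastcgi_conf`) is a global side effect with security consequences that nothing in the hunk explains; a one-line comment such as `/* proxying needs connect(2), which the sandbox can't allow: see sandbox.c */` would tell a reader why merely parsing a `proxy` block weakens the whole server process. Note that the flag is set as soon as the proxy object is allocated, so a rule that is parsed but later rejected would presumably still disable the sandbox; whether `conf` is re-zeroed on a config reload, so the flag cannot stick after the last `proxy`/`fastcgi` rule is removed, is not visible here and is worth confirming. Both enclosing functions continue past the hunk.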


@ -21,7 +21,7 @@
#warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox." #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
void void
sandbox_server_process(void) sandbox_server_process(int can_open_sockets)
{ {
return; return;
} }
@ -37,8 +37,12 @@ sandbox_logger_process(void)
#include <sys/capsicum.h> #include <sys/capsicum.h>
void void
sandbox_server_process(void) sandbox_server_process(int can_open_sockets)
{ {
/* can't capsicum if fastcgi or proxying are used. */
if (can_open_sockets)
return;
if (cap_enter() == -1) if (cap_enter() == -1)
fatal("cap_enter"); fatal("cap_enter");
} }
@ -537,13 +541,18 @@ logger_landlock(void)
#endif #endif
void void
sandbox_server_process(void) sandbox_server_process(int can_open_sockets)
{ {
const struct sock_fprog prog = { const struct sock_fprog prog = {
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])), .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
.filter = filter, .filter = filter,
}; };
/* can't seccomp/landlock if fastcgi or proxying are used. */
if (can_open_sockets)
return;
#ifdef SC_DEBUG #ifdef SC_DEBUG
sandbox_seccomp_catch_sigsys(); sandbox_seccomp_catch_sigsys();
#endif #endif
@ -592,7 +601,7 @@ sandbox_logger_process(void)
#include <unistd.h> #include <unistd.h>
void void
sandbox_server_process(void) sandbox_server_process(int can_open_sockets)
{ {
struct vhost *h; struct vhost *h;
struct location *l; struct location *l;
@ -625,7 +634,7 @@ sandbox_logger_process(void)
#warning "No sandbox method known for this OS" #warning "No sandbox method known for this OS"
void void
sandbox_server_process(void) sandbox_server_process(int can_open_sockets)
{ {
return; return;
} }
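Review bot: The early `if (can_open_sockets) return;` in the Linux `sandbox_server_process` skips every restriction, not only the seccomp filter that needs `socket`/`connect`: the comment says "can't seccomp/landlock", but Landlock rulesets (at least the filesystem-only rules available when this was written) do not prevent creating or connecting sockets, so if a landlock step follows later in this function, as the comment suggests, it could still be applied in the fastcgi/proxy case instead of being abandoned with the seccomp filter. The return is also silent: an operator with a `proxy` or `fastcgi` rule now runs an unsandboxed server process with no hint that the hardening is gone, so I'd emit one warning at that point with whatever logging helper this file uses, e.g. `log_warn(NULL, "sandbox disabled: fastcgi/proxy rules in use");`, and the same in the capsicum variant. On the stub variants (`#warning` disabled and "No sandbox method") the parameter is now unused, so `(void)can_open_sockets;` avoids a `-Wunused-parameter` warning. The Linux and OpenBSD definitions continue past their hunks.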


@ -1378,7 +1378,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL); signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
signal_add(&sigusr2, NULL); signal_add(&sigusr2, NULL);
sandbox_server_process(); sandbox_server_process(conf.can_open_sockets);
event_dispatch(); event_dispatch();
_exit(0); _exit(0);
} }