mirror of
https://github.com/omar-polo/gmid.git
synced 2024-08-18 00:43:22 +02:00
881a9dd9c2
this way, we can sandbox the listener with seccomp (todo) or capsicum (already done) and still have CGI scripts. When we want to exec, we tell the executor what to do, the executor executes the scripts and send the fd backt to the listener.
58 lines
754 B
C
58 lines
754 B
C
#include "gmid.h"
|
|
|
|
#if defined(__FreeBSD__)
|
|
|
|
#include <sys/capsicum.h>
|
|
#include <err.h>
|
|
|
|
void
|
|
sandbox()
|
|
{
|
|
struct vhost *h;
|
|
int has_cgi = 0;
|
|
|
|
for (h = hosts; h->domain != NULL; ++h)
|
|
if (h->cgi != NULL)
|
|
has_cgi = 1;
|
|
|
|
if (cap_enter() == -1)
|
|
err(1, "cap_enter");
|
|
}
|
|
|
|
#elif defined(__linux__)
|
|
|
|
void
|
|
sandbox()
|
|
{
|
|
/* TODO: seccomp */
|
|
}
|
|
|
|
#elif defined(__OpenBSD__)
|
|
|
|
#include <err.h>
|
|
#include <unistd.h>
|
|
|
|
void
|
|
sandbox()
|
|
{
|
|
struct vhost *h;
|
|
|
|
for (h = hosts; h->domain != NULL; ++h) {
|
|
if (unveil(h->dir, "rx") == -1)
|
|
err(1, "unveil %s for domain %s", h->dir, h->domain);
|
|
}
|
|
|
|
if (pledge("stdio recvfd rpath inet", NULL) == -1)
|
|
err(1, "pledge");
|
|
}
|
|
|
|
#else
|
|
|
|
void
|
|
sandbox()
|
|
{
|
|
LOGN(NULL, "%s", "no sandbox method known for this OS");
|
|
}
|
|
|
|
#endif
|