authorOmar Polo <op@omarpolo.com>2021-03-20 08:42:08 +0000
committerOmar Polo <op@omarpolo.com>2021-03-20 08:42:08 +0000
commit62e001b06778c96d0deebceddf1913f7b57ab2d6 (patch)
tree086b6df9d90bb36ebc2a6a210966cc2dc158561e
parentad5301d1a00ba96c920fd89535cf9074b6e92088 (diff)
move all sandbox-related code to sandbox.c
while there, add capsicum for the logger process
-rw-r--r--ex.c16
-rw-r--r--gmid.h4
-rw-r--r--log.c5
-rw-r--r--regress/puny-test.c7
-rw-r--r--sandbox.c79
-rw-r--r--server.c2
6 files changed, 89 insertions, 24 deletions
diff --git a/ex.c b/ex.c
index 6817024..645e865 100644
--- a/ex.c
+++ b/ex.c
@@ -270,23 +270,9 @@ handle_dispatch_imsg(int fd, short ev, void *d)
int
executor_main(struct imsgbuf *ibuf)
{
- struct vhost *vhost;
struct event evs[PROC_MAX], imsgev;
int i;
-#ifdef __OpenBSD__
- for (vhost = hosts; vhost->domain != NULL; ++vhost) {
- /* r so we can chdir into the correct directory */
- if (unveil(vhost->dir, "rx") == -1)
- err(1, "unveil %s for domain %s",
- vhost->dir, vhost->domain);
- }
-
- /* rpath to chdir into the correct directory */
- if (pledge("stdio rpath sendfd proc exec", NULL))
- err(1, "pledge");
-#endif
-
event_init();
if (ibuf != NULL) {
@@ -301,6 +287,8 @@ executor_main(struct imsgbuf *ibuf)
event_add(&evs[i], NULL);
}
+ sandbox_executor_process();
+
event_dispatch();
return 1;
diff --git a/gmid.h b/gmid.h
index dad7b4c..7e9bba0 100644
--- a/gmid.h
+++ b/gmid.h
@@ -294,7 +294,9 @@ int recv_fd(int);
int executor_main(struct imsgbuf*);
/* sandbox.c */
-void sandbox(void);
+void sandbox_server_process(void);
+void sandbox_executor_process(void);
+void sandbox_logger_process(void);
/* utf8.c */
int valid_multibyte_utf8(struct parser*);
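Review bot: The three new prototypes carry no contract, so a reader of gmid.h cannot tell that each is meant to be called once from its own process, only after every file and socket that process needs is open, and that all three fall back to doing nothing on an OS without a known sandbox (the `#else` branch of sandbox.c in this same commit). A short block comment above them would capture that, e.g. `/* Restrict the calling process (server, executor or logger). Call once, after all needed fds are open, right before event_dispatch(); a no-op where no sandbox is available. */`.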
diff --git a/log.c b/log.c
index b66aa19..2ff2158 100644
--- a/log.c
+++ b/log.c
@@ -270,10 +270,7 @@ logger_main(int fd, struct imsgbuf *ibuf)
event_set(&imsgev, fd, EV_READ | EV_PERSIST, &handle_dispatch_imsg, ibuf);
event_add(&imsgev, NULL);
-#ifdef __OpenBSD__
- if (pledge("stdio", NULL) == -1)
- err(1, "pledge");
-#endif
+ sandbox_logger_process();
event_dispatch();
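Review bot: From this call onward the FreeBSD build is in capability mode (the new sandbox.c variant of sandbox_logger_process calls cap_enter()), so every descriptor the logger will ever write to must already be open here; any later path-based open, such as reopening a log file on a signal, would fail with ECAPMODE. I cannot see the logger's write path in this diff, so this may already hold, but the ordering is now a precondition of the call and deserves a comment, e.g. `/* all log fds must be open by now: sandbox_logger_process() may enter capability mode */`. logger_main's body continues outside the hunk on both sides.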
diff --git a/regress/puny-test.c b/regress/puny-test.c
index 2397e9a..b392335 100644
--- a/regress/puny-test.c
+++ b/regress/puny-test.c
@@ -48,6 +48,13 @@ struct suite {
{NULL, NULL}
};
+void
+sandbox_logger_process(void)
+{
+ /* to make the linker happy! */
+ return;
+}
+
int
main(int argc, char **argv)
{
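Review bot: The stub's comment does not say which reference it satisfies, so whoever next touches the regress build cannot tell when it can be dropped. Presumably the test links log.c, which now calls sandbox_logger_process(), but not sandbox.c (the Makefile is not in this diff); if so, `/* log.c calls sandbox_logger_process(); the regress build does not link sandbox.c, so provide a no-op here. */` would say why, and the bare `return;` in a void function can simply be omitted.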
diff --git a/sandbox.c b/sandbox.c
index 8990850..509d6bb 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -21,7 +21,22 @@
#include <sys/capsicum.h>
void
-sandbox()
+sandbox_server_process(void)
+{
+ if (cap_enter() == -1)
+ fatal("cap_enter");
+}
+
+void
+sandbox_executor_process(void)
+{
+ /* We cannot capsicum the executor process because it needs
+ * to fork(2)+execve(2) cgi scripts */
+ return;
+}
+
+void
+sandbox_logger_process(void)
{
if (cap_enter() == -1)
fatal("cap_enter");
@@ -124,7 +139,7 @@ sandbox_seccomp_catch_sigsys(void)
#endif /* SC_DEBUG */
void
-sandbox()
+sandbox_server_process(void)
{
struct sock_filter filter[] = {
/* load the *current* architecture */
@@ -239,12 +254,30 @@ sandbox()
__func__, strerror(errno));
}
+void
+sandbox_executor_process(void)
+{
+ /* We cannot use seccomp for the executor process because we
+ * don't know what the child will do. Also, our filter will
+ * be inherited so the child cannot set its own seccomp
+ * policy. */
+ return;
+}
+
+void
+sandbox_logger_process(void)
+{
+ /* To be honest, here we could use a seccomp policy to only
+ * allow writev(2) and memory allocations. */
+ return;
+}
+
#elif defined(__OpenBSD__)
#include <unistd.h>
void
-sandbox()
+sandbox_server_process(void)
{
struct vhost *h;
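Review bot: The comment in the new seccomp sandbox_executor_process says that because the filter is inherited "the child cannot set its own seccomp policy", which is not what inheritance does: the child can still install further filters, it just cannot remove or loosen ours, so a CGI script would run under the server's policy plus whatever it adds; suggest `/* our filter would be inherited by the CGI child and cannot be relaxed there, so the script would be confined to the server's policy too */`. The new sandbox_logger_process comment acknowledges that a seccomp policy is feasible but leaves the Linux logger unconfined, while the capsicum and pledge variants in this same commit do confine it; marking it `/* TODO: ... */` would make that gap visible to the next reader. The `#elif defined(__OpenBSD__)` block that follows opens sandbox_server_process, whose body continues into the next hunk.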
@@ -257,12 +290,50 @@ sandbox()
fatal("pledge");
}
+void
+sandbox_executor_process(void)
+{
+ struct vhost *vhost;
+
+ for (vhost = hosts; vhost->domain != NULL; ++vhost) {
+ /* r so we can chdir into the correct directory */
+ if (unveil(vhost->dir, "rx") == -1)
+ err(1, "unveil %s for domain %s",
+ vhost->dir, vhost->domain);
+ }
+
+ /* rpath to chdir into the correct directory */
+ if (pledge("stdio rpath sendfd proc exec", NULL))
+ err(1, "pledge");
+}
+
+void
+sandbox_logger_process(void)
+{
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+}
+
#else
+#warning "No sandbox method known for this OS"
+
+void
+sandbox_server_process(void)
+{
+ return;
+}
+
void
-sandbox()
+sandbox_executor_process(void)
{
log_notice(NULL, "no sandbox method known for this OS");
}
+void
+sandbox_logger_process(void)
+{
+ return;
+}
+
#endif
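Review bot: In the `#else` fallback the `log_notice(NULL, "no sandbox method known for this OS")` ended up in sandbox_executor_process, which is a deliberate no-op on every platform in this diff, while sandbox_server_process and sandbox_logger_process, the two that actually lose protection on an unknown OS, now return silently; the notice should move to those two (at least to sandbox_server_process, where it lived before the rename). Separately, the OpenBSD sandbox_executor_process and sandbox_logger_process report failure with `err(1, ...)` while sandbox_server_process in the same file uses `fatal("pledge")`, and the executor's `if (pledge(...))` omits the `== -1` its sibling uses a few lines below; `if (pledge("stdio rpath sendfd proc exec", NULL) == -1) fatal("pledge");` and `if (pledge("stdio", NULL) == -1) fatal("pledge");` would make the three consistent. The unveil loop's `err(1, "unveil %s for domain %s", ...)` could follow suit if fatal() is printf-like, as the `__func__, strerror(errno)` call earlier in this file suggests.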
diff --git a/server.c b/server.c
index b059412..0080b17 100644
--- a/server.c
+++ b/server.c
@@ -1129,7 +1129,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
signal_add(&sigusr2, NULL);
- sandbox();
+ sandbox_server_process();
event_dispatch();
_exit(0);
}