author | Omar Polo <op@omarpolo.com> | 2021-03-20 08:42:08 +0000 |
---|---|---|
committer | Omar Polo <op@omarpolo.com> | 2021-03-20 08:42:08 +0000 |
commit | 62e001b06778c96d0deebceddf1913f7b57ab2d6 (patch) | |
tree | 086b6df9d90bb36ebc2a6a210966cc2dc158561e | |
parent | ad5301d1a00ba96c920fd89535cf9074b6e92088 (diff) |
move all sandbox-related code to sandbox.c
while there, add capsicum for the logger process
-rw-r--r-- | ex.c | 16 | ||||
-rw-r--r-- | gmid.h | 4 | ||||
-rw-r--r-- | log.c | 5 | ||||
-rw-r--r-- | regress/puny-test.c | 7 | ||||
-rw-r--r-- | sandbox.c | 79 | ||||
-rw-r--r-- | server.c | 2 |
6 files changed, 89 insertions, 24 deletions
@@ -270,23 +270,9 @@ handle_dispatch_imsg(int fd, short ev, void *d)
 int
 executor_main(struct imsgbuf *ibuf)
 {
- struct vhost *vhost;
 struct event evs[PROC_MAX], imsgev;
 int i;
-#ifdef __OpenBSD__
- for (vhost = hosts; vhost->domain != NULL; ++vhost) {
- /* r so we can chdir into the correct directory */
- if (unveil(vhost->dir, "rx") == -1)
- err(1, "unveil %s for domain %s",
- vhost->dir, vhost->domain);
- }
-
- /* rpath to chdir into the correct directory */
- if (pledge("stdio rpath sendfd proc exec", NULL))
- err(1, "pledge");
-#endif
-
 event_init();
 if (ibuf != NULL) {
@@ -301,6 +287,8 @@ executor_main(struct imsgbuf *ibuf)
 event_add(&evs[i], NULL);
 }
+ sandbox_executor_process();
+
 event_dispatch();
 return 1;
@@ -294,7 +294,9 @@ int recv_fd(int);
 int executor_main(struct imsgbuf*);
 /* sandbox.c */
-void sandbox(void);
+void sandbox_server_process(void);
+void sandbox_executor_process(void);
+void sandbox_logger_process(void);
 /* utf8.c */
 int valid_multibyte_utf8(struct parser*);
@@ -270,10 +270,7 @@ logger_main(int fd, struct imsgbuf *ibuf)
 event_set(&imsgev, fd, EV_READ | EV_PERSIST, &handle_dispatch_imsg, ibuf);
 event_add(&imsgev, NULL);
-#ifdef __OpenBSD__
- if (pledge("stdio", NULL) == -1)
- err(1, "pledge");
-#endif
+ sandbox_logger_process();
 event_dispatch();
diff --git a/regress/puny-test.c b/regress/puny-test.c
index 2397e9a..b392335 100644
--- a/regress/puny-test.c
+++ b/regress/puny-test.c
@@ -48,6 +48,13 @@ struct suite {
 {NULL, NULL}
 };
+void
+sandbox_logger_process(void)
+{
+ /* to make the linker happy! */
+ return;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -21,7 +21,22 @@
 #include <sys/capsicum.h>
 void
-sandbox()
+sandbox_server_process(void)
+{
+ if (cap_enter() == -1)
+ fatal("cap_enter");
+}
+
+void
+sandbox_executor_process(void)
+{
+ /* We cannot capsicum the executor process because it needs
+ * to fork(2)+execve(2) cgi scripts */
+ return;
+}
+
+void
+sandbox_logger_process(void)
 {
 if (cap_enter() == -1)
 fatal("cap_enter");
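Review bot: The three new prototypes in gmid.h say nothing about which process each one belongs to, where it is called, or that none of them returns on failure (the OpenBSD variants call `err(1, ...)`, the capsicum ones `fatal(...)`, presumably also fatal), and the header is where a caller will look first. A one-line comment per prototype would carry that: `void sandbox_server_process(void);	/* server: loop(), just before event_dispatch() */`, `void sandbox_executor_process(void);	/* executor: executor_main(), after the event setup */`, `void sandbox_logger_process(void);	/* logger: logger_main(), after the event setup */`. The call sites are those visible in the ex.c, log.c and server.c hunks of this commit.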
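Review bot: The capsicum `sandbox_logger_process` puts the logger into capability mode, and after `cap_enter()` the process can no longer reach the global namespace, so anything the logger opens lazily — a log file on first write, or the syslogd socket that syslog(3) connects to on first use — would fail from then on. Neither this hunk nor the log.c hunk shows what the logger actually writes to, so this may already be satisfied; it is worth pinning down in a comment at the call, e.g. `/* every fd the logger writes to must already be open: capability mode denies opens */`. Note also that the regress/puny-test.c stub only covers this one symbol, so the test binary evidently links log.c but not sandbox.c; that is fine for now but will silently break if log.c ever references another sandbox_* function.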
@@ -124,7 +139,7 @@ sandbox_seccomp_catch_sigsys(void)
 #endif /* SC_DEBUG */
 void
-sandbox()
+sandbox_server_process(void)
 {
 struct sock_filter filter[] = {
 /* load the *current* architecture */
@@ -239,12 +254,30 @@ sandbox()
 __func__, strerror(errno));
 }
+void
+sandbox_executor_process(void)
+{
+ /* We cannot use seccomp for the executor process because we
+ * don't know what the child will do. Also, our filter will
+ * be inherited so the child cannot set its own seccomp
+ * policy. */
+ return;
+}
+
+void
+sandbox_logger_process(void)
+{
+ /* To be honest, here we could use a seccomp policy to only
+ * allow writev(2) and memory allocations. */
+ return;
+}
+
 #elif defined(__OpenBSD__)
 #include <unistd.h>
 void
-sandbox()
+sandbox_server_process(void)
 {
 struct vhost *h;
@@ -257,12 +290,50 @@ sandbox()
 fatal("pledge");
 }
+void
+sandbox_executor_process(void)
+{
+ struct vhost *vhost;
+
+ for (vhost = hosts; vhost->domain != NULL; ++vhost) {
+ /* r so we can chdir into the correct directory */
+ if (unveil(vhost->dir, "rx") == -1)
+ err(1, "unveil %s for domain %s",
+ vhost->dir, vhost->domain);
+ }
+
+ /* rpath to chdir into the correct directory */
+ if (pledge("stdio rpath sendfd proc exec", NULL))
+ err(1, "pledge");
+}
+
+void
+sandbox_logger_process(void)
+{
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+}
+
 #else
+#warning "No sandbox method known for this OS"
+
+void
+sandbox_server_process(void)
+{
+ return;
+}
+
 void
-sandbox()
+sandbox_executor_process(void)
 {
 log_notice(NULL, "no sandbox method known for this OS");
 }
+void
+sandbox_logger_process(void)
+{
+ return;
+}
+
 #endif
@@ -1129,7 +1129,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
 signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
 signal_add(&sigusr2, NULL);
- sandbox();
+ sandbox_server_process();
 event_dispatch();
 _exit(0);
 } |
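Review bot: The comment in the seccomp `sandbox_executor_process` gives a reason that is not quite right: a process that inherits a seccomp filter can still install further filters of its own (they stack, and the most restrictive verdict wins); what it cannot do is relax the inherited one, so the actual problem is that a policy tight enough for gmid would break whatever the CGI scripts need. Suggest rewording it to `/* No seccomp here: the filter would be inherited across fork(2)+execve(2) by the CGI scripts, which can only tighten it, never lift it, so any policy strict enough for us would break them. */`. The remark in the logger stub is a plan rather than an explanation; writing it as `/* TODO: a seccomp policy allowing only writev(2) and memory allocation would do here. */` makes it show up in a grep for open work and matches the fact that the logger is sandboxed on the other two platforms but not here.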
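Review bot: The OpenBSD `sandbox_executor_process` and `sandbox_logger_process` report failure with `err(1, ...)`, while `sandbox_server_process` just above them ends with `fatal("pledge")` (visible as context in this hunk), and the executor tests `if (pledge(...))` where every other call tests `== -1`; the code was moved verbatim, but now that the three live side by side the mismatch stands out, and err(3) skips whatever fatal() does before exiting (logging, presumably). Suggest `if (pledge("stdio rpath sendfd proc exec", NULL) == -1)` / `fatal("pledge");`, and the same for the unveil and logger calls. The comment `/* r so we can chdir into the correct directory */` also no longer explains the "x" the call actually requests; if "x" is there so the executor can run the CGI scripts in that directory — the page does not show the exec path, so confirm — `/* "r" to chdir into the directory, "x" to run the CGI scripts inside it */` would say so. In the #else section only the executor stub emits the runtime log_notice while the server and logger stubs return silently; if one notice per daemon is the intent, placing it in the stub loop() calls seems more natural, but that is a guess from this page alone.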