authorOmar Polo <op@omarpolo.com>2021-05-09 18:23:36 +0000
committerOmar Polo <op@omarpolo.com>2021-05-09 18:23:36 +0000
commit8ad1c570242cd93f0802931621b49b2510b338e7 (patch)
tree361394003bca869780ace3a3391ff13b2439a6e2 /sandbox.c
parent50310aff335912edde625a5cde3729e34783fd7c (diff)
fastcgi: a first implementation
Not production-ready yet, but it's a start.

This adds a third ``backend'' for gmid: until now it served local files or CGI scripts, now FastCGI applications too.

FastCGI is meant to be an improvement over CGI: instead of exec'ing a script for every request, it allows opening a single connection to an ``application'' and sending the requests/receiving the responses over that socket using a simple binary protocol.

At the moment gmid supports three different methods of opening a fastcgi connection:

- local unix sockets, with: fastcgi "/path/to/sock"
- network sockets, with: fastcgi tcp "host" [port]
  port defaults to 9000 and can be either a string or a number
- subprocess, with: fastcgi spawn "/path/to/program"
  the fastcgi protocol is done over the executed program's stdin

Of these, the last is only for testing and may be removed in the future.

P.S.: the fastcgi rule is per-location of course :)
Diffstat (limited to 'sandbox.c')
-rw-r--r--sandbox.c23
1 files changed, 21 insertions, 2 deletions
diff --git a/sandbox.c b/sandbox.c
index 4e10739..d2236d7 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -304,6 +304,8 @@ sandbox_executor_process(void)
{
struct vhost *h;
struct location *l;
+ struct fcgi *f;
+ size_t i;
TAILQ_FOREACH(h, &hosts, vhosts) {
TAILQ_FOREACH(l, &h->locations, locations) {
@@ -317,8 +319,25 @@ sandbox_executor_process(void)
}
}
- /* rpath to chdir into the correct directory */
- if (pledge("stdio rpath sendfd proc exec", NULL))
+ for (i = 0; i < FCGI_MAX; i++) {
+ f = &fcgi[i];
+ if (f->path != NULL) {
+ if (unveil(f->path, "rw") == -1)
+ fatal("unveil %s", f->path);
+ }
+
+ if (f->prog != NULL) {
+ if (unveil(f->prog, "rx") == -1)
+ fatal("unveil %s", f->prog);
+ }
+ }
+
+ /*
+ * rpath: to chdir into the correct directory
+ * proc exec: CGI
+ * dns inet unix: FastCGI
+ */
+ if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
err(1, "pledge");
}
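Review bot: The `pledge()` call at the end of this hunk grants `dns inet unix` unconditionally, so the executor process keeps network and unix-socket access even on configurations where the loop above finds every `f->path` and `f->prog` NULL and no FastCGI backend is in use. Consider recording inside the `for` loop whether any `fcgi[i]` slot is configured and falling back to the previous promise string, `"stdio rpath sendfd proc exec"`, when none is; the field that marks a `tcp` entry is not visible in this hunk, so that check would have to cover it as well. Separately, the added `unveil()` failures are reported through `fatal()` while the `pledge()` failure still uses `err(1, "pledge")`, and a single reporting path would be easier to follow. The function's opening lines sit in the previous hunk, so this is judged from the visible tail only.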