4 files changed, 21 insertions, 7 deletions

diff --git a/gmid.h b/gmid.h
index a9e8552..38b99ad 100644
--- a/gmid.h
+++ b/gmid.h
@@ -196,6 +196,7 @@ struct conf {
 	/* from command line */
 	int		 foreground;
 	int		 verbose;
+	int		 can_open_sockets;
 
 	/* in the config */
 	int		 port;
@@ -366,7 +367,7 @@ void		 fcgi_error(struct bufferevent *, short, void *);
 void		 fcgi_req(struct client *);
 
 /* sandbox.c */
-void		 sandbox_server_process(void);
+void		 sandbox_server_process(int);
 void		 sandbox_logger_process(void);
 
 /* utf8.c */
diff --git a/parse.y b/parse.y
index 1eaf0c7..96ab053 100644
--- a/parse.y
+++ b/parse.y
@@ -1050,6 +1050,8 @@ new_proxy(void)
 {
 	struct proxy *p;
 
+	conf.can_open_sockets = 1;
+
 	p = xcalloc(1, sizeof(*p));
 	p->protocols = TLS_PROTOCOLS_DEFAULT;
 	return p;
@@ -1173,6 +1175,8 @@ fastcgi_conf(char *path, char *port, char *prog)
 	struct fcgi	*f;
 	int		i;
 
+	conf.can_open_sockets = 1;
+
 	for (i = 0; i < FCGI_MAX; ++i) {
 		f = &fcgi[i];
 
diff --git a/sandbox.c b/sandbox.c
index 78fc079..52a161d 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -21,7 +21,7 @@
 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
 
 void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
 {
 	return;
 }
@@ -37,8 +37,12 @@ sandbox_logger_process(void)
 #include <sys/capsicum.h>
 
 void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
 {
+	/* can't capsicum if fastcgi or proxying are used. */
+	if (can_open_sockets)
+		return;
+
 	if (cap_enter() == -1)
 		fatal("cap_enter");
 }
@@ -537,13 +541,18 @@ logger_landlock(void)
 #endif
 
 void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
 {
 	const struct sock_fprog prog = {
 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
 		.filter = filter,
 	};
 
+	/* can't seccomp/landlock if fastcgi or proxying are used. */
+	if (can_open_sockets)
+		return;
+
+
 #ifdef SC_DEBUG
 	sandbox_seccomp_catch_sigsys();
 #endif
@@ -592,7 +601,7 @@ sandbox_logger_process(void)
 #include <unistd.h>
 
 void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
 {
 	struct vhost	*h;
 	struct location	*l;
@@ -625,7 +634,7 @@ sandbox_logger_process(void)
 #warning "No sandbox method known for this OS"
 
 void
-sandbox_server_process(void)
+sandbox_server_process(int can_open_sockets)
 {
 	return;
 }
diff --git a/server.c b/server.c
index 4e62ad3..b87974e 100644
--- a/server.c
+++ b/server.c
@@ -1378,7 +1378,7 @@ loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
 	signal_set(&sigusr2, SIGUSR2, &handle_siginfo, NULL);
 	signal_add(&sigusr2, NULL);
 
-	sandbox_server_process();
+	sandbox_server_process(conf.can_open_sockets);
 	event_dispatch();
 	_exit(0);
 }