pledge() + unveil() sandbox
This is the OpenBSD sandbox.
parent
3c1e08372d
commit
09e452a09d
1
Makefile
1
Makefile
@ -49,6 +49,7 @@ CXXSRC=\
|
||||
src/db/player.cpp\
|
||||
src/db/email.cpp\
|
||||
src/sandbox/seccomp.cpp\
|
||||
src/sandbox/openbsd.cpp\
|
||||
src/Chat.cpp\
|
||||
src/CustomCommands.cpp\
|
||||
src/Entities.cpp\
|
||||
|
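--- a/src/sandbox/openbsd.cpp
+++ b/src/sandbox/openbsd.cpp
@@ -0,0 +1,45 @@
+#if defined(__OpenBSD__) && !defined(CONFIG_NOSANDBOX)
+
+#include "core/Core.hpp"
+#include "settings.hpp"
+
+#include <stdio.h>
+#include <unistd.h>
+
+#include <err.h>
+
+static void eunveil(const char *path, const char *permissions) {
+if (unveil(path, permissions) < 0)
+err(1, "unveil");
+}
+
+void sandbox_start() {
+/*
+* There shouldn't ever be a reason to disable this one, but might as well
+* be consistent with the Linux sandbox.
+*/
+if (!settings::SANDBOX) {
+std::cout << "[WARN] Running without a sandbox" << std::endl;
+return;
+}
+
+std::cout << "[INFO] Starting pledge+unveil sandbox..." << std::endl;
+
+if (pledge("stdio rpath wpath cpath inet flock unveil", NULL) < 0)
+err(1, "pledge");
+
+// database stuff
+eunveil(settings::DBPATH.c_str(), "rwc");
+eunveil((settings::DBPATH + "-journal").c_str(), "rwc");
+eunveil((settings::DBPATH + "-wal").c_str(), "rwc");
+
+// tabledata stuff
+eunveil((settings::TDATADIR + "/" + settings::GRUNTWORKJSON).c_str(), "wc");
+
+// for bcrypt_gensalt()
+eunveil("/dev/urandom", "r");
+
+eunveil(NULL, NULL);
+}
+
+#endif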
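Review bot: The unveil list in sandbox_start() covers the SQLite `-journal` and `-wal` sidecar files but not `-shm`, which SQLite creates next to the database when it runs in WAL mode without exclusive locking; if the server ever opens the database that way (not visible in this file), the first access after the sandbox starts would be denied. Adding `eunveil((settings::DBPATH + "-shm").c_str(), "rwc");` beside the other two keeps the allow-list matched to what SQLite touches, so operators are not pushed toward turning the sandbox setting off to work around a denial. Separately, `err(1, "unveil")` in eunveil() drops the path, so a failure cannot be traced to a specific entry; `err(1, "unveil %s", path ? path : "(lock)")` would name it. The pledge set still carries the `unveil` promise after `eunveil(NULL, NULL)`; that is harmless because the list is already locked, but a one-line comment such as `// unveil(NULL, NULL) locks the list; the "unveil" promise is inert from here on` would save the next reader a lookup.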