mirror of
https://github.com/OpenFusionProject/OpenFusion.git
synced 2024-11-05 06:50:04 +00:00
pledge() + unveil() sandbox
This is the OpenBSD sandbox.
This commit is contained in:
parent
3c1e08372d
commit
09e452a09d
1
Makefile
1
Makefile
@ -49,6 +49,7 @@ CXXSRC=\
|
|||||||
src/db/player.cpp\
|
src/db/player.cpp\
|
||||||
src/db/email.cpp\
|
src/db/email.cpp\
|
||||||
src/sandbox/seccomp.cpp\
|
src/sandbox/seccomp.cpp\
|
||||||
|
src/sandbox/openbsd.cpp\
|
||||||
src/Chat.cpp\
|
src/Chat.cpp\
|
||||||
src/CustomCommands.cpp\
|
src/CustomCommands.cpp\
|
||||||
src/Entities.cpp\
|
src/Entities.cpp\
|
||||||
|
45
src/sandbox/openbsd.cpp
Normal file
45
src/sandbox/openbsd.cpp
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
#if defined(__OpenBSD__) && !defined(CONFIG_NOSANDBOX)
|
||||||
|
|
||||||
|
#include "core/Core.hpp"
|
||||||
|
#include "settings.hpp"
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#include <err.h>
|
||||||
|
|
||||||
|
static void eunveil(const char *path, const char *permissions) {
|
||||||
|
if (unveil(path, permissions) < 0)
|
||||||
|
err(1, "unveil");
|
||||||
|
}
|
||||||
|
|
||||||
|
void sandbox_start() {
|
||||||
|
/*
|
||||||
|
* There shouldn't ever be a reason to disable this one, but might as well
|
||||||
|
* be consistent with the Linux sandbox.
|
||||||
|
*/
|
||||||
|
if (!settings::SANDBOX) {
|
||||||
|
std::cout << "[WARN] Running without a sandbox" << std::endl;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::cout << "[INFO] Starting pledge+unveil sandbox..." << std::endl;
|
||||||
|
|
||||||
|
if (pledge("stdio rpath wpath cpath inet flock unveil", NULL) < 0)
|
||||||
|
err(1, "pledge");
|
||||||
|
|
||||||
|
// database stuff
|
||||||
|
eunveil(settings::DBPATH.c_str(), "rwc");
|
||||||
|
eunveil((settings::DBPATH + "-journal").c_str(), "rwc");
|
||||||
|
eunveil((settings::DBPATH + "-wal").c_str(), "rwc");
|
||||||
|
|
||||||
|
// tabledata stuff
|
||||||
|
eunveil((settings::TDATADIR + "/" + settings::GRUNTWORKJSON).c_str(), "wc");
|
||||||
|
|
||||||
|
// for bcrypt_gensalt()
|
||||||
|
eunveil("/dev/urandom", "r");
|
||||||
|
|
||||||
|
eunveil(NULL, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
Loading…
Reference in New Issue
Block a user