Usage of unveil() and pledge() can be disabled from config.

This commit is contained in:
default 2023-01-13 14:18:23 +01:00
parent ed6a94ee14
commit 6406877af1

11
data.c
View file

@ -87,7 +87,13 @@ int srv_open(char *basedir, int auto_upgrade)
srv_log(error); srv_log(error);
#ifdef __OpenBSD__ #ifdef __OpenBSD__
srv_debug(2, xs_fmt("Calling unveil()")); char *v = xs_dict_get(srv_config, "disable_openbsd_security");
if (v && xs_type(v) == XSTYPE_TRUE) {
srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
}
else {
srv_debug(1, xs_fmt("Calling unveil()"));
unveil(basedir, "rwc"); unveil(basedir, "rwc");
unveil("/usr/sbin/sendmail", "x"); unveil("/usr/sbin/sendmail", "x");
unveil("/etc/resolv.conf", "r"); unveil("/etc/resolv.conf", "r");
@ -96,8 +102,9 @@ int srv_open(char *basedir, int auto_upgrade)
unveil("/etc/ssl/cert.pem", "r"); unveil("/etc/ssl/cert.pem", "r");
unveil("/usr/share/zoneinfo", "r"); unveil("/usr/share/zoneinfo", "r");
unveil(NULL, NULL); unveil(NULL, NULL);
srv_debug(2, xs_fmt("Calling pledge()")); srv_debug(1, xs_fmt("Calling pledge()"));
pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL); pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL);
}
#endif /* __OpenBSD__ */ #endif /* __OpenBSD__ */
return ret; return ret;