Usage of unveil() and pledge() can be disabled from config.

This commit is contained in:
default 2023-01-13 14:18:23 +01:00
parent ed6a94ee14
commit 6406877af1

29
data.c
View file

@ -87,17 +87,24 @@ int srv_open(char *basedir, int auto_upgrade)
srv_log(error); srv_log(error);
#ifdef __OpenBSD__ #ifdef __OpenBSD__
srv_debug(2, xs_fmt("Calling unveil()")); char *v = xs_dict_get(srv_config, "disable_openbsd_security");
unveil(basedir, "rwc");
unveil("/usr/sbin/sendmail", "x"); if (v && xs_type(v) == XSTYPE_TRUE) {
unveil("/etc/resolv.conf", "r"); srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
unveil("/etc/hosts", "r"); }
unveil("/etc/ssl/openssl.cnf", "r"); else {
unveil("/etc/ssl/cert.pem", "r"); srv_debug(1, xs_fmt("Calling unveil()"));
unveil("/usr/share/zoneinfo", "r"); unveil(basedir, "rwc");
unveil(NULL, NULL); unveil("/usr/sbin/sendmail", "x");
srv_debug(2, xs_fmt("Calling pledge()")); unveil("/etc/resolv.conf", "r");
pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL); unveil("/etc/hosts", "r");
unveil("/etc/ssl/openssl.cnf", "r");
unveil("/etc/ssl/cert.pem", "r");
unveil("/usr/share/zoneinfo", "r");
unveil(NULL, NULL);
srv_debug(1, xs_fmt("Calling pledge()"));
pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL);
}
#endif /* __OpenBSD__ */ #endif /* __OpenBSD__ */
return ret; return ret;