Tweaked unveil() / pledge() to deal with UNIX sockets.

This commit is contained in:
default 2024-08-05 06:54:47 +02:00
parent 54edf4e9d8
commit b856664663

22
data.c
View file

@ -114,13 +114,12 @@ int srv_open(const char *basedir, int auto_upgrade)
#endif #endif
#ifdef __OpenBSD__ #ifdef __OpenBSD__
const char *v = xs_dict_get(srv_config, "disable_openbsd_security"); if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
if (v && xs_type(v) == XSTYPE_TRUE) {
srv_debug(1, xs_dup("OpenBSD security disabled by admin")); srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
} }
else { else {
int smail = xs_type(xs_dict_get(srv_config, "disable_email_notifications")) != XSTYPE_TRUE; int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
const char *address = xs_dict_get(srv_config, "address");
srv_debug(1, xs_fmt("Calling unveil()")); srv_debug(1, xs_fmt("Calling unveil()"));
unveil(basedir, "rwc"); unveil(basedir, "rwc");
@ -134,13 +133,22 @@ int srv_open(const char *basedir, int auto_upgrade)
if (smail) if (smail)
unveil("/usr/sbin/sendmail", "x"); unveil("/usr/sbin/sendmail", "x");
if (*address == '/')
unveil(address, "rwc");
unveil(NULL, NULL); unveil(NULL, NULL);
srv_debug(1, xs_fmt("Calling pledge()")); srv_debug(1, xs_fmt("Calling pledge()"));
xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
if (smail) if (smail)
pledge("stdio rpath wpath cpath flock inet proc exec dns fattr", NULL); p = xs_str_cat(p, " exec");
else
pledge("stdio rpath wpath cpath flock inet proc dns fattr", NULL); if (*address == '/')
p = xs_str_cat(p, " unix");
pledge(p, NULL);
} }
#endif /* __OpenBSD__ */ #endif /* __OpenBSD__ */