💾 Archived View for gemini.rmf-dev.com › repo › Vaati › Vgmi › files › fc07f8fcc5c001b1a05e3163b84c5… captured on 2024-02-05 at 10:02:28. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

Go Back

0 /*

1 * ISC License

2 * Copyright (c) 2023 RMF <rawmonk@firemail.cc>

3 */

4 #if defined (__FreeBSD__) && !defined (DISABLE_SANDBOX)

5 #include <stdio.h>

6 #include <stdlib.h>

7 #include <unistd.h>

8 #include <sys/capsicum.h>

9 #include <sys/socket.h>

10 #include <netinet/in.h>

11 #include <netdb.h>

12 #include <strings.h>

13 #define WITH_CASPER

14 #include <sys/nv.h>

15 #include <libcasper.h>

16 #include <casper/cap_net.h>

17 #include <capsicum_helpers.h>

18

19 #include "sandbox.h"

20 #include "storage.h"

21 #include "error.h"

22

23 cap_channel_t *_capnet;

24

25 int sandbox_connect(int s, void *name, int namelen) {

26 return cap_connect(_capnet, s, name, namelen);

27 }

28

29 int sandbox_getaddrinfo(const char *hostname, const char *servname,

30 void *hints, void *res) {

31 return cap_getaddrinfo(_capnet, hostname, servname, hints, res);

32 }

33

34 #include <sys/types.h>

35 #include <signal.h>

36 int sandbox_init(void) {

37

38 int families[] = {AF_INET, AF_INET6};

39 cap_net_limit_t* limit;

40 cap_rights_t rights;

41 cap_channel_t *capcas;

42

43 if (chdir("/var/empty")) return ERROR_SANDBOX_FAILURE;

44

45 cap_rights_init(&rights, CAP_WRITE, CAP_LOOKUP, CAP_READ,

46 CAP_SEEK, CAP_CREATE, CAP_FCNTL, CAP_FTRUNCATE);

47 if (cap_rights_limit(storage_fd, &rights))

48 return ERROR_SANDBOX_FAILURE;

49

50 capcas = cap_init();

51 if (!capcas) return ERROR_SANDBOX_FAILURE;

52

53 caph_cache_catpages();

54 if (caph_enter()) return ERROR_SANDBOX_FAILURE;

55

56 _capnet = cap_service_open(capcas, "system.net");

57 cap_close(capcas);

58 if (!_capnet) return ERROR_SANDBOX_FAILURE;

59

60 limit = cap_net_limit_init(_capnet,

61 CAPNET_NAME2ADDR |

62 CAPNET_CONNECTDNS |

63 CAPNET_CONNECT);

64 if (!limit) return ERROR_SANDBOX_FAILURE;

65

66 cap_net_limit_name2addr_family(limit, families, 2);

67 if (cap_net_limit(limit) < 0) return ERROR_SANDBOX_FAILURE;

68

69 return 0;

70 }

71

72 int sandbox_isolate(void) {

73 if (cap_enter()) return ERROR_SANDBOX_FAILURE;

74 return 0;

75 }

76

77 int sandbox_set_name(const char *name) {

78 setproctitle("%s", name);

79 return 0;

80 }

81 #else

82 typedef int hide_warning;

83 #endif

84