diff options
| author | Colin Watson <cjwatson@debian.org> | 2012-05-26 01:44:40 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2012-05-26 01:44:40 +0100 |
| commit | 15784261dfaece73ef53f5beb5d3917a95dc1ae4 (patch) | |
| tree | c39ee6c8ff10efca0e0060d6db07780667832eeb /sandbox-darwin.c | |
| parent | 9fce61538243d8d04d6cf174e118df6c4ece351d (diff) | |
Add a sandbox fallback mechanism, so that behaviour on Linux depends on
whether the running system's kernel has seccomp_filter support, not the
build system's kernel (forwarded upstream as
https://bugzilla.mindrot.org/show_bug.cgi?id=2011).
Diffstat (limited to 'sandbox-darwin.c')
| -rw-r--r-- | sandbox-darwin.c | 54 |
1 files changed, 42 insertions, 12 deletions
diff --git a/sandbox-darwin.c b/sandbox-darwin.c index 69901ef14..49330642b 100644 --- a/sandbox-darwin.c +++ b/sandbox-darwin.c | |||
| @@ -16,10 +16,12 @@ | |||
| 16 | 16 | ||
| 17 | #include "includes.h" | 17 | #include "includes.h" |
| 18 | 18 | ||
| 19 | #ifdef SANDBOX_DARWIN | ||
| 20 | |||
| 21 | #include <sys/types.h> | 19 | #include <sys/types.h> |
| 22 | 20 | ||
| 21 | #include "ssh-sandbox.h" | ||
| 22 | |||
| 23 | #ifdef SANDBOX_DARWIN | ||
| 24 | |||
| 23 | #include <sandbox.h> | 25 | #include <sandbox.h> |
| 24 | 26 | ||
| 25 | #include <errno.h> | 27 | #include <errno.h> |
| @@ -30,7 +32,6 @@ | |||
| 30 | #include <unistd.h> | 32 | #include <unistd.h> |
| 31 | 33 | ||
| 32 | #include "log.h" | 34 | #include "log.h" |
| 33 | #include "sandbox.h" | ||
| 34 | #include "xmalloc.h" | 35 | #include "xmalloc.h" |
| 35 | 36 | ||
| 36 | /* Darwin/OS X sandbox */ | 37 | /* Darwin/OS X sandbox */ |
| @@ -39,8 +40,14 @@ struct ssh_sandbox { | |||
| 39 | pid_t child_pid; | 40 | pid_t child_pid; |
| 40 | }; | 41 | }; |
| 41 | 42 | ||
| 42 | struct ssh_sandbox * | 43 | static int |
| 43 | ssh_sandbox_init(void) | 44 | sandbox_darwin_probe(void) |
| 45 | { | ||
| 46 | return 1; | ||
| 47 | } | ||
| 48 | |||
| 49 | static void * | ||
| 50 | sandbox_darwin_init(void) | ||
| 44 | { | 51 | { |
| 45 | struct ssh_sandbox *box; | 52 | struct ssh_sandbox *box; |
| 46 | 53 | ||
| @@ -55,9 +62,10 @@ ssh_sandbox_init(void) | |||
| 55 | return box; | 62 | return box; |
| 56 | } | 63 | } |
| 57 | 64 | ||
| 58 | void | 65 | static void |
| 59 | ssh_sandbox_child(struct ssh_sandbox *box) | 66 | sandbox_darwin_child(void *vbox) |
| 60 | { | 67 | { |
| 68 | struct ssh_sandbox *box = vbox; | ||
| 61 | char *errmsg; | 69 | char *errmsg; |
| 62 | struct rlimit rl_zero; | 70 | struct rlimit rl_zero; |
| 63 | 71 | ||
| @@ -82,17 +90,39 @@ ssh_sandbox_child(struct ssh_sandbox *box) | |||
| 82 | __func__, strerror(errno)); | 90 | __func__, strerror(errno)); |
| 83 | } | 91 | } |
| 84 | 92 | ||
| 85 | void | 93 | static void |
| 86 | ssh_sandbox_parent_finish(struct ssh_sandbox *box) | 94 | sandbox_darwin_parent_finish(void *vbox) |
| 87 | { | 95 | { |
| 88 | free(box); | 96 | free(vbox); |
| 89 | debug3("%s: finished", __func__); | 97 | debug3("%s: finished", __func__); |
| 90 | } | 98 | } |
| 91 | 99 | ||
| 92 | void | 100 | static void |
| 93 | ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) | 101 | sandbox_darwin_parent_preauth(void *box, pid_t child_pid) |
| 94 | { | 102 | { |
| 103 | struct ssh_sandbox *box = vbox; | ||
| 104 | |||
| 95 | box->child_pid = child_pid; | 105 | box->child_pid = child_pid; |
| 96 | } | 106 | } |
| 97 | 107 | ||
| 108 | Sandbox ssh_sandbox_darwin = { | ||
| 109 | "darwin", | ||
| 110 | sandbox_darwin_probe, | ||
| 111 | sandbox_darwin_init, | ||
| 112 | sandbox_darwin_child, | ||
| 113 | sandbox_darwin_parent_finish, | ||
| 114 | sandbox_darwin_parent_preauth | ||
| 115 | }; | ||
| 116 | |||
| 117 | #else /* !SANDBOX_DARWIN */ | ||
| 118 | |||
| 119 | Sandbox ssh_sandbox_darwin = { | ||
| 120 | "darwin", | ||
| 121 | NULL, | ||
| 122 | NULL, | ||
| 123 | NULL, | ||
| 124 | NULL, | ||
| 125 | NULL | ||
| 126 | }; | ||
| 127 | |||
| 98 | #endif /* SANDBOX_DARWIN */ | 128 | #endif /* SANDBOX_DARWIN */ |