author | Darren Tucker <dtucker@zip.com.au> | 2016-02-19 09:05:39 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2016-02-19 09:05:39 +1100 |
commit | 907091acb188b1057d50c2158f74c3ecf1c2302b (patch) | |
tree | 62f2c59f51e55a3f49c7c173527425eb1b19a876 /sandbox-solaris.c | |
parent | 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59 (diff) |
Make Solaris privs code build on older systems.
Not all systems with Solaris privs have priv_basicset so factor that
out and provide backward compatibility code. Similarly, not all have
PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
alex at cooperi.net and djm@ with help from carson at taltos.org and
wieland at purdue.edu.
Diffstat (limited to 'sandbox-solaris.c')
-rw-r--r-- | sandbox-solaris.c | 9 |
1 files changed, 5 insertions, 4 deletions
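--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -48,19 +48,20 @@ ssh_sandbox_init(struct monitor *monitor)
 	struct ssh_sandbox *box = NULL;
 
 	box = xcalloc(1, sizeof(*box));
-	box->pset = priv_allocset();
+
+	/* Start with "basic" and drop everything we don't need. */
+	box->pset = solaris_basic_privset();
 
 	if (box->pset == NULL) {
 		free(box);
 		return NULL;
 	}
 
-	/* Start with "basic" and drop everything we don't need. */
-	priv_basicset(box->pset);
-
 	/* Drop everything except the ability to use already-opened files */
 	if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
 	    priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+#endif
 	    priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
 	    priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
 	    priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||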
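Review bot: The `#ifdef PRIV_NET_ACCESS` guard around the `priv_delset` call means that on a build where the macro is absent the sandbox simply skips that drop, and nothing in the hunk records that the resulting sandbox is weaker on such systems (presumably those releases lack the privilege altogether, but that is not visible here). A one-line comment inside the guard would make the trade-off explicit for the next reader, e.g. `/* Not every Solaris release defines PRIV_NET_ACCESS; where it is missing this drop is skipped and the sandbox is correspondingly weaker. */`. A debug-level log on the skipped path would also let the effective sandbox strength be observed in a deployment, though whether a logging helper is in scope cannot be seen from the hunk. The `if` that starts at the `PRIV_FILE_LINK_ANY` line and the enclosing `ssh_sandbox_init` both continue past the end of the hunk, and the function begins before it.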