Make Solaris privs code build on older systems.

Not all systems with Solaris privs have priv_basicset so factor that out and provide backward compatibility code. Similarly, not all have PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from alex at cooperi.net and djm@ with help from carson at taltos.org and wieland at purdue.edu.
author: Darren Tucker <dtucker@zip.com.au> 2016-02-19 09:05:39 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2016-02-19 09:05:39 +1100
commit: 907091acb188b1057d50c2158f74c3ecf1c2302b (patch)
tree: 62f2c59f51e55a3f49c7c173527425eb1b19a876 /sandbox-solaris.c
parent: 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/sandbox-solaris.c b/sandbox-solaris.c
index 98714e170..343a01022 100644
--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -48,19 +48,20 @@ ssh_sandbox_init(struct monitor *monitor)
        struct ssh_sandbox *box = NULL;
        box = xcalloc(1, sizeof(*box));
-        box->pset = priv_allocset();
+        /* Start with "basic" and drop everything we don't need. */
+        box->pset = solaris_basic_privset();
        if (box->pset == NULL) {
                free(box);
                return NULL;
        }
-        /* Start with "basic" and drop everything we don't need. */
-        priv_basicset(box->pset);
        /* Drop everything except the ability to use already-opened files */
        if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
            priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+#endif
            priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
            priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
            priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||
author	Darren Tucker <dtucker@zip.com.au>	2016-02-19 09:05:39 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2016-02-19 09:05:39 +1100
commit	907091acb188b1057d50c2158f74c3ecf1c2302b (patch)
tree	62f2c59f51e55a3f49c7c173527425eb1b19a876 /sandbox-solaris.c
parent	292a8dee14e5e67dcd1b49ba5c7b9023e8420d59 (diff)

diff --git a/sandbox-solaris.c b/sandbox-solaris.c index 98714e170..343a01022 100644 --- a/sandbox-solaris.c +++ b/sandbox-solaris.c
@@ -48,19 +48,20 @@ ssh_sandbox_init(struct monitor *monitor)
48	struct ssh_sandbox *box = NULL;	48	struct ssh_sandbox *box = NULL;
49		49
50	box = xcalloc(1, sizeof(*box));	50	box = xcalloc(1, sizeof(*box));
51	box->pset = priv_allocset();	51
		52	/* Start with "basic" and drop everything we don't need. */
		53	box->pset = solaris_basic_privset();
52		54
53	if (box->pset == NULL) {	55	if (box->pset == NULL) {
54	free(box);	56	free(box);
55	return NULL;	57	return NULL;
56	}	58	}
57		59
58	/* Start with "basic" and drop everything we don't need. */
59	priv_basicset(box->pset);
60
61	/* Drop everything except the ability to use already-opened files */	60	/* Drop everything except the ability to use already-opened files */
62	if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 \|\|	61	if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 \|\|
		62	#ifdef PRIV_NET_ACCESS
63	priv_delset(box->pset, PRIV_NET_ACCESS) != 0 \|\|	63	priv_delset(box->pset, PRIV_NET_ACCESS) != 0 \|\|
		64	#endif
64	priv_delset(box->pset, PRIV_PROC_EXEC) != 0 \|\|	65	priv_delset(box->pset, PRIV_PROC_EXEC) != 0 \|\|
65	priv_delset(box->pset, PRIV_PROC_FORK) != 0 \|\|	66	priv_delset(box->pset, PRIV_PROC_FORK) != 0 \|\|
66	priv_delset(box->pset, PRIV_PROC_INFO) != 0 \|\|	67	priv_delset(box->pset, PRIV_PROC_INFO) != 0 \|\|