diff options
Diffstat (limited to 'sandbox-rlimit.c')
-rw-r--r-- | sandbox-rlimit.c | 54 |
1 files changed, 13 insertions, 41 deletions
diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index bfd1d446e..a00386337 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c | |||
@@ -17,12 +17,9 @@ | |||
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | 19 | ||
20 | #include <sys/types.h> | ||
21 | |||
22 | #include "ssh-sandbox.h" | ||
23 | |||
24 | #ifdef SANDBOX_RLIMIT | 20 | #ifdef SANDBOX_RLIMIT |
25 | 21 | ||
22 | #include <sys/types.h> | ||
26 | #include <sys/param.h> | 23 | #include <sys/param.h> |
27 | #include <sys/time.h> | 24 | #include <sys/time.h> |
28 | #include <sys/resource.h> | 25 | #include <sys/resource.h> |
@@ -35,6 +32,7 @@ | |||
35 | #include <unistd.h> | 32 | #include <unistd.h> |
36 | 33 | ||
37 | #include "log.h" | 34 | #include "log.h" |
35 | #include "ssh-sandbox.h" | ||
38 | #include "xmalloc.h" | 36 | #include "xmalloc.h" |
39 | 37 | ||
40 | /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ | 38 | /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ |
@@ -43,14 +41,8 @@ struct ssh_sandbox { | |||
43 | pid_t child_pid; | 41 | pid_t child_pid; |
44 | }; | 42 | }; |
45 | 43 | ||
46 | static int | 44 | struct ssh_sandbox * |
47 | sandbox_rlimit_probe(void) | 45 | ssh_sandbox_init(void) |
48 | { | ||
49 | return 1; | ||
50 | } | ||
51 | |||
52 | static void * | ||
53 | sandbox_rlimit_init(void) | ||
54 | { | 46 | { |
55 | struct ssh_sandbox *box; | 47 | struct ssh_sandbox *box; |
56 | 48 | ||
@@ -65,16 +57,18 @@ sandbox_rlimit_init(void) | |||
65 | return box; | 57 | return box; |
66 | } | 58 | } |
67 | 59 | ||
68 | static void | 60 | void |
69 | sandbox_rlimit_child(void *vbox) | 61 | ssh_sandbox_child(struct ssh_sandbox *box) |
70 | { | 62 | { |
71 | struct rlimit rl_zero; | 63 | struct rlimit rl_zero; |
72 | 64 | ||
73 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; | 65 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; |
74 | 66 | ||
67 | #ifndef SANDBOX_SKIP_RLIMIT_FSIZE | ||
75 | if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) | 68 | if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) |
76 | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", | 69 | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", |
77 | __func__, strerror(errno)); | 70 | __func__, strerror(errno)); |
71 | #endif | ||
78 | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) | 72 | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) |
79 | fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", | 73 | fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", |
80 | __func__, strerror(errno)); | 74 | __func__, strerror(errno)); |
@@ -85,39 +79,17 @@ sandbox_rlimit_child(void *vbox) | |||
85 | #endif | 79 | #endif |
86 | } | 80 | } |
87 | 81 | ||
88 | static void | 82 | void |
89 | sandbox_rlimit_parent_finish(void *vbox) | 83 | ssh_sandbox_parent_finish(struct ssh_sandbox *box) |
90 | { | 84 | { |
91 | free(vbox); | 85 | free(box); |
92 | debug3("%s: finished", __func__); | 86 | debug3("%s: finished", __func__); |
93 | } | 87 | } |
94 | 88 | ||
95 | static void | 89 | void |
96 | sandbox_rlimit_parent_preauth(void *vbox, pid_t child_pid) | 90 | ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) |
97 | { | 91 | { |
98 | struct ssh_sandbox *box = vbox; | ||
99 | |||
100 | box->child_pid = child_pid; | 92 | box->child_pid = child_pid; |
101 | } | 93 | } |
102 | 94 | ||
103 | Sandbox ssh_sandbox_rlimit = { | ||
104 | "rlimit", | ||
105 | sandbox_rlimit_probe, | ||
106 | sandbox_rlimit_init, | ||
107 | sandbox_rlimit_child, | ||
108 | sandbox_rlimit_parent_finish, | ||
109 | sandbox_rlimit_parent_preauth | ||
110 | }; | ||
111 | |||
112 | #else /* !SANDBOX_RLIMIT */ | ||
113 | |||
114 | Sandbox ssh_sandbox_rlimit = { | ||
115 | "rlimit", | ||
116 | NULL, | ||
117 | NULL, | ||
118 | NULL, | ||
119 | NULL, | ||
120 | NULL | ||
121 | }; | ||
122 | |||
123 | #endif /* SANDBOX_RLIMIT */ | 95 | #endif /* SANDBOX_RLIMIT */ |