From 15784261dfaece73ef53f5beb5d3917a95dc1ae4 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sat, 26 May 2012 01:44:40 +0100
Subject: Add a sandbox fallback mechanism, so that behaviour on Linux depends
 on whether the running system's kernel has seccomp_filter support, not the
 build system's kernel (forwarded upstream as
 https://bugzilla.mindrot.org/show_bug.cgi?id=2011).

---
 sandbox-darwin.c | 54 ++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 42 insertions(+), 12 deletions(-)

(limited to 'sandbox-darwin.c')

diff --git a/sandbox-darwin.c b/sandbox-darwin.c
index 69901ef14..49330642b 100644
--- a/sandbox-darwin.c
+++ b/sandbox-darwin.c
@@ -16,10 +16,12 @@
 
 #include "includes.h"
 
-#ifdef SANDBOX_DARWIN
-
 #include <sys/types.h>
 
+#include "ssh-sandbox.h"
+
+#ifdef SANDBOX_DARWIN
+
 #include <sandbox.h>
 
 #include <errno.h>
@@ -30,7 +32,6 @@
 #include <unistd.h>
 
 #include "log.h"
-#include "sandbox.h"
 #include "xmalloc.h"
 
 /* Darwin/OS X sandbox */
@@ -39,8 +40,14 @@ struct ssh_sandbox {
 	pid_t child_pid;
 };
 
-struct ssh_sandbox *
-ssh_sandbox_init(void)
+static int
+sandbox_darwin_probe(void)
+{
+	return 1;
+}
+
+static void *
+sandbox_darwin_init(void)
 {
 	struct ssh_sandbox *box;
 
@@ -55,9 +62,10 @@ ssh_sandbox_init(void)
 	return box;
 }
 
-void
-ssh_sandbox_child(struct ssh_sandbox *box)
+static void
+sandbox_darwin_child(void *vbox)
 {
+	struct ssh_sandbox *box = vbox;
 	char *errmsg;
 	struct rlimit rl_zero;
 
@@ -82,17 +90,39 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 			__func__, strerror(errno));
 }
 
-void
-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+static void
+sandbox_darwin_parent_finish(void *vbox)
 {
-	free(box);
+	free(vbox);
 	debug3("%s: finished", __func__);
 }
 
-void
-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+static void
+sandbox_darwin_parent_preauth(void *box, pid_t child_pid)
 {
+	struct ssh_sandbox *box = vbox;
+
 	box->child_pid = child_pid;
 }
 
+Sandbox ssh_sandbox_darwin = {
+	"darwin",
+	sandbox_darwin_probe,
+	sandbox_darwin_init,
+	sandbox_darwin_child,
+	sandbox_darwin_parent_finish,
+	sandbox_darwin_parent_preauth
+};
+
+#else /* !SANDBOX_DARWIN */
+
+Sandbox ssh_sandbox_darwin = {
+	"darwin",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
 #endif /* SANDBOX_DARWIN */
-- 
cgit v1.2.3