From 15784261dfaece73ef53f5beb5d3917a95dc1ae4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sat, 26 May 2012 01:44:40 +0100 Subject: Add a sandbox fallback mechanism, so that behaviour on Linux depends on whether the running system's kernel has seccomp_filter support, not the build system's kernel (forwarded upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=2011). --- sandbox-rlimit.c | 52 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 11 deletions(-) (limited to 'sandbox-rlimit.c') diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index 761e9284f..bfd1d446e 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c @@ -17,9 +17,12 @@ #include "includes.h" +#include + +#include "ssh-sandbox.h" + #ifdef SANDBOX_RLIMIT -#include #include #include #include @@ -32,7 +35,6 @@ #include #include "log.h" -#include "ssh-sandbox.h" #include "xmalloc.h" /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ @@ -41,8 +43,14 @@ struct ssh_sandbox { pid_t child_pid; }; -struct ssh_sandbox * -ssh_sandbox_init(void) +static int +sandbox_rlimit_probe(void) +{ + return 1; +} + +static void * +sandbox_rlimit_init(void) { struct ssh_sandbox *box; @@ -57,8 +65,8 @@ ssh_sandbox_init(void) return box; } -void -ssh_sandbox_child(struct ssh_sandbox *box) +static void +sandbox_rlimit_child(void *vbox) { struct rlimit rl_zero; @@ -77,17 +85,39 @@ ssh_sandbox_child(struct ssh_sandbox *box) #endif } -void -ssh_sandbox_parent_finish(struct ssh_sandbox *box) +static void +sandbox_rlimit_parent_finish(void *vbox) { - free(box); + free(vbox); debug3("%s: finished", __func__); } -void -ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +static void +sandbox_rlimit_parent_preauth(void *vbox, pid_t child_pid) { + struct ssh_sandbox *box = vbox; + box->child_pid = child_pid; } +Sandbox ssh_sandbox_rlimit = { + "rlimit", + sandbox_rlimit_probe, + sandbox_rlimit_init, + sandbox_rlimit_child, + sandbox_rlimit_parent_finish, + sandbox_rlimit_parent_preauth +}; + +#else /* !SANDBOX_RLIMIT */ + +Sandbox ssh_sandbox_rlimit = { + "rlimit", + NULL, + NULL, + NULL, + NULL, + NULL +}; + #endif /* SANDBOX_RLIMIT */ -- cgit v1.2.3