root
/
xz
mirror of https://git.tukaani.org/xz.git
1
0
Fork 0
Code Issues Releases Wiki Activity

xz: Add support for OpenBSD's pledge() sandbox.

This commit is contained in:
Lasse Collin 2022-10-25 21:11:58 +03:00
parent f9913e8ee2
commit 563288ea70
4 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
configure.ac
View File

@ -523,7 +523,8 @@ AM_CONDITIONAL([COND_SYMVERS_GENERIC],
AC_MSG_CHECKING([if sandboxing should be used]) AC_MSG_CHECKING([if sandboxing should be used])
AC_ARG_ENABLE([sandbox], [AS_HELP_STRING([--enable-sandbox=METHOD], AC_ARG_ENABLE([sandbox], [AS_HELP_STRING([--enable-sandbox=METHOD],
[Sandboxing METHOD can be `auto', `no', or `capsicum'. [Sandboxing METHOD can be
`auto', `no', `capsicum', or `pledge'.
The default is `auto' which enables sandboxing if The default is `auto' which enables sandboxing if
a supported sandboxing method is found.])], a supported sandboxing method is found.])],
[], [enable_sandbox=auto]) [], [enable_sandbox=auto])
@ -531,12 +532,12 @@ case $enable_sandbox in
auto) auto)
AC_MSG_RESULT([maybe (autodetect)]) AC_MSG_RESULT([maybe (autodetect)])
;; ;;
no | capsicum) no | capsicum | pledge)
AC_MSG_RESULT([$enable_sandbox]) AC_MSG_RESULT([$enable_sandbox])
;; ;;
*) *)
AC_MSG_RESULT([]) AC_MSG_RESULT([])
AC_MSG_ERROR([--enable-sandbox only accepts `auto', `no', or `capsicum'.]) AC_MSG_ERROR([--enable-sandbox only accepts `auto', `no', `capsicum', or `pledge'.])
;; ;;
esac esac
@ -816,6 +817,11 @@ case $enable_sandbox in
AX_CHECK_CAPSICUM([enable_sandbox=found], [:]) AX_CHECK_CAPSICUM([enable_sandbox=found], [:])
;; ;;
esac esac
case $enable_sandbox in
auto | pledge)
AC_CHECK_FUNCS([pledge], [enable_sandbox=found ; break])
;;
esac
# If a specific sandboxing method was explicitly requested and it wasn't # If a specific sandboxing method was explicitly requested and it wasn't
# found, give an error. # found, give an error.

11
src/xz/file_io.c
View File

@ -212,6 +212,17 @@ io_sandbox_enter(int src_fd)
if (cap_enter()) if (cap_enter())
goto error; goto error;
#elif defined(HAVE_PLEDGE)
// pledge() was introduced in OpenBSD 5.9.
//
// main() unconditionally calls pledge() with fairly relaxed
// promises which work in all situations. Here we make the
// sandbox more strict.
if (pledge("stdio", ""))
goto error;
(void)src_fd;
#else #else
# error ENABLE_SANDBOX is defined but no sandboxing method was found. # error ENABLE_SANDBOX is defined but no sandboxing method was found.
#endif #endif

13
src/xz/main.c
View File

@ -163,6 +163,19 @@ main(int argc, char **argv)
// on the command line, thus this must be done before args_parse(). // on the command line, thus this must be done before args_parse().
hardware_init(); hardware_init();
#ifdef HAVE_PLEDGE
// OpenBSD's pledge() sandbox
//
// Unconditionally enable sandboxing with fairly relaxed promises.
// This is still way better than having no sandbox at all. :-)
// More strict promises will be made later in file_io.c if possible.
//
// This is done only after the above initializations
// as the error message needs locale support.
if (pledge("stdio rpath wpath cpath fattr", ""))
message_fatal(_("Failed to enable the sandbox"));
#endif
// Parse the command line arguments and get an array of filenames. // Parse the command line arguments and get an array of filenames.
// This doesn't return if something is wrong with the command line // This doesn't return if something is wrong with the command line
// arguments. If there are no arguments, one filename ("-") is still // arguments. If there are no arguments, one filename ("-") is still

2
src/xz/private.h
View File

@ -45,7 +45,7 @@
# define STDERR_FILENO (fileno(stderr)) # define STDERR_FILENO (fileno(stderr))
#endif #endif
#ifdef HAVE_CAPSICUM #if defined(HAVE_CAPSICUM) || defined(HAVE_PLEDGE)
# define ENABLE_SANDBOX 1 # define ENABLE_SANDBOX 1
#endif #endif