authorJune McEnroe <june@causal.agency>2021-10-05 22:02:19 -0400
committerJune McEnroe <june@causal.agency>2021-10-05 22:02:19 -0400
commit4910f996d39788b9cacd34f2ae560cf74eee85de (patch)
tree035243221737f2f179d090e486055de2c40afc70
parentRemove certbot default paths (diff)
downloadpounce-4910f996d39788b9cacd34f2ae560cf74eee85de.tar.gz
pounce-4910f996d39788b9cacd34f2ae560cf74eee85de.zip
FreeBSD: Remove capsicum support
capsicum is too impractical and removing it will allow much more
straightforward code.
-rw-r--r--bounce.c37
-rw-r--r--dispatch.c38
-rw-r--r--local.c10
3 files changed, 1 insertions, 84 deletions
diff --git a/bounce.c b/bounce.c
index 2e52428..beab2bc 100644
--- a/bounce.c
+++ b/bounce.c
@@ -47,10 +47,6 @@
 #include <tls.h>
 #include <unistd.h>
 
-#ifdef __FreeBSD__
-#include <sys/capsicum.h>
-#endif
-
 #ifndef SIGINFO
 #define SIGINFO SIGUSR2
 #endif
@@ -121,13 +117,6 @@ static void saveLoad(const char *path) {
 	atexit(saveSave);
 }
 
-#ifdef __FreeBSD__
-static void capLimit(int fd, const cap_rights_t *rights) {
-	int error = cap_rights_limit(fd, rights);
-	if (error) err(EX_OSERR, "cap_rights_limit");
-}
-#endif
-
 #ifdef __OpenBSD__
 static void unveilParent(const char *path, const char *mode) {
 	char buf[PATH_MAX];
@@ -419,32 +408,6 @@ int main(int argc, char *argv[]) {
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
-#ifdef __FreeBSD__
-	error = cap_enter();
-	if (error) err(EX_OSERR, "cap_enter");
-
-	cap_rights_t saveRights, fileRights, sockRights, bindRights;
-	cap_rights_init(&saveRights, CAP_WRITE);
-	cap_rights_init(&fileRights, CAP_FCNTL, CAP_FSTAT, CAP_LOOKUP, CAP_PREAD);
-	cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT);
-	cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT);
-	cap_rights_merge(&bindRights, &sockRights);
-
-	if (saveFile) capLimit(fileno(saveFile), &saveRights);
-	capLimit(cert.parent, &fileRights);
-	capLimit(cert.target, &fileRights);
-	capLimit(priv.parent, &fileRights);
-	capLimit(priv.target, &fileRights);
-	if (caPath) {
-		capLimit(localCA.parent, &fileRights);
-		capLimit(localCA.target, &fileRights);
-	}
-	for (size_t i = 0; i < binds; ++i) {
-		capLimit(bind[i], &bindRights);
-	}
-	capLimit(server, &sockRights);
-#endif
-
 	stateLogin(pass, blindReq, plain, nick, user, real);
 	if (pass) explicit_bzero(pass, strlen(pass));
 	if (plain) explicit_bzero(plain, strlen(plain));
diff --git a/dispatch.c b/dispatch.c
index 2b85857..512bca2 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -41,10 +41,6 @@
 #include <sysexits.h>
 #include <unistd.h>
 
-#ifdef __FreeBSD__
-#include <sys/capsicum.h>
-#endif
-
 static struct {
 	uint8_t buf[4096];
 	uint8_t *ptr;
@@ -169,10 +165,7 @@ int main(int argc, char *argv[]) {
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
-	int dir = open(path, O_DIRECTORY);
-	if (dir < 0) err(EX_NOINPUT, "%s", path);
-
-	error = fchdir(dir);
+	error = chdir(path);
 	if (error) err(EX_NOINPUT, "%s", path);
 
 	enum { Cap = 1024 };
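Review bot: After `error = chdir(path);` the working directory is the only thing tying the per-connection socket lookup to `path`, because the later hunk (@@ -290,17 +264,7) makes the plain `connect(sock, (struct sockaddr *)&addr, SUN_LEN(&addr))` unconditional and drops the `connectat(dir, ...)` call that ran after `cap_enter()` on FreeBSD. How `addr.sun_path` is filled from `name` lies outside both hunks, so it is worth confirming that a name containing `/` is rejected before the connect; the non-FreeBSD path already depended on this. I would record the invariant above the chdir with a comment such as `// Socket names are connected relative to this directory; they must never contain '/'.` The body of main starts before this hunk and continues past it.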
@@ -212,25 +205,6 @@ int main(int argc, char *argv[]) {
 	if (!binds) errx(EX_UNAVAILABLE, "could not bind any sockets");
 	freeaddrinfo(head);
 
-#ifdef __FreeBSD__
-	error = cap_enter();
-	if (error) err(EX_OSERR, "cap_enter");
-
-	cap_rights_t dirRights, sockRights, unixRights, bindRights;
-	cap_rights_init(&dirRights, CAP_CONNECTAT);
-	cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT);
-	cap_rights_init(&unixRights, CAP_CONNECT, CAP_SEND);
-	cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT);
-	cap_rights_merge(&bindRights, &sockRights);
-
-	error = cap_rights_limit(dir, &dirRights);
-	if (error) err(EX_OSERR, "cap_rights_limit");
-	for (size_t i = 0; i < binds; ++i) {
-		error = cap_rights_limit(fds[i].fd, &bindRights);
-		if (error) err(EX_OSERR, "cap_rights_limit");
-	}
-#endif
-
 	for (size_t i = 0; i < binds; ++i) {
 		error = listen(fds[i].fd, -1);
 		if (error) err(EX_IOERR, "listen");
@@ -290,17 +264,7 @@ int main(int argc, char *argv[]) {
 			int sock = socket(PF_UNIX, SOCK_STREAM, 0);
 			if (sock < 0) err(EX_OSERR, "socket");
 
-#ifdef __FreeBSD__
-			error = cap_rights_limit(sock, &unixRights);
-			if (error) err(EX_OSERR, "cap_rights_limit");
-
-			error = connectat(
-				dir, sock, (struct sockaddr *)&addr, SUN_LEN(&addr)
-			);
-#else
 			error = connect(sock, (struct sockaddr *)&addr, SUN_LEN(&addr));
-#endif
-
 			if (error) {
 				warn("%s", name);
 				alert(fds[i].fd);
diff --git a/local.c b/local.c
index 8d3ff4d..954c015 100644
--- a/local.c
+++ b/local.c
@@ -42,10 +42,6 @@
 #include <tls.h>
 #include <unistd.h>
 
-#ifdef __FreeBSD__
-#include <sys/capsicum.h>
-#endif
-
 #include "bounce.h"
 
 static struct tls *server;
@@ -200,12 +196,6 @@ size_t localUnix(int fds[], size_t cap, const char *path) {
 	if (unixDir < 0) err(EX_UNAVAILABLE, "%s", dir);
 	atexit(unixUnlink);
 
-#ifdef __FreeBSD__
-	cap_rights_t rights;
-	error = cap_rights_limit(unixDir, cap_rights_init(&rights, CAP_UNLINKAT));
-	if (error) err(EX_OSERR, "cap_rights_limit");
-#endif
-
 	unix = true;
 	fds[0] = sock;
 	return 1;