diff options
| author | June McEnroe <june@causal.agency> | 2021-10-05 22:02:19 -0400 |
|---|---|---|
| committer | June McEnroe <june@causal.agency> | 2021-10-05 22:02:19 -0400 |
| commit | 4910f996d39788b9cacd34f2ae560cf74eee85de (patch) | |
| tree | 035243221737f2f179d090e486055de2c40afc70 | |
| parent | Remove certbot default paths (diff) | |
| download | pounce-4910f996d39788b9cacd34f2ae560cf74eee85de.tar.gz pounce-4910f996d39788b9cacd34f2ae560cf74eee85de.zip | |
FreeBSD: Remove capsicum support
capsicum is too impractical and removing it will allow much more straightforward code.
| -rw-r--r-- | bounce.c | 37 | ||||
| -rw-r--r-- | dispatch.c | 38 | ||||
| -rw-r--r-- | local.c | 10 |
3 files changed, 1 insertions, 84 deletions
diff --git a/bounce.c b/bounce.c index 2e52428..beab2bc 100644 --- a/bounce.c +++ b/bounce.c @@ -47,10 +47,6 @@ #include <tls.h> #include <unistd.h> -#ifdef __FreeBSD__ -#include <sys/capsicum.h> -#endif - #ifndef SIGINFO #define SIGINFO SIGUSR2 #endif @@ -121,13 +117,6 @@ static void saveLoad(const char *path) { atexit(saveSave); } -#ifdef __FreeBSD__ -static void capLimit(int fd, const cap_rights_t *rights) { - int error = cap_rights_limit(fd, rights); - if (error) err(EX_OSERR, "cap_rights_limit"); -} -#endif - #ifdef __OpenBSD__ static void unveilParent(const char *path, const char *mode) { char buf[PATH_MAX]; @@ -419,32 +408,6 @@ int main(int argc, char *argv[]) { if (error) err(EX_OSERR, "pledge"); #endif -#ifdef __FreeBSD__ - error = cap_enter(); - if (error) err(EX_OSERR, "cap_enter"); - - cap_rights_t saveRights, fileRights, sockRights, bindRights; - cap_rights_init(&saveRights, CAP_WRITE); - cap_rights_init(&fileRights, CAP_FCNTL, CAP_FSTAT, CAP_LOOKUP, CAP_PREAD); - cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT); - cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT); - cap_rights_merge(&bindRights, &sockRights); - - if (saveFile) capLimit(fileno(saveFile), &saveRights); - capLimit(cert.parent, &fileRights); - capLimit(cert.target, &fileRights); - capLimit(priv.parent, &fileRights); - capLimit(priv.target, &fileRights); - if (caPath) { - capLimit(localCA.parent, &fileRights); - capLimit(localCA.target, &fileRights); - } - for (size_t i = 0; i < binds; ++i) { - capLimit(bind[i], &bindRights); - } - capLimit(server, &sockRights); -#endif - stateLogin(pass, blindReq, plain, nick, user, real); if (pass) explicit_bzero(pass, strlen(pass)); if (plain) explicit_bzero(plain, strlen(plain)); diff --git a/dispatch.c b/dispatch.c index 2b85857..512bca2 100644 --- a/dispatch.c +++ b/dispatch.c @@ -41,10 +41,6 @@ #include <sysexits.h> #include <unistd.h> -#ifdef __FreeBSD__ -#include <sys/capsicum.h> -#endif - static struct { uint8_t buf[4096]; uint8_t *ptr; @@ -169,10 +165,7 @@ int main(int argc, char *argv[]) { if (error) err(EX_OSERR, "pledge"); #endif - int dir = open(path, O_DIRECTORY); - if (dir < 0) err(EX_NOINPUT, "%s", path); - - error = fchdir(dir); + error = chdir(path); if (error) err(EX_NOINPUT, "%s", path); enum { Cap = 1024 }; @@ -212,25 +205,6 @@ int main(int argc, char *argv[]) { if (!binds) errx(EX_UNAVAILABLE, "could not bind any sockets"); freeaddrinfo(head); -#ifdef __FreeBSD__ - error = cap_enter(); - if (error) err(EX_OSERR, "cap_enter"); - - cap_rights_t dirRights, sockRights, unixRights, bindRights; - cap_rights_init(&dirRights, CAP_CONNECTAT); - cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT); - cap_rights_init(&unixRights, CAP_CONNECT, CAP_SEND); - cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT); - cap_rights_merge(&bindRights, &sockRights); - - error = cap_rights_limit(dir, &dirRights); - if (error) err(EX_OSERR, "cap_rights_limit"); - for (size_t i = 0; i < binds; ++i) { - error = cap_rights_limit(fds[i].fd, &bindRights); - if (error) err(EX_OSERR, "cap_rights_limit"); - } -#endif - for (size_t i = 0; i < binds; ++i) { error = listen(fds[i].fd, -1); if (error) err(EX_IOERR, "listen"); @@ -290,17 +264,7 @@ int main(int argc, char *argv[]) { int sock = socket(PF_UNIX, SOCK_STREAM, 0); if (sock < 0) err(EX_OSERR, "socket"); -#ifdef __FreeBSD__ - error = cap_rights_limit(sock, &unixRights); - if (error) err(EX_OSERR, "cap_rights_limit"); - - error = connectat( - dir, sock, (struct sockaddr *)&addr, SUN_LEN(&addr) - ); -#else error = connect(sock, (struct sockaddr *)&addr, SUN_LEN(&addr)); -#endif - if (error) { warn("%s", name); alert(fds[i].fd); diff --git a/local.c b/local.c index 8d3ff4d..954c015 100644 --- a/local.c +++ b/local.c @@ -42,10 +42,6 @@ #include <tls.h> #include <unistd.h> -#ifdef __FreeBSD__ -#include <sys/capsicum.h> -#endif - #include "bounce.h" static struct tls *server; @@ -200,12 +196,6 @@ size_t localUnix(int fds[], size_t cap, const char *path) { if (unixDir < 0) err(EX_UNAVAILABLE, "%s", dir); atexit(unixUnlink); -#ifdef __FreeBSD__ - cap_rights_t rights; - error = cap_rights_limit(unixDir, cap_rights_init(&rights, CAP_UNLINKAT)); - if (error) err(EX_OSERR, "cap_rights_limit"); -#endif - unix = true; fds[0] = sock; return 1; |