head/crypto/openssh/sandbox-capsicum.c
Show All 25 Lines | |||||
#include <sys/capsicum.h> | #include <sys/capsicum.h> | ||||
#include <errno.h> | #include <errno.h> | ||||
#include <stdarg.h> | #include <stdarg.h> | ||||
#include <stdio.h> | #include <stdio.h> | ||||
#include <stdlib.h> | #include <stdlib.h> | ||||
#include <string.h> | #include <string.h> | ||||
#include <unistd.h> | #include <unistd.h> | ||||
#include <capsicum_helpers.h> | |||||
#include "log.h" | #include "log.h" | ||||
#include "monitor.h" | #include "monitor.h" | ||||
#include "ssh-sandbox.h" | #include "ssh-sandbox.h" | ||||
#include "xmalloc.h" | #include "xmalloc.h" | ||||
/* | /* | ||||
* Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits, | * Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits, | ||||
Show All 23 Lines | ssh_sandbox_init(struct monitor *monitor) | ||||
return box; | return box; | ||||
} | } | ||||
void | void | ||||
ssh_sandbox_child(struct ssh_sandbox *box) | ssh_sandbox_child(struct ssh_sandbox *box) | ||||
{ | { | ||||
struct rlimit rl_zero; | struct rlimit rl_zero; | ||||
cap_rights_t rights; | cap_rights_t rights; | ||||
caph_cache_tzdata(); | |||||
rl_zero.rlim_cur = rl_zero.rlim_max = 0; | rl_zero.rlim_cur = rl_zero.rlim_max = 0; | ||||
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) | if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) | ||||
fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", | ||||
__func__, strerror(errno)); | __func__, strerror(errno)); | ||||
#ifndef SANDBOX_SKIP_RLIMIT_NOFILE | #ifndef SANDBOX_SKIP_RLIMIT_NOFILE | ||||
if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) | ||||
▲ Show 20 Lines • Show All 43 Lines • Show Last 20 Lines |
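Review bot: The `caph_cache_tzdata();` call at the top of ssh_sandbox_child() has no comment explaining that its position is load-bearing: it sits before the `setrlimit(RLIMIT_FSIZE, ...)` and `setrlimit(RLIMIT_NOFILE, ...)` calls, and presumably before the capability-mode entry further down, which is outside the visible lines. Without that note, a later cleanup could move it below the restrictions, where the timezone database can no longer be opened and timestamps produced inside the sandbox would quietly change. I would add a comment above the call such as `/* Cache timezone data while files can still be opened; must stay ahead of the rlimit and capability restrictions below. */`. The rendered page does not show unambiguously which side the two one-sided lines (`#include <capsicum_helpers.h>` and this call) belong to, so this assumes they are on the new side. If the change removes them instead, the description should say what now supplies timezone data inside the sandbox.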