Add basic pledge/unveil sandbox on OpenBSD

[tinc] / src / bsd / openbsd / sandbox.c

diff --git a/src/bsd/openbsd/sandbox.c b/src/bsd/openbsd/sandbox.c
new file mode 100644 (file)
index 0000000..180571b
--- /dev/null
+++ b/src/bsd/openbsd/sandbox.c
@@ -0,0 +1,31 @@
+#include "../../system.h"
+
+#include "sandbox.h"
+#include "../../logger.h"
+
+void allow_path(const char *path, const char *priv) {
+       if(path) {
+               logger(DEBUG_ALWAYS, LOG_DEBUG, "Allowing path %s with %s", path, priv);
+
+               if(unveil(path, priv)) {
+                       logger(DEBUG_ALWAYS, LOG_ERR, "unveil(%s, %s) failed: %s", path, priv, strerror(errno));
+               }
+       }
+}
+
+void allow_paths(const unveil_path_t paths[]) {
+       // Since some path variables may contain NULL, we check priv here.
+       // If a NULL path is seen, just skip it.
+       for(const unveil_path_t *p = paths; p->priv; ++p) {
+               allow_path(p->path, p->priv);
+       }
+}
+
+bool restrict_privs(const char *promises, const char *execpromises) {
+       if(pledge(promises, execpromises)) {
+               logger(DEBUG_ALWAYS, LOG_ERR, "pledge(%s, %s) failed: %s", promises, execpromises, strerror(errno));
+               return false;
+       } else {
+               return true;
+       }
+}