#include "xalloc.h"
#include "version.h"
#include "random.h"
+#include "sandbox.h"
/* If nonzero, display usage information and exit. */
static bool show_help = false;
goto exit_fail;
case OPT_CONFIG_FILE:
+ assert(optarg);
free(confbase);
confbase = get_path_arg(optarg);
break;
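Review bot: `assert(optarg)` in the OPT_CONFIG_FILE case is compiled out when NDEBUG is defined, so in a release build nothing is checked before `get_path_arg(optarg)`. The same applies to the OPT_NETNAME and OPT_PIDFILE cases that follow. If these options are declared with a required argument (the option table is not visible here), getopt already guarantees a non-NULL `optarg` and the assert only documents that invariant; a comment such as `/* optarg is non-NULL for required_argument options; assert is for analyzers */` would say so. If a runtime guard is intended instead, an explicit `if(!optarg) goto exit_fail;` survives release builds. The enclosing function starts and ends outside this hunk.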
break;
case OPT_NETNAME:
+ assert(optarg);
free(netname);
netname = xstrdup(optarg);
break;
break;
case OPT_PIDFILE:
+ assert(optarg);
free(pidfilename);
pidfilename = get_path_arg(optarg);
break;
return false;
}
+static bool read_sandbox_level(void) {
+ sandbox_level_t level;
+ char *value = NULL;
+
+ if(get_config_string(lookup_config(&config_tree, "Sandbox"), &value)) {
+ if(!strcasecmp("off", value)) {
+ level = SANDBOX_NONE;
+ } else if(!strcasecmp("normal", value)) {
+ level = SANDBOX_NORMAL;
+ } else if(!strcasecmp("high", value)) {
+ level = SANDBOX_HIGH;
+ } else {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Bad sandbox value %s!", value);
+ free(value);
+ return false;
+ }
+
+ free(value);
+ } else {
+#ifdef HAVE_SANDBOX
+ level = SANDBOX_NORMAL;
+#else
+ level = SANDBOX_NONE;
+#endif
+ }
+
+#ifndef HAVE_SANDBOX
+
+ if(level > SANDBOX_NONE) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Sandbox is used but is not supported on this platform");
+ return false;
+ }
+
+#endif
+ sandbox_set_level(level);
+ return true;
+}
+
static bool drop_privs(void) {
#ifndef HAVE_WINDOWS
uid_t uid = 0;
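Review bot: In read_sandbox_level, the unsupported-platform check `if(level > SANDBOX_NONE)` depends on the declaration order of sandbox_level_t, which this diff does not show; `if(level != SANDBOX_NONE)` states the intent without that dependency. The check fails closed, which is the right behaviour: a configured `normal` or `high` on a build without HAVE_SANDBOX stops startup rather than running unconfined. The function has no comment. One above it should list the accepted values (`off`, `normal`, `high`, matched case-insensitively), say that an absent `Sandbox` option defaults to SANDBOX_NORMAL with HAVE_SANDBOX and SANDBOX_NONE without, and say that it returns false on an unknown or unsupported value.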
}
#endif
- return true;
+
+ return sandbox_enter();
}
#ifdef HAVE_WINDOWS
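Review bot: `return sandbox_enter();` at the end of drop_privs reports failure to the caller without a log message at this call site, and nothing explains why the sandbox is entered at this point. If sandbox_enter() does not log its own error (its body is not part of this diff), a failure here would be hard to diagnose from the logs. A short comment before the call would record the ordering, for example `/* Enter the sandbox only after the privilege changes above; failure is returned to the caller. */`. The call sits outside the `#ifndef HAVE_WINDOWS` block, so it also runs on Windows builds, which is worth confirming as intended. The body of drop_privs starts outside this hunk.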
#ifdef HAVE_MINIUPNPC
" miniupnpc"
#endif
+#ifdef HAVE_SANDBOX
+ " sandbox"
+#endif
#ifdef ENABLE_UML
" uml"
#endif
return 1;
}
+ if(!read_sandbox_level()) {
+ return 1;
+ }
+
if(debug_level == DEBUG_NOTHING) {
int level = 0;