From f542fd5ca7a16165d80c5f968777e7a4bf71e6f1 Mon Sep 17 00:00:00 2001
From: Kristaps Dzonsons
Date: Tue, 12 Jul 2016 05:18:38 +0000
Subject: Add support for Mac OS X's sandbox_init(3) sandbox functionality, which is marked as DEPRECATED in OS X after 2011 or so, but has not been removed and has no replacement. ok schwarze@
---
 Makefile | 3 ++-
 configure | 3 +++
 main.c | 10 +++++++++-
 mandocdb.c | 12 +++++++++++-
 test-sandbox_init.c | 13 +++++++++++++
 5 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 test-sandbox_init.c
diff --git a/Makefile b/Makefile
index 91a671fc..f76b1376 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# $Id: Makefile,v 1.487 2016/07/10 18:24:23 schwarze Exp $
+# $Id: Makefile,v 1.488 2016/07/12 05:18:38 kristaps Exp $
 #
 # Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons
 # Copyright (c) 2011, 2013-2016 Ingo Schwarze
@@ -33,6 +33,7 @@ TESTSRCS = test-dirent-namlen.c \
 test-reallocarray.c \
 test-rewb-bsd.c \
 test-rewb-sysv.c \
+ test-sandbox_init.c \
 test-sqlite3.c \
 test-sqlite3_errstr.c \
 test-strcasestr.c \
diff --git a/configure b/configure
index 13fd1409..6f2c4116 100755
--- a/configure
+++ b/configure
@@ -58,6 +58,7 @@ HAVE_PROGNAME=
 HAVE_REALLOCARRAY=
 HAVE_REWB_BSD=
 HAVE_REWB_SYSV=
+HAVE_SANDBOX_INIT=
 HAVE_STRCASESTR=
 HAVE_STRINGLIST=
 HAVE_STRLCAT=
@@ -186,6 +187,7 @@ runtest isblank ISBLANK || true
 runtest mkdtemp MKDTEMP || true
 runtest mmap MMAP || true
 runtest pledge PLEDGE || true
+runtest sandbox_init SANDBOX_INIT || true
 runtest progname PROGNAME || true
 runtest reallocarray REALLOCARRAY || true
 runtest rewb-bsd REWB_BSD || true
@@ -317,6 +319,7 @@ cat << __HEREDOC__
 #define HAVE_REALLOCARRAY ${HAVE_REALLOCARRAY}
 #define HAVE_REWB_BSD ${HAVE_REWB_BSD}
 #define HAVE_REWB_SYSV ${HAVE_REWB_SYSV}
+#define HAVE_SANDBOX_INIT ${HAVE_SANDBOX_INIT}
 #define HAVE_STRCASESTR ${HAVE_STRCASESTR}
 #define HAVE_STRINGLIST ${HAVE_STRINGLIST}
 #define HAVE_STRLCAT ${HAVE_STRLCAT}
diff --git a/main.c b/main.c
index a03ab0fe..527db244 100644
--- a/main.c
+++ b/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.268 2016/07/10 14:05:13 schwarze Exp $ */
+/* $Id: main.c,v 1.269 2016/07/12 05:18:38 kristaps Exp $ */
 /*
 * Copyright (c) 2008-2012 Kristaps Dzonsons
 * Copyright (c) 2010-2012, 2014-2016 Ingo Schwarze
@@ -30,6 +30,9 @@
 #include
 #include
 #include
+#if HAVE_SANDBOX_INIT
+#include
+#endif
 #include
 #include
 #include
@@ -159,6 +162,11 @@ main(int argc, char *argv[])
 err((int)MANDOCLEVEL_SYSERR, "pledge");
 #endif
+#if HAVE_SANDBOX_INIT
+ if (sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, NULL) == -1)
+ errx((int)MANDOCLEVEL_SYSERR, "sandbox_init");
+#endif
+
 /* Search options. */
 memset(&conf, 0, sizeof(conf));
diff --git a/mandocdb.c b/mandocdb.c
index fa23ad0e..6c04cb05 100644
--- a/mandocdb.c
+++ b/mandocdb.c
@@ -1,4 +1,4 @@
-/* $Id: mandocdb.c,v 1.217 2016/07/09 15:24:19 schwarze Exp $ */
+/* $Id: mandocdb.c,v 1.218 2016/07/12 05:18:38 kristaps Exp $ */
 /*
 * Copyright (c) 2011, 2012 Kristaps Dzonsons
 * Copyright (c) 2011-2016 Ingo Schwarze
@@ -34,6 +34,9 @@
 #include "compat_fts.h"
 #endif
 #include
+#if HAVE_SANDBOX_INIT
+#include
+#endif
 #include
 #include
 #include
@@ -345,6 +348,13 @@ mandocdb(int argc, char *argv[])
 }
 #endif
+#if HAVE_SANDBOX_INIT
+ if (sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, NULL) == -1) {
+ warnx("sandbox_init");
+ return (int)MANDOCLEVEL_SYSERR;
+ }
+#endif
+
 memset(&conf, 0, sizeof(conf));
 memset(stmts, 0, STMT__MAX * sizeof(sqlite3_stmt *));
diff --git a/test-sandbox_init.c b/test-sandbox_init.c
new file mode 100644
index 00000000..a4902ee6
--- /dev/null
+++ b/test-sandbox_init.c
@@ -0,0 +1,13 @@
+#include
+
+int
+main(void)
+{
+ char *ep;
+ int rc;
+
+ rc = sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, &ep);
+ if (-1 == rc)
+ sandbox_free_error(ep);
+ return(-1 == rc);
+}
--
cgit v1.2.3-56-ge451
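Review bot: Passing NULL as the last argument of sandbox_init() in the main.c hunk at -159 discards the only description of why sandboxing failed, so `errx((int)MANDOCLEVEL_SYSERR, "sandbox_init");` prints a bare name with no cause. The probe in test-sandbox_init.c shows that the call can store an error string which is released with sandbox_free_error(). Consider a local `char *ep;`, passing `&ep`, and reporting `errx((int)MANDOCLEVEL_SYSERR, "sandbox_init: %s", ep);`. The same applies to `warnx("sandbox_init");` in the mandocdb.c hunk at -345, which should also call `sandbox_free_error(ep);` before returning. A comment above both calls should record that kSBXProfileNoInternet only prohibits TCP/IP networking and leaves file and process operations unconfined, e.g. `/* Denies networking only; file system access and exec stay unrestricted. */`; main() and mandocdb() both start and end outside their hunks.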
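Review bot: The new probe in test-sandbox_init.c has no comment saying what its exit status means, and `return(-1 == rc);` reports the feature as absent whenever the call fails at run time, not only when the API is missing. If configure executes the program rather than only compiling it (inferred from the exit status being meaningful), a build host that refuses sandbox_init() would yield HAVE_SANDBOX_INIT=0 and binaries that run unsandboxed without any warning. A header comment such as `/* Exit 0 only if sandbox_init(3) is present and succeeds on the build host. */` would make that dependency visible. Separately, `ep` reaches sandbox_free_error() without being initialized by the program, so the failure path relies on the library having stored a pointer; `char *ep = NULL;` would remove that reliance, provided sandbox_free_error() accepts NULL, which should be confirmed.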