authorDavid Carlier <[email protected]>2019-01-06 17:07:53 +0000
committerDavid Carlier <[email protected]>2019-01-06 17:07:53 +0000
commit738a37784f707f7e0ee10d3eca7d03f7ae4063a5 (patch)
treea901965c487f5f80463aea020459fd356116b373 /src/lib/utils
parentaae03e177452a5b7f5a42b4acf0c3fde07fdf045 (diff)
Proposal for a sandboxing feature.
For now only used by the TLS server.
Diffstat (limited to 'src/lib/utils')
-rw-r--r--src/lib/utils/os_utils.cpp16
-rw-r--r--src/lib/utils/os_utils.h9
2 files changed, 25 insertions, 0 deletions
diff --git a/src/lib/utils/os_utils.cpp b/src/lib/utils/os_utils.cpp
index f373ece99..9ec45a8c1 100644
--- a/src/lib/utils/os_utils.cpp
+++ b/src/lib/utils/os_utils.cpp
@@ -45,6 +45,10 @@
#include <windows.h>
#endif
+#if defined(BOTAN_TARGET_OS_CAP_ENTER)
+ #include <sys/capsicum.h>
+#endif
+
namespace Botan {
// Not defined in OS namespace for historical reasons
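Review bot: The guard on the new include line, `#if defined(BOTAN_TARGET_OS_CAP_ENTER)`, does not match the macro tested in `sandbox_start()` in the next hunk, which is `BOTAN_TARGET_OS_HAS_CAP_ENTER`; unless the build system defines both spellings, `<sys/capsicum.h>` is never included and the `::cap_enter()` call has no declaration on Capsicum targets. The guard should read `#if defined(BOTAN_TARGET_OS_HAS_CAP_ENTER)` so that the include and the use are keyed on the same feature macro. I cannot see the configure script that emits these macros, so if the shorter name is the intended one then the usage in the second hunk should change instead; either way the two must agree.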
@@ -102,6 +106,18 @@ bool OS::running_in_privileged_state()
#endif
}
+bool OS::sandbox_start()
+ {
+#if defined(BOTAN_TARGET_OS_HAS_PLEDGE)
+ const static char *opts = "stdio rpath inet";
+ return (::pledge(opts, nullptr) == 0);
+#elif defined(BOTAN_TARGET_OS_HAS_CAP_ENTER)
+ return (::cap_enter() == 0);
+#else
+ return true;
+#endif
+ }
+
uint64_t OS::get_cpu_cycle_counter()
{
uint64_t rtc = 0;
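Review bot: The `#else` branch of `sandbox_start()` returns true when no sandbox mechanism is compiled in, so a caller cannot tell "the process is now confined" apart from "nothing happened", which matters for a security feature whose whole purpose is to reduce privilege. Since the commit message says the TLS server is meant to proceed either way, I would keep the return value but make the no-op explicit with `// No sandbox facility on this target: nothing was restricted, report success so callers continue` above `return true;`, and document the same in the header. On the pledge branch the `const static char *opts` indirection adds nothing; `return (::pledge("stdio rpath inet", nullptr) == 0);` is clearer, and a one-line comment saying why `rpath` and `inet` are needed by the TLS server would help a later reader who wants to tighten the promise set. The failing cases also drop errno, so a reviewer may want the caller to log it before anything else overwrites it.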
diff --git a/src/lib/utils/os_utils.h b/src/lib/utils/os_utils.h
index 6ec64b2fd..53471db88 100644
--- a/src/lib/utils/os_utils.h
+++ b/src/lib/utils/os_utils.h
@@ -34,6 +34,14 @@ namespace OS {
uint32_t BOTAN_TEST_API get_process_id();
/**
+* Running current context in a sandboxed manner
+* Usually any sandbox solution might allow to
+* adjust down the permissions but never allow
+* to expand them.
+*/
+bool BOTAN_TEST_API sandbox_start();
+
+/**
* Test if we are currently running with elevated permissions
* eg setuid, setgid, or with POSIX caps set.
*/
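Review bot: The new doc comment on `sandbox_start()` explains what a sandbox is in general but not what the function's return value means, and it omits the behaviour the implementation in os_utils.cpp shows: on targets with neither pledge nor Capsicum it does nothing and returns true. A caller reading only the header would reasonably take true to mean "now confined", which is false on such platforms. I would replace the comment with a contract statement along the lines of `Restrict the current process using the OS sandbox facility where one exists (pledge on OpenBSD, cap_enter on FreeBSD). Returns true if the process was confined or no facility is available on this target; returns false if the sandbox call itself failed.` The existing remark that sandboxes only ever reduce permissions can stay as a second paragraph.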
@@ -122,6 +130,7 @@ void page_prohibit_access(void* page);
*/
void page_allow_access(void* page);
+
/**
* Run a probe instruction to test for support for a CPU instruction.
* Runs in system-specific env that catches illegal instructions; this