author | David Carlier <[email protected]> | 2020-07-08 16:51:17 +0100 |
---|---|---|
committer | David Carlier <[email protected]> | 2020-07-08 16:51:17 +0100 |
commit | 32dfe9b0ee9bf88563d28caf9a7e6c83ab7f70e1 (patch) | |
tree | 6f1e5c3936dc5094a31053c95e2a0862d52f6c7e /src | |
parent | 66851a3c6dcc5de83db47221003bdc6034e020dc (diff) |
using smart ptr over raw C workflow.
looping over permissions.
Diffstat (limited to 'src')
-rw-r--r-- | src/cli/sandbox.cpp | 71 |
1 files changed, 29 insertions, 42 deletions
diff --git a/src/cli/sandbox.cpp b/src/cli/sandbox.cpp
index bb65a4100..6ac8007af 100644
--- a/src/cli/sandbox.cpp
+++ b/src/cli/sandbox.cpp
@@ -18,6 +18,16 @@ namespace Botan_CLI {
+#if defined(BOTAN_TARGET_OS_HAS_SETPPRIV)
+struct SandboxPrivDelete {
+ void operator()(priv_set_t *ps)
+ {
+ ::priv_emptyset(ps);
+ ::priv_freeset(ps);
+ }
+};
+#endif
+
Sandbox::Sandbox()
{
#if defined(BOTAN_TARGET_OS_HAS_PLEDGE)
@@ -68,54 +78,31 @@ bool Sandbox::init()
return (::cap_enter() == 0);
#elif defined(BOTAN_TARGET_OS_HAS_SETPPRIV)
- priv_set_t *ps;
-
- if ((ps = ::priv_allocset()) == nullptr)
- {
- return false;
- }
-
- ::priv_basicset(ps);
-
- if (::priv_delset(ps, PRIV_PROC_FORK) == -1)
+ priv_set_t *tmp;
+ std::unique_ptr<priv_set_t, SandboxPrivDelete> ps;
+ const char *const priv_perms[] = {
+ PRIV_PROC_FORK,
+ PRIV_PROC_EXEC,
+ PRIV_PROC_INFO,
+ PRIV_PROC_SESSION,
+ };
+
+ if ((tmp = ::priv_allocset()) == nullptr)
{
- ::priv_freeset(ps);
return false;
}
- if (::priv_delset(ps, PRIV_PROC_EXEC) == -1)
- {
- ::priv_freeset(ps);
- return false;
- }
-
- if (::priv_delset(ps, PRIV_PROC_INFO) == -1)
- {
- ::priv_freeset(ps);
- return false;
- }
+ ps = std::unique_ptr<priv_set_t, SandboxPrivDelete>(tmp);
+ ::priv_basicset(ps.get());
- if (::priv_delset(ps, PRIV_PROC_SESSION) == -1)
- {
- ::priv_freeset(ps);
- return false;
- }
-
- if (::setppriv(PRIV_SET, PRIV_PERMITTED, ps) == -1)
- {
- ::priv_freeset(ps);
- return false;
- }
-
- if (::setppriv(PRIV_SET, PRIV_INHERITABLE, ps) == -1)
- {
- ::priv_freeset(ps);
- return false;
- }
-
- ::priv_emptyset(ps);
+ for (auto perm: priv_perms)
+ {
+ if (::priv_delset(ps.get(), perm) == -1)
+ {
+ return false;
+ }
+ }
- ::priv_freeset(ps);
return true;
#else
return true; |
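Review bot: The new SETPPRIV branch of Sandbox::init() never applies the trimmed privilege set: the old side's `::setppriv(PRIV_SET, PRIV_PERMITTED, ps)` and `::setppriv(PRIV_SET, PRIV_INHERITABLE, ps)` calls are removed and nothing on the new side replaces them, so after the `priv_delset` loop the function returns true while the process still holds PRIV_PROC_FORK/EXEC/INFO/SESSION — init() reports a sandbox that was never established. Both calls should be restored after the loop, passing `ps.get()` and using the same `== -1` → `return false` handling the loop uses; the SandboxPrivDelete deleter then releases the set on every exit path, which is the cleanup the commit set out to centralise. On the same hunk, `tmp` is unnecessary — `std::unique_ptr<priv_set_t, SandboxPrivDelete> ps(::priv_allocset());` followed by `if (!ps) return false;` reads cleaner — and the hunk does not show whether `<memory>` is already included for std::unique_ptr, which is worth confirming. Sandbox::init() begins before this hunk.
```cpp
   for (auto perm: priv_perms)
      {
      // … unchanged: priv_delset(ps.get(), perm), return false on -1 …
      }

   // Apply the reduced set; without these calls the process keeps every privilege.
   if (::setppriv(PRIV_SET, PRIV_PERMITTED, ps.get()) == -1)
      {
      return false;
      }

   if (::setppriv(PRIV_SET, PRIV_INHERITABLE, ps.get()) == -1)
      {
      return false;
      }

   return true;
```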