configure: add --disable-sandbox

Calling `configure' with --disable-sandbox will disable the sandbox support *completely* at compile time. gmid will still complain at compile time and during the startup. Users shouldn't disable the sandbox if possible, but instead report problem upstream so they get fixed (hopefully.) #4 related
omar-polo · Jul 3, 2021 · 75c6959 · 75c6959
1 parent 6c0b847
commit 75c6959
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/configure b/configure
@@ -44,6 +44,8 @@ LEX=lex
 STATIC=
 YACC=yacc
 
+DISABLE_SANDBOX=0
+
 NEED_GNU_SOURCE=0
 NEED_OPENBSD_SOURCE=0
 
@@ -100,6 +102,11 @@ which ${YACC} 2>/dev/null 1>&2 || {
 # allow certain variables to be overridden on the command line
 
 for keyvals in "$@"; do
+	if [ "$keyvals" = "--disable-sandbox" ]; then
+		DISABLE_SANDBOX=1
+		continue
+	fi
+
 	key=`echo $keyvals | cut -s -d '=' -f1`
 	if [ -z "$key" ]; then
 		echo "$0: invalid key-value: $keyvals" 1>&2
@@ -287,6 +294,8 @@ echo "#include <imsg.h>"
 
 cat <<__HEREDOC__
 
+#define DISABLE_SANDBOX		${DISABLE_SANDBOX}
+
 #define HAVE_ERR		${HAVE_ERR}
 #define HAVE_EXPLICIT_BZERO	${HAVE_EXPLICIT_BZERO}
 #define HAVE_FREEZERO		${HAVE_FREEZERO}

diff --git a/sandbox.c b/sandbox.c
@@ -16,7 +16,30 @@
 
 #include "gmid.h"
 
-#if defined(__FreeBSD__)
+#if DISABLE_SANDBOX
+
+#warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
+
+void
+sandbox_server_process(void)
+{
+	return;
+}
+
+void
+sandbox_executor_process(void)
+{
+        log_notice(NULL, "Sandbox disabled!  "
+	    "Please report issues upstream instead of disabling the sandbox.");
+}
+
+void
+sandbox_logger_process(void)
+{
+	return;
+}
+
+#elif defined(__FreeBSD__)
 
 #include <sys/capsicum.h>