authorDarren Tucker <dtucker@zip.com.au>2016-02-19 09:05:39 +1100
committerDarren Tucker <dtucker@zip.com.au>2016-02-19 09:05:39 +1100
commit907091acb188b1057d50c2158f74c3ecf1c2302b (patch)
tree62f2c59f51e55a3f49c7c173527425eb1b19a876 /sandbox-solaris.c
parent292a8dee14e5e67dcd1b49ba5c7b9023e8420d59 (diff)
Make Solaris privs code build on older systems.
Not all systems with Solaris privs have priv_basicset so factor that out and provide backward compatibility code. Similarly, not all have PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from alex at cooperi.net and djm@ with help from carson at taltos.org and wieland at purdue.edu.
Diffstat (limited to 'sandbox-solaris.c')
-rw-r--r--sandbox-solaris.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/sandbox-solaris.c b/sandbox-solaris.c
index 98714e17..343a0102 100644
--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -48,19 +48,20 @@ ssh_sandbox_init(struct monitor *monitor)
struct ssh_sandbox *box = NULL;
box = xcalloc(1, sizeof(*box));
- box->pset = priv_allocset();
+
+ /* Start with "basic" and drop everything we don't need. */
+ box->pset = solaris_basic_privset();
if (box->pset == NULL) {
free(box);
return NULL;
}
- /* Start with "basic" and drop everything we don't need. */
- priv_basicset(box->pset);
-
/* Drop everything except the ability to use already-opened files */
if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+#endif
priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||