/*
- * "$Id$"
- *
* Process management routines for the CUPS scheduler.
*
- * Copyright 2007-2014 by Apple Inc.
+ * Copyright 2007-2017 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * file is missing or damaged, see the license at "http://www.cups.org/".
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
*/
/*
# include <spawn.h>
extern char **environ;
#endif /* HAVE_POSIX_SPAWN */
+#ifdef HAVE_POSIX_SPAWN
+# if !defined(__OpenBSD__) || OpenBSD >= 201505
+# define USE_POSIX_SPAWN 1
+# else
+# define USE_POSIX_SPAWN 0
+# endif /* !__OpenBSD__ || */
+#else
+# define USE_POSIX_SPAWN 0
+#endif /* HAVE_POSIX_SPAWN */
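Review bot: The `OpenBSD >= 201505` test in the new `USE_POSIX_SPAWN` block depends on the `OpenBSD` release macro, which that system defines in `<sys/param.h>`, and no include of that header is visible in this hunk. If it is not included before this point, the undefined name evaluates to 0 inside `#if`, so every OpenBSD build silently takes the non-spawn path, including the releases the check is meant to admit. Unless an earlier include already provides it, I would add `# include <sys/param.h>` inside an `#ifdef __OpenBSD__` guard just above. A one-line comment stating why releases before 201505 are excluded would also help the next reader.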
/*
if (LogLevel >= CUPSD_LOG_DEBUG)
cupsFilePuts(fp, "(debug deny)\n");
cupsFilePuts(fp, "(import \"system.sb\")\n");
+ cupsFilePuts(fp, "(import \"com.apple.corefoundation.sb\")\n");
cupsFilePuts(fp, "(system-network)\n");
cupsFilePuts(fp, "(allow mach-per-user-lookup)\n");
cupsFilePuts(fp, "(allow ipc-posix-sem)\n");
/* Also allow access to device files... */
cupsFilePuts(fp, "(allow file-write* file-read-data file-read-metadata file-ioctl\n"
" (regex #\"^/dev/\"))\n");
+
+ /* And allow kernel extensions to be loaded, e.g., SMB */
+ cupsFilePuts(fp, "(allow system-kext-load)\n");
}
else
{
/* Only allow SNMP (UDP) and LPD (TCP) off the machine... */
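Review bot: The added `(allow system-kext-load)` rule carries no filter, so any process given this branch of the profile may ask for any kernel extension to be loaded, although the comment names SMB as the only motivating case. The condition selecting this branch is outside the hunk; judging by the `(system-network)` line it appears to be the branch for helpers with unrestricted network access, which are also the ones handling the most remote data. If the profile language allows narrowing this operation to specific extensions, the rule should be limited to what the backends actually need. Otherwise the comment should record the scope, e.g. `/* Unfiltered: any kext may be requested from this branch (needed e.g. for SMB) */`.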
cupsFilePuts(fp, ")\n");
cupsFilePuts(fp, "(allow network-outbound\n"
- " (remote udp \"*:161\")"
+ " (remote udp \"*:161\")\n"
" (remote tcp \"*:515\"))\n");
cupsFilePuts(fp, "(allow network-inbound\n"
" (local udp \"localhost:*\"))\n");
nice_str[16]; /* FilterNice string */
uid_t user; /* Command UID */
cupsd_proc_t *proc; /* New process record */
-#ifdef HAVE_POSIX_SPAWN
+#if USE_POSIX_SPAWN
posix_spawn_file_actions_t actions; /* Spawn file actions */
posix_spawnattr_t attrs; /* Spawn attributes */
+ sigset_t defsignals; /* Default signals */
#elif defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
struct sigaction action; /* POSIX signal handler */
-#endif /* HAVE_POSIX_SPAWN */
+#endif /* USE_POSIX_SPAWN */
#if defined(__APPLE__)
char processPath[1024], /* CFProcessPath environment variable */
linkpath[1024]; /* Link path for symlinks... */
if (envp)
{
/*
- * Add special voodoo magic for OS X - this allows OS X programs to access
+ * Add special voodoo magic for macOS - this allows macOS programs to access
* their bundle resources properly...
*/
* Use helper program when we have a sandbox profile...
*/
-#ifndef HAVE_POSIX_SPAWN
+#if !USE_POSIX_SPAWN
if (profile)
-#endif /* !HAVE_POSIX_SPAWN */
+#endif /* !USE_POSIX_SPAWN */
{
snprintf(cups_exec, sizeof(cups_exec), "%s/daemon/cups-exec", ServerBin);
snprintf(user_str, sizeof(user_str), "%d", user);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: argv[%d] = \"%s\"", i, argv[i]);
}
-#ifdef HAVE_POSIX_SPAWN
+#if USE_POSIX_SPAWN
/*
* Setup attributes and file actions for the spawn...
*/
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: Setting spawn attributes.");
+ sigemptyset(&defsignals);
+ sigaddset(&defsignals, SIGTERM);
+ sigaddset(&defsignals, SIGCHLD);
+ sigaddset(&defsignals, SIGPIPE);
+
posix_spawnattr_init(&attrs);
posix_spawnattr_setflags(&attrs, POSIX_SPAWN_SETPGROUP | POSIX_SPAWN_SETSIGDEF);
+ posix_spawnattr_setpgroup(&attrs, 0);
+ posix_spawnattr_setsigdefault(&attrs, &defsignals);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: Setting file actions.");
posix_spawn_file_actions_init(&actions);
if (infd != 0)
{
if (infd < 0)
- posix_spawn_file_actions_addopen(&actions, 0, "/dev/null", O_WRONLY, 0);
+ posix_spawn_file_actions_addopen(&actions, 0, "/dev/null", O_RDONLY, 0);
else
posix_spawn_file_actions_adddup2(&actions, infd, 0);
}
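Review bot: None of the new setup calls is checked, although `posix_spawnattr_setpgroup()`, `posix_spawnattr_setsigdefault()` and the `posix_spawn_file_actions_add*()` calls each return an error number. A failure here would leave the child with the scheduler's signal dispositions, or without the intended descriptor 0, and nothing would be logged. I would test each result, e.g. `if (posix_spawnattr_setsigdefault(&attrs, &defsignals)) cupsdLogMessage(CUPSD_LOG_ERROR, "cupsdStartProcess: Unable to set default signals.");`, and abandon the spawn if the attributes cannot be set. A short comment above `sigemptyset(&defsignals)` saying why exactly SIGTERM, SIGCHLD and SIGPIPE are reset (presumably the ones the scheduler handles or ignores) would help. The enclosing function starts and ends outside this hunk, so later handling of these objects is not visible here.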
}
cupsdReleaseSignals();
-#endif /* HAVE_POSIX_SPAWN */
+#endif /* USE_POSIX_SPAWN */
if (*pid)
{
if (ch == '/' && !*src)
break; /* Don't add trailing slash */
- if (strchr(".?*()[]^$\\", ch))
+ if (strchr(".?*()[]^$\\\"", ch))
*dstptr++ = '\\';
*dstptr++ = (char)ch;
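Review bot: The escape set in `strchr(".?*()[]^$\\\"", ch)` now covers the double quote but still omits `+`, `|`, `{` and `}`. If the result is embedded in a sandbox profile regex, as the `HAVE_SANDBOX_H` guard suggests, and that dialect treats those characters as operators, a path containing them yields a pattern that matches something other than the literal path. Extending the set, `if (strchr(".?*+|{}()[]^$\\\"", ch))`, keeps the quoted path literal. Each iteration can now write two bytes for one more input character, and the loop bound is outside this hunk, so it is worth confirming that the limit on `dstptr` leaves room for the escape pair plus the terminator.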
return (dst);
}
#endif /* HAVE_SANDBOX_H */
-
-
-/*
- * End of "$Id$".
- */