void WorkerDebuggerGlobalScope::LoadSubScript(JSContext* aCx, const nsAString& aURL, const Optional<JS::Handle<JSObject*>>& aSandbox, ErrorResult& aRv) { mWorkerPrivate->AssertIsOnWorkerThread(); Maybe<JSAutoCompartment> ac; if (aSandbox.WasPassed()) { JS::Rooted<JSObject*> sandbox(aCx, js::CheckedUnwrap(aSandbox.Value())); if (!IsDebuggerSandbox(sandbox)) { aRv.Throw(NS_ERROR_INVALID_ARG); return; } ac.emplace(aCx, sandbox); } nsTArray<nsString> urls; urls.AppendElement(aURL); workerinternals::Load(mWorkerPrivate, urls, DebuggerScript, aRv); }
void WorkerDebuggerGlobalScope::LoadSubScript( JSContext* aCx, const nsAString& aURL, const Optional<JS::Handle<JSObject*>>& aSandbox, ErrorResult& aRv) { mWorkerPrivate->AssertIsOnWorkerThread(); Maybe<JSAutoRealm> ar; if (aSandbox.WasPassed()) { // We only care about worker debugger sandbox objects here, so // CheckedUnwrapStatic is fine. JS::Rooted<JSObject*> sandbox(aCx, js::CheckedUnwrapStatic(aSandbox.Value())); if (!sandbox || !IsWorkerDebuggerSandbox(sandbox)) { aRv.Throw(NS_ERROR_INVALID_ARG); return; } ar.emplace(aCx, sandbox); } nsTArray<nsString> urls; urls.AppendElement(aURL); workerinternals::Load(mWorkerPrivate, urls, DebuggerScript, aRv); }
static void tls_exec_client(const char *user, int startfd, const char *srcaddr, const char *dstaddr, const char *fingerprint, const char *defport, int timeout, int debuglevel) { struct proto_conn *tcp; char *saddr, *daddr; SSL_CTX *sslctx; SSL *ssl; long ret; int sockfd, tcpfd; uint8_t connected; pjdlog_debug_set(debuglevel); pjdlog_prefix_set("[TLS sandbox] (client) "); #ifdef HAVE_SETPROCTITLE setproctitle("[TLS sandbox] (client) "); #endif proto_set("tcp:port", defport); sockfd = startfd; /* Change tls:// to tcp://. */ if (srcaddr == NULL) { saddr = NULL; } else { saddr = strdup(srcaddr); if (saddr == NULL) pjdlog_exitx(EX_TEMPFAIL, "Unable to allocate memory."); bcopy("tcp://", saddr, 6); } daddr = strdup(dstaddr); if (daddr == NULL) pjdlog_exitx(EX_TEMPFAIL, "Unable to allocate memory."); bcopy("tcp://", daddr, 6); /* Establish TCP connection. */ if (proto_connect(saddr, daddr, timeout, &tcp) == -1) exit(EX_TEMPFAIL); SSL_load_error_strings(); SSL_library_init(); /* * TODO: On FreeBSD we could move this below sandbox() once libc and * libcrypto use sysctl kern.arandom to obtain random data * instead of /dev/urandom and friends. */ sslctx = SSL_CTX_new(TLSv1_client_method()); if (sslctx == NULL) pjdlog_exitx(EX_TEMPFAIL, "SSL_CTX_new() failed."); if (sandbox(user, true, "proto_tls client: %s", dstaddr) != 0) pjdlog_exitx(EX_CONFIG, "Unable to sandbox TLS client."); pjdlog_debug(1, "Privileges successfully dropped."); SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); /* Load CA certs. */ /* TODO */ //SSL_CTX_load_verify_locations(sslctx, cacerts_file, NULL); ssl = SSL_new(sslctx); if (ssl == NULL) pjdlog_exitx(EX_TEMPFAIL, "SSL_new() failed."); tcpfd = proto_descriptor(tcp); block(tcpfd); if (SSL_set_fd(ssl, tcpfd) != 1) pjdlog_exitx(EX_TEMPFAIL, "SSL_set_fd() failed."); ret = SSL_connect(ssl); ssl_check_error(ssl, (int)ret); nonblock(sockfd); nonblock(tcpfd); tls_certificate_verify(ssl, fingerprint); /* * The following byte is send to make proto_connect_wait() to work. */ connected = 1; for (;;) { switch (send(sockfd, &connected, sizeof(connected), 0)) { case -1: if (errno == EINTR || errno == ENOBUFS) continue; if (errno == EAGAIN) { (void)wait_for_fd(sockfd, -1); continue; } pjdlog_exit(EX_TEMPFAIL, "send() failed"); case 0: pjdlog_debug(1, "Connection terminated."); exit(0); case 1: break; } break; } tls_loop(sockfd, ssl); }
static VALUE rb_sandbox_s_from_file(VALUE klass, VALUE filename) { return sandbox(StringValuePtr(filename), SANDBOX_NAMED_EXTERNAL); }
static inline VALUE predefined_sandbox(const char * name) { return sandbox(name, SANDBOX_NAMED); }