author | Hiroki Tagato <tagattie@FreeBSD.org> | 2025-10-06 14:22:11 +0000 |
---|---|---|
committer | Hiroki Tagato <tagattie@FreeBSD.org> | 2025-10-06 14:23:41 +0000 |
commit | d2ab390665a9e408af8689afb02643adf87484bf (patch) | |
tree | a6cf1149b5c8539f9b707400c867b62dfe2bcb72 /misc/codex/files/patch-codex-rs_cli_src_pre__main__hardening.rs | |
parent | d816c0fc9ac77414ce43bda353441ace73bd74c8 (diff) |
Diffstat (limited to 'misc/codex/files/patch-codex-rs_cli_src_pre__main__hardening.rs')
-rw-r--r-- | misc/codex/files/patch-codex-rs_cli_src_pre__main__hardening.rs | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/misc/codex/files/patch-codex-rs_cli_src_pre__main__hardening.rs b/misc/codex/files/patch-codex-rs_cli_src_pre__main__hardening.rs
deleted file mode 100644
index 7302568f4512..000000000000
--- a/misc/codex/files/patch-codex-rs_cli_src_pre__main__hardening.rs
+++ /dev/null
@@ -1,60 +0,0 @@
---- codex-rs/cli/src/pre_main_hardening.rs.orig 2025-09-26 18:28:59 UTC
-+++ codex-rs/cli/src/pre_main_hardening.rs
-@@ -4,9 +4,12 @@ const PTRACE_DENY_ATTACH_FAILED_EXIT_CODE: i32 = 6;
- #[cfg(target_os = "macos")]
- const PTRACE_DENY_ATTACH_FAILED_EXIT_CODE: i32 = 6;
- 
--#[cfg(any(target_os = "linux", target_os = "android", target_os = "macos"))]
-+#[cfg(any(target_os = "linux", target_os = "android", target_os = "macos", target_os = "freebsd"))]
- const SET_RLIMIT_CORE_FAILED_EXIT_CODE: i32 = 7;
- 
-+#[cfg(target_os = "freebsd")]
-+const PROCCTL_PROC_TRACE_CTL_FAILED_EXIT_CODE: i32 = 8;
-+
- #[cfg(any(target_os = "linux", target_os = "android"))]
- pub(crate) fn pre_main_hardening_linux() {
- // Disable ptrace attach / mark process non-dumpable.
-@@ -69,6 +72,43 @@ pub(crate) fn pre_main_hardening_macos() {
- .collect();
- 
- for key in dyld_keys {
-+ unsafe {
-+ std::env::remove_var(key);
-+ }
-+ }
-+}
-+
-+#[cfg(target_os = "freebsd")]
-+pub(crate) fn pre_main_hardening_freebsd() {
-+ // Prevent debuggers from attaching to this process
-+ let mut arg = libc::PROC_TRACE_CTL_DISABLE_EXEC;
-+ let ret_code = unsafe {
-+ libc::procctl(libc::P_PID, 0, libc::PROC_TRACE_CTL, &mut arg as *mut _ as *mut libc::c_void)
-+ };
-+ if ret_code == -1 {
-+ eprintln!(
-+ "ERROR: procctl(PROC_TRACE_CTL) failed: {}",
-+ std::io::Error::last_os_error()
-+ );
-+ std::process::exit(PROCCTL_PROC_TRACE_CTL_FAILED_EXIT_CODE);
-+ }
-+
-+ // Set the core file size limit to 0 to prevent core dumps.
-+ set_core_file_size_limit_to_zero();
-+
-+ // Remove all LD_ environment variables, which can be used to subvert
-+ // library loading.
-+ let ld_keys: Vec<String> = std::env::vars()
-+ .filter_map(|(key, _)| {
-+ if key.starts_with("LD_") {
-+ Some(key)
-+ } else {
-+ None
-+ }
-+ })
-+ .collect();
-+
-+ for key in ld_keys {
- unsafe {
- std::env::remove_var(key);
- }
|