Commit Briefs
typo
Since there was 0 reports in a month can I assume it's not actually used anywhere?
allow fstat64
used by glibc on aarch64. Found and tested by pine, thanks!
fix seccomp filter for ppc64le
before we matched ppc64le as ppc64 (which is big ending I presume), so the seccomp filter would always kill gmid #4 related
configure: add --disable-sandbox
Calling `configure' with --disable-sandbox will disable the sandbox support *completely* at compile time. gmid will still complain at compile time and during the startup. Users shouldn't disable the sandbox if possible, but instead report problem upstream so they get fixed (hopefully.) #4 related
reworked seccomp filter
* SECCOMP_AUDIT_ARCH extended to support more architectures * relax fcntl policy: allow the syscall regardless of the flags * wrap every syscall in a ifdef, and add some (statx, fcntl64, ...) used in x86 Some bits were taken from dhcpcd[0], thanks! #4 related [0]: https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
allow sending fd to log on to the logger process
the logger process now can receive a file descriptor to write logs to. At the moment the logic is simple, if it receives a file it logs there, otherwise it logs to syslog. This will allow to log on custom log files.
fastcgi: a first implementation (github/master, origin/master)
Not production-ready yet, but it's a start. This adds a third ``backend'' for gmid: until now there it served local files or CGI scripts, now FastCGI applications too. FastCGI is meant to be an improvement over CGI: instead of exec'ing a script for every request, it allows to open a single connection to an ``application'' and send the requests/receive the responses over that socket using a simple binary protocol. At the moment gmid supports three different methods of opening a fastcgi connection: - local unix sockets, with: fastcgi "/path/to/sock" - network sockets, with: fastcgi tcp "host" [port] port defaults to 9000 and can be either a string or a number - subprocess, with: fastcgi spawn "/path/to/program" the fastcgi protocol is done over the executed program stdin of these, the last is only for testing and may be removed in the future. P.S.: the fastcgi rule is per-location of course :)
list instead of fixed-size array for vhosts and locations
saves some bytes of memory and removes the limit on the maximum number of vhosts and location blocks.
[seccomp] allow prlimit64
it's needed by getdtablesize, at least on glibc
move all sandbox-related code to sandbox.c
while there, add capsicum for the logger process