Commit Briefs

Omar Polo

configure: add --disable-sandbox (tags/1.6.2)

Calling `configure' with --disable-sandbox will disable the sandbox support *completely* at compile time. gmid will still complain at compile time and during the startup. Users shouldn't disable the sandbox if possible, but instead report problems upstream so they get fixed (hopefully.)

#4 related


Omar Polo

reworked seccomp filter

* SECCOMP_AUDIT_ARCH extended to support more architectures
* relax fcntl policy: allow the syscall regardless of the flags
* wrap every syscall in an ifdef, and add some (statx, fcntl64, ...) used in x86

Some bits were taken from dhcpcd[0], thanks!

[0]: https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c


Omar Polo

cherry-picking commit c928dcc7ba12c5040127e33485b246b13dd63ed9 (github/hotfix-iri-parse-inf-loop, tags/v1.6.1)


Omar Polo

fix IRI-parsing bug

Some particularly crafted IRIs can cause a denial of service (DOS). IRIs which have a trailing `..' segment and resolve to a valid IRI (i.e. a .. that's not escaping the root directory) will make the server process loop forever. This is """just""" a DOS vulnerability, it doesn't expose anything sensitive or give an attacker anything else.


Omar Polo

gmid v1.6 -- "Stargazers" (tags/v1.6)


Omar Polo

typo


Omar Polo

update README


Omar Polo

typo


Omar Polo

fix signal handling so it works on linux too

it seems that linux calls the signal handlers even when we're waiting on sigwait for that signal. Work around that.


Omar Polo

[seccomp] allow prlimit64

it's needed by getdtablesize, at least on glibc



Omar Polo

sync changelog


Omar Polo

kill only $pid during regress testing

before we did `pkill gmid', but that would influence also other instances of gmid!



Omar Polo

move all sandbox-related code to sandbox.c

while there, add capsicum for the logger process