Commits
- Commit: 0b62f4842d7c65b8f64c5f676a0a05333fd7db6f
- From: Omar Polo <op@omarpolo.com>
- Date:
drop landlock/seccomp and capsicum support
it reached a point where this stuff is not maintainable. I'd like
to move forward with gmid, but the restriction of capsicum and the
Linux environment at large that make landlock unusable (how can you
resolve DNS portably when under landlock?), and don't get me started
on seccomp, make it impossible for me to do any work.
So, I prefer removing the crap, resuming working on gmid by cleaning
stuff and consolidating the features, improving various things
etc... and then eventually see how to introduce some sandboxing
again on other systems. Patches to resume sandboxing are, as always,
welcome!
- Commit: b24c6fcc1c81fa2a6b71048a9d2fc532402448b7
- From: Omar Polo <op@omarpolo.com>
- Date:
adjust pledge/unveil on OpenBSD
to connect to unix-domain sockets the `unix' pledge is needed and also
unveil "w". gmid can't mutate files because it doesn't pledge `wpath'
nor `cpath'.
- Commit: 534afd0ddcba7c3d2f8478e89db026010c6190c5
- From: Omar Polo <op@omarpolo.com>
- Date:
make the various strings in the config fixed-length
will help in future restructuring to have fixed-size objects.
- Commit: 760009951357d4c36991c4c6a62db973289b32d9
- From: Omar Polo <op@omarpolo.com>
- Date:
optionally disable the sandbox on some systems
The FreeBSD and Linux sandboxes can't deal with `fastcgi' and `proxy'
configuration rules: new sockets need to be opened and it's either
impossible (the former) or a huge pain in the arse (the latter).
The sandbox is still always used in case only static files are served.
- Commit: 1ab7c96bb305e818b5dfa3b525d5ff635ad12a0a
- From: Omar Polo <op@omarpolo.com>
- Date:
gc sandbox_executor_process
- Commit: d29a2ee2246e1b1b0c5222a823820e42422c894e
- From: Omar Polo <op@omarpolo.com>
- Date:
get rid of the CGI support
I really want to get rid of the `executor' process hack for CGI scripts
and its escalation to allow fastcgi and proxying to work on non-OpenBSD.
This drops the CGI support and the `executor' process entirely and is
the first step towards gmid 2.0. It also allows to have more secure
defaults.
On non-OpenBSD systems this means that the sandbox will be deactivated
as soon as fastcgi or proxying are used: you can't open sockets under
FreeBSD's capsicum(4) and I don't want to go through the pain of making it
work under Linux's seccomp/landlock. Patches are always welcome however.
For folks using CGI scripts (hey, I'm one of you!) not all hope is lost:
fcgiwrap or OpenBSD's slowcgi(8) are ways to run CGI scripts as if they were
FastCGI applications.
fixes for the documentation and to the non-OpenBSD sandboxes will
follow.
- Commit: e5d82d9472513ef742dbb0b5ac451337625feb58
- From: Omar Polo <op@omarpolo.com>
- Date:
const-ify some tables
matches found with
% grep -R '=[ ]*{' . | fgrep -v const
- Commit: 4f0e893cd3889acb8e3d40d359610749189adc25
- From: Omar Polo <op@omarpolo.com>
- Date:
tighten seccomp filter: allow only openat(O_RDONLY)
be more strict and allow an openat only with the O_RDONLY flag. This
is kind of redundant with landlock, but still good to have. Landlock
is not yet widely available and won't kill the process upon policy
violation; furthermore, landlock can be disabled at boot time.
tested on GNU and musl libc on arch and alpine amd64.
- Commit: 94c5f99ab038efafa5f5a841d8092a995d9ee03c
- From: Omar Polo <op@omarpolo.com>
- Date:
sort syscalls in seccomp filter
- Commit: d0e0be1e43e6628e6215e1803c7a2415dd58c9bd
- From: Tobias Berger <tobi.berger13@gmail.com>
- Via: omar-polo <op@omarpolo.com>
- Date:
Allow Arch-Armv7 syscalls in sandbox.c
- Commit: 98c6f8de41647ba565dcbdaccf876277b404161e
- From: Omar Polo <op@omarpolo.com>
- Date:
fix landlock usage
Mickaël Salaün, the landlock author, pointed out the same error in the
got implementation. The assumption that access capabilities not listed
are implicitly denied is completely wrong:
> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.
- Commit: 63bf54b646f65a798b56905313ed15cd97a32fbf
- From: Max <vdrummer@posteo.net>
- Date:
[seccomp] allow ugetrlimit(2), needed by glibc on armv7l
- Commit: 4842c72d9f3f45478cb641e15a3272e541fb8a18
- From: Omar Polo <op@omarpolo.com>
- Date:
fmt
- Commit: 5eb3fc905f5e3bd2f2d586fb1e0ceda879500b3e
- From: Omar Polo <op@omarpolo.com>
- Date:
don't work around a missing -Wno-unused-parameter
It's been there for a long time, and it's frankly annoying to pretend
to use parameters. Most of the time, they're there to satisfy an
interface and nothing more.
- Commit: f7ee799023657126a89134cd64ab6a7638b4d1bf
- From: Omar Polo <op@omarpolo.com>
- Date:
enforce PR_SET_NO_NEW_PRIVS in the logger process
otherwise landlock will refuse to enable itself and the logger process
dies.
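The landlock fix above (rights not listed in handled_access_fs are not denied) and this PR_SET_NO_NEW_PRIVS commit come together in the following added example, which is not gmid's code: it builds a read-only Landlock ruleset whose handled mask names every filesystem right the running kernel's ABI version reports, grants only read access beneath one directory, and sets no_new_privs before enforcing. The ABI-to-bit-count table, the raw syscall wrappers and the struct layouts are the example's own, written from the Linux UAPI definitions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Number of filesystem access-right bits defined by each Landlock ABI
 * version (UAPI header values): v1 has bits 0..12, v2 adds REFER (13),
 * v3 adds TRUNCATE (14), v5 adds IOCTL_DEV (15). Rights left out of
 * handled_access_fs stay ALLOWED, so the handled mask must cover every
 * right the running kernel knows; newer ABIs may add more bits. */
static uint64_t landlock_fs_mask(int abi)
{
	int bits = abi >= 5 ? 16 : abi >= 3 ? 15 : abi == 2 ? 14 : 13;
	return (1ULL << bits) - 1;
}

/* What a static-file server needs beneath its root: READ_FILE | READ_DIR. */
#define RO_ACCESS ((1ULL << 2) | (1ULL << 3))

/* Returns 0 once restricted, -1 with errno set when Landlock is missing
 * (ENOSYS), disabled at boot (EOPNOTSUPP) or any step fails. */
static int landlock_readonly(const char *dir)
{
#ifdef __NR_landlock_create_ruleset
	int abi = syscall(__NR_landlock_create_ruleset, NULL, 0, 1U /* VERSION */);
	if (abi < 0) return -1;
	/* Same layout as struct landlock_ruleset_attr in ABI v1. */
	struct { uint64_t handled_access_fs; } rs = { landlock_fs_mask(abi) };
	int rfd = syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
	if (rfd < 0) return -1;
	/* Same packed layout as struct landlock_path_beneath_attr. */
	struct __attribute__((packed)) { uint64_t allowed_access; int32_t parent_fd; } pb;
	pb.allowed_access = RO_ACCESS & rs.handled_access_fs;
	pb.parent_fd = open(dir, O_PATH | O_CLOEXEC);
	if (pb.parent_fd < 0) { close(rfd); return -1; }
	int r = syscall(__NR_landlock_add_rule, rfd, 1 /* PATH_BENEATH */, &pb, 0);
	close(pb.parent_fd);
	/* Without no_new_privs the kernel refuses landlock_restrict_self with EPERM. */
	if (r == 0) r = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
	if (r == 0) r = syscall(__NR_landlock_restrict_self, rfd, 0);
	close(rfd);
	return r;
#else
	(void)dir; errno = ENOSYS; return -1;
#endif
}
```

After landlock_readonly("/var/gemini") succeeds, a write or unlink anywhere returns EACCES even though only read rights were ever mentioned in the rule, because every other right was handled and left ungranted.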