Commits


const-ify some tables

matches found with % grep -R '=[ ]*{' . | fgrep -v const


tighten seccomp filter: allow only openat(O_RDONLY)

be more strict and allow an openat only with the O_RDONLY flag. This is kind of redundant with landlock, but still good to have. Landlock is not yet widely available and won't kill the process upon policy violation; furthermore, landlock can be disabled at boot time.

tested on GNU and musl libc on arch and alpine amd64.


sort syscalls in seccomp filter


Allow Arch-Armv7 syscalls in sandbox.c


fix landlock usage

Mickaël Salaün, the landlock author, pointed out the same error on the got implementation. The assumption that not listed access capabilities are implicitly denied is completely wrong:

> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.


[seccomp] allow ugetrlimit(2), needed by glibc on armv7l


fmt


don't work around a missing -Wno-unused-parameter

It's been there for a long time, and it's frankly annoying to pretend to use parameters. Most of the time, they're there to satisfy an interface and nothing more.


enforce PR_SET_NO_NEW_PRIVS in the logger process

otherwise landlock will refuse to enable itself and the logger process dies.


forgot include


[seccomp] allow ioctl(FIONREAD)

it's needed by bufferevent_read


refactor landlock

refactor the landlock-related code into something more manageable. The only real difference is that before the logger process would try to landlock itself to "/" without perms, something that landlock doesn't support (now it enables landlock and then restricts itself, which is the correct move.)


landlock the logger process too

Disallow everything landlock can handle. The logger process doesn't need any fs access (on OpenBSD it runs with pledge("stdio recvfd")).


add helper function gmid_create_landlock_rs


landlock the server process

Trying to implement some landlock policies (rules?) where possible. The server process is, of course, the most dangerous process so start with that.

The following should be equivalent to the unveil(2) call on OpenBSD: it allows only reading files and directories inside the vhost roots. I'm assuming seccomp is enabled so I'm not trying to disallow actions such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE which require syscalls that are already disallowed. I'm only trying to limit the damage that the currently allowed system calls can do. e.g. since write(2) is allowed, gmid could modify *any* file it has access to; this is now forbidden by landlock.

There are still too many #ifdefs for my tastes, but it's still better than the seccomp code.
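An added example (not gmid's code) of the policy these commits describe: every filesystem right the kernel knows is listed in handled_access_fs so it is denied by default, a single read-only rule is granted beneath a root directory (standing in for a vhost root), and PR_SET_NO_NEW_PRIVS is set before restricting, otherwise Landlock refuses to enable. The Landlock constants and syscall numbers are spelled out inline so it builds without <linux/landlock.h>; the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Landlock ABI values spelled out so this builds without <linux/landlock.h>;
 * the syscall numbers are the same on every architecture. */
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR  (1ULL << 3)
#define LL_FS_ABI1_ALL  ((1ULL << 13) - 1) /* execute .. make_sym, ABI v1 */
#define LL_FS_REFER     (1ULL << 13)       /* ABI v2 */
#define LL_FS_TRUNCATE  (1ULL << 14)       /* ABI v3 */
#define LL_RULE_PATH_BENEATH 1
#define NR_ll_create_ruleset 444
#define NR_ll_add_rule       445
#define NR_ll_restrict_self  446
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Every fs right the running kernel knows. Only rights listed in
 * handled_access_fs are denied by default, so the list must be complete. */
uint64_t ll_handled_fs(int abi)
{
	uint64_t m = LL_FS_ABI1_ALL;
	if (abi >= 2) m |= LL_FS_REFER;
	if (abi >= 3) m |= LL_FS_TRUNCATE;
	return m;
}
/* The unveil(path, "r") equivalent: read files and list directories only. */
uint64_t ll_readonly_rights(void) { return LL_FS_READ_FILE | LL_FS_READ_DIR; }
/* Confine the caller to read-only access beneath root. Returns 0 on success, 1 when
 * Landlock is absent or disabled at boot (seccomp stays the only guard), -1 on error. */
int ll_sandbox_readonly(const char *root)
{
	int abi = syscall(NR_ll_create_ruleset, NULL, 0, 1U); /* flag 1: query ABI version */
	if (abi < 0) return (errno == ENOSYS || errno == EOPNOTSUPP) ? 1 : -1;
	struct ll_ruleset_attr ra = { ll_handled_fs(abi) };
	int rs = syscall(NR_ll_create_ruleset, &ra, sizeof(ra), 0);
	if (rs < 0) return -1;
	struct ll_path_beneath_attr pb = { ll_readonly_rights(), open(root, O_PATH | O_CLOEXEC) };
	int ok = pb.parent_fd >= 0 &&
	    syscall(NR_ll_add_rule, rs, LL_RULE_PATH_BENEATH, &pb, 0) == 0 &&
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && /* Landlock refuses to enable without it */
	    syscall(NR_ll_restrict_self, rs, 0) == 0;
	if (pb.parent_fd >= 0) close(pb.parent_fd);
	close(rs);
	return ok ? 0 : -1;
}
```

After ll_sandbox_readonly("/var/gemini") returns 0, opening a file under that root with O_RDONLY still works while any open for writing, anywhere, fails with EACCES; a return of 1 is the "landlock disabled at boot" case the seccomp commit above guards against.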