Commits
- Commit: 21f7d2469937a5168542cc12586fb1153d5cc2f4
- From: Omar Polo <op@omarpolo.com>
- Date:
allow fstat64
Used by glibc on aarch64.
Found and tested by pine, thanks!
- Commit: a5d822e542a927e88f655842273356225370c11f
- From: Omar Polo <op@omarpolo.com>
- Date:
typo
- Commit: a8a1f439210de9538b196c6bb5470c306379128c
- From: Omar Polo <op@omarpolo.com>
- Date:
style(9)-ify
- Commit: 4aa1dd553a8919c61136f8ed7cc775017f628769
- From: Omar Polo <op@omarpolo.com>
- Date:
typo
- Commit: b24021d4a27ec5311490ee51b42dc2dacb18aa23
- From: Omar Polo <op@omarpolo.com>
- Date:
fix seccomp filter for ppc64le
Before, we matched ppc64le as ppc64 (which is big endian, I presume), so
the seccomp filter would always kill gmid.
#4 related
- Commit: 8bb8cf2ad488151879b1d7e5ec7436d38553b1b5
- From: Omar Polo <op@omarpolo.com>
- Date:
configure: add --disable-sandbox
Calling `configure' with --disable-sandbox will disable the sandbox
support *completely* at compile time. gmid will still complain at
compile time and during startup.
Users shouldn't disable the sandbox if possible, but instead report
problems upstream so they get fixed (hopefully).
#4 related
- Commit: 137def5ff4c0f9720391ca88191cf9fee6d8ae9a
- From: Omar Polo <op@omarpolo.com>
- Date:
reworked seccomp filter
* SECCOMP_AUDIT_ARCH extended to support more architectures
* relax fcntl policy: allow the syscall regardless of the flags
* wrap every syscall in an ifdef, and add some (statx, fcntl64, ...)
used on x86
Some bits were taken from dhcpcd[0], thanks!
#4 related
[0]: https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
- Commit: e952c5052a0c524eee6d8151b1af96ce2c94ca18
- From: Omar Polo <op@omarpolo.com>
- Date:
allow sending fd to log on to the logger process
The logger process can now receive a file descriptor to write logs
to. At the moment the logic is simple: if it receives a file it logs
there, otherwise it logs to syslog. This will allow logging to custom
log files.
- Commit: 8ad1c570242cd93f0802931621b49b2510b338e7
- From: Omar Polo <op@omarpolo.com>
- Date:
fastcgi: a first implementation
Not production-ready yet, but it's a start.
This adds a third ``backend'' for gmid: until now it served
local files or CGI scripts, now FastCGI applications too.
FastCGI is meant to be an improvement over CGI: instead of exec'ing a
script for every request, it allows opening a single connection to an
``application'' and sending the requests/receiving the responses over that
socket using a simple binary protocol.
At the moment gmid supports three different methods of opening a
fastcgi connection:
- local unix sockets, with: fastcgi "/path/to/sock"
- network sockets, with: fastcgi tcp "host" [port]
port defaults to 9000 and can be either a string or a number
- subprocess, with: fastcgi spawn "/path/to/program"
the fastcgi protocol is done over the executed program's stdin
Of these, the last is only for testing and may be removed in the
future.
P.S.: the fastcgi rule is per-location of course :)
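As an added illustration of the "simple binary protocol" the commit message refers to (not gmid's code and not part of the commit), the following Python frames the FastCGI 1.0 records a client sends over the socket to open one responder request, and parses a record stream back. Constants follow the FastCGI specification; the parameter names and values in the demo are constructed samples.

```python
"""FastCGI 1.0 record framing: encode a request and decode a record stream."""
import struct

FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 3, 4, 5, 6
FCGI_RESPONDER = 1


def encode_record(rec_type, request_id, content=b""):
    """Frame one record: 8-byte header, content, padding to an 8-byte boundary."""
    padding = (-len(content)) % 8
    header = struct.pack("!BBHHBx", FCGI_VERSION_1, rec_type, request_id,
                         len(content), padding)
    return header + content + b"\0" * padding


def decode_records(data):
    """Split a byte stream into (type, request_id, content) tuples; reject truncation."""
    records, off = [], 0
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError("truncated FastCGI record header")
        ver, rtype, rid, clen, plen = struct.unpack("!BBHHBx", data[off:off + 8])
        if ver != FCGI_VERSION_1 or off + 8 + clen + plen > len(data):
            raise ValueError("malformed or truncated FastCGI record")
        records.append((rtype, rid, data[off + 8:off + 8 + clen]))
        off += 8 + clen + plen
    return records


def _nv_len(n):
    """Name/value length: one byte if < 128, else four bytes with the high bit set."""
    return struct.pack("!B", n) if n < 0x80 else struct.pack("!I", n | 0x80000000)


def encode_params(params):
    """FCGI_PARAMS body: concatenated name-value pairs (the CGI-style environment)."""
    body = b""
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        body += _nv_len(len(n)) + _nv_len(len(v)) + n + v
    return body


def begin_request(request_id, params):
    """Records a client sends for one responder request with no request body."""
    body = struct.pack("!HB5x", FCGI_RESPONDER, 0)  # role, flags=0: close after reply
    return (encode_record(FCGI_BEGIN_REQUEST, request_id, body)
            + encode_record(FCGI_PARAMS, request_id, encode_params(params))
            + encode_record(FCGI_PARAMS, request_id)   # empty PARAMS ends the list
            + encode_record(FCGI_STDIN, request_id))   # empty STDIN: no body
```

The same framing applies to the application's reply (FCGI_STDOUT records followed by FCGI_END_REQUEST), so `decode_records` can be pointed at the response side as well.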
- Commit: fdea6aa0bca24f6f947e2126ce101fd59caa7a31
- From: Omar Polo <op@omarpolo.com>
- Date:
allow ``root'' rule to be specified per-location block
- Commit: b8e64ccd44290cdd34bdcd3fd85fb1a9cb7486dd
- From: Omar Polo <op@omarpolo.com>
- Date:
list instead of fixed-size array for vhosts and locations
Saves some bytes of memory and removes the limit on the maximum number
of vhosts and location blocks.
- Commit: e3d81f49cc4084f6af16a497cf56d15d79d1c1b8
- From: Omar Polo <op@omarpolo.com>
- Date:
[seccomp] allow prlimit64
It's needed by getdtablesize, at least on glibc.
- Commit: 62e001b06778c96d0deebceddf1913f7b57ab2d6
- From: Omar Polo <op@omarpolo.com>
- Date:
move all sandbox-related code to sandbox.c
While there, add capsicum for the logger process.
- Commit: 9899a837afd7e0e35478ee9c7e5a0910205318cd
- From: Omar Polo <op@omarpolo.com>
- Date:
[seccomp] allow sendmsg
- Commit: d278a0c3c50146c703b675ca4dac1d58ef286585
- From: Omar Polo <op@omarpolo.com>
- Date:
moving logging to its own process