Commits
Commit:
e5d82d9472513ef742dbb0b5ac451337625feb58
From:
Omar Polo <op@omarpolo.com>
Date:
Sat Mar 19 11:02:42 2022 UTC
const-ify some tables

matches found with `% grep -R '=[ ]*{' . | fgrep -v const`
Commit:
4f0e893cd3889acb8e3d40d359610749189adc25
From:
Omar Polo <op@omarpolo.com>
Date:
Sun Feb 13 16:20:27 2022 UTC
tightens seccomp filter: allow only openat(O_RDONLY)

be more strict and allow an openat only with the O_RDONLY flag. This is kind of redundant with landlock, but still good to have. Landlock is not yet widely available and won't kill the process upon policy violation; furthermore, landlock can be disabled at boot time.

tested on GNU and musl libc on arch and alpine amd64.
Commit:
94c5f99ab038efafa5f5a841d8092a995d9ee03c
From:
Omar Polo <op@omarpolo.com>
Date:
Sun Feb 13 15:32:10 2022 UTC
sort syscalls in seccomp filter
Commit:
d0e0be1e43e6628e6215e1803c7a2415dd58c9bd
From:
Tobias Berger <tobi.berger13@gmail.com>
Via:
omar-polo <op@omarpolo.com>
Date:
Sun Feb 13 14:29:33 2022 UTC
Allow Arch-Armv7 syscalls in sandbox.c
Commit:
98c6f8de41647ba565dcbdaccf876277b404161e
From:
Omar Polo <op@omarpolo.com>
Date:
Thu Feb 10 22:29:51 2022 UTC
fix landlock usage

Mickaël Salaün, the landlock author, pointed out the same error on the got implementation. The assumption that not listed access capabilities are implicitly denied is completely wrong:

> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.
Commit:
63bf54b646f65a798b56905313ed15cd97a32fbf
From:
Max <vdrummer@posteo.net>
Date:
Sat Dec 11 09:08:50 2021 UTC
[seccomp] allow ugetrlimit(2), needed by glibc on armv7l
Commit:
4842c72d9f3f45478cb641e15a3272e541fb8a18
From:
Omar Polo <op@omarpolo.com>
Date:
Mon Oct 18 10:05:55 2021 UTC
fmt
Commit:
5eb3fc905f5e3bd2f2d586fb1e0ceda879500b3e
From:
Omar Polo <op@omarpolo.com>
Date:
Sat Oct 9 18:54:41 2021 UTC
don't work around a missing -Wno-unused-parameter

It's been there for a long time, and it's frankly annoying to pretend to use parameters. Most of the time, they're there to satisfy an interface and nothing more.
Commit:
f7ee799023657126a89134cd64ab6a7638b4d1bf
From:
Omar Polo <op@omarpolo.com>
Date:
Sat Oct 2 17:20:10 2021 UTC
enforce PR_SET_NO_NEW_PRIVS in the logger process

otherwise landlock will refuse to enable itself and the logger process dies.
Commit:
0c66b6ad55416d9fca326c04b038784a9e59a84e
From:
Omar Polo <op@omarpolo.com>
Date:
Sun Sep 26 20:01:32 2021 UTC
forgot include
Commit:
6f27d2595ae350dc6f9ce226d079370645dbff03
From:
Omar Polo <op@omarpolo.com>
Date:
Sun Sep 26 20:00:38 2021 UTC
[seccomp] allow ioctl(FIONREAD) it's needed by bufferevent_read
Commit:
cb28978f0a91612f91f0bf4b8bda365941b5df25
From:
Omar Polo <op@omarpolo.com>
Date:
Sat Sep 25 08:47:29 2021 UTC
refactor landlock

refactor the landlock-related code into something more manageable. The only real difference is that before the logger process would try to landlock itself to "/" without perms, something that landlock doesn't support (now it enables landlock and then restricts itself, which is the correct move.)
Commit:
b0be0653909864ac2ea070184f6fc4f0dcc62299
From:
Omar Polo <op@omarpolo.com>
Date:
Sun Sep 19 17:08:12 2021 UTC
landlock the logger process too

Disallow everything landlock can handle. The logger process doesn't need any fs access (on OpenBSD it runs with pledge("stdio recvfd")).
Commit:
0ea22af2805935f4562fb537eb57d85809e70a84
From:
Omar Polo <op@omarpolo.com>
Date:
Sun Sep 19 17:08:12 2021 UTC
add helper function gmid_create_landlock_rs
Commit:
3499ce5a9ac180a805d8e507207accf8ea352f48
From:
Omar Polo <op@omarpolo.com>
Date:
Sun Sep 19 17:08:12 2021 UTC
landlock the server process

Trying to implement some landlock policies (rules?) where possible. The server process is, of course, the most dangerous process so start with that.

The following should be equivalent to the unveil(2) call on OpenBSD: allows only to read files and directories inside the vhost roots.

I'm assuming seccomp is enabled so I'm not trying to disallow actions such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE which require syscalls that are already disallowed. I'm only trying to limit the damage that the currently allowed system calls can do. e.g. since write(2) is allowed, gmid could modify *any* file it has access to; this is now forbidden by landlock.

There are still too many #ifdefs for my tastes, but it's still better than the seccomp code.
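The three Landlock commits above (the server policy, the PR_SET_NO_NEW_PRIVS requirement in the logger, and the handled_access_fs correction pointed out by the Landlock author) describe one pattern; the example below, which is added here and is not gmid's own code, shows it in working C. It builds a read-only policy beneath one root directory the way the "landlock the server process" commit describes: every access right the running kernel's Landlock ABI knows about goes into handled_access_fs (a right that is not handled is not denied, which is the "fix landlock usage" point), a single rule allows LANDLOCK_ACCESS_FS_READ_FILE and READ_DIR beneath the root, and PR_SET_NO_NEW_PRIVS is set before landlock_restrict_self. The function names (landlock_abi_version, handled_fs_for_abi, build_readonly_ruleset, restrict_to_readonly) are hypothetical; the ABI constants and structures are defined locally with the kernel UAPI values so the example compiles without <linux/landlock.h>.

```c
/* Added example (not gmid's code): a read-only Landlock policy beneath one
 * directory, in the spirit of gmid's commits. Function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock UAPI values, defined locally so this builds even where the
 * kernel headers are old. Syscall numbers are the same on every arch. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef O_PATH
#define O_PATH 010000000
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
/* ABI v1 rights */
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_REMOVE_DIR  (1ULL << 4)
#define LL_FS_REMOVE_FILE (1ULL << 5)
#define LL_FS_MAKE_CHAR   (1ULL << 6)
#define LL_FS_MAKE_DIR    (1ULL << 7)
#define LL_FS_MAKE_REG    (1ULL << 8)
#define LL_FS_MAKE_SOCK   (1ULL << 9)
#define LL_FS_MAKE_FIFO   (1ULL << 10)
#define LL_FS_MAKE_BLOCK  (1ULL << 11)
#define LL_FS_MAKE_SYM    (1ULL << 12)
/* ABI v2 and v3 additions */
#define LL_FS_REFER       (1ULL << 13)
#define LL_FS_TRUNCATE    (1ULL << 14)

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Highest Landlock ABI the kernel supports, or -errno when Landlock is
 * absent (ENOSYS) or built in but disabled at boot (EOPNOTSUPP). */
long landlock_abi_version(void)
{
	long r = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
	return r < 0 ? -errno : r;
}

/* Every right the given ABI knows. All of them must be *handled*, because
 * Landlock denies only handled rights; an unlisted right stays allowed. */
uint64_t handled_fs_for_abi(long abi)
{
	uint64_t m = LL_FS_EXECUTE | LL_FS_WRITE_FILE | LL_FS_READ_FILE | LL_FS_READ_DIR |
	    LL_FS_REMOVE_DIR | LL_FS_REMOVE_FILE | LL_FS_MAKE_CHAR | LL_FS_MAKE_DIR |
	    LL_FS_MAKE_REG | LL_FS_MAKE_SOCK | LL_FS_MAKE_FIFO | LL_FS_MAKE_BLOCK | LL_FS_MAKE_SYM;
	if (abi >= 2) m |= LL_FS_REFER;
	if (abi >= 3) m |= LL_FS_TRUNCATE;
	return m;
}

/* Ruleset that allows only reading files and listing directories beneath
 * `root` (the unveil(2) "r" equivalent). Returns the ruleset fd, or -1. */
int build_readonly_ruleset(const char *root, long abi)
{
	struct ll_ruleset_attr rs = { .handled_access_fs = handled_fs_for_abi(abi) };
	struct ll_path_beneath_attr pb = { .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR, .parent_fd = -1 };
	int rsfd, e;

	rsfd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
	if (rsfd < 0)
		return -1;
	pb.parent_fd = open(root, O_PATH | O_CLOEXEC);
	if (pb.parent_fd < 0)
		goto fail;
	if (syscall(__NR_landlock_add_rule, rsfd, LL_RULE_PATH_BENEATH, &pb, 0) < 0)
		goto fail;
	close(pb.parent_fd);
	return rsfd;
fail:
	e = errno;
	if (pb.parent_fd >= 0) close(pb.parent_fd);
	close(rsfd);
	errno = e;
	return -1;
}

/* Apply the policy to the calling thread. 0 = restricted, 1 = Landlock not
 * available (fall back to seccomp alone), -1 = error with errno set. */
int restrict_to_readonly(const char *root)
{
	long abi = landlock_abi_version();
	int rsfd;

	if (abi < 1)
		return 1;
	if ((rsfd = build_readonly_ruleset(root, abi)) < 0)
		return -1;
	/* Without this landlock_restrict_self fails with EPERM (logger commit). */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
	    syscall(__NR_landlock_restrict_self, rsfd, 0) == -1) {
		int e = errno; close(rsfd); errno = e; return -1;
	}
	close(rsfd);
	return 0;
}

int main(void)
{
	int r = restrict_to_readonly("/usr/share");   /* constructed sample root */
	printf("restrict: %d\n", r);
	/* After restriction, creating a file anywhere is denied (EACCES). */
	if (open("/tmp/landlock-demo", O_WRONLY | O_CREAT, 0600) < 0)
		printf("write outside root denied: %s\n", strerror(errno));
	return 0;
}
```

The ruleset fd is a plain file descriptor until landlock_restrict_self is called, so a server can build and inspect it (or fail early on an unsupported kernel) before dropping into the restricted state; once applied, the policy is inherited by children and cannot be loosened, which is why the commit keeps the seccomp filter as the layer that actually terminates the process on violation.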
Omar Polo