Commits


configure: add --disable-sandbox
Calling `configure' with --disable-sandbox will disable the sandbox support *completely* at compile time. gmid will still complain at compile time and during the startup.
Users shouldn't disable the sandbox if possible, but instead report problems upstream so they get fixed (hopefully.)
#4 related


reworked seccomp filter
* SECCOMP_AUDIT_ARCH extended to support more architectures
* relax fcntl policy: allow the syscall regardless of the flags
* wrap every syscall in an ifdef, and add some (statx, fcntl64, ...) used in x86
Some bits were taken from dhcpcd[0], thanks!
[0]: https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c


cherry-picking commit c928dcc7ba12c5040127e33485b246b13dd63ed9


fix IRI-parsing bug
Some particularly crafted IRIs can cause a denial of service (DOS). IRIs which have a trailing `..' segment and resolve to a valid IRI (i.e. a .. that's not escaping the root directory) will make the server process loop forever.
This is """just""" a DOS vulnerability, it doesn't expose anything sensitive or give an attacker anything else.


gmid v1.6 -- "Stargazers"


typo


update README


typo


fix signal handling so it works on linux too
it seems that linux calls the signal handlers even when we're waiting on sigwait for that signal. Work around that.


[seccomp] allow prlimit64
it's needed by getdtablesize, at least on glibc


fix correct shutdown after SIG{INT,TERM}


sync changelog


kill only $pid during regress testing
before we did `pkill gmid', but that would influence also other instances of gmid!


quit every process cleanly when receiving SIGINT or SIGTERM


move all sandbox-related code to sandbox.c
while there, add capsicum for the logger process