Commits
- Commit:
760009951357d4c36991c4c6a62db973289b32d9
- From:
- Omar Polo <op@omarpolo.com>
- Date:
optionally disable the sandbox on some systems
The FreeBSD and Linux sandboxes can't deal with `fastcgi' and `proxy'
configuration rules: new sockets need to be opened, and it's either
impossible (the former) or a huge pain in the arse (the latter).
The sandbox is still always used in case only static files are served.
- Commit:
1ab7c96bb305e818b5dfa3b525d5ff635ad12a0a
- From:
- Omar Polo <op@omarpolo.com>
- Date:
gc sandbox_executor_process
- Commit:
d29a2ee2246e1b1b0c5222a823820e42422c894e
- From:
- Omar Polo <op@omarpolo.com>
- Date:
get rid of the CGI support
I really want to get rid of the `executor' process hack for CGI scripts
and its escalation to allow fastcgi and proxying to work on non-OpenBSD.
This drops the CGI support and the `executor' process entirely and is
the first step towards gmid 2.0. It also allows for more secure
defaults.
On non-OpenBSD systems this means that the sandbox will be deactivated
as soon as fastcgi or proxying are used: you can't open sockets under
FreeBSD's capsicum(4) and I don't want to go through the pain of making it
work under Linux's seccomp/landlock. Patches are always welcome however.
For folks using CGI scripts (hey, I'm one of you!) not all hope is lost:
fcgiwrap or OpenBSD's slowcgi(8) are ways to run CGI scripts as if they were
FastCGI applications.
Fixes for the documentation and the non-OpenBSD sandboxes will
follow.
- Commit:
e5d82d9472513ef742dbb0b5ac451337625feb58
- From:
- Omar Polo <op@omarpolo.com>
- Date:
const-ify some tables
matches found with
% grep -R '=[ ]*{' . | fgrep -v const
- Commit:
4f0e893cd3889acb8e3d40d359610749189adc25
- From:
- Omar Polo <op@omarpolo.com>
- Date:
tightens seccomp filter: allow only openat(O_RDONLY)
be more strict and allow an openat only with the O_RDONLY flag. This
is kind of redundant with landlock, but still good to have. Landlock
is not yet widely available and won't kill the process upon policy
violation; furthermore, landlock can be disabled at boot time.
tested on GNU and musl libc on arch and alpine amd64.
- Commit:
94c5f99ab038efafa5f5a841d8092a995d9ee03c
- From:
- Omar Polo <op@omarpolo.com>
- Date:
sort syscalls in seccomp filter
- Commit:
d0e0be1e43e6628e6215e1803c7a2415dd58c9bd
- From:
- Tobias Berger <tobi.berger13@gmail.com>
- Via:
- omar-polo <op@omarpolo.com>
- Date:
Allow Arch-Armv7 syscalls in sandbox.c
- Commit:
98c6f8de41647ba565dcbdaccf876277b404161e
- From:
- Omar Polo <op@omarpolo.com>
- Date:
fix landlock usage
Mickaël Salaün, the landlock author, pointed out the same error on the
got implementation. The assumption that not listed access
capabilities are implicitly denied is completely wrong:
> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.
- Commit:
63bf54b646f65a798b56905313ed15cd97a32fbf
- From:
- Max <vdrummer@posteo.net>
- Date:
[seccomp] allow ugetrlimit(2), needed by glibc on armv7l
- Commit:
4842c72d9f3f45478cb641e15a3272e541fb8a18
- From:
- Omar Polo <op@omarpolo.com>
- Date:
fmt
- Commit:
5eb3fc905f5e3bd2f2d586fb1e0ceda879500b3e
- From:
- Omar Polo <op@omarpolo.com>
- Date:
don't work around a missing -Wno-unused-parameter
It's been there for a long time, and it's frankly annoying to pretend
to use parameters. Most of the time, they're there to satisfy an
interface and nothing more.
- Commit:
f7ee799023657126a89134cd64ab6a7638b4d1bf
- From:
- Omar Polo <op@omarpolo.com>
- Date:
enforce PR_SET_NO_NEW_PRIVS in the logger process
otherwise landlock will refuse to enable itself and the logger process
dies.
- Commit:
0c66b6ad55416d9fca326c04b038784a9e59a84e
- From:
- Omar Polo <op@omarpolo.com>
- Date:
forgot include
- Commit:
6f27d2595ae350dc6f9ce226d079370645dbff03
- From:
- Omar Polo <op@omarpolo.com>
- Date:
[seccomp] allow ioctl(FIONREAD)
it's needed by bufferevent_read
- Commit:
cb28978f0a91612f91f0bf4b8bda365941b5df25
- From:
- Omar Polo <op@omarpolo.com>
- Date:
refactor landlock
refactor the landlock-related code into something more manageable.
The only real difference is that before, the logger process would try
to landlock itself to "/" without perms, something that landlock
doesn't support (now it enables landlock and then restricts itself,
which is the correct move).
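The three landlock commits in this log ("fix landlock usage", "enforce PR_SET_NO_NEW_PRIVS in the logger process" and "refactor landlock") describe one correct sequence, shown here as an added example that is not gmid's own code: list every right to be denied in handled_access_fs, set no_new_privs, add the allowing rule, and only then restrict. It assumes Linux with kernel headers that provide linux/landlock.h (ABI 1 rights only); the function name apply_landlock_readonly is mine, and on other systems it compiles to a stub returning ENOSYS.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>
#if defined(__linux__) && defined(__has_include)
# if __has_include(<linux/landlock.h>)
#  include <linux/landlock.h>
#  include <sys/prctl.h>
#  define HAVE_LANDLOCK 1
# endif
#endif
/* Confine the caller to read-only access beneath `root` (the logger's "/"
 * case). Returns 0, or -1 with errno set (ENOSYS: built without landlock).
 * Rights absent from handled_access_fs are not denied, merely ungoverned. */
int apply_landlock_readonly(const char *root)
{
#ifdef HAVE_LANDLOCK
	struct landlock_ruleset_attr rs = { 0 };
	struct landlock_path_beneath_attr pb = { 0 };
	int rfd, fd, ret = -1, saved;
	/* Every right to be denied by default, spelled out (the ABI 1 set). */
	rs.handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
	    LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE |
	    LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR |
	    LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR |
	    LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |
	    LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO |
	    LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
	/* no_new_privs first, or landlock_restrict_self() fails with EPERM. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
		return -1;
	if ((rfd = syscall(SYS_landlock_create_ruleset, &rs, sizeof(rs), 0)) == -1)
		return -1;
	/* Grant back only reads beneath root, then (and only then) restrict. */
	pb.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
	if ((fd = pb.parent_fd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) != -1 &&
	    syscall(SYS_landlock_add_rule, rfd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0) == 0 &&
	    syscall(SYS_landlock_restrict_self, rfd, 0) == 0)
		ret = 0;
	saved = errno;
	if (fd != -1) close(fd);
	close(rfd);
	errno = saved;
	return ret;
#else
	(void)root; errno = ENOSYS; return -1;
#endif
}
```

After a successful call the process can still read anything under `root` but can no longer create, write or execute files, which is exactly the confinement the logger needs.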