Commits


make the various strings in the config fixed-length

This will help in future restructuring to have fixed-size objects.


optionally disable the sandbox on some systems

The FreeBSD and Linux sandboxes can't deal with `fastcgi' and `proxy' configuration rules: new sockets need to be opened and it's either impossible (the former) or a huge pain in the arse (the latter). The sandbox is still always used in case only static files are served.


gc sandbox_executor_process


get rid of the CGI support

I really want to get rid of the `executor' process hack for CGI scripts and its escalation to allow fastcgi and proxying to work on non-OpenBSD. This drops the CGI support and the `executor' process entirely and is the first step towards gmid 2.0. It also allows for more secure defaults.

On non-OpenBSD systems this means that the sandbox will be deactivated as soon as fastcgi or proxying are used: you can't open sockets under FreeBSD's capsicum(4) and I don't want to go through the pain of making it work under Linux's seccomp/landlock. Patches are always welcome however.

For folks using CGI scripts (hey, I'm one of you!) not all hope is lost: fcgiwrap or OpenBSD's slowcgi(8) are ways to run CGI scripts as if they were FastCGI applications.

Fixes for the documentation and to the non-OpenBSD sandboxes will follow.


const-ify some tables

matches found with

    % grep -R '=[ ]*{' . | fgrep -v const


tightens seccomp filter: allow only openat(O_RDONLY)

Be more strict and allow an openat only with the O_RDONLY flag. This is kind of redundant with landlock, but still good to have. Landlock is not yet widely available and won't kill the process upon policy violation; furthermore, landlock can be disabled at boot time.

Tested on GNU and musl libc on arch and alpine amd64.


sort syscalls in seccomp filter


Allow Arch-Armv7 syscalls in sandbox.c


fix landlock usage

Mickaël Salaün, the landlock author, pointed out the same error on the got implementation. The assumption that not listed access capabilities are implicitly denied is completely wrong:

> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.


[seccomp] allow ugetrlimit(2), needed by glibc on armv7l


fmt


don't work around a missing -Wno-unused-parameter

It's been there for a long time, and it's frankly annoying to pretend to use parameters. Most of the time, they're there to satisfy an interface and nothing more.


enforce PR_SET_NO_NEW_PRIVS in the logger process

Otherwise landlock will refuse to enable itself and the logger process dies.
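An added example, not gmid's own code, that puts together the two Landlock points from the commits above: "fix landlock usage" (every right that should be denied by default must be listed in handled_access_fs, because unlisted rights are simply not restricted) and this commit (PR_SET_NO_NEW_PRIVS must be set before landlock_restrict_self(), or the kernel refuses the ruleset). It assumes a Linux toolchain; the fallback ABI definitions, the function names, the `/var/gemini` document root and the `/tmp/landlock-demo` probe path are the example's own choices.

```c
/* Added example (not gmid's code): a read-only Landlock confinement. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifdef __has_include
# if __has_include(<linux/landlock.h>)
#  define HAVE_LANDLOCK_H 1
# endif
#endif
#ifdef HAVE_LANDLOCK_H
# include <linux/landlock.h>
#else
/* Fallback: Landlock ABI v1 definitions for toolchains without the header. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
	uint64_t allowed_access;
	int32_t parent_fd;
} __attribute__((packed));
# define LANDLOCK_RULE_PATH_BENEATH      1
# define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
# define LANDLOCK_ACCESS_FS_EXECUTE      (1ULL << 0)
# define LANDLOCK_ACCESS_FS_WRITE_FILE   (1ULL << 1)
# define LANDLOCK_ACCESS_FS_READ_FILE    (1ULL << 2)
# define LANDLOCK_ACCESS_FS_READ_DIR     (1ULL << 3)
# define LANDLOCK_ACCESS_FS_REMOVE_DIR   (1ULL << 4)
# define LANDLOCK_ACCESS_FS_REMOVE_FILE  (1ULL << 5)
# define LANDLOCK_ACCESS_FS_MAKE_CHAR    (1ULL << 6)
# define LANDLOCK_ACCESS_FS_MAKE_DIR     (1ULL << 7)
# define LANDLOCK_ACCESS_FS_MAKE_REG     (1ULL << 8)
# define LANDLOCK_ACCESS_FS_MAKE_SOCK    (1ULL << 9)
# define LANDLOCK_ACCESS_FS_MAKE_FIFO    (1ULL << 10)
# define LANDLOCK_ACCESS_FS_MAKE_BLOCK   (1ULL << 11)
# define LANDLOCK_ACCESS_FS_MAKE_SYM     (1ULL << 12)
#endif
#ifndef __NR_landlock_create_ruleset
# define __NR_landlock_create_ruleset 444
# define __NR_landlock_add_rule       445
# define __NR_landlock_restrict_self  446
#endif

/* Every ABI v1 filesystem right. Handling all of them is what makes anything a
 * rule does not grant denied; handling only the rights you grant denies nothing. */
#define FS_ALL_V1 (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
	LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | \
	LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | \
	LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | \
	LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | \
	LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
	LANDLOCK_ACCESS_FS_MAKE_SYM)
/* What serving static files out of a document root needs. */
#define FS_READ_ONLY (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

/* Rights the kernel will deny below a path: handled minus granted. */
uint64_t landlock_denied_rights(uint64_t handled, uint64_t granted)
{
	return handled & ~granted;
}

/* Landlock ABI version (>= 1), or -errno if the kernel offers no Landlock. */
int landlock_abi_version(void)
{
	long v = syscall(__NR_landlock_create_ruleset, NULL, 0,
	    LANDLOCK_CREATE_RULESET_VERSION);
	return v < 0 ? -errno : (int)v;
}

/* Confine the calling process to read-only access below root; 0 or -errno. */
int landlock_confine_readonly(const char *root)
{
	struct landlock_ruleset_attr attr = { .handled_access_fs = FS_ALL_V1 };
	struct landlock_path_beneath_attr rule = { .allowed_access = FS_READ_ONLY };
	int ruleset, ret = landlock_abi_version();

	if (ret < 0)
		return ret;
	ruleset = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (ruleset < 0)
		return -errno;
	rule.parent_fd = open(root, O_PATH | O_CLOEXEC);
	if (rule.parent_fd < 0 ||
	    syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH,
	    &rule, 0) < 0 ||
	    /* Without no_new_privs the kernel rejects restrict_self with EPERM. */
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
	    syscall(__NR_landlock_restrict_self, ruleset, 0) < 0)
		ret = -errno;
	else
		ret = 0;
	if (rule.parent_fd >= 0)
		close(rule.parent_fd);
	close(ruleset);
	return ret;
}

int main(int argc, char **argv)
{
	/* Hypothetical document root; pass another directory as argv[1]. */
	const char *root = argc > 1 ? argv[1] : "/var/gemini";
	int ret = landlock_confine_readonly(root);

	if (ret < 0) {
		fprintf(stderr, "landlock unavailable or failed: %s\n", strerror(-ret));
		return 1;
	}
	/* Creating a file anywhere, even outside root, is now denied with EACCES. */
	if (open("/tmp/landlock-demo", O_WRONLY | O_CREAT, 0600) < 0)
		printf("write denied as expected: %s\n", strerror(errno));
	else
		printf("write unexpectedly allowed\n");
	return 0;
}
```

The order in landlock_confine_readonly() is the whole point: the ruleset handles all v1 rights, the single rule grants only READ_FILE and READ_DIR below the document root, and prctl(PR_SET_NO_NEW_PRIVS) runs before landlock_restrict_self(). A ruleset whose handled_access_fs only listed the read rights would leave WRITE_FILE, MAKE_REG and the rest completely unrestricted, which is the mistaken assumption the "fix landlock usage" commit corrects.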


forgot include


[seccomp] allow ioctl(FIONREAD)

It's needed by bufferevent_read.