Commits
- Commit:
226f13ece0b309abeee0ae8a4d8c9f049fe896a7
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add ability to log to files with log access <path>
- Commit:
eac9287d295719131cbc346503dd2a0612e54b4b
- From:
- Omar Polo <op@omarpolo.com>
- Date:
copyright years++
- Commit:
c5ded53a8e37b5812d3648c4247ba9f4cc6f2028
- From:
- Omar Polo <op@omarpolo.com>
- Date:
sort pledge promises as per pledge(2)
- Commit:
b692d8bd5b24045832657a01b7ad6fa15793ef68
- From:
- Omar Polo <op@omarpolo.com>
- Date:
drop `proc' pledge in the main process
unlike the name might suggest, proc_kill() doesn't use kill(2) so
proc is not needed.
- Commit:
7604fc903a0eda71255ea8f878a615ac216b7e9a
- From:
- Omar Polo <op@omarpolo.com>
- Date:
drop questionable #warning
- Commit:
86693a33abd5e8c31530adb3045c9f4664d4d6c9
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add a privsep crypto engine
Incorporate the OpenSMTPD' privsep crypto engine. The idea behind
it is to never load the certificate' private keys in a networked
process, instead they are loaded in a separate process (the `crypto'
one) which signs payloads on the behalf of the server processes.
This way, we greatly reduce the risk of leaking the certificate'
private key should the server process be compromised.
This currently compiles only on LibreSSL (portable fix is in the
way).
- Commit:
1962764c6292e845cec17393e1c46c1473ca1eeb
- From:
- Omar Polo <op@omarpolo.com>
- Date:
fix sandbox_server_process
it does the unveil(2)ing based on the first config, which breaks
config-reloading.
- Commit:
fc440833adbcdb96e6846bc0e1b021c5376473eb
- From:
- Omar Polo <op@omarpolo.com>
- Date:
provide sandbox_main_process on !OpenBSD
- Commit:
c26f2460e42aa0822c283c805958989f339e7d8b
- From:
- Omar Polo <op@omarpolo.com>
- Date:
rework the daemon to do fork+exec
It uses the 'common' proc.c from various OpenBSD-daemons.
gmid grew organically bit by bit and it was also the first place where I
tried to implement privsep. It wasn't done very well, in fact the
parent process (that retains root privileges) just fork()s a generation
of servers, all sharing *exactly* the same address space. No good!
Now, we fork() and re-exec() ourselves, so that each process has a fresh
address space.
Some features (require client ca for example) are temporarly disabled,
will be fixed in subsequent commits. The "ge" program is also
temporarly disabled as it needs tweaks to do privsep too.
- Commit:
2dd5994ae172ed8162aff397b907e4fc476fbaae
- From:
- Omar Polo <op@omarpolo.com>
- Date:
use fatal() in code used in the daemon
- Commit:
eae52ad493f582222b4f2b748c0043c42bb851cb
- From:
- Omar Polo <op@omarpolo.com>
- Date:
switch to the more usual log.c
- Commit:
281a8852b3a2d76c10d2fb6476a706746d05509b
- From:
- Omar Polo <op@omarpolo.com>
- Date:
rename log.[ch] to logger.[ch]
- Commit:
df5058c919cbd1538d0a04cb2a4c179c0291566f
- From:
- Omar Polo <op@omarpolo.com>
- Date:
provide a more usual fatal
fatal usually appends the error string. Add 'fatalx' that doesn't.
Fix callers and move the prototypes to log.h
- Commit:
1e0b974519c8228e271b2b6e677c1b8f9a109b6b
- From:
- Omar Polo <op@omarpolo.com>
- Date:
send capsicum/landlock/seccomp hack to Valhalla
- Commit:
0b62f4842d7c65b8f64c5f676a0a05333fd7db6f
- From:
- Omar Polo <op@omarpolo.com>
- Date:
drop landlock/seccomp and capsicum support
it reached a point where this stuff is not maintenable. I'd like
to move forward with gmid, but the restriction of capsicum and the
linux environment at large that make landlock unusable (how can you
resolve DNS portably when under landlock?) -and don't get me started
on seccomp- makes it impossible for me to do any work.
So, I prefer removing the crap, resuming working on gmid by cleaning
stuff and consolidating the features, improving various things
etc... and then eventually see how to introduce some sandboxing
again on other systems. Patches to resume sandboxing are, as always,
welcome!