Commits
- Commit: 5eb3fc905f5e3bd2f2d586fb1e0ceda879500b3e
- From: Omar Polo <op@omarpolo.com>
- Date:
don't work around a missing -Wno-unused-parameter
It's been there for a long time, and it's frankly annoying to pretend
to use parameters. Most of the time, they're there to satisfy an
interface and nothing more.
- Commit: f7ee799023657126a89134cd64ab6a7638b4d1bf
- From: Omar Polo <op@omarpolo.com>
- Date:
enforce PR_SET_NO_NEW_PRIVS in the logger process
otherwise landlock will refuse to enable itself and the logger process
dies.
- Commit: 0c66b6ad55416d9fca326c04b038784a9e59a84e
- From: Omar Polo <op@omarpolo.com>
- Date:
forgot include
- Commit: 6f27d2595ae350dc6f9ce226d079370645dbff03
- From: Omar Polo <op@omarpolo.com>
- Date:
[seccomp] allow ioctl(FIONREAD)
it's needed by bufferevent_read
- Commit: cb28978f0a91612f91f0bf4b8bda365941b5df25
- From: Omar Polo <op@omarpolo.com>
- Date:
refactor landlock
refactor the landlock-related code into something more manageable.
The only real difference is that before the logger process would try
to landlock itself to "/" without perms, something that landlock
doesn't support (now it enables landlock and then restricts itself,
which is the correct move).
- Commit: b0be0653909864ac2ea070184f6fc4f0dcc62299
- From: Omar Polo <op@omarpolo.com>
- Date:
landlock the logger process too
Disallow everything landlock can handle. The logger process doesn't
need any fs access (on OpenBSD it runs with pledge("stdio recvfd")).
- Commit: 0ea22af2805935f4562fb537eb57d85809e70a84
- From: Omar Polo <op@omarpolo.com>
- Date:
add helper function gmid_create_landlock_rs
- Commit: 3499ce5a9ac180a805d8e507207accf8ea352f48
- From: Omar Polo <op@omarpolo.com>
- Date:
landlock the server process
Trying to implement some landlock policies (rules?) where possible.
The server process is, of course, the most dangerous process so start
with that.
The following should be equivalent to the unveil(2) call on OpenBSD:
allows only to read files and directories inside the vhost roots.
I'm assuming seccomp is enabled so I'm not trying to disallow actions
such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE
which require syscalls that are already disallowed. I'm only trying
to limit the damage that the currently allowed system calls can do.
e.g. since write(2) is allowed, gmid could modify *any* file it has
access to; this is now forbidden by landlock.
There are still too many #ifdefs for my tastes, but it's still better
than the seccomp code.
- Commit: a8e1e8d73853b4373ae4554be976bf827cb2dc81
- From: Omar Polo <op@omarpolo.com>
- Date:
typo
Since there were 0 reports in a month, can I assume it's not actually
used anywhere?
- Commit: 21f7d2469937a5168542cc12586fb1153d5cc2f4
- From: Omar Polo <op@omarpolo.com>
- Date:
allow fstat64
used by glibc on aarch64.
Found and tested by pine, thanks!
- Commit: a5d822e542a927e88f655842273356225370c11f
- From: Omar Polo <op@omarpolo.com>
- Date:
typo
- Commit: a8a1f439210de9538b196c6bb5470c306379128c
- From: Omar Polo <op@omarpolo.com>
- Date:
style(9)-ify
- Commit: 4aa1dd553a8919c61136f8ed7cc775017f628769
- From: Omar Polo <op@omarpolo.com>
- Date:
typo
- Commit: b24021d4a27ec5311490ee51b42dc2dacb18aa23
- From: Omar Polo <op@omarpolo.com>
- Date:
fix seccomp filter for ppc64le
before we matched ppc64le as ppc64 (which is big endian I presume), so
the seccomp filter would always kill gmid
#4 related
- Commit: 8bb8cf2ad488151879b1d7e5ec7436d38553b1b5
- From: Omar Polo <op@omarpolo.com>
- Date:
configure: add --disable-sandbox
Calling `configure' with --disable-sandbox will disable the sandbox
support *completely* at compile time. gmid will still complain at
compile time and during the startup.
Users shouldn't disable the sandbox if possible, but instead report
problems upstream so they get fixed (hopefully).
#4 related