commit df58efff26529acd6a5675d3b4044d494b138397
from: Omar Polo
date: Mon Feb 08 12:46:46 2021 UTC
fix seccomp for the new event loop add/remove syscalls from the BPF filter and move sandbox() after libevent initialisation
commit - d090dc8491682f30c49da381498c283c61f2e37b
commit + df58efff26529acd6a5675d3b4044d494b138397
blob - 023dd627341e053aae8fb166f6aaf3111aeb09cd
blob + b960bfc4818a98b638f308e0fa6499d0bf377fd9
--- gmid.c
+++ gmid.c
@@ -200,7 +200,6 @@ listener_main(void)
 unblock_signals();
 load_default_mime(&conf.mime);
 load_vhosts();
- sandbox();
 loop(ctx, sock4, sock6);
 return 0;
 }
blob - 262d41a499218bc6c745f605f98c333f6ac65bae
blob + 2a2504f7eee13b21b8814ddb5107d9ee2dfd8382
--- sandbox.c
+++ sandbox.c
@@ -150,16 +150,9 @@ sandbox()
 /* these are used to serve the files. note how we
 * allow openat but not open. */
-
-#ifdef __aarch64__
- /* it seems that on aarch64 there isn't a poll(2)
- * syscall, but instead it's implemented on top of
- * ppoll(2). */
- SC_ALLOW(ppoll),
-#else
- SC_ALLOW(poll),
-#endif
- SC_ALLOW(accept),
+ SC_ALLOW(epoll_pwait),
+ SC_ALLOW(epoll_ctl),
+ SC_ALLOW(accept4),
 SC_ALLOW(read),
 SC_ALLOW(openat),
 SC_ALLOW(fstat),
@@ -175,8 +168,9 @@ sandbox()
 /* XXX: ??? */
 SC_ALLOW(getpid),
- /* alpine on amd64 does a clock_gettime(2) */
+ /* alpine on amd64 */
 SC_ALLOW(clock_gettime),
+ SC_ALLOW(madvise),
 /* void on aarch64 does a gettrandom */
 SC_ALLOW(getrandom),
@@ -187,6 +181,12 @@ sandbox()
 SC_ALLOW(exit),
 SC_ALLOW(exit_group),
+ /* stuff used by syslog. revisit once we move
+ * logging in its own process */
+ SC_ALLOW(socket),
+ SC_ALLOW(sendto),
+ SC_ALLOW(connect),
+
 /* allow only F_GETFL and F_SETFL fcntl */
 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
blob - daeeb93d98170659954dcbe00fbbd0bc1e56e6d9
blob + d7e5108719f35024f3d9bf558fe54aaf1d648059
--- server.c
+++ server.c
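Review bot: The allowlist now admits epoll_pwait but not epoll_wait, and on glibc/x86_64 a libevent epoll backend that calls epoll_wait() reaches the kernel through the distinct __NR_epoll_wait number (only libcs or architectures without that number, such as musl or aarch64, route it via epoll_pwait), so on such a system the process would be killed at the first event_dispatch(). This is the same per-platform split the removed poll/ppoll block handled, but it is better keyed on the syscall number than on the architecture: `#ifdef __NR_epoll_wait` / `SC_ALLOW(epoll_wait),` / `#endif` next to the epoll_pwait entry. Whether the new accept4 entry is needed alongside or instead of accept depends on which libc wraps accept() — worth a one-line comment naming the platform it was observed on, as the other entries do. The sandbox() filter table begins and ends outside this hunk.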
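Review bot: `SC_ALLOW(madvise)` is the only entry in the clock_gettime hunk without the one-line justification its neighbours carry, and the clock_gettime comment shrinks from naming the observed syscall to just `alpine on amd64`; both make the table harder to prune later. If madvise is there because the libc allocator on that platform returns memory with it (plausible for musl, not verifiable from this diff), say so: `/* alpine on amd64: the allocator releases memory with madvise() */`, and keep `does a clock_gettime(2)` in the line above. The sandbox() body continues on both sides of the hunk.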
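Review bot: In the syslog hunk `SC_ALLOW(socket)`, `SC_ALLOW(sendto)` and `SC_ALLOW(connect)` are admitted for any domain and destination, which is a far wider grant than syslog's AF_UNIX datagram needs and means a compromised listener keeps the ability to open arbitrary sockets from inside the sandbox. The filter already constrains fcntl by argument a few lines below (`BPF_JUMP` on `__NR_fcntl` followed by a load of the argument), and the same shape can pin socket to args[0] == AF_UNIX until logging moves into its own process as the comment plans. The comment should also record that this is a deliberate temporary widening, e.g. `/* XXX: widens the sandbox to arbitrary sockets; restrict to AF_UNIX or move logging out */`. The hunk cuts into the fcntl check, whose remaining BPF statements are outside it.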
@@ -1059,5 +1059,7 @@ loop(struct tls *ctx, int sock4, int sock6)
 server.ctx = ctx;
+ sandbox();
 event_dispatch();
+ _exit(0);
 }
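Review bot: The new `sandbox()` call sits between `server.ctx = ctx;` and `event_dispatch()` with no comment saying why it must be here, while the ordering is load-bearing: the visible part of the filter allows epoll_ctl and epoll_pwait but shows no epoll_create/epoll_create1, so the epoll fd has to exist (libevent initialised) before the filter is installed, and nothing stops a later refactor from moving the call back into listener_main. Likewise `_exit(0)` replaces the old fall-through return presumably because a normal exit() would run libc and atexit cleanup through syscalls the filter does not allow; record both: `sandbox();	/* after libevent init: the filter has no epoll_create */` and `_exit(0);	/* not exit(): libc cleanup would trip the seccomp filter */`. loop() begins outside the hunk, so the libevent initialisation this relies on is not visible here.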