Tree
- Tree:
f420f9dd34ec65af43ec12bba967d59f0afed211
- Date:
- Message:
- landlock the server process

  Trying to implement some landlock policies (rules?) where possible. The server process is, of course, the most dangerous process so start with that.

  The following should be equivalent to the unveil(2) call on OpenBSD: allows only to read files and directories inside the vhost roots.

  I'm assuming seccomp is enabled so I'm not trying to disallow actions such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE which require syscalls that are already disallowed. I'm only trying to limit the damage that the currently allowed system calls can do. e.g. since write(2) is allowed, gmid could modify *any* file it has access to; this is now forbidden by landlock.

  There are still too many #ifdefs for my tastes, but it's still better than the seccomp code.
Dockerfile
README
gmid
gmid.service
vim/
README
This directory is for additional contributed files which may be useful.

Dockerfile
    Sample Dockerfile to build alpine-based gmid images.

gmid
    Sample rc(8) script for OpenBSD, to be placed in /etc/rc.d.

gmid.service
    Simple systemd service file.

vim
    Syntax highlighting of gmid configuration for vim, to be placed
    into ~/.vim/ or /usr/share/vim/vimfiles/.

    To enable Syntastic checker, put this line in your vimrc:

        let g:syntastic_gmid_checkers = ['gmid']