Commits
Commit:
534afd0ddcba7c3d2f8478e89db026010c6190c5
Author:
Omar Polo <op@omarpolo.com>
Date:
Wed Oct 5 15:10:44 2022 UTC
make the various strings in the config fixed-length

will help in future restructuring to have fixed-size objects.
Commit:
760009951357d4c36991c4c6a62db973289b32d9
Author:
Omar Polo <op@omarpolo.com>
Date:
Tue Sep 6 16:40:38 2022 UTC
optionally disable the sandbox on some systems

The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy'
configuration rules: new sockets needs to be opened and it's either
impossible (the former) or a huge pain in the arse (the latter).

The sandbox is still always used in case only static files are served.
Commit:
1ab7c96bb305e818b5dfa3b525d5ff635ad12a0a
Author:
Omar Polo <op@omarpolo.com>
Date:
Tue Sep 6 16:24:45 2022 UTC
gc sandbox_executor_process
Commit:
d29a2ee2246e1b1b0c5222a823820e42422c894e
Author:
Omar Polo <op@omarpolo.com>
Date:
Tue Sep 6 16:11:09 2022 UTC
get rid of the CGI support

I really want to get rid of the `executor' process hack for CGI scripts
and its escalation to allow fastcgi and proxying to work on non-OpenBSD.

This drops the CGI support and the `executor' process entirely and is
the first step towards gmid 2.0. It also allows to have more secure
defaults.

On non-OpenBSD systems this means that the sandbox will be deactivated
as soon as fastcgi or proxying are used: you can't open sockets under
FreeBSD' capsicum(4) and I don't want to go thru the pain of making it
work under linux' seccomp/landlock. Patches are always welcome however.

For folks using CGI scripts (hey, I'm one of you!) not all hope is lost:
fcgiwrap or OpenBSD' slowcgi(8) are ways to run CGI scripts as they were
FastCGI applications.

fixes for the documentation and to the non-OpenBSD sandboxes will
follow.
Commit:
e5d82d9472513ef742dbb0b5ac451337625feb58
Author:
Omar Polo <op@omarpolo.com>
Date:
Sat Mar 19 11:02:42 2022 UTC
const-ify some tables

matches found with

% grep -R '=[ ]*{' . | fgrep -v const
Commit:
4f0e893cd3889acb8e3d40d359610749189adc25
Author:
Omar Polo <op@omarpolo.com>
Date:
Sun Feb 13 16:20:27 2022 UTC
tightens seccomp filter: allow only openat(O_RDONLY)

be more strict and allow an openat only with the O_RDONLY flag. This
is kind of redundant with landlock, but still good to have. Landlock
is not yet widely available and won't kill the process upon policy
violation; furthermore, landlock can be disabled at boot time.

tested on GNU and musl libc on arch and alpine amd64.
Commit:
94c5f99ab038efafa5f5a841d8092a995d9ee03c
Author:
Omar Polo <op@omarpolo.com>
Date:
Sun Feb 13 15:32:10 2022 UTC
sort syscalls in seccomp filter
Commit:
d0e0be1e43e6628e6215e1803c7a2415dd58c9bd
Author:
Tobias Berger <tobi.berger13@gmail.com>
Date:
Sun Feb 13 14:29:33 2022 UTC
Allow Arch-Armv7 syscalls in sandbox.c
Commit:
98c6f8de41647ba565dcbdaccf876277b404161e
Author:
Omar Polo <op@omarpolo.com>
Date:
Thu Feb 10 22:29:51 2022 UTC
fix landlock usage

Mickaël Salaün, the landlock author, pointed out the same error on the
got implementation. The assumption that not listed access
capabilities are implicitly denied is completely wrong:

> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.
Commit:
63bf54b646f65a798b56905313ed15cd97a32fbf
Author:
Max <vdrummer@posteo.net>
Date:
Sat Dec 11 09:08:50 2021 UTC
[seccomp] allow ugetrlimit(2), needed by glibc on armv7l
Commit:
4842c72d9f3f45478cb641e15a3272e541fb8a18
Author:
Omar Polo <op@omarpolo.com>
Date:
Mon Oct 18 10:05:55 2021 UTC
fmt
Commit:
5eb3fc905f5e3bd2f2d586fb1e0ceda879500b3e
Author:
Omar Polo <op@omarpolo.com>
Date:
Sat Oct 9 18:54:41 2021 UTC
don't work around a missing -Wno-unused-parameter

It's been there for a long time, and it's frankly annoying to pretend
to use parameters. Most of the time, they're there to satisfy an
interface and nothings more.
Commit:
f7ee799023657126a89134cd64ab6a7638b4d1bf
Author:
Omar Polo <op@omarpolo.com>
Date:
Sat Oct 2 17:20:10 2021 UTC
enforce PR_SET_NO_NEW_PRIVS in the logger process

otherwise landlock will refuse to enable itself and the logger process
dies.
Commit:
0c66b6ad55416d9fca326c04b038784a9e59a84e
Author:
Omar Polo <op@omarpolo.com>
Date:
Sun Sep 26 20:01:32 2021 UTC
forgot include
Commit:
6f27d2595ae350dc6f9ce226d079370645dbff03
Author:
Omar Polo <op@omarpolo.com>
Date:
Sun Sep 26 20:00:38 2021 UTC
[seccomp] allow ioctl(FIONREAD)

it's needed by bufferevent_read
Omar Polo