Add syscall sandboxing (seccomp-bpf)

author: practicalswift <practicalswift@users.noreply.github.com> 2021-10-01 13:53:59 +0000
committer: practicalswift <practicalswift@users.noreply.github.com> 2021-10-01 13:51:10 +0000
commit: 4747da3a5b639b5a336b737e7e3cbf060cf2efcf (patch)
tree: c375c8eff3a7f4b02f66247b52dfee286e7fcbae /src/httpserver.cpp
parent: e69cbac628bfdca4a8e4ead821190eaf5b6b3d07 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/httpserver.cpp b/src/httpserver.cpp
index fa0379f612..b583ed323a 100644
--- a/src/httpserver.cpp
+++ b/src/httpserver.cpp
@@ -12,6 +12,7 @@
 #include <shutdown.h>
 #include <sync.h>
 #include <util/strencodings.h>
+#include <util/syscall_sandbox.h>
 #include <util/system.h>
 #include <util/threadnames.h>
 #include <util/translation.h>
@@ -279,6 +280,7 @@ static void http_reject_request_cb(struct evhttp_request* req, void*)
 static bool ThreadHTTP(struct event_base* base)
 {
     util::ThreadRename("http");
+    SetSyscallSandboxPolicy(SyscallSandboxPolicy::NET_HTTP_SERVER);
     LogPrint(BCLog::HTTP, "Entering http event loop\n");
     event_base_dispatch(base);
     // Event loop will be interrupted by InterruptHTTPServer()
@@ -332,6 +334,7 @@ static bool HTTPBindAddresses(struct evhttp* http)
 static void HTTPWorkQueueRun(WorkQueue<HTTPClosure>* queue, int worker_num)
 {
     util::ThreadRename(strprintf("httpworker.%i", worker_num));
+    SetSyscallSandboxPolicy(SyscallSandboxPolicy::NET_HTTP_SERVER_WORKER);
     queue->Run();
 }
author	practicalswift <practicalswift@users.noreply.github.com>	2021-10-01 13:53:59 +0000
committer	practicalswift <practicalswift@users.noreply.github.com>	2021-10-01 13:51:10 +0000
commit	4747da3a5b639b5a336b737e7e3cbf060cf2efcf (patch)
tree	c375c8eff3a7f4b02f66247b52dfee286e7fcbae /src/httpserver.cpp
parent	e69cbac628bfdca4a8e4ead821190eaf5b6b3d07 (diff)