path: root/src/util/syscall_sandbox.cpp
Age | Commit message | Author
2022-12-24 | scripted-diff: Bump copyright headers | Hennadii Stepanov
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-

Commits of previous years:
- 2021: f47dda2c58b5d8d623e0e7ff4e74bc352dfa83d7
- 2020: fa0074e2d82928016a43ca408717154a1c70a4db
- 2019: aaaaad6ac95b402fe18d019d67897ced6b316ee0
2022-04-05 | Remove gui-only syscalls | MarcoFalke
* Revert "util: Add inotify_rm_watch to syscall sandbox (AllowFileSystem)"
  This reverts commit f05a4cdf5a0363e1c12f00c034afb60e7ea0c775.
* Revert "util: add linkat to syscall sandbox (AllowFileSystem)"
  This reverts commit 9809db3577f0fa618bea42635b1581e628a30395.
2022-04-05 | init: Disable syscall sandbox in the bitcoin-qt process | MarcoFalke
2022-03-28 | util: Add inotify_rm_watch to syscall sandbox (AllowFileSystem) | Hennadii Stepanov
2022-03-24 | util: add linkat to syscall sandbox (AllowFileSystem) | fanquake
2022-02-17 | util: Add missing rseq to syscall sandbox | laanwj
Fixes #24368.
2022-02-14 | util: Add missing unlinkat to syscall sandbox | MarcoFalke
2022-02-03 | refactor: replace boost::filesystem with std::filesystem | Kiminuo
Warning: Replacing fs::system_complete calls with fs::absolute calls in this commit may cause minor changes in behaviour because fs::absolute no longer strips trailing slashes; however these changes are believed to be safe.

Co-authored-by: Russell Yanofsky <russ@yanofsky.org>
Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
2021-12-30 | scripted-diff: Bump copyright headers | Hennadii Stepanov
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-

Commits of previous years:
* 2020: fa0074e2d82928016a43ca408717154a1c70a4db
* 2019: aaaaad6ac95b402fe18d019d67897ced6b316ee0
2021-11-19 | util: Add missing fstatfs to syscall sandbox | MarcoFalke
2021-10-19 | Add missing gettimeofday to syscall sandbox | MarcoFalke
Also, sort entries. Can be reviewed with: --color-moved=dimmed-zebra
2021-10-11 | util: Add mincore and clone3 to syscall sandbox | MarcoFalke
2021-10-07 | Merge bitcoin/bitcoin#23196: util: Make syscall sandbox compilable with kernel 4.4.0 | W. J. van der Laan
ac402e749c91d40ce7066993f72f426b67196bd7 util: Conditionalize some syscalls in syscall name table (W. J. van der Laan)
64085b37f8d5c018372f013e925a725b67b527fc util: Add __NR_copy_file_range syscall constant for sandbox (W. J. van der Laan)

Pull request description:

Make the new syscall sandbox compilable with kernel 4.4.0.

This defines a further syscall constant `__NR_copy_file_range` to make sure all syscalls used in the profile are available even if not defined in the kernel headers.

Also, make a few syscalls optional in the syscall name table:
- `__NR_pkey_alloc`
- `__NR_pkey_free`
- `__NR_pkey_mprotect`
- `__NR_preadv2`
- `__NR_pwritev2`

ACKs for top commit:
practicalswift: cr ACK ac402e749c91d40ce7066993f72f426b67196bd7

Tree-SHA512: be6c55bf0a686bcdfad0b80b950d0d7d77a559ac234fc997b47514bdba44865a371c96dd8d34a811ba46424a84f410e23f75485b9b1e69e529b7d40e0b4b91b8
2021-10-06 | util: Add mremap syscall to AllowAddressSpaceAccess | MarcoFalke
2021-10-05 | util: Conditionalize some syscalls in syscall name table | W. J. van der Laan
Put these in `#ifdef` as they are newer syscalls that might not be defined on all kernels:

__NR_pkey_alloc
__NR_pkey_free
__NR_pkey_mprotect
__NR_preadv2
__NR_pwritev2

Thanks to jamesob for reporting.
2021-10-05 | util: Add __NR_copy_file_range syscall constant for sandbox | W. J. van der Laan
Kernel 4.4.0 doesn't define this.
2021-10-05 | Merge bitcoin/bitcoin#23178: util: Fix GUIX build with syscall sandbox | W. J. van der Laan
2d0279987ef04edda5f61c171768b9527cc936cc util: Make sure syscall numbers used in profile are defined (W. J. van der Laan)
8289d19ea5d9935883f71a32e2f8f82ba7a283fb util: Define SECCOMP_RET_KILL_PROCESS if not provided by the headers (W. J. van der Laan)

Pull request description:

Looks like we've broken the GUIX build in #20487. This attempts to fix it:
- Define `__NR_statx` `__NR_getrandom` `__NR_membarrier` as some kernel headers lack them, and it's important to have the same profile independent of what kernel is used for building.
- Define `SECCOMP_RET_KILL_PROCESS` as it isn't defined in the headers.

ACKs for top commit:
practicalswift: cr ACK 2d0279987ef04edda5f61c171768b9527cc936cc

Tree-SHA512: c264c66f90af76bf364150e44d0a31876c2ef99f05777fcdd098a23f1e80efef43028f54bf9b3dad016110056d303320ed9741b0cb4c6266175fa9d5589b4277
2021-10-05 | util: Make sure syscall numbers used in profile are defined | W. J. van der Laan
Define the following syscall numbers for x86_64, so that the profile will be the same no matter what kernel is built against, including kernels that don't have `__NR_statx`:

```c++
#define __NR_statx 332
#define __NR_getrandom 318
#define __NR_membarrier 324
```
2021-10-05 | util: Define SECCOMP_RET_KILL_PROCESS if not provided by the headers | W. J. van der Laan
Define `SECCOMP_RET_KILL_PROCESS` as it isn't defined in the headers, as is the case for the GUIX build on this platform.
2021-10-05 | sandbox: add copy_file_range to allowed filesystem syscalls | fanquake
2021-10-05 | sandbox: add newfstatat to allowed filesystem syscalls | fanquake
2021-10-01 | Add syscall sandboxing (seccomp-bpf) | practicalswift