matches found with
% grep -R '=[ ]*{' . | fgrep -v const

be more strict and allow an openat only with the O_RDONLY flag. This
is kind of redundant with landlock, but still good to have. Landlock
is not yet widely available and won't kill the process upon policy
violation; furthermore, landlock can be disabled at boot time.
Tested on GNU and musl libc on Arch and Alpine amd64.

Mickaël Salaün, the landlock author, pointed out the same error on the
got implementation. The assumption that access capabilities not listed
are implicitly denied is completely wrong:
> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.

It's been there for a long time, and it's frankly annoying to pretend
to use parameters. Most of the time, they're there to satisfy an
interface and nothing more.

otherwise landlock will refuse to enable itself and the logger process
dies.

it's needed by bufferevent_read

refactor the landlock-related code into something more manageable.
The only real difference is that before the logger process would try
to landlock itself to "/" without perms, something that landlock
doesn't support (now it enables landlock and then restricts itself,
which is the correct move).

Disallow everything landlock can handle. The logger process doesn't
need any fs access (on OpenBSD it runs with pledge("stdio recvfd")).

Trying to implement some landlock policies (rules?) where possible.
The server process is, of course, the most dangerous process, so start
with that.
The following should be equivalent to the unveil(2) call on OpenBSD:
it allows only reading files and directories inside the vhost roots.
I'm assuming seccomp is enabled, so I'm not trying to disallow actions
such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE
which require syscalls that are already disallowed. I'm only trying
to limit the damage that the currently allowed system calls can do.
E.g., since write(2) is allowed, gmid could modify *any* file it has
access to; this is now forbidden by landlock.
There are still too many #ifdefs for my tastes, but it's still better
than the seccomp code.

Since there were 0 reports in a month, can I assume it's not actually
used anywhere?

used by glibc on aarch64.
Found and tested by pine, thanks!

before we matched ppc64le as ppc64 (which is big endian, I presume), so
the seccomp filter would always kill gmid
#4 related

Calling `configure' with --disable-sandbox will disable the sandbox
support *completely* at compile time. gmid will still complain at
compile time and during startup.
Users shouldn't disable the sandbox if possible, but instead report
problems upstream so they get fixed (hopefully).
#4 related

* SECCOMP_AUDIT_ARCH extended to support more architectures
* relax fcntl policy: allow the syscall regardless of the flags
* wrap every syscall in an ifdef, and add some (statx, fcntl64, ...)
  used in x86
Some bits were taken from dhcpcd[0], thanks!
#4 related
[0]: https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c

the logger process can now receive a file descriptor to write logs
to. At the moment the logic is simple: if it receives a file it logs
there, otherwise it logs to syslog. This will allow logging to custom
log files.

Not production-ready yet, but it's a start.
This adds a third ``backend'' for gmid: until now it served local
files or CGI scripts, now FastCGI applications too.
FastCGI is meant to be an improvement over CGI: instead of exec'ing a
script for every request, it allows opening a single connection to an
``application'' and sending the requests/receiving the responses over
that socket using a simple binary protocol.
At the moment gmid supports three different methods of opening a
fastcgi connection:
- local unix sockets, with: fastcgi "/path/to/sock"
- network sockets, with: fastcgi tcp "host" [port]
  port defaults to 9000 and can be either a string or a number
- subprocess, with: fastcgi spawn "/path/to/program"
  the fastcgi protocol is done over the executed program's stdin
Of these, the last is only for testing and may be removed in the
future.
P.S.: the fastcgi rule is per-location of course :)

saves some bytes of memory and removes the limit on the maximum number
of vhosts and location blocks.

it's needed by getdtablesize, at least on glibc

while there, add capsicum for the logger process

accept4(2) isn't part of any standard (even though it'll be in the
future) and raises warnings on some Linux distros. Moreover, we
don't have threads that may fork at any time, so doing a mark_nonblock
afterwards isn't a big deal.

fatal logs to the correct place, err only on stderr.

these are required to run on Arch Linux (at least)

Fedora 33 issues an epoll_wait instead of pwait.

add/remove syscalls from the BPF filter and move sandbox() after
libevent initialisation

not a big deal, since the pledge prohibits us from exec'ing, but
nevertheless.

musl does an F_SETFD in its fdopendir

Alpine on amd64 (under OpenBSD vmd) tries to do a clock_gettime. I
don't know why, but it doesn't seem a problem to allow it.

allow only the F_GETFL and F_SETFL commands