author | bptato <nincsnevem662@gmail.com> | 2024-04-18 18:30:53 +0200 |
---|---|---|
committer | bptato <nincsnevem662@gmail.com> | 2024-04-18 18:30:53 +0200 |
commit | 38db6ab5be80b255fe40df715adc3b5852875cdd (patch) | |
tree | 328eada3b571e475903be0df61c5abf09c022d8b /Makefile | |
parent | 5bb9542045ff6dbb6c357eb4dd0a7616dba33a9a (diff) | |
download | chawan-38db6ab5be80b255fe40df715adc3b5852875cdd.tar.gz |
sandbox: seccomp support on Linux
We use libseccomp, which is now a semi-mandatory dependency on Linux. (You can still build without it, but only if you pass a scary long flag to make.) For this to work I had to disable getTimezoneOffset, which would otherwise call localtime_r which in turn reads in some files from /usr/share/zoneinfo. To allow this we would have to give unrestricted openat(2) access to buffer processes, which is unacceptable. (Giving websites access to the local timezone is a fingerprinting vector so if this ever gets fixed then it should be an opt-in config setting.) This patch also includes misc fixes to buffer cloning, and fixes the LIBEXECDIR override in the makefile so that it is actually useful.
Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/Makefile b/Makefile
index 988b42d5..ed4365ef 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@ LIBEXECDIR ?= '$${%CHA_BIN_DIR}/../libexec/chawan'
 ifeq ($(LIBEXECDIR),'$${%CHA_BIN_DIR}/../libexec/chawan')
 LIBEXECDIR_CHAWAN = "$(DESTDIR)$(PREFIX)/libexec/chawan"
 else
-LIBEXECDIR_CHAWAN = $(LIBEXECDIR)/chawan
+LIBEXECDIR_CHAWAN = $(LIBEXECDIR)
 endif
 
 # These paths are quoted in recipes.
@@ -28,6 +28,11 @@ OUTDIR_LIBEXEC = $(OUTDIR_TARGET)/libexec/chawan
 OUTDIR_CGI_BIN = $(OUTDIR_LIBEXEC)/cgi-bin
 OUTDIR_MAN = $(OUTDIR_TARGET)/share/man
 
+# I won't take this from the environment for obvious reasons. Please override it
+# in the make command if you must, or (preferably) fix your environment so it's
+# not needed.
+DANGER_DISABLE_SANDBOX = 0
+
 # Nim compiler flags
 ifeq ($(TARGET),debug)
 FLAGS += -d:debug --debugger:native
@@ -55,7 +60,8 @@ $(OUTDIR_BIN)/cha: lib/libquickjs.a src/*.nim src/**/*.nim src/**/*.c res/* \
 	res/**/* res/map/idna_gen.nim nim.cfg
 	@mkdir -p "$(OUTDIR_BIN)"
 	$(NIMC) --nimcache:"$(OBJDIR)/$(TARGET)/cha" -d:libexecPath=$(LIBEXECDIR) \
-	$(FLAGS) -o:"$(OUTDIR_BIN)/cha" src/main.nim
+	-d:disableSandbox=$(DANGER_DISABLE_SANDBOX) $(FLAGS) \
+	-o:"$(OUTDIR_BIN)/cha" src/main.nim
 	ln -sf "$(OUTDIR)/$(TARGET)/bin/cha" cha
 
 $(OUTDIR_BIN)/mancha: adapter/tools/mancha.nim
@@ -125,10 +131,11 @@ $(OUTDIR_CGI_BIN)/spartan: adapter/protocol/spartan
 
 $(OUTDIR_CGI_BIN)/http: adapter/protocol/http.nim adapter/protocol/curlwrap.nim \
 	adapter/protocol/curlerrors.nim adapter/protocol/curl.nim \
-	src/utils/twtstr.nim
+	src/utils/twtstr.nim src/utils/sandbox.nim
 	@mkdir -p "$(OUTDIR_CGI_BIN)"
 	$(NIMC) $(FLAGS) --nimcache:"$(OBJDIR)/$(TARGET)/http" -d:curlLibName:$(CURLLIBNAME) \
-	-o:"$(OUTDIR_CGI_BIN)/http" adapter/protocol/http.nim
+	-d:disableSandbox=$(DANGER_DISABLE_SANDBOX) \
+	-o:"$(OUTDIR_CGI_BIN)/http" adapter/protocol/http.nim
 
 $(OUTDIR_CGI_BIN)/about: adapter/protocol/about.nim res/chawan.html \
 	res/license.html
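Review bot: The override branch `LIBEXECDIR_CHAWAN = $(LIBEXECDIR)` drops the double quotes that the default branch bakes into its value (`"$(DESTDIR)$(PREFIX)/libexec/chawan"`), so the two branches now disagree on whether the variable is pre-quoted. If the recipes that consume LIBEXECDIR_CHAWAN (outside this hunk) rely on the value already carrying its quotes, as the default branch suggests, an overridden path containing spaces or shell metacharacters would be word-split or interpreted by the shell when those recipes run; `LIBEXECDIR_CHAWAN = "$(LIBEXECDIR)"` would keep the branches consistent. If instead those recipes quote it themselves, the embedded quotes in the default branch are the inconsistency to drop, but the hunk alone does not show which convention applies.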
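Review bot: `DANGER_DISABLE_SANDBOX = 0` does ignore an environment variable of the same name, as the comment intends, because a makefile assignment takes precedence over the environment, but `make -e` (--environment-overrides) reverses that precedence, so the comment's guarantee does not hold under that flag; a line such as `# (make -e still lets the environment win; don't build with it)` would document the gap. The value is also never validated: anything other than 0 or 1 is passed verbatim into `-d:disableSandbox=` in the later hunks. A parse-time guard, `ifeq ($(filter $(DANGER_DISABLE_SANDBOX),0 1),)` / `$(error DANGER_DISABLE_SANDBOX must be 0 or 1)` / `endif`, rejects typos and empty values, and an `$(warning building without the sandbox)` for the `1` case makes a sandbox-less build visible in the build log rather than only in the command line that produced it.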
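Review bot: `-d:disableSandbox=$(DANGER_DISABLE_SANDBOX)` defines the `disableSandbox` symbol on every build, including the default `0` case; as I understand Nim's `-d:sym=value`, that makes `defined(disableSandbox)` true regardless of the value, so the consuming code (src/utils/sandbox.nim, not in this diff) must read the value through `{.intdefine.}` or `{.booldefine.}` rather than `when defined(disableSandbox)`, or the default build would silently run without the sandbox. That contract deserves a comment at the flag, e.g. `# always defined: sandbox.nim must read the value (intdefine), not test defined()`. The same flag is added to the http adapter recipe in the last hunk, where the note applies equally. Both the `$(OUTDIR_BIN)/cha` rule and the http rule continue outside their hunks.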