author: bptato <nincsnevem662@gmail.com> 2024-04-18 18:30:53 +0200
committer: bptato <nincsnevem662@gmail.com> 2024-04-18 18:30:53 +0200
commit: 38db6ab5be80b255fe40df715adc3b5852875cdd
tree: 328eada3b571e475903be0df61c5abf09c022d8b
parent: 5bb9542045ff6dbb6c357eb4dd0a7616dba33a9a
sandbox: seccomp support on Linux
We use libseccomp, which is now a semi-mandatory dependency on Linux.
(You can still build without it, but only if you pass a scary long flag
to make.)

For this to work I had to disable getTimezoneOffset, which would
otherwise call localtime_r which in turn reads in some files from
/usr/share/zoneinfo.  To allow this we would have to give unrestricted
openat(2) access to buffer processes, which is unacceptable.

(Giving websites access to the local timezone is a fingerprinting vector
so if this ever gets fixed then it should be an opt-in config setting.)

This patch also includes misc fixes to buffer cloning, and fixes the
LIBEXECDIR override in the makefile so that it is actually useful.
Diffstat (limited to 'doc/build.md')
-rw-r--r--  doc/build.md | 9
1 file changed, 8 insertions, 1 deletion
diff --git a/doc/build.md b/doc/build.md
index bb9f929d..3d337d82 100644
--- a/doc/build.md
+++ b/doc/build.md
@@ -37,9 +37,16 @@ also override them by setting an environment variable with the same name.
   man pages. The default setting expands to `/usr/local/share/man/man1`, etc.
 * `CURLLIBNAME`: Change the name of the libcurl shared object file.
 * `LIBEXECDIR`: Path to your libexec directory; by default, it is relative
-  to wherever the binary is placed when it is executed.<BR>
+  to wherever the binary is placed when it is executed. (i.e. after installation
+  it would resolve to `/usr/local/libexec`.) <BR>
   WARNING: Unlike other path names, this must be quoted if your path contains
   spaces!
+* `DANGER_DISABLE_SANDBOX`: Set it to 1 to disable OS-level sandboxing even
+  on systems where we have built-in sandboxing support. Note that this is
+  *not* taken from the environment variables; you must use it like
+  `make DANGER_DISABLE_SANDBOX=1`.<BR>
+  WARNING: as the name suggests, this is rarely an optimal solution to whatever
+  problem you are facing.
 
 ## Phony targets
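Review bot: The new `DANGER_DISABLE_SANDBOX` bullet never says which systems have "built-in sandboxing support" or what the build needs on them, while the commit message says libseccomp is now a semi-mandatory dependency on Linux and that this flag is the only way to build without it. Readers hitting a missing-libseccomp build failure will not connect the two; suggest naming the dependency in the bullet, e.g. "On Linux, sandboxing uses libseccomp; set this only if you cannot install it." Smaller points in the same hunk: the `LIBEXECDIR` addition "(i.e. after installation it would resolve to `/usr/local/libexec`.)" reads as an example for the default prefix rather than a definition, so "e.g." fits better, and the trailing space before `<BR>` on that line should go. The "*not* taken from the environment variables" remark also directly contradicts the section lead-in visible in the hunk header ("also override them by setting an environment variable with the same name"), so it is worth one clause explaining why this variable is different (it only exists as a make variable).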