authorbptato <nincsnevem662@gmail.com>2024-10-23 17:35:03 +0200
committerbptato <nincsnevem662@gmail.com>2024-10-23 19:08:39 +0200
commit5c24b64fe5b242bdba68fe3d48489bed26b48eae (patch)
treec7408078c44792314cac43cfa23ae5e56996630e /lib/chaseccomp/chaseccomp.c
parentb0bb61e830e76169f41db186b5946ae6859f4e6a (diff)
downloadchawan-5c24b64fe5b242bdba68fe3d48489bed26b48eae.tar.gz
sandbox: replace libseccomp with chaseccomp
This drops libseccomp as a dependency.

Also, move the capsicum/pledge definitions from bindings to sandbox.nim
because they are only used there.

Interestingly, after integrating chaseccomp I found that the
stbi process would mysteriously crash on a getrandom(2) syscall.
Closer investigation revealed it is only called on the initialization
of glibc's malloc; presumably it had never surfaced before because
libseccomp would always allocate before entering the sandbox.

So I've added getrandom to our filter as well.
Diffstat (limited to 'lib/chaseccomp/chaseccomp.c')
-rw-r--r--lib/chaseccomp/chaseccomp.c48
1 files changed, 48 insertions, 0 deletions
diff --git a/lib/chaseccomp/chaseccomp.c b/lib/chaseccomp/chaseccomp.c
new file mode 100644
index 00000000..9001b973
--- /dev/null
+++ b/lib/chaseccomp/chaseccomp.c
@@ -0,0 +1,48 @@
+/*
+ * ref. seccomp(2)
+ * also bpf(4), except I can't find it on Linux... check a BSD.
+ */
+
+#include <stdlib.h>
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <fcntl.h>
+#include <stdint.h>
+
+#include "chaseccomp.h"
+
+int cha_enter_buffer_sandbox(void)
+{
+	struct sock_filter filter[] = {
+#include "chasc_buffer.h"
+	};
+	struct sock_fprog prog = { .len = COUNTOF(filter), .filter = filter };
+
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+		return 0;
+	if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog))
+		return 0;
+	return 1;
+}
+
+int cha_enter_network_sandbox(void)
+{
+	struct sock_filter filter[] = {
+#include "chasc_network.h"
+	};
+	struct sock_fprog prog = { .len = COUNTOF(filter), .filter = filter };
+
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+		return 0;
+	if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog))
+		return 0;
+	return 1;
+}
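Review bot: Both `syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)` calls pass flags 0, so the filter is installed for the calling thread only; any other thread alive in the process at that moment stays unfiltered and can still issue every syscall the filter is meant to block. Whether these processes can be multi-threaded when they enter the sandbox is not visible from this file, but if they can, passing `SECCOMP_FILTER_FLAG_TSYNC` makes the kernel apply the filter to all threads or fail (returning the TID of the thread that refused, which the existing non-zero check already treats as an error); the flag needs the same kernel (3.17) as seccomp(2) itself, so it adds no new requirement. The two functions differ only in the included filter table, so a `static` helper holding the prctl/seccomp pair would remove the duplication and keep the two entry points from drifting. Since a 0 return leaves the process unsandboxed, callers should treat it as fatal; errno is still valid at that point for diagnostics, which is worth stating in a header comment on each entry point.
```c
/* Install prog as the process's seccomp filter.
 * Returns 1 on success, 0 on failure with errno set by prctl(2)/seccomp(2). */
static int cha_apply_filter(struct sock_fprog *prog)
{
	/* Required before SECCOMP_SET_MODE_FILTER without CAP_SYS_ADMIN. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		return 0;
	/* TSYNC: filter every thread, or fail (nonzero return) if one cannot be synced. */
	if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, prog))
		return 0;
	return 1;
}

int cha_enter_buffer_sandbox(void)
{
	/* … unchanged: filter[] from chasc_buffer.h and prog … */
	return cha_apply_filter(&prog);
}

/* … unchanged: cha_enter_network_sandbox, same shape with chasc_network.h … */
```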