| field | value | date |
|---|---|---|
| author | bptato <nincsnevem662@gmail.com> | 2024-04-18 18:30:53 +0200 |
| committer | bptato <nincsnevem662@gmail.com> | 2024-04-18 18:30:53 +0200 |
| commit | 38db6ab5be80b255fe40df715adc3b5852875cdd (patch) | |
| tree | 328eada3b571e475903be0df61c5abf09c022d8b /src/local/client.nim | |
| parent | 5bb9542045ff6dbb6c357eb4dd0a7616dba33a9a (diff) | |
| download | chawan-38db6ab5be80b255fe40df715adc3b5852875cdd.tar.gz | |
sandbox: seccomp support on Linux
We use libseccomp, which is now a semi-mandatory dependency on Linux. (You can still build without it, but only if you pass a scary long flag to make.)

For this to work I had to disable getTimezoneOffset, which would otherwise call localtime_r which in turn reads in some files from /usr/share/zoneinfo. To allow this we would have to give unrestricted openat(2) access to buffer processes, which is unacceptable. (Giving websites access to the local timezone is a fingerprinting vector, so if this ever gets fixed then it should be an opt-in config setting.)

This patch also includes misc fixes to buffer cloning, and fixes the LIBEXECDIR override in the makefile so that it is actually useful.
Diffstat (limited to 'src/local/client.nim')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/local/client.nim | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/local/client.nim b/src/local/client.nim index 92fa4660..73b17c99 100644 --- a/src/local/client.nim +++ b/src/local/client.nim @@ -24,6 +24,7 @@ import io/dynstream import io/filestream import io/posixstream import io/promise +import io/serversocket import io/socketstream import js/base64 import js/console @@ -407,6 +408,9 @@ proc acceptBuffers(client: Client) = let container = item.container let stream = connectSocketStream(client.config.external.tmpdir, client.loader.sockDirFd, container.process) + # unlink here; on Linux we can't unlink from the buffer :/ + discard tryRemoveFile(getSocketPath(client.config.external.tmpdir, + container.process)) if stream == nil: pager.alert("Error: failed to set up buffer") continue |
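Review bot: the new `import io/serversocket` in the first hunk appears to exist only to bring `getSocketPath` into scope (that is the only symbol from it used in this diff), so `from io/serversocket import getSocketPath` would document the dependency and keep the client module from importing the server-side socket API wholesale.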
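Review bot: in the `acceptBuffers` hunk the return value of `tryRemoveFile` is discarded, so if the unlink fails the buffer's socket file is silently left behind in `client.config.external.tmpdir`; since the point of this commit is to tighten the sandbox, a stale socket path should at least be reported, e.g. `if not tryRemoveFile(getSocketPath(...)): pager.alert("Warning: could not remove buffer socket")`. The comment would also be clearer if it said why the buffer side cannot unlink on Linux (presumably the seccomp filter this commit introduces denies it) and noted that, because the unlink happens only after `connectSocketStream` returns, the socket remains present on disk for the whole window between the buffer creating it and the client connecting; stating that window explicitly is better than the ":/".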