authorbptato <nincsnevem662@gmail.com>2024-04-18 18:30:53 +0200
committerbptato <nincsnevem662@gmail.com>2024-04-18 18:30:53 +0200
commit38db6ab5be80b255fe40df715adc3b5852875cdd (patch)
tree328eada3b571e475903be0df61c5abf09c022d8b /src/local
parent5bb9542045ff6dbb6c357eb4dd0a7616dba33a9a (diff)
downloadchawan-38db6ab5be80b255fe40df715adc3b5852875cdd.tar.gz
sandbox: seccomp support on Linux
We use libseccomp, which is now a semi-mandatory dependency on Linux.
(You can still build without it, but only if you pass a scary long flag
to make.)

For this to work I had to disable getTimezoneOffset, which would
otherwise call localtime_r which in turn reads in some files from
/usr/share/zoneinfo.  To allow this we would have to give unrestricted
openat(2) access to buffer processes, which is unacceptable.

(Giving websites access to the local timezone is a fingerprinting vector
so if this ever gets fixed then it should be an opt-in config setting.)

This patch also includes misc fixes to buffer cloning, and fixes the
LIBEXECDIR override in the makefile so that it is actually useful.
Diffstat (limited to 'src/local')
-rw-r--r--src/local/client.nim4
-rw-r--r--src/local/container.nim26
-rw-r--r--src/local/pager.nim2
3 files changed, 26 insertions, 6 deletions
diff --git a/src/local/client.nim b/src/local/client.nim
index 92fa4660..73b17c99 100644
--- a/src/local/client.nim
+++ b/src/local/client.nim
@@ -24,6 +24,7 @@ import io/dynstream
 import io/filestream
 import io/posixstream
 import io/promise
+import io/serversocket
 import io/socketstream
 import js/base64
 import js/console
@@ -407,6 +408,9 @@ proc acceptBuffers(client: Client) =
     let container = item.container
     let stream = connectSocketStream(client.config.external.tmpdir,
       client.loader.sockDirFd, container.process)
+    # unlink here; on Linux we can't unlink from the buffer :/
+    discard tryRemoveFile(getSocketPath(client.config.external.tmpdir,
+      container.process))
     if stream == nil:
       pager.alert("Error: failed to set up buffer")
       continue
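Review bot: The result of `tryRemoveFile` on the added lines is discarded, so if the unlink fails the socket path stays in tmpdir with no indication, and since the buffer cannot unlink it itself (per the new comment) nothing else will; the connection goes through sockDirFd while the removal goes by the tmpdir path, so a mismatch between the two would fail silently in the same way. Reporting the failure keeps it visible, e.g. `if not tryRemoveFile(getSocketPath(client.config.external.tmpdir, container.process)): pager.alert("Error: failed to remove buffer socket")`. Whether a leftover path remains connectable depends on the buffer side, which is outside this hunk. acceptBuffers starts before and continues after the hunk.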
diff --git a/src/local/container.nim b/src/local/container.nim
index e93bf610..b88161b8 100644
--- a/src/local/container.nim
+++ b/src/local/container.nim
@@ -1,14 +1,15 @@
 import std/deques
+import std/net
 import std/options
+import std/os
+import std/posix
 import std/unicode
 
-when defined(posix):
-  import std/posix
-
 import config/config
 import config/mimetypes
 import io/dynstream
 import io/promise
+import io/serversocket
 import io/socketstream
 import js/javascript
 import js/jstypes
@@ -184,14 +185,29 @@ proc newContainer*(config: BufferConfig; loaderConfig: LoaderClientConfig;
 func location(container: Container): URL {.jsfget.} =
   return container.url
 
-proc clone*(container: Container; newurl: URL): Promise[Container] =
+proc clone*(container: Container; newurl: URL; loader: FileLoader):
+    Promise[Container] =
+  if container.iface == nil:
+    return nil
   let url = if newurl != nil:
     newurl
   else:
     container.url
-  return container.iface.clone(url).then(proc(pid: int): Container =
+  let p = container.iface.clone(url)
+  # create a server socket, pass it on to the buffer, then move it to
+  # the expected path after the buffer forked itself
+  #TODO this is very ugly
+  let ssock = initServerSocket(loader.sockDir, loader.sockDirFd,
+    loader.clientPid)
+  SocketStream(container.iface.stream.source)
+    .sendFileHandle(FileHandle(ssock.sock.getFd()))
+  ssock.sock.close()
+  return p.then(proc(pid: int): Container =
     if pid == -1:
       return nil
+    let newPath = getSocketPath(loader.sockDir, pid)
+    let oldPath = getSocketPath(loader.sockDir, loader.clientPid)
+    moveFile(oldPath, newPath)
     let nc = Container()
     nc[] = container[]
     nc.url = url
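Review bot: The early `return nil` under `if container.iface == nil:` is not handled by the new call in pager.nim's dupeBuffer, which chains `.then` straight onto the result, so a container without an interface would presumably hit a nil access rather than the "Failed to duplicate buffer." alert; returning a promise that resolves to a nil Container (so the callback's existing nil check fires) or checking for nil at the call site would close that. On the `pid == -1` path the server socket bound under loader.clientPid is never removed, so its file at oldPath stays in sockDir; `discard tryRemoveFile(getSocketPath(loader.sockDir, loader.clientPid))` in that branch (std/os is now imported unconditionally) would clean it up. Because every in-flight clone binds at the same clientPid-derived path until its callback moves it, two clones started before the first callback runs would collide on that path — worth stating next to the TODO so the constraint is not lost. clone's body continues past the hunk.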
diff --git a/src/local/pager.nim b/src/local/pager.nim
index 99a1ba1c..28c1face 100644
--- a/src/local/pager.nim
+++ b/src/local/pager.nim
@@ -571,7 +571,7 @@ func findProcMapItem*(pager: Pager; pid: int): int =
   -1
 
 proc dupeBuffer(pager: Pager; container: Container; url: URL) =
-  container.clone(url).then(proc(container: Container) =
+  container.clone(url, pager.loader).then(proc(container: Container) =
     if container == nil:
       pager.alert("Failed to duplicate buffer.")
     else: