diff options
| author | bptato <nincsnevem662@gmail.com> | 2024-04-18 18:30:53 +0200 |
|---|---|---|
| committer | bptato <nincsnevem662@gmail.com> | 2024-04-18 18:30:53 +0200 |
| commit | 38db6ab5be80b255fe40df715adc3b5852875cdd (patch) | |
| tree | 328eada3b571e475903be0df61c5abf09c022d8b /src/server/forkserver.nim | |
| parent | 5bb9542045ff6dbb6c357eb4dd0a7616dba33a9a (diff) | |
| download | chawan-38db6ab5be80b255fe40df715adc3b5852875cdd.tar.gz | |
sandbox: seccomp support on Linux
We use libseccomp, which is now a semi-mandatory dependency on Linux. (You can still build without it, but only if you pass a scary long flag to make.) For this to work I had to disable getTimezoneOffset, which would otherwise call localtime_r which in turn reads in some files from /usr/share/zoneinfo. To allow this we would have to give unrestricted openat(2) access to buffer processes, which is unacceptable. (Giving websites access to the local timezone is a fingerprinting vector so if this ever gets fixed then it should be an opt-in config setting.) This patch also includes misc fixes to buffer cloning, and fixes the LIBEXECDIR override in the makefile so that it is actually useful.
Diffstat (limited to 'src/server/forkserver.nim')
| -rw-r--r-- | src/server/forkserver.nim | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/src/server/forkserver.nim b/src/server/forkserver.nim index e3f210f8..7502a481 100644 --- a/src/server/forkserver.nim +++ b/src/server/forkserver.nim @@ -10,6 +10,7 @@ import io/bufwriter import io/dynstream import io/posixstream import io/serversocket +import io/socketstream import io/stdio import loader/loader import server/buffer @@ -117,7 +118,6 @@ proc forkLoader(ctx: var ForkServerContext; config: LoaderConfig): int = discard close(pipefd[0]) return pid -var gssock: ServerSocket proc forkBuffer(ctx: var ForkServerContext; r: var BufferedReader): int = var config: BufferConfig var url: URL @@ -155,18 +155,24 @@ proc forkBuffer(ctx: var ForkServerContext; r: var BufferedReader): int = # calling sysctl # also lets us deny sysctl call with pledge let selector = newSelector[int]() - enterBufferSandbox(sockDir) + setBufferProcessTitle(url) let pid = getCurrentProcessId() let ssock = initServerSocket(sockDir, sockDirFd, pid) - gssock = ssock - onSignal SIGTERM: - # This will be overridden after buffer has been set up; it is only - # necessary to avoid a race condition when buffer is killed before that. - discard sig - gssock.close() let ps = newPosixStream(pipefd[1]) ps.write(char(0)) ps.sclose() + let pstream = ssock.acceptSocketStream() + gssock = ssock + gpstream = pstream + onSignal SIGTERM: + discard sig + gpstream.sclose() + when defined(linux): + # no unlink access on Linux + gssock.close(unlink = false) + else: + gssock.close() + enterBufferSandbox(sockDir) let loader = FileLoader( process: loaderPid, clientPid: pid, @@ -174,9 +180,8 @@ proc forkBuffer(ctx: var ForkServerContext; r: var BufferedReader): int = sockDirFd: sockDirFd ) try: - setBufferProcessTitle(url) launchBuffer(config, url, request, attrs, ishtml, charsetStack, loader, - ssock, selector) + ssock, pstream, selector) except CatchableError: let e = getCurrentException() # taken from system/excpt.nim |