author | bptato <nincsnevem662@gmail.com> | 2024-04-19 18:19:09 +0200 |
---|---|---|
committer | bptato <nincsnevem662@gmail.com> | 2024-04-19 18:25:39 +0200 |
commit | d4d34ea8b5257d6f0ddd40807a9b6b684df24811 (patch) | |
tree | 3d8f8d2fa482f962115927e35673465f18aa14c5 /src/utils | |
parent | cce00d49b0c2962a2e39c31f6b09863c1231c7d6 (diff) | |
download | chawan-d4d34ea8b5257d6f0ddd40807a9b6b684df24811.tar.gz |
http: fix sandbox violation in readFromStdin
glibc apparently calls fstat from fread, and we didn't allow it in seccomp. So:

* allow fstat in the sandbox; no reason not to, and it seems too big of a footgun to assume we never call fread
* use read(2) in http; no need for buffered i/o here
Diffstat (limited to 'src/utils')
-rw-r--r-- | src/utils/sandbox.nim | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/utils/sandbox.nim b/src/utils/sandbox.nim index 4697523f..ad37c2d2 100644 --- a/src/utils/sandbox.nim +++ b/src/utils/sandbox.nim @@ -88,6 +88,7 @@ elif defined(linux) and not disableSandbox: "exit_group", # for quit "fcntl", "fcntl64", # for changing blocking status "fork", # for when fork is really fork + "fstat", # glibc fread seems to call it "getpid", # for determining current PID after we fork "getrlimit", # glibc uses it after fork it seems "getsockname", # Nim needs it for connecting @@ -131,6 +132,7 @@ elif defined(linux) and not disableSandbox: "fcntl", "fcntl64", # so we can set nonblock etc. "mmap", "mmap2", "munmap", "brk", # memory allocation "poll", # curl needs poll + "fstat", # glibc fread seems to call it # maybe it will need epoll too in the future "epoll_create", "epoll_create1", "epoll_ctl", "epoll_wait", "ppoll", # or ppoll |