All uses of these could be delegated to other processes with more
privileges.
Now we just pass through a socket created in pager.
This removes the need for a socket directory, and strengthens the buffer
sandbox slightly.
I've kept the ServerSocket code, because I want to add some form of RPC
and communication between separate instances in the future. However,
I don't expect this to be handled outside the main process, so I've
removed the Capsicum-specific connectat/bindat code.
This caused buffer cloning to choke on armhf.
It seems that cris and S/390 architectures also swap flags and stack;
luckily, both are dead.
Otherwise, it complains about missing syscalls on cross compilation.
(Also, fix the warnings this revealed.)
continuation of 79d832c37
ref. https://todo.sr.ht/~bptato/chawan/23
TODO: I'm not quite sure *why* it's getting called. curls operate in
mysterious ways.
* add some more env vars to makefile
* remove fpermissive from GCC builds
* update Monoucha
* fix borked seccomp filter length safety check (ugh)
* add restrictions on clone for buffer filter
- hardcoded it for musl, glibc and bionic. hopefully they don't
change it too soon...
* remove define directive from gen_syscalls
- now the arch nr check is hardcoded in gen_defs. makes things a
bit less complex.
* fix borked mprotect filter on bionic
- this completely broke the browser.
* abort on network sandbox violation - it's probably better not to, but
I want to think this through a bit more before changing it for good
(and then do it consistently, i.e. also for the buffer process.)
* revert case variable quoting - the lack of field splitting is
specified by POSIX, and the readme states that we target POSIX. no
need to be paranoid about imaginary shells.
* fix matching on unstripped whitespace: caught after upgrading to
upstream dash & chaseccomp wouldn't compile
* add defines to ensure that we computed the filter length correctly
* inline cut_label
* EPERM on sigaction, sigprocmask, gettid, and kill on tgkill (so a
crash doesn't trigger sandbox violations)
* move SIGSYS handler to C and add one for the network
The last change removes the stack trace from SIGSYS, but gives us the
syscall number which is probably more useful. (Indeed, we don't even
have a stack trace in release builds.)
This drops libseccomp as a dependency.
Also, move the capsicum/pledge definitions from bindings to sandbox.nim
because they are only used there.
Interestingly, after integrating chaseccomp I found that the
stbi process would mysteriously crash by a getrandom(2) syscall.
Closer investigation revealed it is only called on the initialization
of glibc's malloc; presumably it had never surfaced before because
libseccomp would always allocate before entering the sandbox.
So I've added getrandom to our filter as well.