| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Saves bandwidth; it's especially useful over SSH. Still not sure if this
is the right solution, since it now needs two select cycles instead
of one, and it does yet another copy of the image. (Unnecessarily,
because stbi cannot stream its output, and stbiw cannot stream its
input.)
Also, to save memory, we now discard decoded images of buffers that are
not being viewed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* resize images with stb_image_resize
* use tee for output handle redirection (redirectToFile blocks)
* cache original image files
* accept lseek in sandbox
* misc stbi fixes
For now, I just pulled in stb_image_resize v1. v2 is an extra 150K in
size, not sure if it's worth the cost. (Either way, we can always switch
later if needed, since the API is almost the same.)
Next step: move sixel/kitty encoders to CGI, and cache their output in
memory instead of the intermediate RGBA representation.
|
| |
|
|
|
|
|
| |
Now we have decoders for gif, jpeg, bmp. Also, the in-house PNG decoder
has been replaced in favor of the stbi implementation; this means we
no longer depend on zlib, since stbi comes with a built in inflate
implementation.
|
| |
|
|
| |
seems to get called for signal handlers
|
| |
|
|
|
|
|
| |
* add $LOGNAME to the tmp directory name, so that tmpdirs of separate
users don't conflict
* use separate directory for sockets, so that we do not have to give
buffers access to all cached pages
|
| |
|
|
| |
openssl needs it
|
| |
|
|
|
| |
We no longer modify the file system inside the sandbox, so this
permission is simply not needed.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes setTimeout/setInterval causing crashes.
Note: timerfd_gettime is not actually used by Nim right now.
However, it seems like a good idea to add it to the set in case a
future Nim version needs it, as it does no harm.
We still do not allow signalfd, because it would let rogue buffers
override our SIGSYS handler. (Not sure if this really matters, but
we don't need it for now anyway.)
|
| |
|
|
|
|
|
|
|
| |
glibc apparently calls fstat from fread, and we didn't allow it in
seccomp. So:
* allow fstat in the sandbox; no reason not to, and it seems too big of
a footgun to assume we never call fread
* use read(2) in http; no need for buffered i/o here
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use libseccomp, which is now a semi-mandatory dependency on Linux.
(You can still build without it, but only if you pass a scary long flag
to make.)
For this to work I had to disable getTimezoneOffset, which would
otherwise call localtime_r which in turn reads in some files from
/usr/share/zoneinfo. To allow this we would have to give unrestricted
openat(2) access to buffer processes, which is unacceptable.
(Giving websites access to the local timezone is a fingerprinting vector
so if this ever gets fixed then it should be an opt-in config setting.)
This patch also includes misc fixes to buffer cloning, and fixes the
LIBEXECDIR override in the makefile so that it is actually useful.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
pledge is a bit more fine-grained than Capsicum's capability mode,
so the buffer & http ("network") sandboxes are now split up into
two parts.
I applied the same hack as in FreeBSD for overriding the buffer
selector kqueue, because a) I didn't want to request sysctl promise
b) I'm not sure if it would even work and c) if it breaks on OpenBSD,
then it's broken on FreeBSD too, so there's a greater chance of
discovering the bug.
|
|
|
It's the sandboxing system of FreeBSD. Quite pleasant to work with.
(Just trying to figure out the basics with this one before tackling the
abomination that is seccomp.)
Indeed, the only non-trivial part was getting newSelector to work with
Capsicum. Long story short it doesn't, so we use an ugly pointer cast +
assignment. But even that is stdlib's "fault", not Capsicum's.
This also gets rid of that ugly SocketPath global.
|