path: root/src/utils/sandbox.nim
Commit message | Author | Age | Files | Lines (-removed/+added)
* sandbox: allow getpid in seccomp network sandbox
  bptato, 2024-04-27, 1 file, -0/+1

  openssl needs it
* sandbox: remove unveil call
  bptato, 2024-04-23, 1 file, -7/+4

  We no longer modify the file system inside the sandbox, so this permission is simply not needed.
* sandbox: allow syscalls for epoll Nim selectors
  bptato, 2024-04-20, 1 file, -0/+4

  This fixes setTimeout/setInterval causing crashes.

  Note: timerfd_gettime is not actually used by Nim right now. However, it seems like a good idea to add it to the set in case a future Nim version needs it, as it does no harm.

  We still do not allow signalfd, because it would let rogue buffers override our SIGSYS handler. (Not sure if this really matters, but we don't need it for now anyway.)
* http: fix sandbox violation in readFromStdin
  bptato, 2024-04-19, 1 file, -0/+2

  glibc apparently calls fstat from fread, and we didn't allow it in seccomp. So:

  * allow fstat in the sandbox; no reason not to, and it seems too big of a footgun to assume we never call fread
  * use read(2) in http; no need for buffered i/o here
* sandbox: seccomp support on Linux
  bptato, 2024-04-18, 1 file, -2/+118

  We use libseccomp, which is now a semi-mandatory dependency on Linux. (You can still build without it, but only if you pass a scary long flag to make.)

  For this to work I had to disable getTimezoneOffset, which would otherwise call localtime_r which in turn reads in some files from /usr/share/zoneinfo. To allow this we would have to give unrestricted openat(2) access to buffer processes, which is unacceptable. (Giving websites access to the local timezone is a fingerprinting vector so if this ever gets fixed then it should be an opt-in config setting.)

  This patch also includes misc fixes to buffer cloning, and fixes the LIBEXECDIR override in the makefile so that it is actually useful.
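The 2024-04-18 and 2024-04-19 entries above describe the Linux sandbox as a syscall allow-list and the fread/fstat violation it produced. The following is an added example, my own code and not the project's (the project uses libseccomp; this uses the raw BPF filter via prctl(2) so it needs only the kernel headers). It installs an allow-list in a forked child and has the child fread() a pipe. With the stat family allowed, the child reads the constructed message and exits 0; with it denied, glibc's first buffered read calls fstat and the kernel kills the child with SIGSYS, which is the failure the 2024-04-19 fix addresses. Assumptions: Linux on x86_64 or aarch64, glibc, the constructed syscall lists and pipe contents, and the names install_filter and run_fread_sandboxed, which are chosen here.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The arch check is mandatory: syscall numbers differ per ABI. Assumed: x86_64 or aarch64. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant and check the __NR_* lists for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL  /* pre-4.14 headers: kills the thread instead */
#endif

/* Assumed allow-list for a process that only reads one pipe and exits. getpid is the one
 * OpenSSL needed; brk/mmap/munmap/mprotect/getrandom are what glibc malloc may touch when
 * stdio allocates its buffer. Anything not listed is killed with SIGSYS. */
static const int base_allow[] = {
    __NR_read, __NR_readv, __NR_write, __NR_brk, __NR_mmap, __NR_munmap, __NR_mprotect,
    __NR_getrandom, __NR_getpid, __NR_rt_sigreturn, __NR_exit, __NR_exit_group,
};
/* The stat family: which member fread() lands in depends on the glibc version (fstat,
 * newfstatat with AT_EMPTY_PATH, or statx), so the fixed filter allows all of them. */
static const int stat_allow[] = { __NR_fstat, __NR_newfstatat, __NR_statx };

static struct sock_filter bpf(unsigned short code, unsigned int k, unsigned char jt, unsigned char jf) {
    struct sock_filter f = { .code = code, .jt = jt, .jf = jf, .k = k };
    return f;
}

/* Build and install the allow-list filter in the calling process. Returns 0 on success. */
static int install_filter(int allow_stat) {
    const int *lists[2] = { base_allow, stat_allow };
    size_t counts[2] = { sizeof base_allow / sizeof *base_allow,
                         allow_stat ? sizeof stat_allow / sizeof *stat_allow : 0 };
    struct sock_filter code[64];
    size_t n = 0;
    code[n++] = bpf(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch), 0, 0);
    code[n++] = bpf(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    code[n++] = bpf(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS, 0, 0);   /* wrong ABI: kill */
    code[n++] = bpf(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr), 0, 0);
    for (int l = 0; l < 2; l++)
        for (size_t i = 0; i < counts[l]; i++) {        /* if nr == x: ALLOW, else fall through */
            code[n++] = bpf(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)lists[l][i], 0, 1);
            code[n++] = bpf(BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
        }
    code[n++] = bpf(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS, 0, 0);   /* default: kill */
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = code };
    /* NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, sandbox it, and have it fread() a pipe holding a constructed message.
 * Returns the signal that killed the child (SIGSYS on a violation), 0 if it read the
 * message, or -exitcode for other failures (-99: the filter could not be installed). */
static int run_fread_sandboxed(int allow_stat) {
    static const char msg[] = "hello sandbox\n";  /* constructed input */
    int fds[2], status;
    if (pipe(fds) != 0) return -100;
    if (write(fds[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return -100;
    close(fds[1]);                                  /* child sees the message, then EOF */
    pid_t pid = fork();
    if (pid < 0) return -100;
    if (pid == 0) {
        FILE *fp = fdopen(fds[0], "r");             /* fdopen() calls fcntl(): do it before the filter */
        if (fp == NULL) _exit(98);
        if (install_filter(allow_stat) != 0) _exit(99);
        /* First buffered read: glibc fstat()s the fd to size the buffer, mallocs it, then
         * read()s. With the stat family denied, the child is killed right here. */
        char buf[64];
        size_t got = fread(buf, 1, sizeof buf, fp);
        _exit(got == sizeof msg - 1 ? 0 : 1);
    }
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -100;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -WEXITSTATUS(status);
}

int main(void) {
    int ok = run_fread_sandboxed(1);
    int bad = run_fread_sandboxed(0);
    printf("stat family allowed: %d (0 = fread succeeded)\n", ok);
    printf("stat family denied:  %d (%s)\n", bad, bad == SIGSYS ? "child killed by SIGSYS" : "unexpected");
    return ok == 0 && bad == SIGSYS ? 0 : 1;
}
```

Build with `cc -o seccomp_fread seccomp_fread.c` and run it as a normal user; PR_SET_NO_NEW_PRIVS is what makes the filter installable without privileges. Swapping SECCOMP_RET_KILL_PROCESS for SECCOMP_RET_TRAP turns the kill into a catchable SIGSYS, which is the mode a userspace SIGSYS handler (like the one the 2024-04-20 entry mentions) depends on.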
* sandbox: add OpenBSD pledge/unveil support
  bptato, 2024-04-03, 1 file, -3/+26

  pledge is a bit more fine-grained than Capsicum's capability mode, so the buffer & http ("network") sandboxes are now split up into two parts.

  I applied the same hack as in FreeBSD for overriding the buffer selector kqueue, because a) I didn't want to request the sysctl promise, b) I'm not sure if it would even work, and c) if it breaks on OpenBSD, then it's broken on FreeBSD too, so there's a greater chance of discovering the bug.
* Add capsicum support
  bptato, 2024-03-28, 1 file, -0/+13

  It's the sandboxing system of FreeBSD. Quite pleasant to work with. (Just trying to figure out the basics with this one before tackling the abomination that is seccomp.)

  Indeed, the only non-trivial part was getting newSelector to work with Capsicum. Long story short it doesn't, so we use an ugly pointer cast + assignment. But even that is stdlib's "fault", not Capsicum's.

  This also gets rid of that ugly SocketPath global.