path: root/src/utils/sandbox.nim
Commit log (each entry: commit message, author, date, files changed, lines removed/added)

* chaseccomp: update docs, remove redundant import (bptato, 2024-11-07, 1 file, -2/+0)

* chaseccomp: fix compilation with newest dash, misc changes (bptato, 2024-10-31, 1 file, -3/+0)

    * fix matching on unstripped whitespace: caught after upgrading to upstream dash & chaseccomp wouldn't compile
    * add defines to ensure that we computed the filter length correctly
    * inline cut_label
    * EPERM on sigaction, sigprocmask, gettid, and kill on tgkill (so a crash doesn't trigger sandbox violations)
    * move SIGSYS handler to C and add one for the network

  The last change removes the stack trace from SIGSYS, but gives us the syscall number which is probably more useful. (Indeed, we don't even have a stack trace in release builds.)

* sandbox: use relative path to the object file (bptato, 2024-10-23, 1 file, -1/+6)

* sandbox: replace libseccomp with chaseccomp (bptato, 2024-10-23, 1 file, -176/+29)

  This drops libseccomp as a dependency. Also, move the capsicum/pledge definitions from bindings to sandbox.nim because they are only used there.

  Interestingly, after integrating chaseccomp I found that the stbi process would mysteriously crash by a getrandom(2) syscall. Closer investigation revealed it is only called on the initialization of glibc's malloc; presumably it had never surfaced before because libseccomp would always allocate before entering the sandbox. So I've added getrandom to our filter as well.

* dynstream, serversocket: use posix instead of nativesockets (bptato, 2024-10-20, 1 file, -3/+3)

  nativesockets is a wrapper over posix and winapi, but we don't support winapi, so we can just fall back to PosixStream instead. SocketStream remains as a constraint over PosixStream to allow sendFileHandle/recvFileHandle.

  As a nice side effect, we can drop some allowed syscalls from the seccomp filter.

* sandbox: do not ask for signal permissions (bptato, 2024-10-17, 1 file, -3/+0)

  On second thought, no timeouts for name resolution is fine - and even if it weren't, it's better implemented in the loader.

* sandbox: allow clock_gettime64 (bptato, 2024-09-30, 1 file, -1/+2)

  used on 32-bit platforms

* sandbox: allow restart_syscall (bptato, 2024-09-27, 1 file, -1/+3)

  required for poll

* Replace std/selectors with poll (bptato, 2024-09-23, 1 file, -11/+2)

  std/selectors uses OS-specific selector APIs, which sounds good in theory (faster than poll!), but sucks for portability in practice. Sure, you can fix portability bugs, but who knows how many there are on untested platforms... poll is standard, so if it works on one computer it should work on all other ones. (I hope.)

  As a bonus, I rewrote the timeout API for poll, which incidentally fixes setTimeout across forks. Also, SIGWINCH should now work on all platforms (as we self-pipe instead of signalfd/kqueue magic).

* sandbox: always allow epoll_pwait (bptato, 2024-09-15, 1 file, -1/+1)

  looks like it's also necessary for musl

* sandbox: stricter fcntl policy (bptato, 2024-09-14, 1 file, -4/+17)

  fcntl has some cursed commands that we really don't want to allow

* Fix 1.6.14 compilation (bptato, 2024-09-07, 1 file, -1/+1)

  Wait, why does std fastRuneAt try to decode UCS-32? Hmm...

* sandbox: allow futex in network/buffer sandbox (bptato, 2024-09-06, 1 file, -1/+2)

  WSL needs it. It was already allowed on Android, so this just makes the sandboxes converge a little.

* sixel, stbi, sandbox: fix fstat sandbox violation (bptato, 2024-09-04, 1 file, -2/+23)

  Until recently, glibc used to implement it as fstatat. So don't trap for fstatat (and for consistency, fstat), but return EPERM.

  Just to be sure, rewrite sixel & stbi to never call fread.

* sandbox: allow ugetrlimit (bptato, 2024-08-09, 1 file, -0/+1)

  called on armhf

* client, sandbox: fix termux build (bptato, 2024-07-24, 1 file, -3/+51)

  Still not perfect, because it crashes on missing /tmp dir so you have to manually set it...

* main: misc improvements (bptato, 2024-07-05, 1 file, -3/+20)

* pager: PNGify kitty images, clear images on buffer switch (bptato, 2024-07-02, 1 file, -1/+1)

  Saves bandwidth; it's especially useful over SSH.

  Still not sure if this is the right solution, since it now needs two select cycles instead of one, and it does yet another copy of the image. (Unnecessarily, because stbi cannot stream its output, and stbiw cannot stream its input.)

  Also, to save memory, we now discard decoded images of buffers that are not being viewed.

* img, loader: add image resizing, misc fixes (bptato, 2024-06-28, 1 file, -0/+2)

    * resize images with stb_image_resize
    * use tee for output handle redirection (redirectToFile blocks)
    * cache original image files
    * accept lseek in sandbox
    * misc stbi fixes

  For now, I just pulled in stb_image_resize v1. v2 is an extra 150K in size, not sure if it's worth the cost. (Either way, we can always switch later if needed, since the API is almost the same.)

  Next step: move sixel/kitty encoders to CGI, and cache their output in memory instead of the intermediate RGBA representation.

* img: use stb_image, drop zlib as dependency (bptato, 2024-06-20, 1 file, -2/+3)

  Now we have decoders for gif, jpeg, bmp. Also, the in-house PNG decoder has been replaced in favor of the stbi implementation; this means we no longer depend on zlib, since stbi comes with a built-in inflate implementation.

* sandbox: add sigreturn (bptato, 2024-05-21, 1 file, -0/+2)

  seems to get called for signal handlers

* config: separate tmp dir for sockets, users (bptato, 2024-05-16, 1 file, -2/+0)

    * add $LOGNAME to the tmp directory name, so that tmpdirs of separate users don't conflict
    * use separate directory for sockets, so that we do not have to give buffers access to all cached pages

* sandbox: allow getpid in seccomp network sandbox (bptato, 2024-04-27, 1 file, -0/+1)

  openssl needs it

* sandbox: remove unveil call (bptato, 2024-04-23, 1 file, -7/+4)

  We no longer modify the file system inside the sandbox, so this permission is simply not needed.

* sandbox: allow syscalls for epoll Nim selectors (bptato, 2024-04-20, 1 file, -0/+4)

  This fixes setTimeout/setInterval causing crashes.

  Note: timerfd_gettime is not actually used by Nim right now. However, it seems like a good idea to add it to the set in case a future Nim version needs it, as it does no harm.

  We still do not allow signalfd, because it would let rogue buffers override our SIGSYS handler. (Not sure if this really matters, but we don't need it for now anyway.)

* http: fix sandbox violation in readFromStdin (bptato, 2024-04-19, 1 file, -0/+2)

  glibc apparently calls fstat from fread, and we didn't allow it in seccomp. So:

    * allow fstat in the sandbox; no reason not to, and it seems too big of a footgun to assume we never call fread
    * use read(2) in http; no need for buffered I/O here

* sandbox: seccomp support on Linux (bptato, 2024-04-18, 1 file, -2/+118)

  We use libseccomp, which is now a semi-mandatory dependency on Linux. (You can still build without it, but only if you pass a scary long flag to make.)

  For this to work I had to disable getTimezoneOffset, which would otherwise call localtime_r which in turn reads in some files from /usr/share/zoneinfo. To allow this we would have to give unrestricted openat(2) access to buffer processes, which is unacceptable. (Giving websites access to the local timezone is a fingerprinting vector so if this ever gets fixed then it should be an opt-in config setting.)

  This patch also includes misc fixes to buffer cloning, and fixes the LIBEXECDIR override in the makefile so that it is actually useful.

* sandbox: add OpenBSD pledge/unveil support (bptato, 2024-04-03, 1 file, -3/+26)

  pledge is a bit more fine-grained than Capsicum's capability mode, so the buffer & http ("network") sandboxes are now split up into two parts.

  I applied the same hack as in FreeBSD for overriding the buffer selector kqueue, because a) I didn't want to request sysctl promise b) I'm not sure if it would even work and c) if it breaks on OpenBSD, then it's broken on FreeBSD too, so there's a greater chance of discovering the bug.

* Add capsicum support (bptato, 2024-03-28, 1 file, -0/+13)

  It's the sandboxing system of FreeBSD. Quite pleasant to work with. (Just trying to figure out the basics with this one before tackling the abomination that is seccomp.)

  Indeed, the only non-trivial part was getting newSelector to work with Capsicum. Long story short it doesn't, so we use an ugly pointer cast + assignment. But even that is stdlib's "fault", not Capsicum's.

  This also gets rid of that ugly SocketPath global.