From 38db6ab5be80b255fe40df715adc3b5852875cdd Mon Sep 17 00:00:00 2001 From: bptato Date: Thu, 18 Apr 2024 18:30:53 +0200 Subject: sandbox: seccomp support on Linux We use libseccomp, which is now a semi-mandatory dependency on Linux. (You can still build without it, but only if you pass a scary long flag to make.) For this to work I had to disable getTimezoneOffset, which would otherwise call localtime_r which in turn reads in some files from /usr/share/zoneinfo. To allow this we would have to give unrestricted openat(2) access to buffer processes, which is unacceptable. (Giving websites access to the local timezone is a fingerprinting vector so if this ever gets fixed then it should be an opt-in config setting.) This patch also includes misc fixes to buffer cloning, and fixes the LIBEXECDIR override in the makefile so that it is actually useful. --- doc/build.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'doc/build.md') diff --git a/doc/build.md b/doc/build.md index bb9f929d..3d337d82 100644 --- a/doc/build.md +++ b/doc/build.md @@ -37,9 +37,16 @@ also override them by setting an environment variable with the same name. man pages. The default setting expands to `/usr/local/share/man/man1`, etc. * `CURLLIBNAME`: Change the name of the libcurl shared object file. * `LIBEXECDIR`: Path to your libexec directory; by default, it is relative - to wherever the binary is placed when it is executed.
+ to wherever the binary is placed when it is executed. (i.e. after installation + it would resolve to `/usr/local/libexec`.)
WARNING: Unlike other path names, this must be quoted if your path contains spaces! +* `DANGER_DISABLE_SANDBOX`: Set it to 1 to disable OS-level sandboxing even + on systems where we have built-in sandboxing support. Note that this is + *not* taken from the environment variables; you must use it like + `make DANGER_DISABLE_SANDBOX=1`.
+ WARNING: as the name suggests, this is rarely an optimal solution to whatever + problem you are facing. ## Phony targets -- cgit 1.4.1-2-gfad0
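Review bot: the new `DANGER_DISABLE_SANDBOX` bullet never says what the build requires when the flag is unset; the commit message makes libseccomp effectively mandatory on Linux and says the build only succeeds without it if this flag is passed, yet the documented text in this hunk does not mention libseccomp at all. Suggest adding one sentence to the bullet, e.g. `On Linux the build requires libseccomp unless this is set.`, and listing libseccomp wherever build.md enumerates Linux dependencies. Two smaller points in the same hunk: the added `WARNING: as the name suggests, this is rarely an optimal solution to whatever problem you are facing` states no consequence; say concretely that buffer processes then run without any OS-level sandbox (no seccomp filter on Linux) so a packager can judge the trade-off. And in the LIBEXECDIR change, `(i.e. after installation it would resolve to `/usr/local/libexec`.)` should be `e.g.`, since that path only holds for the default PREFIX.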