Proof-of-concept, default-permit seccomp-bpf sandbox

Can be disabled by adding -DCONFIG_NOSANDBOX to CXXFLAGS.
2026-01-04 00:20:43 +00:00 · 2021-11-04 03:12:11 +01:00
parent 05d6174351
commit 3c1e08372d
7 changed files with 138 additions and 2 deletions
--- a/src/sandbox/Sandbox.hpp
+++ b/src/sandbox/Sandbox.hpp
@@ -0,0 +1,21 @@
+#pragma once
+
+// use the sandbox on supported platforms, unless disabled
+#if defined(__linux__) || defined(__OpenBSD__)
+
+# if !defined(CONFIG_NOSANDBOX)
+void sandbox_start();
+# else
+
+#include <iostream>
+
+inline void sandbox_start() {
+    std::cout << "[WARN] Built without a sandbox" << std::endl;
+}
+
+# endif // CONFIG_NOSANDBOX
+
+#else
+// stub for unsupported platforms
+inline void sandbox_start() {}
+#endif