Commit Graph

14 Commits

Author SHA1 Message Date
94064e1865 [sandbox] Print error message on seccomp sandbox violation
Co-authored-by: cpunch <sethtstubbs@gmail.com>
2024-10-17 01:04:50 +02:00
197ccad0eb [sandbox] Landlock support
* Support disabling Landlock at compile time or runtime if unsupported,
  without disabling seccomp
* Support older Landlock ABI versions
* Support an extra arbitrary RW path, intended for the coredump dir
* Support database locations other than the working directory
2024-10-17 01:03:06 +02:00
b1eea6d4fe [seccomp] Whitelist rseq syscall
Used by glibc 2.35 and later.
2022-11-15 02:30:20 +01:00
f126b88781 [seccomp] Whitelist newfstatat and fix a few #ifdefs
Some newer versions of either glibc or libsqlite3 seem to require this
syscall for the server to terminate properly.
2022-09-04 20:53:17 +02:00
271eef83d3 [seccomp] Add support for AArch64
This is useful for 64-bit Raspberry Pis and other 64-bit ARM systems.
2022-07-24 22:40:46 +02:00
f376c68115 [seccomp] Allow clock_nanosleep()
This apparently gets called very rarely during normal operation. This
change fixes a rare server crash.
2022-02-04 20:04:22 +01:00
384a2ece78 [sandbox] Seccomp filter tweaks
* Restrict fcntl() to only the flags we need
* Non-fatally deny tgkill() and rt_sigaction() so that segfaults don't
  result in a SIGSYS. They're debuggable either way, but this way it's
  clearer what the issue is right away.
* Allow truncate() and ftruncate() for sqlite's alternate journal modes
* Slight macro cleanup
* Add missing colon in a DB log message

We don't need to worry about compilation problems arising if glibc or
musl-libc add their own wrapper for the seccomp() syscall in the future.
Ours will/would just silently take precedence over the external one
without interfering with compilation. This should work regardless of
whether libc uses weak symbols and regardless of whether libc is
dynamically or statically linked into the executable. The wrapper's
signature has been stripped of its static and inline qualifiers, as it
must match the exact declaration the libc headers will/would use.

Further, if a pre-compiled binary is run on a system which genuinely
doesn't support seccomp(), it'll just return ENOSYS and the server will
terminate with an error. The user can then just disable the sandbox in
the config file. We don't need any special logic for that scenario.
2021-12-26 04:00:51 +01:00
c6ffcd4804 Clean up indentation in a few places 2021-12-16 03:34:15 +01:00
b3c844650b Tighten seccomp sandbox restrictions on mmap(), ioctl() and socketcall() 2021-12-16 00:36:48 +01:00
dfe596447b Whitelist syscalls for 32-bit x86 Linux
Should probably filter the args to this for the sake of proper
sandboxing.
2021-12-16 00:36:48 +01:00
9297e82589 Whitelist syscalls for musl-libc, Raspberry Pi and alt libsqlite configs 2021-12-16 00:36:48 +01:00
4319ee57a0 Switch seccomp sandbox to default-deny filter 2021-12-16 00:36:48 +01:00
09e452a09d pledge() + unveil() sandbox
This is the OpenBSD sandbox.
2021-12-16 00:36:43 +01:00
3c1e08372d Proof-of-concept, default-permit seccomp-bpf sandbox
Can be disabled by adding -DCONFIG_NOSANDBOX to CXXFLAGS.
2021-12-16 00:36:09 +01:00