

5 Commits

8b693e564e
Merge 37386b857a into cada1bcfd8 2024-10-14 22:59:28 -07:00
CakeLancelot
cada1bcfd8
Update check-builds.yaml
* Install SQLite3 headers as they aren't included in the Ubuntu 24.04 image (it currently only includes the CLI): https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
* Change copy-artifacts task to also use ubuntu-latest
2024-10-14 22:48:41 -05:00
Juansecu
ca43a2996a
BUILD - Fix build of Docker image for different archs (#293) 2024-10-14 17:22:45 -05:00
37386b857a change wiki sandbox link to openfusion.dev mirror 2024-10-02 18:27:41 -05:00
19dbf7abeb seccomp: report unhandled syscalls 2024-10-01 21:47:59 -05:00
3 changed files with 28 additions and 10 deletions


@ -29,7 +29,7 @@ jobs:
submodules: recursive submodules: recursive
fetch-depth: 0 fetch-depth: 0
- name: Install dependencies - name: Install dependencies
run: sudo apt install clang cmake snap -y && sudo snap install powershell --classic run: sudo apt install clang cmake snap libsqlite3-dev -y && sudo snap install powershell --classic
- name: Check compilation - name: Check compilation
run: | run: |
$versions = "104", "728", "1013" $versions = "104", "728", "1013"
@ -113,7 +113,7 @@ jobs:
copy-artifacts: copy-artifacts:
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master' if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master'
runs-on: ubuntu-22.04 runs-on: ubuntu-latest
needs: [windows-build, ubuntu-build] needs: [windows-build, ubuntu-build]
env: env:
BOT_SSH_KEY: ${{ secrets.BOT_SSH_KEY }} BOT_SSH_KEY: ${{ secrets.BOT_SSH_KEY }}
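Review bot: The new `libsqlite3-dev` package in the `Install dependencies` step is installed with a plain `apt install`, against whatever package index the runner image shipped with, so the step can fail with a 404 on a stale index; refresh it first, `run: sudo apt-get update && sudo apt-get install -y clang cmake snap libsqlite3-dev && sudo snap install powershell --classic`. `apt-get` is also the interface meant for scripts, whereas `apt` warns that its command line is not stable. In the second hunk, moving `copy-artifacts` from `ubuntu-22.04` to `ubuntu-latest` makes the job that holds the `BOT_SSH_KEY` deploy key run on a floating image whose contents change without a commit in this repository; if the alias is kept, a one-line comment above `runs-on:` noting that it is intentionally tracking the same image as the build jobs (as the commit message suggests) would help the next reader.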


@ -11,11 +11,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
strategy:
matrix:
platforms:
- linux/amd64
- linux/arm64
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Retrieve major version - name: Retrieve major version
@ -31,11 +26,13 @@ jobs:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push the Docker image - name: Build and push the Docker image
uses: docker/build-push-action@v5 uses: docker/build-push-action@v6
with: with:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
platforms: ${{ matrix.platforms }} platforms: linux/amd64,linux/arm64
push: true push: true
tags: ${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }},${{ secrets.DOCKERHUB_REPOSITORY }}:${{ steps.split.outputs._0 }},${{ secrets.DOCKERHUB_REPOSITORY }}:latest tags: ${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }},${{ secrets.DOCKERHUB_REPOSITORY }}:${{ steps.split.outputs._0 }},${{ secrets.DOCKERHUB_REPOSITORY }}:latest
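Review bot: The added `docker/setup-buildx-action@v3` step and the bumped `docker/build-push-action@v6` are referenced by mutable major-version tags, so the job that holds the Docker Hub credentials and pushes the `latest` tag executes whatever those tags resolve to on the day it runs. Pinning each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha-of-the-v6-release> # v6`, keeps the build reproducible and turns a tag move into a visible diff; the `docker/setup-qemu-action@v3` and `actions/checkout@v4` lines left in context would benefit from the same treatment. With `strategy.matrix` removed, `platforms: linux/amd64,linux/arm64` now builds both targets in a single job, which is presumably why the Buildx step was needed; a short comment above `platforms:` saying that one multi-arch image is produced per tag would document that intent. The enclosing job starts outside the hunk.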


@ -54,7 +54,7 @@
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
#define KILL_PROCESS \ #define KILL_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
/* /*
* Macros adapted from openssh's sandbox-seccomp-filter.c * Macros adapted from openssh's sandbox-seccomp-filter.c
@ -302,6 +302,18 @@ int seccomp(unsigned int operation, unsigned int flags, void *args) {
return syscall(__NR_seccomp, operation, flags, args); return syscall(__NR_seccomp, operation, flags, args);
} }
void sig_sys_handler(int signo, siginfo_t *info, void *context)
{
// report the unhandled syscall
std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
<< "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
<< " needed changes in our seccomp filter." << std::endl;
exit(1);
}
void sandbox_start() { void sandbox_start() {
if (!settings::SANDBOX) { if (!settings::SANDBOX) {
std::cout << "[WARN] Running without a sandbox" << std::endl; std::cout << "[WARN] Running without a sandbox" << std::endl;
@ -310,6 +322,15 @@ void sandbox_start() {
std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl; std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
// we listen to SIGSYS to report unhandled syscalls
struct sigaction sa = {};
sa.sa_flags = SA_SIGINFO;
sa.sa_sigaction = sig_sys_handler;
if (sigaction(SIGSYS, &sa, NULL) < 0) {
perror("sigaction");
exit(1);
}
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
perror("prctl"); perror("prctl");
exit(1); exit(1);