[sandbox] Print error message on seccomp sandbox violation

Co-authored-by: cpunch <sethtstubbs@gmail.com>

.github/workflows/check-builds.yaml

@@ -29,7 +29,7 @@ jobs:
           submodules: recursive
           fetch-depth: 0
       - name: Install dependencies
-        run: sudo apt install clang cmake snap libsqlite3-dev -y && sudo snap install powershell --classic
+        run: sudo apt install clang cmake snap -y && sudo snap install powershell --classic
       - name: Check compilation
         run: |
           $versions = "104", "728", "1013"
@@ -113,7 +113,7 @@ jobs:
 
   copy-artifacts:
     if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: [windows-build, ubuntu-build]
     env:
       BOT_SSH_KEY: ${{ secrets.BOT_SSH_KEY }}

.github/workflows/push-docker-image.yml

@@ -11,6 +11,11 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    strategy:
+      matrix:
+        platforms:
+          - linux/amd64
+          - linux/arm64
     steps:
       - uses: actions/checkout@v4
       - name: Retrieve major version
@@ -26,13 +31,11 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
       - name: Build and push the Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platforms }}
           push: true
           tags: ${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }},${{ secrets.DOCKERHUB_REPOSITORY }}:${{ steps.split.outputs._0 }},${{ secrets.DOCKERHUB_REPOSITORY }}:latest

Dockerfile

@@ -1,5 +1,5 @@
 # build
-FROM debian:stable-slim AS build
+FROM debian:stable-slim as build
 
 WORKDIR /usr/src/app
 
@@ -14,7 +14,7 @@ COPY vendor ./vendor
 COPY .git ./.git
 COPY Makefile CMakeLists.txt version.h.in ./
 
-RUN make nosandbox -j$(nproc)
+RUN make -j8
 
 # prod
 FROM debian:stable-slim
@@ -29,8 +29,4 @@ COPY sql ./sql
 
 CMD ["/bin/fusion"]
 
-EXPOSE 23000/tcp
+LABEL Name=openfusion Version=0.0.2
-EXPOSE 23001/tcp
-EXPOSE 8001/tcp
-
-LABEL Name=openfusion Version=1.6.0

config.ini

@@ -102,8 +102,5 @@ eventmode=0
 enabled=false
 # the port to listen for connections on
 port=8003
-# The local IP to listen on.
-# Do not change this unless you know what you're doing.
-listenip=127.0.0.1
 # how often the listeners should be updated (in milliseconds)
 interval=5000

docker-compose.yml

@@ -1,9 +1,11 @@
+version: '3.4'
+
 services:
   openfusion:
+    image: openfusion
     build:
       context: .
       dockerfile: ./Dockerfile
-    image: openfusion/openfusion:latest
     volumes:
       - ./config.ini:/usr/src/app/config.ini
       - ./database.db:/usr/src/app/database.db

src/MobAI.cpp

@@ -478,14 +478,6 @@ void MobAI::deadStep(CombatNPC* npc, time_t currTime) {
     if (self->groupLeader == self->id)
         roamingStep(self, currTime);
 
-    /*
-     * If the mob hasn't fully despanwed yet, don't try to respawn it. This protects
-     * against the edge case where mobs with a very short regenTime would try to respawn
-     * before they've faded away; and would respawn even if they were meant to be removed.
-     */
-    if (!self->despawned)
-        return;
-
     if (self->killedTime != 0 && currTime - self->killedTime < self->regenTime * 100)
         return;
 

src/Transport.cpp

@@ -388,21 +388,8 @@ NPCPath* Transport::findApplicablePath(int32_t id, int32_t type, int taskID) {
 
 void Transport::constructPathNPC(int32_t id, NPCPath* path) {
     BaseNPC* npc = NPCManager::NPCs[id];
-
+    if (npc->kind == EntityKind::MOB)
-    if (npc->kind == EntityKind::MOB) {
+        ((Mob*)(npc))->staticPath = true;
-        auto mob = (Mob*)npc;
-        mob->staticPath = true;
-
-        Vec3 firstPoint = path->points.front();
-
-        // Ensure that the first point coincides with the mob's spawn point.
-        if (mob->spawnX != firstPoint.x || mob->spawnY != firstPoint.y) {
-            std::cout << "[FATAL] The first point of the route for mob " << mob->id << " (type " << mob->type
-                << ") does not correspond with its spawn point." << std::endl;
-            exit(1);
-        }
-    }
-
     npc->loopingPath = path->isLoop;
 
     // Interpolate

src/core/CNProtocol.cpp

@@ -428,7 +428,7 @@ void CNServer::removePollFD(int fd) {
 }
 
 void CNServer::start() {
-    std::cout << "Starting " << serverType << " server at *:" << port << std::endl;
+    std::cout << "Starting server at *:" << port << std::endl;
     while (active) {
         // the timeout is to ensure shard timers are ticking
         int n = poll(fds.data(), fds.size(), 50);

src/sandbox/seccomp.cpp

@@ -391,7 +391,7 @@ static bool landlock_detect() {
         exit(1);
     }
 
-    std::cout << "[INFO] Detected Landlock ABI version: " << abi << std::endl;
+    std::cout << "[INFO] Landlock ABI version: " << abi << std::endl;
 
     switch (abi) {
     case 1:

src/servers/Monitor.cpp

@@ -180,14 +180,9 @@ SOCKET Monitor::init() {
     }
 
     address.sin_family = AF_INET;
+    address.sin_addr.s_addr = INADDR_ANY;
     address.sin_port = htons(settings::MONITORPORT);
 
-    if (!inet_pton(AF_INET, settings::MONITORLISTENIP.c_str(), &address.sin_addr)) {
-        std::cout << "Failed to set monitor listen address" << std::endl;
-        printSocketError("inet_pton");
-        exit(1);
-    }
-
     if (SOCKETERROR(bind(listener, (struct sockaddr*)&address, sizeof(address)))) {
         std::cout << "Failed to bind to monitor port" << std::endl;
         printSocketError("bind");
@@ -211,7 +206,7 @@ SOCKET Monitor::init() {
         exit(EXIT_FAILURE);
     }
 
-    std::cout << "Monitor listening on " << settings::MONITORLISTENIP << ":" << settings::MONITORPORT << std::endl;
+    std::cout << "Monitor listening on *:" << settings::MONITORPORT << std::endl;
 
     REGISTER_SHARD_TIMER(tick, settings::MONITORINTERVAL);
 

src/settings.cpp

@@ -64,7 +64,6 @@ bool settings::DISABLEFIRSTUSEFLAG = true;
 // monitor settings
 bool settings::MONITORENABLED = false;
 int settings::MONITORPORT = 8003;
-std::string settings::MONITORLISTENIP = "127.0.0.1";
 int settings::MONITORINTERVAL = 5000;
 
 // event mode settings
@@ -122,6 +121,5 @@ void settings::init() {
     IZRACESCORECAPPED = reader.GetBoolean("shard", "izracescorecapped", IZRACESCORECAPPED);
     MONITORENABLED = reader.GetBoolean("monitor", "enabled", MONITORENABLED);
     MONITORPORT = reader.GetInteger("monitor", "port", MONITORPORT);
-    MONITORLISTENIP = reader.Get("monitor", "listenip", MONITORLISTENIP);
     MONITORINTERVAL = reader.GetInteger("monitor", "interval", MONITORINTERVAL);
 }

src/settings.hpp

@@ -38,7 +38,6 @@ namespace settings {
     extern int EVENTMODE;
     extern bool MONITORENABLED;
     extern int MONITORPORT;
-    extern std::string MONITORLISTENIP;
     extern int MONITORINTERVAL;
     extern bool DISABLEFIRSTUSEFLAG;
     extern bool IZRACESCORECAPPED;