Merge 37386b857a into 68b56e7c25

Docker: disable sandbox to fix crashes and update Dockerfile/compose.yml (#294 )
Additionally: * Add EXPOSE hints to Dockerfile * as -> AS in Dockerfile to resolve warning * Point docker-compose to our docker hub image * Remove version property in docker-compose.yml as it was deprecated
2024-11-24 14:01:05 +00:00 · 2024-10-15 19:53:35 +08:00 · 2024-10-15 01:00:37 -05:00 · 2024-10-02 18:27:41 -05:00 · 2024-10-01 21:47:59 -05:00
3 changed files with 30 additions and 7 deletions
--- a/10
+++ b/10
@ -1,5 +1,5 @@
 # build
-FROM debian:stable-slim as build
+FROM debian:stable-slim AS build
 WORKDIR /usr/src/app
@ -14,7 +14,7 @@ COPY vendor ./vendor
 COPY .git ./.git
 COPY Makefile CMakeLists.txt version.h.in ./
-RUN make -j8
+RUN make nosandbox -j$(nproc)
 # prod
 FROM debian:stable-slim
@ -29,4 +29,8 @@ COPY sql ./sql
 CMD ["/bin/fusion"]
-LABEL Name=openfusion Version=0.0.2
+EXPOSE 23000/tcp
 EXPOSE 23001/tcp
 EXPOSE 8001/tcp
 LABEL Name=openfusion Version=1.6.0
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,11 +1,9 @@
 version: '3.4'
 services:
  openfusion:
    image: openfusion
    build:
      context: .
      dockerfile: ./Dockerfile
    image: openfusion/openfusion:latest
    volumes:
      - ./config.ini:/usr/src/app/config.ini
      - ./database.db:/usr/src/app/database.db
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@ -54,7 +54,7 @@
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
 /*
 * Macros adapted from openssh's sandbox-seccomp-filter.c
@ -302,6 +302,18 @@ int seccomp(unsigned int operation, unsigned int flags, void *args) {
    return syscall(__NR_seccomp, operation, flags, args);
 }
 void sig_sys_handler(int signo, siginfo_t *info, void *context)
 {
    // report the unhandled syscall
    std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl 
              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
              << " needed changes in our seccomp filter." << std::endl;
    exit(1);
 }
 void sandbox_start() {
    if (!settings::SANDBOX) {
        std::cout << "[WARN] Running without a sandbox" << std::endl;
@ -310,6 +322,15 @@ void sandbox_start() {
    std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
    // we listen to SIGSYS to report unhandled syscalls
    struct sigaction sa = {};
    sa.sa_flags = SA_SIGINFO;
    sa.sa_sigaction = sig_sys_handler;
    if (sigaction(SIGSYS, &sa, NULL) < 0) {
        perror("sigaction");
        exit(1);
    }
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        perror("prctl");
        exit(1);
Author	SHA1	Message	Date
cpunk	cd6aee2fae	Merge `37386b857a` into `68b56e7c25`	2024-10-15 19:53:35 +08:00
CakeLancelot	68b56e7c25	Docker: disable sandbox to fix crashes and update Dockerfile/compose.yml (#294 ) Additionally: * Add EXPOSE hints to Dockerfile * as -> AS in Dockerfile to resolve warning * Point docker-compose to our docker hub image * Remove version property in docker-compose.yml as it was deprecated	2024-10-15 01:00:37 -05:00
cpunch	37386b857a	change wiki sandbox link to openfusion.dev mirror	2024-10-02 18:27:41 -05:00
cpunch	19dbf7abeb	seccomp: report unhandled syscalls	2024-10-01 21:47:59 -05:00