Compare commits

...

4 Commits

Author SHA1 Message Date
cd6aee2fae
Merge 37386b857a into 68b56e7c25 2024-10-15 19:53:35 +08:00
CakeLancelot
68b56e7c25
Docker: disable sandbox to fix crashes and update Dockerfile/compose.yml (#294)
Additionally:
* Add EXPOSE hints to Dockerfile
* as -> AS in Dockerfile to resolve warning
* Point docker-compose to our docker hub image
* Remove version property in docker-compose.yml as it was deprecated
2024-10-15 01:00:37 -05:00
37386b857a change wiki sandbox link to openfusion.dev mirror 2024-10-02 18:27:41 -05:00
19dbf7abeb seccomp: report unhandled syscalls 2024-10-01 21:47:59 -05:00
3 changed files with 30 additions and 7 deletions

View File

@ -1,5 +1,5 @@
# build
FROM debian:stable-slim as build
FROM debian:stable-slim AS build
WORKDIR /usr/src/app
@ -14,7 +14,7 @@ COPY vendor ./vendor
COPY .git ./.git
COPY Makefile CMakeLists.txt version.h.in ./
RUN make -j8
RUN make nosandbox -j$(nproc)
# prod
FROM debian:stable-slim
@ -29,4 +29,8 @@ COPY sql ./sql
CMD ["/bin/fusion"]
LABEL Name=openfusion Version=0.0.2
EXPOSE 23000/tcp
EXPOSE 23001/tcp
EXPOSE 8001/tcp
LABEL Name=openfusion Version=1.6.0

View File

@ -1,11 +1,9 @@
version: '3.4'
services:
openfusion:
image: openfusion
build:
context: .
dockerfile: ./Dockerfile
image: openfusion/openfusion:latest
volumes:
- ./config.ini:/usr/src/app/config.ini
- ./database.db:/usr/src/app/database.db

View File

@ -54,7 +54,7 @@
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
#define KILL_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
/*
* Macros adapted from openssh's sandbox-seccomp-filter.c
@ -302,6 +302,18 @@ int seccomp(unsigned int operation, unsigned int flags, void *args) {
return syscall(__NR_seccomp, operation, flags, args);
}
void sig_sys_handler(int signo, siginfo_t *info, void *context)
{
// report the unhandled syscall
std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
<< "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
<< " needed changes in our seccomp filter." << std::endl;
exit(1);
}
void sandbox_start() {
if (!settings::SANDBOX) {
std::cout << "[WARN] Running without a sandbox" << std::endl;
@ -310,6 +322,15 @@ void sandbox_start() {
std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
// we listen to SIGSYS to report unhandled syscalls
struct sigaction sa = {};
sa.sa_flags = SA_SIGINFO;
sa.sa_sigaction = sig_sys_handler;
if (sigaction(SIGSYS, &sa, NULL) < 0) {
perror("sigaction");
exit(1);
}
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
perror("prctl");
exit(1);