Merge 37386b857a into 7c66041a6f

Add make target for building without the sandbox
[bcrypt] Fix missing include on Windows
2024-11-21 21:20:04 +00:00 · 2024-10-12 16:53:08 +02:00 · 2024-10-12 15:42:26 +02:00 · 2024-10-12 15:15:36 +02:00 · 2024-10-02 18:27:41 -05:00 · 2024-10-01 21:47:59 -05:00
3 changed files with 29 additions and 3 deletions
--- a/6
+++ b/6
@ -134,6 +134,8 @@ all: $(SERVER)

 windows: $(SERVER)

+nosandbox: $(SERVER)
+
 # assign Windows-specific values if targeting Windows
 windows : CC=$(WIN_CC)
 windows : CXX=$(WIN_CXX)
@ -142,6 +144,8 @@ windows : CXXFLAGS=$(WIN_CXXFLAGS)
 windows : LDFLAGS=$(WIN_LDFLAGS)
 windows : SERVER=$(WIN_SERVER)

+nosandbox : CFLAGS+=-DCONFIG_NOSANDBOX=1
+
 .SUFFIXES: .o .c .cpp .h .hpp

 .c.o:
@ -163,7 +167,7 @@ version.h:

 src/main.o: version.h

-.PHONY: all windows clean nuke
+.PHONY: all windows nosandbox clean nuke

 # only gets rid of OpenFusion objects, so we don't need to
 # recompile the libs every time
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@ -54,7 +54,7 @@
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))

 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)

 /*
 * Macros adapted from openssh's sandbox-seccomp-filter.c
@ -302,6 +302,18 @@ int seccomp(unsigned int operation, unsigned int flags, void *args) {
    return syscall(__NR_seccomp, operation, flags, args);
 }

+void sig_sys_handler(int signo, siginfo_t *info, void *context)
+{
+    // report the unhandled syscall
+    std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
+
+    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl 
+              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
+              << " needed changes in our seccomp filter." << std::endl;
+
+    exit(1);
+}
+
 void sandbox_start() {
    if (!settings::SANDBOX) {
        std::cout << "[WARN] Running without a sandbox" << std::endl;
@ -310,6 +322,15 @@ void sandbox_start() {

    std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;

+    // we listen to SIGSYS to report unhandled syscalls
+    struct sigaction sa = {};
+    sa.sa_flags = SA_SIGINFO;
+    sa.sa_sigaction = sig_sys_handler;
+    if (sigaction(SIGSYS, &sa, NULL) < 0) {
+        perror("sigaction");
+        exit(1);
+    }
+
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        perror("prctl");
        exit(1);
--- a/vendor/bcrypt/bcrypt.c
+++ b/vendor/bcrypt/bcrypt.c
@ -38,9 +38,10 @@ typedef __int64 ssize_t;
 #include <wincrypt.h> /* CryptAcquireContext, CryptGenRandom */
 #else
 #include "bcrypt.h"
-#include "ow-crypt.h"
 #endif

+#include "ow-crypt.h"
+
 #define RANDBYTES (16)

 static int try_close(int fd)
Author	SHA1	Message	Date
cpunk	1f5ac83c03	Merge `37386b857a` into `7c66041a6f`	2024-10-12 16:53:08 +02:00
dongresource	7c66041a6f	Add make target for building without the sandbox	2024-10-12 15:42:26 +02:00
dongresource	2c822e210b	[bcrypt] Fix missing include on Windows Co-authored-by: Jade Shrinemaiden <jadeshrinemaiden@gmail.com>	2024-10-12 15:15:36 +02:00
cpunch	37386b857a	change wiki sandbox link to openfusion.dev mirror	2024-10-02 18:27:41 -05:00
cpunch	19dbf7abeb	seccomp: report unhandled syscalls	2024-10-01 21:47:59 -05:00