Merge 2096c3c3cc into 397700e909

.github/workflows/push-docker-image.yml

@@ -3,7 +3,6 @@ name: Push Docker Image
 on:
   release:
     types: [published]
-  workflow_dispatch:
 
 jobs:
   push-docker-image:
@@ -29,8 +28,6 @@ jobs:
         with:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
       - name: Build and push the Docker image
         uses: docker/build-push-action@v5
         with:

Dockerfile

@@ -1,28 +1,33 @@
 # build
-FROM debian:stable-slim as build
+FROM alpine:3 as build
 
 WORKDIR /usr/src/app
 
-RUN apt-get -y update && apt-get install -y \
+RUN apk update && apk upgrade && apk add \
+linux-headers \
 git \
-clang \
+clang18 \
 make \
-libsqlite3-dev
+sqlite-dev
 
 COPY src ./src
 COPY vendor ./vendor
 COPY .git ./.git
 COPY Makefile CMakeLists.txt version.h.in ./
 
+RUN sed -i 's/^CC=clang$/&-18/' Makefile
+RUN sed -i 's/^CXX=clang++$/&-18/' Makefile
+
 RUN make -j8
 
 # prod
-FROM debian:stable-slim
+FROM alpine:3
 
 WORKDIR /usr/src/app
 
-RUN apt-get -y update && apt-get install -y \
-libsqlite3-dev
+RUN apk update && apk upgrade && apk add \
+libstdc++ \
+sqlite-dev
 
 COPY --from=build /usr/src/app/bin/fusion /bin/fusion
 COPY sql ./sql

Makefile

@@ -133,8 +133,6 @@ HDR=$(CHDR) $(CXXHDR)
 all: $(SERVER)
 
 windows: $(SERVER)
-nosandbox: $(SERVER)
-nolandlock: $(SERVER)
 
 # assign Windows-specific values if targeting Windows
 windows : CC=$(WIN_CC)
@@ -144,9 +142,6 @@ windows : CXXFLAGS=$(WIN_CXXFLAGS)
 windows : LDFLAGS=$(WIN_LDFLAGS)
 windows : SERVER=$(WIN_SERVER)
 
-nosandbox : CFLAGS+=-DCONFIG_NOSANDBOX=1
-nolandlock : CFLAGS+=-DCONFIG_NOLANDLOCK=1
-
 .SUFFIXES: .o .c .cpp .h .hpp
 
 .c.o:
@@ -168,7 +163,7 @@ version.h:
 
 src/main.o: version.h
 
-.PHONY: all windows nosandbox nolandlock clean nuke
+.PHONY: all windows clean nuke
 
 # only gets rid of OpenFusion objects, so we don't need to
 # recompile the libs every time

README.md

@@ -1,14 +1,13 @@
-<p align="center"><img width="640" src="res/openfusion-hero.png" alt="OpenFusion Logo"></p>
+<p align="center"><img width="640" src="res/openfusion-hero.png" alt=""></p>
 
 <p align="center">
     <a href="https://github.com/OpenFusionProject/OpenFusion/releases/latest"><img src="https://img.shields.io/github/v/release/OpenFusionProject/OpenFusion" alt="Current Release"></a>
     <a href="https://github.com/OpenFusionProject/OpenFusion/actions/workflows/check-builds.yaml"><img src="https://github.com/OpenFusionProject/OpenFusion/actions/workflows/check-builds.yaml/badge.svg" alt="Workflow"></a>
-    <a href="https://hub.docker.com/repository/docker/openfusion/openfusion/"><img src="https://badgen.net/docker/pulls/openfusion/openfusion?icon=docker&label=pulls"></a>
     <a href="https://discord.gg/DYavckB"><img src="https://img.shields.io/badge/chat-on%20discord-7289da.svg?logo=discord" alt="Discord"></a>
     <a href="https://github.com/OpenFusionProject/OpenFusion/blob/master/LICENSE.md"><img src="https://img.shields.io/github/license/OpenFusionProject/OpenFusion" alt="License"></a>
 </p>
 
-OpenFusion is a reverse-engineered server for FusionFall. It primarily targets versions `beta-20100104` and `beta-20111013` of the original game, with [limited support](https://openfusion.dev/docs/reference/fusionfall-version-support/) for others.
+OpenFusion is a reverse-engineered server for FusionFall. It primarily targets versions `beta-20100104` and `beta-20111013` of the original game, with [limited support](https://github.com/OpenFusionProject/OpenFusion/wiki/FusionFall-Version-Support) for others.
 
 ## Usage
 
@@ -26,7 +25,7 @@ OpenFusion is a reverse-engineered server for FusionFall. It primarily targets v
 4. To create an account, simply enter the details you wish to use at the login screen then click Log In. Do *not* click register, as this will just lead to a blank screen.
 5. Make a new character, and enjoy the game! Your progress will be saved automatically, and you can resume playing by entering the login details you used in step 4.
 
-Instructions for getting the client to run on Linux through Wine can be found [here](https://openfusion.dev/docs/guides/running-on-linux/).
+Instructions for getting the client to run on Linux through Wine can be found [here](https://github.com/OpenFusionProject/OpenFusion/wiki/Running-the-game-client-on-Linux).
 
 ### Hosting a server
 1. Grab `OpenFusionServer-1.6-Original.zip` or `OpenFusionServer-1.6-Academy.zip` from [here](https://github.com/OpenFusionProject/OpenFusion/releases/tag/1.6).
@@ -80,17 +79,17 @@ This just works if you're all under the same LAN, but if you want to play over t
 
 ## Compiling 
 
-OpenFusion has one external dependency: SQLite. The oldest compatible version is `3.33.0`. You can install it on Windows using `vcpkg`, and on Unix/Linux using your distribution's package manager. For a more indepth guide on how to set up vcpkg, [read this guide](https://openfusion.dev/docs/development/installing-sqlite-on-windows-using-vcpkg/).
+OpenFusion has one external dependency: SQLite. The oldest compatible version is `3.33.0`. You can install it on Windows using `vcpkg`, and on Unix/Linux using your distribution's package manager. For a more indepth guide on how to set up vcpkg, [read this guide on the wiki](https://github.com/OpenFusionProject/OpenFusion/wiki/Installing-SQLite-on-Windows-using-vcpkg).
 
 You have two choices for compiling OpenFusion: the included Makefile and the included CMakeLists file.
 
 ### Makefile
 
-A detailed compilation guide is available for Windows users on the website [using MinGW-w64 and MSYS2](https://openfusion.dev/docs/development/compilation-on-windows-msys2-mingw/). Otherwise, to compile it for the current platform you're on, just run `make` with the correct build tools installed (currently make and clang).
+A detailed compilation guide is available for Windows users in the wiki [using MinGW-w64 and MSYS2](https://github.com/OpenFusionProject/OpenFusion/wiki/Compilation-on-Windows). Otherwise, to compile it for the current platform you're on, just run `make` with the correct build tools installed (currently make and clang).
 
 ### CMake
 
-A detailed guide is available [in our documentation](https://openfusion.dev/docs/development/compilation-with-cmake-or-visual-studio/) for people using regular old CMake or the version of CMake that comes with Visual Studio. TL;DR: `cmake -B build`
+A detailed guide is available [on the wiki](https://github.com/OpenFusionProject/OpenFusion/wiki/Compilation-with-CMake-or-Visual-Studio) for people using regular old CMake or the version of CMake that comes with Visual Studio. tl;dr: `cmake -B build`
 
 ## Contributing
 
@@ -108,4 +107,4 @@ Meanwhile the Academy server is more meant for legitimate playthroughs (default
 
 When hosting a local server, you will have access to all commands by default (account level 1).
 
-For a list of available commands, see [this page](https://openfusion.dev/docs/reference/ingame-command-list/).
+For a list of available commands, see [this wiki page](https://github.com/OpenFusionProject/OpenFusion/wiki/Ingame-Command-list).

src/Abilities.cpp

@@ -368,6 +368,7 @@ void Abilities::useNPCSkill(EntityRef npc, int skillID, std::vector<ICombatant*>
     SkillData* skill = &SkillTable[skillID];
 
     std::vector<SkillResult> results = handleSkill(skill, 0, src, affected);
+    if(results.empty()) return; // no effect; no need for confirmation packets
 
     // lazy validation since skill results might be different sizes
     if (!validOutVarPacket(sizeof(sP_FE2CL_NPC_SKILL_HIT), results.size(), MAX_SKILLRESULT_SIZE)) {

src/main.cpp

@@ -49,7 +49,6 @@ CNShardServer *shardServer = nullptr;
 std::thread *shardThread = nullptr;
 
 void startShard(CNShardServer* server) {
-    sandbox_thread_start();
     server->start();
 }
 
@@ -151,8 +150,6 @@ int main() {
         /* not reached */
     }
 
-    sandbox_init();
-
     std::cout << "[INFO] Starting Server Threads..." << std::endl;
     CNLoginServer loginServer(settings::LOGINPORT);
     shardServer = new CNShardServer(settings::SHARDPORT);
@@ -160,7 +157,6 @@ int main() {
     shardThread = new std::thread(startShard, (CNShardServer*)shardServer);
 
     sandbox_start();
-    sandbox_thread_start();
 
     loginServer.start();
 

src/sandbox/Sandbox.hpp

@@ -4,16 +4,11 @@
 #if defined(__linux__) || defined(__OpenBSD__)
 
 # if !defined(CONFIG_NOSANDBOX)
-void sandbox_init();
 void sandbox_start();
-void sandbox_thread_start();
 # else
 
 #include <iostream>
 
-inline void sandbox_init() {}
-inline void sandbox_thread_start() {}
-
 inline void sandbox_start() {
     std::cout << "[WARN] Built without a sandbox" << std::endl;
 }
@@ -22,7 +17,5 @@ inline void sandbox_start() {
 
 #else
 // stub for unsupported platforms
-inline void sandbox_init() {}
 inline void sandbox_start() {}
-inline void sandbox_thread_start() {}
 #endif

src/sandbox/openbsd.cpp

@@ -13,9 +13,6 @@ static void eunveil(const char *path, const char *permissions) {
         err(1, "unveil");
 }
 
-void sandbox_init() {}
-void sandbox_thread_start() {}
-
 void sandbox_start() {
     /*
      * There shouldn't ever be a reason to disable this one, but might as well

src/sandbox/seccomp.cpp

@@ -4,9 +4,6 @@
 #include "settings.hpp"
 
 #include <stdlib.h>
-#include <fcntl.h>
-
-#include <filesystem>
 
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@@ -20,10 +17,6 @@
 #include <linux/audit.h>
 #include <linux/net.h> // for socketcall() args
 
-#ifndef CONFIG_NOLANDLOCK
-#include <linux/landlock.h>
-#endif
-
 /*
  * Macros adapted from https://outflux.net/teach-seccomp/
  * Relevant license:
@@ -61,7 +54,7 @@
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 
 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
 
 /*
  * Macros adapted from openssh's sandbox-seccomp-filter.c
@@ -304,201 +297,25 @@ static sock_fprog prog = {
     ARRLEN(filter), filter
 };
 
-// Our own wrapper for the seccomp() syscall.
+// our own wrapper for the seccomp() syscall
 int seccomp(unsigned int operation, unsigned int flags, void *args) {
     return syscall(__NR_seccomp, operation, flags, args);
 }
 
-#ifndef CONFIG_NOLANDLOCK
-
-// Support compilation on systems that only have older Landlock headers.
-#ifndef LANDLOCK_ACCESS_FS_REFER
-#define LANDLOCK_ACCESS_FS_REFER 0
-#endif
-#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
-#define LANDLOCK_ACCESS_FS_TRUNCATE 0
-#endif
-
-struct landlock_ruleset_attr ruleset_attr = {
-    .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE
-        | LANDLOCK_ACCESS_FS_WRITE_FILE
-        | LANDLOCK_ACCESS_FS_READ_DIR
-        | LANDLOCK_ACCESS_FS_MAKE_REG
-        | LANDLOCK_ACCESS_FS_MAKE_DIR
-        | LANDLOCK_ACCESS_FS_MAKE_SYM
-        | LANDLOCK_ACCESS_FS_MAKE_SOCK
-        | LANDLOCK_ACCESS_FS_MAKE_FIFO
-        | LANDLOCK_ACCESS_FS_MAKE_BLOCK
-        | LANDLOCK_ACCESS_FS_REMOVE_FILE
-        | LANDLOCK_ACCESS_FS_REMOVE_DIR
-        | LANDLOCK_ACCESS_FS_TRUNCATE
-        | LANDLOCK_ACCESS_FS_REFER
-};
-
-uint64_t landlock_perms = LANDLOCK_ACCESS_FS_READ_FILE
-    | LANDLOCK_ACCESS_FS_WRITE_FILE
-    | LANDLOCK_ACCESS_FS_TRUNCATE
-    | LANDLOCK_ACCESS_FS_MAKE_REG
-    | LANDLOCK_ACCESS_FS_REMOVE_FILE;
-
-int landlock_fd;
-bool landlock_supported;
-
-/*
- * Our own wrappers for Landlock syscalls.
- */
-
-int landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags) {
-    return syscall(__NR_landlock_create_ruleset, attr, size, flags);
-}
-
-int landlock_add_rule(int ruleset_fd, enum landlock_rule_type rule_type, const void *rule_attr, uint32_t flags) {
-    return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
-}
-
-int landlock_restrict_self(int ruleset_fd, uint32_t flags) {
-    return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
-}
-
-static void landlock_path(std::string path, uint32_t perms) {
-    struct landlock_path_beneath_attr path_beneath = {
-        .allowed_access = perms
-    };
-
-    path_beneath.parent_fd = open(path.c_str(), O_PATH|O_CLOEXEC);
-    if (path_beneath.parent_fd < 0) {
-        perror(path.c_str());
-        exit(1);
-    }
-
-    if (landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0)) {
-        perror("landlock_add_rule");
-        exit(1);
-    }
-
-    close(path_beneath.parent_fd);
-}
-
-static bool landlock_detect() {
-    int abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
-
-    if (abi < 0) {
-        if (errno == ENOSYS || errno == EOPNOTSUPP) {
-            std::cout << "[WARN] No Landlock support on this system" << std::endl;
-            return false;
-        }
-        perror("landlock_create_ruleset");
-        exit(1);
-    }
-
-    std::cout << "[INFO] Landlock ABI version: " << abi << std::endl;
-
-    switch (abi) {
-    case 1:
-        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
-        landlock_perms &= ~LANDLOCK_ACCESS_FS_REFER;
-        // fallthrough
-    case 2:
-        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-        landlock_perms &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-    }
-
-    return true;
-}
-
-static void landlock_init() {
-    std::cout << "[INFO] Setting up Landlock sandbox..." << std::endl;
-
-    landlock_supported = landlock_detect();
-
-    if (!landlock_supported)
-        return;
-
-    landlock_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
-    if (landlock_fd < 0) {
-        perror("landlock_create_ruleset");
-        exit(1);
-    }
-
-    std::string dbdir = std::filesystem::path(settings::DBPATH).parent_path();
-
-    // for the DB files (we can't rely on them being in the working directory)
-    landlock_path(dbdir == "" ? "." : dbdir, landlock_perms);
-    // for writing the gruntwork file
-    landlock_path(settings::TDATADIR, landlock_perms);
-    // for passowrd salting during account creation
-    landlock_path("/dev/urandom", LANDLOCK_ACCESS_FS_READ_FILE);
-    // for core dumps, optionally
-    if (settings::SANDBOXEXTRAPATH != "")
-        landlock_path(settings::SANDBOXEXTRAPATH, landlock_perms);
-}
-
-#endif // !CONFIG_NOLANDLOCK
-
-static void sigsys_handler(int signo, siginfo_t *info, void *context) {
-    // report the unhandled syscall
-    std::cout << "[FATAL] Unhandled syscall " << info->si_syscall
-       << " at " << std::hex << info->si_call_addr << " on arch " << info->si_arch << std::endl;
-
-    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
-              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
-              << " needed changes in our seccomp filter." << std::endl;
-
-    exit(1);
-}
-
-void sandbox_init() {
+void sandbox_start() {
     if (!settings::SANDBOX) {
         std::cout << "[WARN] Running without a sandbox" << std::endl;
         return;
     }
 
-    // listen to SIGSYS to report unhandled syscalls
-    struct sigaction sa = {};
-
-    sa.sa_flags = SA_SIGINFO;
-    sa.sa_sigaction = sigsys_handler;
-
-    if (sigaction(SIGSYS, &sa, NULL) < 0) {
-        perror("sigaction");
-        exit(1);
-    }
-
-#ifndef CONFIG_NOLANDLOCK
-    landlock_init();
-#else
-    std::cout << "[WARN] Built without Landlock" << std::endl;
-#endif
-}
-
-void sandbox_start() {
-    if (!settings::SANDBOX)
-        return;
-
     std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
 
-    // Sandboxing starts in sandbox_thread_start().
-}
-
-void sandbox_thread_start() {
-    if (!settings::SANDBOX)
-        return;
-
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
         perror("prctl");
         exit(1);
     }
 
-#ifndef CONFIG_NOLANDLOCK
-    if (landlock_supported) {
-        if (landlock_restrict_self(landlock_fd, 0)) {
-            perror("landlock_restrict_self");
-            exit(1);
-        }
-    }
-#endif
-
-    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) < 0) {
+    if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) < 0) {
         perror("seccomp");
         exit(1);
     }

src/settings.cpp

@@ -9,7 +9,6 @@
 // defaults :)
 int settings::VERBOSITY = 1;
 bool settings::SANDBOX = true;
-std::string settings::SANDBOXEXTRAPATH = "";
 
 int settings::LOGINPORT = 23000;
 bool settings::APPROVEALLNAMES = true;
@@ -86,7 +85,6 @@ void settings::init() {
 
     VERBOSITY = reader.GetInteger("", "verbosity", VERBOSITY);
     SANDBOX = reader.GetBoolean("", "sandbox", SANDBOX);
-    SANDBOXEXTRAPATH = reader.Get("", "sandboxextrapath", SANDBOXEXTRAPATH);
     LOGINPORT = reader.GetInteger("login", "port", LOGINPORT);
     APPROVEALLNAMES = reader.GetBoolean("login", "acceptallcustomnames", APPROVEALLNAMES);
     AUTOCREATEACCOUNTS = reader.GetBoolean("login", "autocreateaccounts", AUTOCREATEACCOUNTS);

src/settings.hpp

@@ -1,11 +1,11 @@
 #pragma once
 
+#include <stdint.h>
 #include <string>
 
 namespace settings {
     extern int VERBOSITY;
     extern bool SANDBOX;
-    extern std::string SANDBOXEXTRAPATH;
     extern int LOGINPORT;
     extern bool APPROVEALLNAMES;
     extern bool AUTOCREATEACCOUNTS;
@@ -15,7 +15,7 @@ namespace settings {
     extern std::string SHARDSERVERIP;
     extern bool LOCALHOSTWORKAROUND;
     extern bool ANTICHEAT;
-    extern time_t TIMEOUT;
+    extern int64_t TIMEOUT;
     extern int VIEWDISTANCE;
     extern bool SIMULATEMOBS;
     extern int SPAWN_X;

vendor/bcrypt/bcrypt.c

@@ -38,9 +38,8 @@ typedef __int64 ssize_t;
 #include <wincrypt.h> /* CryptAcquireContext, CryptGenRandom */
 #else
 #include "bcrypt.h"
-#endif
-
 #include "ow-crypt.h"
+#endif
 
 #define RANDBYTES (16)