mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-05-22 21:32:31 +00:00
Add seccomp bpf sandboxing to redbean
It's now possible to pass the `-S` or `-SS` flags to sandbox redbean worker proecsses after they've been forked. The first `-S` flag is intended to be a permissive builtin policy that limits system calls to only that which the various parts of redbean serving need. The second `-SS` flag is intended to be more restrictive, preventing things like the Lua extensions you download off the web from using the HTTP client or sockets APIs. In upcoming changes you'll be able to implement your own Berkeley Packet Filter sandbox programs and load them via Lua.
This commit is contained in:
Justine Tunney
parent
7166679620
commit
5a132f9652
79 changed files with 2271 additions and 651 deletions
|
|
@ -1,11 +1,9 @@
|
|||
#ifndef COSMOPOLITAN_LIBC_SOCK_SYSLOG_H_
|
||||
#define COSMOPOLITAN_LIBC_SOCK_SYSLOG_H_
|
||||
|
||||
|
||||
#if !(__ASSEMBLER__ + __LINKER__ + 0)
|
||||
COSMOPOLITAN_C_START_
|
||||
|
||||
#define LOG_PRI(p) ((p) & LOG_PRIMASK)
|
||||
#define LOG_PRI(p) (LOG_PRIMASK & (p))
|
||||
|
||||
int setlogmask(int);
|
||||
void openlog(const char *, int, int);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue