mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-06-27 06:48:31 +00:00
Add seccomp bpf sandboxing to redbean
It's now possible to pass the `-S` or `-SS` flags to sandbox redbean worker proecsses after they've been forked. The first `-S` flag is intended to be a permissive builtin policy that limits system calls to only that which the various parts of redbean serving need. The second `-SS` flag is intended to be more restrictive, preventing things like the Lua extensions you download off the web from using the HTTP client or sockets APIs. In upcoming changes you'll be able to implement your own Berkeley Packet Filter sandbox programs and load them via Lua.
This commit is contained in:
Justine Tunney
parent
7166679620
commit
5a132f9652
79 changed files with 2271 additions and 651 deletions
13
libc/sysv/consts/audit.h
Normal file
13
libc/sysv/consts/audit.h
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
#ifndef COSMOPOLITAN_LIBC_SYSV_CONSTS_AUDIT_H_
|
||||
#define COSMOPOLITAN_LIBC_SYSV_CONSTS_AUDIT_H_
|
||||
#include "libc/elf/def.h"
|
||||
|
||||
#define __AUDIT_ARCH_64BIT 0x80000000
|
||||
#define __AUDIT_ARCH_LE 0x40000000
|
||||
#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
|
||||
#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
|
||||
|
||||
#define AUDIT_ARCH_X86_64 (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
|
||||
#define AUDIT_ARCH_I386 (EM_386 | __AUDIT_ARCH_LE)
|
||||
|
||||
#endif /* COSMOPOLITAN_LIBC_SYSV_CONSTS_AUDIT_H_ */
|
||||
Loading…
Add table
Add a link
Reference in a new issue