mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-07-01 16:58:30 +00:00
Add seccomp bpf sandboxing to redbean
It's now possible to pass the `-S` or `-SS` flags to sandbox redbean worker proecsses after they've been forked. The first `-S` flag is intended to be a permissive builtin policy that limits system calls to only that which the various parts of redbean serving need. The second `-SS` flag is intended to be more restrictive, preventing things like the Lua extensions you download off the web from using the HTTP client or sockets APIs. In upcoming changes you'll be able to implement your own Berkeley Packet Filter sandbox programs and load them via Lua.
This commit is contained in:
Justine Tunney
parent
7166679620
commit
5a132f9652
79 changed files with 2271 additions and 651 deletions
|
|
@ -7,6 +7,9 @@
|
|||
#define SECCOMP_MODE_STRICT 1
|
||||
#define SECCOMP_MODE_FILTER 2
|
||||
|
||||
#define PR_SET_NO_NEW_PRIVS 38
|
||||
#define PR_GET_NO_NEW_PRIVS 39
|
||||
|
||||
#define PR_SET_NAME 15
|
||||
#define PR_GET_NAME 0x10
|
||||
|
||||
|
|
@ -85,8 +88,6 @@
|
|||
#define PR_SET_MM 35
|
||||
#define PR_SET_CHILD_SUBREAPER 36
|
||||
#define PR_GET_CHILD_SUBREAPER 37
|
||||
#define PR_SET_NO_NEW_PRIVS 38
|
||||
#define PR_GET_NO_NEW_PRIVS 39
|
||||
#define PR_GET_TID_ADDRESS 40
|
||||
#define PR_SET_THP_DISABLE 41
|
||||
#define PR_GET_THP_DISABLE 42
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue