rdelaage
/
gmid
mirror of https://github.com/omar-polo/gmid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
681 Commits 2 Branches 28 Tags 5.6 MiB
Commit Graph

681 Commits

Author SHA1 Message Date
Martin 2b38d395cd Improve gmid.service 
Changed gmid.service to not to fork the server and forced to run under
user "gmid".  gmid now waits for the network stack beeing available
before starting. Also "gmid" is now the syslog id.
 2021-09-21 19:15:50 +02:00
Omar Polo 36d2d7b4b3 sync changelog 2021-09-19 17:15:24 +00:00
Omar Polo b0be065390 landlock the logger process too 
Disallow everything landlock can handle.  The logger process doesn't
need any fs access (on OpenBSD it runs with pledge("stdio recvfd")).
 2021-09-19 17:08:12 +00:00
Omar Polo 0ea22af280 add helper function gmid_create_landlock_rs 2021-09-19 17:08:12 +00:00
Omar Polo 67c49bc5c7 mention landlock in the README 2021-09-19 17:08:12 +00:00
Omar Polo 3499ce5a9a landlock the server process 
Trying to implement some landlock policies (rules?) where possible.
The server process is, of course, the most dangerous process so start
with that.

The following should be equivalent to the unveil(2) call on OpenBSD:
allows only to read files and directories inside the vhost roots.

I'm assuming seccomp is enabled so I'm not trying to disallow actions
such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE
which require syscalls that are already disallowed.  I'm only trying
to limit the damage that the currently allowed system calls can do.
e.g. since write(2) is allowed, gmid could modify *any* file it has
access to; this is now forbidden by landlock.

There are still too many #ifdefs for my tastes, but it's still better
than the seccomp code.
 2021-09-19 17:08:12 +00:00
Omar Polo d85aa60208 define HAVE_LANDLOCK accordingly 2021-09-19 17:08:12 +00:00
Omar Polo 4c31de2915 add configure check and shim for landlock 
First move towards landlock support (#3).  The shim is needed until
libc provides the proper wrappers for the landlock APIs; I hope it
doesn't take too long, but landlock was merged back in May and are
still missing.
 2021-09-19 17:08:12 +00:00
Omar Polo fba809b5c7 tag 1.7.3 
bump version number
 2021-09-19 14:48:07 +00:00
Omar Polo ca3d8bfde6 retroactively mention the fstat64 fix 2021-09-18 11:15:40 +00:00
Omar Polo 39c5bfd64b fix changelog syntax 2021-09-18 11:09:36 +00:00
Omar Polo e30e5385f1 sort tests 2021-09-18 11:17:28 +02:00
Omar Polo b03b7d5bae sync changelog 2021-09-17 16:17:16 +00:00
Omar Polo db623d7551 fix syslog logging on FreeBSD 
Due to capsicum(4), opening the log on-demand via syslog(3) fails.
openlog(LOG_NDELAY) forces the log to be opened immediately, before we
enter capsicum.

This doesn't affect OpenBSD (where pledge(2) doesn't stop syslog) nor
linux (where the log process is not sandboxed.)

Reported by Karl Jeacle, thank you!
 2021-09-17 16:17:16 +00:00
Omar Polo f2478b332f sync 2021-08-23 22:44:55 +00:00
Omar Polo 2e31927606 don't crash if -n is given without -c 
If -n is given without -c, config_path is still NULL and it would
crash due to a NULL deference.
 2021-08-23 22:43:56 +00:00
Omar Polo 83272dfee9 don't yyerror if we can't open the file 
the global var file could still be NULL and yyerror would crash.
 2021-08-23 22:42:59 +00:00
Omar Polo ef352ec3b8 fix wrong arguments order for send_log 2021-08-23 22:36:01 +00:00
Omar Polo 03747a6c51 sync 2021-07-29 07:54:41 +00:00
Omar Polo 2bb1776bac keep the openssl key generation example under 80 columns 2021-07-29 09:48:43 +02:00
Anna “CyberTailor” 301e039d24 gmid.1: some spelling, grammar and crosslinks 2021-07-29 09:38:03 +02:00
Anna “CyberTailor” e308526cf6 gmid.1: provide certificate generation example 2021-07-29 09:35:09 +02:00
Anna “CyberTailor” e58a447a28 gmid.1: document logging 2021-07-29 09:31:09 +02:00
Omar Polo 2887c631ee sync 2021-07-27 09:22:17 +00:00
Omar Polo efb48052dc relax openat rule: follow symlinks 
O_NOFOLLOW acts only on *the last component*, so on
open("/foo/bar/baz") only when baz is a symlink open fails.
Checking every path component is not viable.

gh issue #5 related (sort of)
 2021-07-27 09:21:42 +00:00
Omar Polo a8e1e8d738 typo 
Since there was 0 reports in a month can I assume it's not actually
used anywhere?
 2021-07-23 06:55:32 +00:00
Omar Polo 21f7d24699 allow fstat64 
used by glibc on aarch64.

Found and tested by pine, thanks!
 2021-07-23 06:50:30 +00:00
Omar Polo af5f9b271e use \e instead of \\ as a mean to escape \ 
Just read in a mail from Ingo to tech@

> Using \\ outside macro definitions (i.e., outside the bodies of roff(7)
> .de and similar requests) is almost always wrong even in low-level roff
> code, and \\ must never be used in manual pages.
 2021-07-21 07:56:41 +00:00
Omar Polo 3e0164f4c3 use certs from regress/ 2021-07-19 11:37:01 +00:00
Omar Polo 735336b21e unbreak configless mode 
An un-initialized field in the configless code path leads to a crash
on the first request.
 2021-07-19 11:15:44 +00:00
Omar Polo abc8801d60 typo 2021-07-19 07:45:55 +00:00
Omar Polo c74c70304d drop leading T from token names 2021-07-19 07:39:13 +00:00
Omar Polo 9a818eebc1 sort tokens 2021-07-19 07:34:29 +00:00
Omar Polo 41395640e0 introduce IMSG_LOG_REQUEST 2021-07-19 07:31:40 +00:00
Omar Polo 2b5e2a5f04 send_log: accept explicit imsg type param 2021-07-19 07:23:38 +00:00
Omar Polo 9ffdade26c sort 2021-07-13 11:45:51 +00:00
Omar Polo a7da55710e sync 2021-07-13 11:43:07 +00:00
Anna “CyberTailor” f3966209e5 contrib/vim: add Syntastic integration 
Error and warning messages are prefixed with "error: " and "warning: "
correspondingly to ease integration with automated tooling.

`yywarn' function added. Off-by-one line numbers in warnings are fixed.

Two error messages are reworded to avoid repeating like
"error: error in server directive" or "error: syntax error".
 2021-07-13 13:38:42 +02:00
Omar Polo a556718a24 sort and tweak rc description 2021-07-13 11:12:20 +02:00
la-ninpre caf4e5fb22 add an example rc(8) script for openbsd 
copy it to `/etc/rc.d`, write your config in `/etc/gmid.conf` and launch
using `rcctl enable gmid && rcctl start gmid`.
 2021-07-13 11:09:13 +02:00
Omar Polo dbbfd0fb9f point to contrib.html 2021-07-11 20:58:57 +00:00
Omar Polo 3b0eff06ff fix the dockerfile 2021-07-11 20:58:42 +00:00
Omar Polo 02ccd9d940 move the Dockerfile to contrib/ 2021-07-11 18:43:24 +00:00
Omar Polo e8b8003098 add an example systemd unit file 2021-07-11 15:44:44 +00:00
Omar Polo e2d3a8f222 add missing `env' keyword 2021-07-11 14:49:20 +00:00
Anna “CyberTailor” 1a115616cb add simple vim syntax file 2021-07-11 14:27:31 +02:00
Omar Polo 8068d2ff33 tag v1.7.1 
This version includes two bugfixes:

 - use ${MAKE} to recursively call make
 - fix the misleading example in the man page: macros name may not be
 reserved words

Both bugs found and fixed by Anna “CyberTailor”, thanks!
 2021-07-11 09:50:26 +02:00
Omar Polo 094bdacd40 sync 2021-07-11 09:48:29 +02:00
Omar Polo ad15003be8 align 2021-07-11 09:47:19 +02:00
Anna “CyberTailor” 2d06ae62ae fix misleading example in man page 
> Macros names may not be reserved words
 2021-07-11 09:23:56 +02:00