Re-enable Linux seccomp by default.

.github/workflows/makefile.yml

@@ -1,7 +1,7 @@
 name: Regression Tests
 on: [push]
 jobs:
-  ubuntu_standard:
+  ubuntu:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -13,19 +13,7 @@ jobs:
         ./configure
     - name: Build and test
       run: bmake regress
-  ubuntu_sandboxed:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@master
-    - name: Install dependencies
-      run: sudo apt-get install -y libcurl4-openssl-dev bmake
-    - name: Configure
-      run: |
-        cat /etc/os-release
-        ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"
-    - name: Build and test
-      run: bmake regress
-  ubuntu_libbsd_sandboxed:
+  ubuntu_libbsd:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -34,7 +22,7 @@ jobs:
     - name: Configure
       run: |
         cat /etc/os-release
-        CFLAGS=$(pkg-config --cflags libbsd-overlay) ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" LDFLAGS=$(pkg-config --libs libbsd-overlay)
+        CFLAGS=$(pkg-config --cflags libbsd-overlay) ./configure LDFLAGS=$(pkg-config --libs libbsd-overlay)
     - name: Build and test
       run: bmake regress
   macos_standard:
@@ -47,7 +35,7 @@ jobs:
       run: ./configure
     - name: Build and test
       run: bmake regress
-  alpine_sandboxed_x86_64:
+  alpine_x86_64:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -64,10 +52,10 @@ jobs:
     - name: Configure, build, and test on x86_64
       run: |
         cat /etc/alpine-release
-        ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"
+        ./configure
         bmake regress
       shell: alpine-x86_64.sh {0}
-  alpine_sandboxed_aarch64:
+  alpine_aarch64:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -85,10 +73,10 @@ jobs:
     - name: Configure, build, and test on aarch64
       run: |
         cat /etc/alpine-release
-        ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"
+        ./configure
         bmake regress
       shell: alpine-aarch64.sh {0}
-  alpine_sandboxed_armv7:
+  alpine_armv7:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -106,10 +94,10 @@ jobs:
     - name: Configure, build, and test on armv7
       run: |
         cat /etc/alpine-release
-        ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"
+        ./configure
         bmake regress
       shell: alpine-armv7.sh {0}
-  alpine_sandboxed_ppc64le:
+  alpine_ppc64le:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -127,10 +115,10 @@ jobs:
     - name: Configure, build, and test on ppc64le
       run: |
         cat /etc/alpine-release
-        ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"
+        ./configure
         bmake regress
       shell: alpine-ppc64le.sh {0}
-  alpine_sandboxed_s390x:
+  alpine_s390x:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -148,10 +136,10 @@ jobs:
     - name: Configure, build, and test on s390x
       run: |
         cat /etc/alpine-release
-        ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"
+        ./configure
         bmake regress
       shell: alpine-s390x.sh {0}
-  freebsd_sandboxed:
+  freebsd:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
@@ -164,16 +152,3 @@ jobs:
           freebsd-version
           ./configure
           make regress
-  openbsd_sandboxed:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@master
-    - name: Test in OpenBSD
-      uses: vmactions/openbsd-vm@v1
-      with:
-        usesh: true
-        prepare: pkg_add curl
-        run: |
-          uname -a
-          ./configure
-          make regress

Makefile

@@ -9,11 +9,10 @@ include Makefile.configure
 
 #LDADD_STATIC	 =
 
-# Seccomp is disabled by default.  To enable it, uncomment the following
-# line and run `make regress` to make sure it runs on your target
-# architecture and system.
-
-#CPPFLAGS	+= -DSANDBOX_SECCOMP_DEBUG -DENABLE_SECCOMP_FILTER=1
+# If running Linux and seccomp is causing issues, cause violators to trap and
+# output a debug message instead of just failing.  This is disabled by default
+# so that violations are properly killed instead of providing an escape hatch.
+#CPPFLAGS	+= -DSANDBOX_SECCOMP_DEBUG
 
 # You probably don't need to change anything else...
 

README.md

@@ -1,4 +1,4 @@
-## Synopsis
+# Introduction
 
 **kcgi** is an open source CGI and FastCGI library for C/C++ web applications.
 It's minimal, secure, auditable, and fits within your
@@ -8,14 +8,18 @@ To keep up to date with the current stable release of **kcgi**, visit
 https://kristaps.bsd.lv/kcgi.  The website also contains canonical
 installation, deployment, examples, and usage documentation.
 
-## Installation
+# Installation
 
 Building the bleeding-edge version of **kcgi** (instead of from your
 system's packages or a stable version) is similar to building the source
 releases.
 
-You'll a C compiler, zlib (zlib-dev on some systems), and BSD make
-(bmake on some systems) for building.
+You'll a C compiler ([gcc](https://gcc.gnu.org/) or
+[clang](https://clang.llvm.org/), [zlib](https://zlib.net) (*zlib* or
+*zlib-dev* for some package managers), and BSD make (*bmake* for some
+managers) for building.  On some Linux systems, you might additionally
+need the Linux kernel headers installed using the *linux-headers*
+package or similar.
 
 Begin by cloning or downloading.  Then configure with `./configure`,
 compile with `make` (BSD make, so it may be `bmake` on your system),
@@ -29,32 +33,18 @@ make
 make install
 ```
 
-If you plan on using `pkg-config` with the above invocation, make sure
-that *~/.local/lib/pkgconfig* is recognised as a path to package
-specifications.  You'll also want to make sure that `man` can access the
-installed location of *~/.local/man*, in this case.
-
 A common idiom for deploying on Linux is to use
 [libbsd](https://libbsd.freedesktop.org/wiki/) as noted in the
 [oconfigure](https://github.com/kristapsdz/oconfigure) documentation:
 
 ```
 CFLAGS=$(pkg-config --cflags libbsd-overlay) \
     ./configure LDFLAGS=$(pkg-config --libs libbsd-overlay)
+make
+make install
 ```
 
-If you intend to run on Linux with seccomp sandboxing, pass the
-following to the configuration:
-
-```
-./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"
-```
-
-You'll need the Linux kernel headers installed, which are usually by
-default but sometimes require the *linux-headers* package or similar.
-
-
-## Tests
+# Testing
 
 It's useful to run the installed regression tests on the bleeding edge
 sources.  (Again, this uses BSD make, so it may be `bmake` on your
@@ -75,11 +65,10 @@ cd afl
 afl-fuzz -i in/urlencoded -o out -- ./afl-urlencoded
 ```
 
-## Automated testing
-
 The public GitHub repository repository for **kcgi** uses automated
-testing on each check-in to run the regression tests.  The following
-systems are checked:
+testing on each check-in to run the regression tests.  These automated
+tests are primarily aimed at Linux, whose security mechanism requires
+constant maintenance.  The following systems are checked:
 
 - Alpine/musl Linux (latest, aarch64, sandboxed)
 - Alpine/musl Linux (latest, armv7, sandboxed)
@@ -88,15 +77,16 @@ systems are checked:
 - Alpine/musl Linux (latest, x86\_64, sandboxed)
 - FreeBSD (latest, x86\_64, sandboxed)
 - Mac OS X (latest, x86, sandboxed)
-- OpenBSD (latest, x86\_64, sandboxed)
 - Ubuntu/glibc Linux (latest, x86\_64, un-sandboxed)
 - Ubuntu/glibc Linux (latest, x86\_64, sandboxed)
 - Ubuntu/glibc Linux (latest, x86\_64, sandboxed, libbsd)
 
+Development is primarily on OpenBSD.
+
 These are also run weekly to catch any changes as new operating system
 features come into play.
 
-## License
+# License
 
 All sources use the ISC (like OpenBSD) license.
 See the [LICENSE.md](LICENSE.md) file for details.

index.xml

@@ -368,16 +368,8 @@
 					(Linux)
 				</dt>
 				<dd>
-					<strong>Disabled by default</strong> and must be manually enabled at build time
-					(see <code>ENABLE_SECCOMP_FILTER</code> in the Makefile).
-					The reasons for disabling follow those in an
-					<a href="https://github.com/kristapsdz/acme-client-portable/blob/master/Linux-seccomp.md">old article</a>
-					about another system.
-					If manually enabled, this requires a seccomp-enabled Linux kernel.
+					This requires a seccomp-enabled Linux kernel and a recognised hardware architecture.
 					It is supplemented by <code>setrlimit(2)</code> limiting.
-					For the time being, this feature is only available for x86, x86_64, and arm architectures.
-					If you're using another one, please send me your <code>uname -m</code> and, if you know if it,
-					the correct <code>AUDIT_ARCH_xxx</code> found in <code>/usr/include/linux/audit.h</code>.
 				</dd>
 				<dt>
 					<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>

sandbox-seccomp-filter.c

@@ -16,7 +16,7 @@
  */
 #include "config.h"
 
-#if HAVE_SECCOMP_FILTER && ENABLE_SECCOMP_FILTER
+#if HAVE_SECCOMP_FILTER
 
 /*
  * Copyright (c) 2012 Will Drewry <wad@dataspill.org>

sandbox.c

@@ -62,7 +62,7 @@ ksandbox_init_child(enum sandtype type,
 #elif HAVE_PLEDGE
 	if (!ksandbox_pledge_init_child(type))
 		return 0;
-#elif HAVE_SECCOMP_FILTER && ENABLE_SECCOMP_FILTER
+#elif HAVE_SECCOMP_FILTER
 	if (!ksandbox_seccomp_init_child(type))
 		return 0;
 #endif

versions.xml

@@ -9,8 +9,8 @@
 		</header>
 		<aside>
 			<div>
-				Remove stray seccomp bits if not enabled at compile-time and fix
-				some new white-listed system calls for x86.
+				Re-enable seccomp by default after introducing GitHub testing on
+				alternate architectures (armv7, aarch64, etc.).
 			</div>
 			<div>
 				Add