diff --git a/.github/workflows/makefile.yml b/.github/workflows/makefile.yml index 888c222c..89e1ad6a 100644 --- a/.github/workflows/makefile.yml +++ b/.github/workflows/makefile.yml @@ -1,7 +1,7 @@ name: Regression Tests on: [push] jobs: - ubuntu_standard: + ubuntu: runs-on: ubuntu-latest steps: - uses: actions/checkout@master @@ -13,19 +13,7 @@ jobs: ./configure - name: Build and test run: bmake regress - ubuntu_sandboxed: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - name: Install dependencies - run: sudo apt-get install -y libcurl4-openssl-dev bmake - - name: Configure - run: | - cat /etc/os-release - ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" - - name: Build and test - run: bmake regress - ubuntu_libbsd_sandboxed: + ubuntu_libbsd: runs-on: ubuntu-latest steps: - uses: actions/checkout@master @@ -34,7 +22,7 @@ jobs: - name: Configure run: | cat /etc/os-release - CFLAGS=$(pkg-config --cflags libbsd-overlay) ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" LDFLAGS=$(pkg-config --libs libbsd-overlay) + CFLAGS=$(pkg-config --cflags libbsd-overlay) ./configure LDFLAGS=$(pkg-config --libs libbsd-overlay) - name: Build and test run: bmake regress macos_standard: @@ -47,7 +35,7 @@ jobs: run: ./configure - name: Build and test run: bmake regress - alpine_sandboxed_x86_64: + alpine_x86_64: runs-on: ubuntu-latest steps: - uses: actions/checkout@master @@ -64,10 +52,10 @@ jobs: - name: Configure, build, and test on x86_64 run: | cat /etc/alpine-release - ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" + ./configure bmake regress shell: alpine-x86_64.sh {0} - alpine_sandboxed_aarch64: + alpine_aarch64: runs-on: ubuntu-latest steps: - uses: actions/checkout@master 
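Review bot: Every job kept or renamed in this file still checks out with `uses: actions/checkout@master`, a branch reference that can move underneath the workflow, so the action code that runs before the sandbox regression tests is not fixed by anything in this repository. Pin it to a release tag or, preferably, to a full commit SHA, for example `- uses: actions/checkout@<full-commit-sha>` (placeholder, take the value from the action's releases). The lines are unchanged context in this commit, but the job renames touch every job and are a convenient point to fix them all together.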
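Review bot: Nothing in the `alpine_x86_64` step shows whether configure actually detected seccomp, now that `./configure` runs without `CPPFLAGS="-DENABLE_SECCOMP_FILTER=1"` and the job name no longer says "sandboxed". If detection fails on one of the emulated architectures, `bmake regress` would presumably test an unsandboxed build and still pass. Consider printing or asserting the result right after configure, e.g. `grep HAVE_SECCOMP_FILTER config.h`, assuming configure writes that macro into the `config.h` the C sources include. The same applies to the aarch64, armv7, ppc64le and s390x steps and to the `ubuntu` and `ubuntu_libbsd` jobs.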
@@ -85,10 +73,10 @@ jobs: - name: Configure, build, and test on aarch64 run: | cat /etc/alpine-release - ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" + ./configure bmake regress shell: alpine-aarch64.sh {0} - alpine_sandboxed_armv7: + alpine_armv7: runs-on: ubuntu-latest steps: - uses: actions/checkout@master @@ -106,10 +94,10 @@ jobs: - name: Configure, build, and test on armv7 run: | cat /etc/alpine-release - ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" + ./configure bmake regress shell: alpine-armv7.sh {0} - alpine_sandboxed_ppc64le: + alpine_ppc64le: runs-on: ubuntu-latest steps: - uses: actions/checkout@master @@ -127,10 +115,10 @@ jobs: - name: Configure, build, and test on ppc64le run: | cat /etc/alpine-release - ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" + ./configure bmake regress shell: alpine-ppc64le.sh {0} - alpine_sandboxed_s390x: + alpine_s390x: runs-on: ubuntu-latest steps: - uses: actions/checkout@master @@ -148,10 +136,10 @@ jobs: - name: Configure, build, and test on s390x run: | cat /etc/alpine-release - ./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" + ./configure bmake regress shell: alpine-s390x.sh {0} - freebsd_sandboxed: + freebsd: runs-on: ubuntu-latest steps: - uses: actions/checkout@master @@ -164,16 +152,3 @@ jobs: freebsd-version ./configure make regress - openbsd_sandboxed: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - name: Test in OpenBSD - uses: vmactions/openbsd-vm@v1 - with: - usesh: true - prepare: pkg_add curl - run: | - uname -a - ./configure - make regress diff --git a/Makefile b/Makefile index d31fb874..19f26acc 100644 --- a/Makefile +++ b/Makefile 
@@ -9,11 +9,10 @@ include Makefile.configure #LDADD_STATIC = -# Seccomp is disabled by default. To enable it, uncomment the following -# line and run `make regress` to make sure it runs on your target -# architecture and system. - -#CPPFLAGS += -DSANDBOX_SECCOMP_DEBUG -DENABLE_SECCOMP_FILTER=1 +# If running Linux and seccomp is causing issues, cause violators to trap and +# output a debug message instead of just failing. This is disabled by default +# so that violations are properly killed instead of providing an escape hatch. +#CPPFLAGS += -DSANDBOX_SECCOMP_DEBUG # You probably don't need to change anything else... diff --git a/README.md b/README.md index a677cb79..32d4e733 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -## Synopsis +# Introduction **kcgi** is an open source CGI and FastCGI library for C/C++ web applications. It's minimal, secure, auditable, and fits within your @@ -8,14 +8,18 @@ To keep up to date with the current stable release of **kcgi**, visit https://kristaps.bsd.lv/kcgi. The website also contains canonical installation, deployment, examples, and usage documentation. -## Installation +# Installation Building the bleeding-edge version of **kcgi** (instead of from your system's packages or a stable version) is similar to building the source releases. -You'll a C compiler, zlib (zlib-dev on some systems), and BSD make -(bmake on some systems) for building. +You'll a C compiler ([gcc](https://gcc.gnu.org/) or +[clang](https://clang.llvm.org/), [zlib](https://zlib.net) (*zlib* or +*zlib-dev* for some package managers), and BSD make (*bmake* for some +managers) for building. On some Linux systems, you might additionally +need the Linux kernel headers installed using the *linux-headers* +package or similar. Begin by cloning or downloading. Then configure with `./configure`, compile with `make` (BSD make, so it may be `bmake` on your system), 
@@ -29,11 +33,6 @@ make make install ``` -If you plan on using `pkg-config` with the above invocation, make sure -that *~/.local/lib/pkgconfig* is recognised as a path to package -specifications. You'll also want to make sure that `man` can access the -installed location of *~/.local/man*, in this case. - A common idiom for deploying on Linux is to use [libbsd](https://libbsd.freedesktop.org/wiki/) as noted in the [oconfigure](https://github.com/kristapsdz/oconfigure) documentation: @@ -41,20 +40,11 @@ A common idiom for deploying on Linux is to use ``` CFLAGS=$(pkg-config --cflags libbsd-overlay) \ ./configure LDFLAGS=$(pkg-config --libs libbsd-overlay) +make +make install ``` -If you intend to run on Linux with seccomp sandboxing, pass the -following to the configuration: - -``` -./configure CPPFLAGS="-DENABLE_SECCOMP_FILTER=1" -``` - -You'll need the Linux kernel headers installed, which are usually by -default but sometimes require the *linux-headers* package or similar. - - -## Tests +# Testing It's useful to run the installed regression tests on the bleeding edge sources. (Again, this uses BSD make, so it may be `bmake` on your @@ -75,11 +65,10 @@ cd afl afl-fuzz -i in/urlencoded -o out -- ./afl-urlencoded ``` -## Automated testing - The public GitHub repository repository for **kcgi** uses automated -testing on each check-in to run the regression tests. The following -systems are checked: +testing on each check-in to run the regression tests. These automated +tests are primarily aimed at Linux, whose security mechanism requires +constant maintenance. The following systems are checked: - Alpine/musl Linux (latest, aarch64, sandboxed) - Alpine/musl Linux (latest, armv7, sandboxed) 
@@ -88,15 +77,16 @@ systems are checked: - Alpine/musl Linux (latest, x86\_64, sandboxed) - FreeBSD (latest, x86\_64, sandboxed) - Mac OS X (latest, x86, sandboxed) -- OpenBSD (latest, x86\_64, sandboxed) - Ubuntu/glibc Linux (latest, x86\_64, un-sandboxed) - Ubuntu/glibc Linux (latest, x86\_64, sandboxed) - Ubuntu/glibc Linux (latest, x86\_64, sandboxed, libbsd) +Development is primarily on OpenBSD. + These are also run weekly to catch any changes as new operating system features come into play. -## License +# License All sources use the ISC (like OpenBSD) license. See the [LICENSE.md](LICENSE.md) file for details. diff --git a/index.xml b/index.xml index 67ad2ae1..b6eccbce 100644 --- a/index.xml +++ b/index.xml @@ -368,16 +368,8 @@ (Linux)
- Disabled by default and must be manually enabled at build time - (see ENABLE_SECCOMP_FILTER in the Makefile). - The reasons for disabling follow those in an - old article - about another system. - If manually enabled, this requires a seccomp-enabled Linux kernel. + This requires a seccomp-enabled Linux kernel and a recognised hardware architecture. It is supplemented by setrlimit(2) limiting. - For the time being, this feature is only available for x86, x86_64, and arm architectures. - If you're using another one, please send me your uname -m and, if you know if it, - the correct AUDIT_ARCH_xxx found in /usr/include/linux/audit.h.
pledge(2) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 2fc06cff..a2e009d9 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -16,7 +16,7 @@ */ #include "config.h" -#if HAVE_SECCOMP_FILTER && ENABLE_SECCOMP_FILTER +#if HAVE_SECCOMP_FILTER /* * Copyright (c) 2012 Will Drewry diff --git a/sandbox.c b/sandbox.c index 8a9613ad..f04bc088 100644 --- a/sandbox.c +++ b/sandbox.c @@ -62,7 +62,7 @@ ksandbox_init_child(enum sandtype type, #elif HAVE_PLEDGE if (!ksandbox_pledge_init_child(type)) return 0; -#elif HAVE_SECCOMP_FILTER && ENABLE_SECCOMP_FILTER +#elif HAVE_SECCOMP_FILTER if (!ksandbox_seccomp_init_child(type)) return 0; #endif diff --git a/versions.xml b/versions.xml index 4f71fe40..249d0f3a 100644 --- a/versions.xml +++ b/versions.xml @@ -9,8 +9,8 @@
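Review bot: In `sandbox.c`, the backend chain in `ksandbox_init_child` still closes with `#endif` directly after the `#elif HAVE_SECCOMP_FILTER` branch, so a build in which none of the `HAVE_*` macros is set compiles no sandbox call at this point and nothing flags it. With seccomp now selected purely by configure detection, a failed detection on Linux degrades silently to that case. Consider adding `#else` followed by `#warning "no sandbox backend compiled in"` before the `#endif`, or a runtime log line, so the condition shows up in build or server output. The function starts and continues outside the hunk, so a fallback may already exist there. The guard changed in `sandbox-seccomp-filter.c` depends on the same detection.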