Commit Graph

14 Commits

Author SHA1 Message Date
Albert S. 7ef9d7f020 sandbox: Use exile_vows_from_str() for seccomp policy 2022-10-23 21:36:58 +02:00
Albert S. d17e596563 sandbox-linux: include exile.hpp 2022-03-27 19:59:52 +02:00
Albert S. ca0c8a94fb sandbox: Use exile.h vow promises 2021-12-29 11:13:47 +01:00
Albert S. d0e7ff0a8c sandbox: Switch to exile.h (former qssb.h) 2021-12-02 10:15:11 +01:00
Albert S. 696ff9b7e7 sandbox: Allow TIME group 2021-12-02 10:06:21 +01:00
Albert S. 4f6bcd27b4 sandbox: Sync with qssb.h upstream: Use whitelisting and groups 2021-11-14 21:54:08 +01:00
Albert S. 75268e0073 sandbox: Disable Landlock due to qssb.h issue #19 2021-10-26 23:07:37 +02:00
Albert S. c4072a7e95 Sandbox: Remove multiple stages
While interesting in theory, there is nothing to be gained here,
because we don't really have user input at those early stages.

As we are also not a privileged process, those early stage
sandboxes in the end are not worth it, since they increase
complexity while there is no benefit in practice.

So, reduce those 3 stages to a single one (enable()), which we
activate after CLI server has launched.
2021-10-03 23:53:56 +02:00
Albert S. 67eb8b6428 sandbox: adjust to latest qssb.h 2021-09-23 17:13:08 +02:00
Albert S. 75f76f58eb sandbox: First version using qssb.h 2020-09-26 17:13:29 +02:00
Albert S. 2d0bd713e5 sandbox-linux: call seccomp_release, remove unnecessary iteration 2019-08-21 20:14:44 +02:00
Albert S. 1e150144e6 sandboxing: check whether debian specific patch disables user namespaces for unpriv users 2019-08-12 09:06:32 +02:00
Albert S. e14aa99a4b sandbox: paths must be bind mounted in order of their length 2019-08-11 21:03:50 +02:00
Albert S. f83c705230 Begin sandboxing support, README updates. 2019-08-11 20:10:38 +02:00