crtxcr/qswiki
1
0
Fork 0
Code Issues 21 Pull Requests 1 Releases Activity

Compare commits

base: crtxcr:c90e26a374bc4d567a17fbf88b7853be78751941
Branches Tags
crtxcr:master
crtxcr:next
crtxcr:WIP/cpp20
crtxcr:feature/markdown
...
compare: crtxcr:55701541137069b92513dd31c0b90f3f435bccf4
Branches Tags
crtxcr:master
crtxcr:next
crtxcr:WIP/cpp20
crtxcr:feature/markdown

4 Commits
c90e26a374 ... 5570154113

Author SHA1 Message Date
Albert S
5570154113 fscache: Fix starts_with() broken by b41a5f4e5b 2021-11-30 19:14:59 +01:00
Albert S
4f6bcd27b4 sandbox: Sync iwth qssb.h upstream: Use whitelisting and groups 2021-11-14 21:54:08 +01:00
Albert S
bbe74a2c50 handlers: HandlerSearch: Add missing call to setGeneralVars() 2021-11-14 21:54:08 +01:00
Albert S
5db9305408 template: display headers inline (backport from production) 2021-11-14 21:54:08 +01:00
6 changed files with 23 additions and 15 deletions
Show Stats Expand all files Collapse all files

2
cache/fscache.cpp vendored
View File

@ -46,7 +46,7 @@ void FsCache::removePrefix(std::string_view prefix)
// TODO: lock dir // TODO: lock dir
for(auto &entry : std::filesystem::directory_iterator(std::filesystem::path{this->path})) for(auto &entry : std::filesystem::directory_iterator(std::filesystem::path{this->path}))
{ {
if(std::string_view(entry.path().filename().c_str()).starts_with(prefix) == 0) if(std::string_view(entry.path().filename().c_str()).starts_with(prefix))
{ {
std::filesystem::remove_all(entry); std::filesystem::remove_all(entry);
} }

1
handlers/handlersearch.cpp
View File

@ -28,6 +28,7 @@ Response HandlerSearch::handleRequest(const Request &r)
TemplatePage searchForm = this->templ->getPage("searchform"); TemplatePage searchForm = this->templ->getPage("searchform");
response.setBody(searchForm.render()); response.setBody(searchForm.render());
response.setStatus(200); response.setStatus(200);
setGeneralVars(searchForm);
return response; return response;
} }

29
sandbox/sandbox-linux.cpp
View File

@ -60,18 +60,25 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
policy->not_dumpable = 1; policy->not_dumpable = 1;
policy->no_new_privs = 1; policy->no_new_privs = 1;
policy->mount_path_policies_to_chroot = 1; policy->mount_path_policies_to_chroot = 1;
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
* sense that more could be listed here and some critical ones are probably missing */
/* TODO: use qssb groups */
long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
QSSB_SYS(personality), QSSB_SYS(prctl), QSSB_SYS(execveat), QSSB_SYS(execve),
QSSB_SYS(fork)};
qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0)
{
Logger::error() << "Sandbox: Failed to add whitelist!";
qssb_free_policy(policy);
return false;
}
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED) != 0)
{
Logger::error() << "Sandbox: Failed to add socket group!";
qssb_free_policy(policy);
return false;
}
if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0)
{
Logger::error() << "Sandbox: Default policy";
qssb_free_policy(policy);
return false;
}
if(qssb_enable_policy(policy) != 0) if(qssb_enable_policy(policy) != 0)
{ {
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!"; Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";

2
submodules/qssb.h

@ -1 +1 @@
Subproject commit 0d7c5bd6d437ae95a4900aab6b7b6cc207acbd1b Subproject commit d847d0f996679c77741b85959988dd9e65d63b97

3
template/quitesimple/searchform
View File

@ -1,7 +1,6 @@
{qswiki:include:general_header} {qswiki:include:general_header}
<main id="content"> <main id="content">
<h2>Search</h2> <h2>Search</h2><br>
Search content of pages: Search content of pages:
<form action="{qswiki:config:wikipath}" method="GET"><input type="hidden" name="action" value="search"/><input type="text" name="q" value="search here" onfocus="this.value=''"></form> <form action="{qswiki:config:wikipath}" method="GET"><input type="hidden" name="action" value="search"/><input type="text" name="q" value="search here" onfocus="this.value=''"></form>
</main> </main>

1
template/quitesimple/style.css
View File

@ -23,6 +23,7 @@ h1, h2, h3
{ {
margin: 0; margin: 0;
padding: 0; padding: 0;
display: inline;
} }
nav nav