mirror of
https://github.com/jorisvink/kore
synced 2025-03-19 01:09:02 -04:00
With this commit all Kore processes (minus the parent) are running under seccomp.

The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require.

New API functions:
    int kore_seccomp_filter(const char *name, void *filter, size_t len);
        Adds a filter into the seccomp system (must be called before seccomp is enabled).

New helpful macro:
    define KORE_SYSCALL_ALLOW(name)
        Allow the syscall with a given name, should be used in a sock_filter data structure.

New hooks:
    void kore_seccomp_hook(void);
        Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp.
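An added example, not part of the commit or of Kore's source: a self-contained allow-list in the sock_filter form the commit message describes, with a small userspace evaluator so each verdict can be checked without installing the filter. EX_SYSCALL_ALLOW, ex_filter and ex_verdict are hypothetical names, and the three allowed syscalls are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical stand-in (not Kore's macro): return ALLOW when the loaded
 * syscall number equals SYS_<name>, else skip the RET and fall through. */
#define EX_SYSCALL_ALLOW(name) \
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_##name, 0, 1), \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed allow-list: load the syscall number, test it, default deny. */
static struct sock_filter ex_filter[] = {
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
	EX_SYSCALL_ALLOW(read),
	EX_SYSCALL_ALLOW(write),
	EX_SYSCALL_ALLOW(close),
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
#define EX_FILTER_LEN (sizeof(ex_filter) / sizeof(ex_filter[0]))

/* Userspace evaluator for the three classic-BPF opcodes used above. */
static uint32_t ex_verdict(const struct sock_filter *f, size_t len, int nr)
{
	uint32_t acc = 0;
	for (size_t pc = 0; pc < len; pc++) {
		switch (f[pc].code) {
		case BPF_LD | BPF_W | BPF_ABS:	/* only seccomp_data.nr is read */
			acc = (uint32_t)nr;
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:	/* relative jump past pc + 1 */
			pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
			break;
		case BPF_RET | BPF_K:
			return f[pc].k;
		default:			/* unsupported opcode: fail closed */
			return SECCOMP_RET_KILL;
		}
	}
	return SECCOMP_RET_KILL;		/* ran off the end: fail closed */
}

int main(void)
{
	printf("write:  %#x\n", (unsigned)ex_verdict(ex_filter, EX_FILTER_LEN, SYS_write));
	printf("getpid: %#x\n", (unsigned)ex_verdict(ex_filter, EX_FILTER_LEN, SYS_getpid));
	return 0;
}
```

A filter that is actually loaded into the kernel should also compare seccomp_data.arch before the syscall number, since syscall numbers differ between architectures.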
35 lines
1016 B
Plaintext
# python-async build config
# You can switch flavors using: kodev flavor [newflavor]

# Set to yes if you wish to produce a single binary instead
# of a dynamic library. If you set this to yes you must also
# set kore_source together with kore_flavor.
single_binary=yes
kore_source=../../
kore_flavor=PYTHON=1 CURL=1 NOTLS=1 DEBUG=1

# The flags below are shared between flavors
cflags=-Wall -Wmissing-declarations -Wshadow
cflags=-Wstrict-prototypes -Wmissing-prototypes
cflags=-Wpointer-arith -Wcast-qual -Wsign-compare

cxxflags=-Wall -Wmissing-declarations -Wshadow
cxxflags=-Wpointer-arith -Wcast-qual -Wsign-compare

# Mime types for assets served via the builtin asset_serve_*
#mime_add=txt:text/plain; charset=utf-8
#mime_add=png:image/png
#mime_add=html:text/html; charset=utf-8

dev {
	# These flags are added to the shared ones when
	# you build the "dev" flavor.
	cflags=-g
	cxxflags=-g
}

#prod {
# You can specify additional flags here which are only
# included if you build with the "prod" flavor.
#}