Index: Makefile ================================================================== --- Makefile +++ Makefile @@ -22,11 +22,11 @@ '$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \ '$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new mv filed-mime-types.h.new filed-mime-types.h filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter - $(srcdir)/generate-seccomp-filter filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new + $(srcdir)/generate-seccomp-filter $(srcdir)/filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new mv filed.seccomp.h.new filed.seccomp.h install: filed $(srcdir)/filed.1 test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1" test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)" Index: README ================================================================== --- README +++ README @@ -77,10 +77,15 @@ 5. Differing "index.html" handling (CFLAGS, -DFILED_DONT_REDIRECT_DIRECTORIES=1) Normally "filed" redirects users who request a directory to the index.html file in that directory so that no memory allocations are required; This option lets the server generate the new path. + 6. Enable seccomp (CFLAGS, -DFILED_DO_SECCOMP=1) + Linux supports limiting the system calls that a process can make. + This is called seccomp (SECure COMPuting). Currently not all + platforms have been tested with this so it is disabled by default. + 6. MIME Types (MIMETYPES) For single-file convenience "filed" compiles the mapping of file extensions (the string in the filename following its last dot (".")) into the executable. This mapping comes from a file in the format of type1 type1_extension1 type1_extension2... Index: build/build-precompiled ================================================================== --- build/build-precompiled +++ build/build-precompiled @@ -42,11 +42,11 @@ *-musl-*|*-musl) make_extra=("${make_extra[@]}" FILED_EXTRA_LDFLAGS="-static") ;; esac - make "${make_extra[@]}" + make "${make_extra[@]}" > filed.log 2>&1 #include #include -#include #include #include #include #include #include @@ -605,11 +604,11 @@ filed_log_msg("START"); return(0); } -#endif +#endif /* FILED_DONT_LOG */ #ifdef FILED_DONT_TIMEOUT #define filed_sockettimeout_thread_init() 0 #define filed_sockettimeout_init() 0 #define filed_sockettimeout_accept(x) /**/ @@ -726,10 +725,12 @@ int count; int valid; int time_interval = 30; int check_period = 90; + filed_sockettimeout_time = time(NULL); + while (1) { for (count = 0; count < (check_period / time_interval); count++) { sleep_time.tv_sec = time_interval; sleep_time.tv_nsec = 0; nanosleep(&sleep_time, NULL); @@ -754,11 +755,11 @@ expiration_time = filed_sockettimeout_sockstatus[idx].expiration_time; thread_id = filed_sockettimeout_sockstatus[idx].thread_id; - if (expiration_time > now) { + if (expiration_time > filed_sockettimeout_time) { continue; } filed_sockettimeout_close(idx, 1); @@ -807,16 +808,20 @@ return(-1); } return(0); } -#endif +#endif /* FILED_DONT_TIMEOUT */ +#ifndef FILED_DO_SECCOMP +#define filed_init_seccomp() 0 +#else #include #include #include #include +#include #include static int filed_init_seccomp(void) { struct sock_fprog filter; struct sock_filter rules[] = { @@ -838,10 +843,11 @@ return(-1); } return(0); } +#endif /* FILED_DO_SECCOMP */ /* Format time per RFC2616 */ static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) { struct tm timeinfo_tm, *timeinfo_tm_p; @@ -1704,11 +1710,11 @@ return; } /* Add a getopt option */ static void filed_getopt_long_setopt(struct option *opt, const char *name, int has_arg, int val) { - opt->name = name; + opt->name = (const char *) name; opt->has_arg = has_arg; opt->flag = NULL; opt->val = val; return; @@ -1817,10 +1823,13 @@ int init_ret, chroot_ret, setuid_ret, lookup_ret, chdir_ret; int setuid_enabled = 0, daemon_enabled = 0; int ch; int fd; + /* Set default value */ + thread_options.fake_newroot = NULL; + /* Process arguments */ filed_getopt_long_setopt(&options[0], "port", required_argument, 'p'); filed_getopt_long_setopt(&options[1], "threads", required_argument, 't'); filed_getopt_long_setopt(&options[2], "cache", required_argument, 'c'); filed_getopt_long_setopt(&options[3], "bind", required_argument, 'b');