The Sandbox
Recent versions of the OpenFusion server contain two built-in process sandboxes: one for Linux and one for OpenBSD. These do not normally affect the behavior of the server, but they fortify it so that any attempt to exploit a security issue in the server's packet handlers simply crashes the server process instead of potentially allowing the attacker to take control of the machine hosting it.
While we doubt there will ever be many people hosting OpenFusion on OpenBSD, the sandbox for that system, based on the pledge() and unveil() system calls, was trivial to develop, and is entirely complete and future-proof. There should never be a reason to disable it on that system.
The Linux sandbox is a bit more complex, however. It's built with seccomp, and due to the design of that operating system feature it unfortunately isn't as future-proof. It's on by default, but it might cause the server to crash on startup or at other times when running on a system with newer versions of glibc or libsqlite, if those newer versions have changed the set of syscalls they make during normal operation. The same can happen if those libraries have been built with vastly different settings than the ones we've tested. You can tell it's the sandbox if the server gets killed by the SIGSYS signal and prints Bad system call (core dumped). In those cases, you can simply disable the sandbox by setting the sandbox config option to false in the server's config.ini, and send us a bug report with a backtrace and your OS, libc, libsqlite and OpenFusion versions.
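The failure mode described above is easiest to understand with a filter in hand. The program below is an added illustration and is not OpenFusion's own sandbox code: it installs a deliberately tiny seccomp-bpf allowlist (getppid, exit and exit_group only) in a forked child, then has the child make one syscall that is not on the list. The kernel answers with SIGSYS, which is exactly what happens to the server when a newer glibc or libsqlite starts using a syscall the real allowlist never anticipated. The helper names (install_allowlist, run_sandboxed_probe) are this example's own.

```c
/* Added example, not OpenFusion's filter: a minimal seccomp-bpf allowlist
 * that kills the process with SIGSYS on any syscall outside the list. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older kernel headers lack this constant; unknown return values are treated
 * as a kill by the kernel anyway, so the fallback is safe. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Syscall numbers differ per architecture, so a filter must pin the arch
 * it was written for and kill anything else (e.g. 32-bit compat calls). */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the allowlist in the calling process. Returns 0 on success. */
static int install_allowlist(void)
{
    struct sock_filter filter[] = {
        /* Load the architecture and kill if it is not the one compiled for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and compare it against the allowlist. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid,    2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit,       0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* Anything else: the kernel delivers SIGSYS and the process dies. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork a child, sandbox it, and optionally make it call a syscall the
 * allowlist does not cover. Returns the signal that killed the child,
 * 0 if it exited cleanly, or -1 on error (e.g. filter could not be set). */
int run_sandboxed_probe(int call_forbidden)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_allowlist() != 0)
            _exit(2);
        syscall(SYS_getppid);          /* on the allowlist: fine */
        if (call_forbidden)
            syscall(SYS_getpid);       /* not on the allowlist: SIGSYS here */
        _exit(0);                      /* exit_group: on the allowlist */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    int sig = run_sandboxed_probe(1);
    if (sig > 0)
        printf("forbidden syscall: child killed by signal %d (%s)\n", sig, strsignal(sig));
    else
        printf("forbidden syscall: unexpected result %d\n", sig);
    printf("allowed syscalls only: result %d\n", run_sandboxed_probe(0));
    return 0;
}
```

When the kernel kills the child, the first line reports signal 31 (SIGSYS, "Bad system call"); a shell that launches the process directly shows the same death as exit status 159 (128 + 31). The diagnosis in the text follows from the design: the filter has no way of knowing why a syscall was made, so a library upgrade that introduces one new syscall on the hot path is indistinguishable from an exploit attempt, and the only recovery is to extend the allowlist (hence the request for a backtrace and library versions) or to disable the sandbox.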
The other flaw with the Linux sandbox is that seccomp cannot limit file access to only the server folder. We might enhance this in the future using Landlock, but for now, security-minded system administrators can enhance the sandboxing by enclosing the process with an AppArmor profile or a Bubblewrap script.
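As an added example of the AppArmor option (this is not a profile shipped by the OpenFusion project), the following confines the server to its own folder, which is the gap the seccomp filter leaves open. It assumes the server was installed to /opt/openfusion with the binary named fusion, the config in config.ini, the game data under tdata/ and the SQLite database in database.db; adjust these paths to your installation. AppArmor is default-deny for a confined program, so anything not listed is refused.

```apparmor
# Added example profile for a hypothetical /opt/openfusion install.
# Save as /etc/apparmor.d/opt.openfusion.fusion.
#include <tunables/global>

/opt/openfusion/fusion {
  # libc, locale data, /dev/null, the kernel's random sources and the like.
  #include <abstractions/base>

  # The login and shard servers only speak TCP. No capabilities are
  # granted, so the listen ports must stay above 1024 (the defaults do).
  network inet stream,
  network inet6 stream,

  # Read-only access to the program, its configuration and the game data
  # (tdata/ is assumed to be where the server reads its static tables).
  /opt/openfusion/ r,
  /opt/openfusion/fusion mr,
  /opt/openfusion/config.ini r,
  /opt/openfusion/tdata/ r,
  /opt/openfusion/tdata/** r,

  # The SQLite database is the only thing that needs write access.
  # 'k' permits the file locks SQLite takes; the -journal/-wal/-shm
  # siblings are created by SQLite itself, as are its etilqs_ temp files.
  owner /opt/openfusion/database.db rwk,
  owner /opt/openfusion/database.db-journal rw,
  owner /opt/openfusion/database.db-wal rw,
  owner /opt/openfusion/database.db-shm rw,
  owner /tmp/etilqs_* rw,
  owner /var/tmp/etilqs_* rw,

  # Everything else under /opt/openfusion, and the rest of the filesystem,
  # is implicitly denied: a compromised packet handler cannot write a
  # script to the server folder, read /etc/shadow, or touch other users'
  # home directories.
}
```

Load it with apparmor_parser -r /etc/apparmor.d/opt.openfusion.fusion and start the server. Put the profile into complain mode first (aa-complain /opt/openfusion/fusion) and watch the audit log for ALLOWED entries while the server runs through a login and a shard session; anything that shows up there is a path your installation needs that this assumed layout does not cover. Once the log is quiet, switch back to enforce mode. The seccomp filter and the AppArmor profile compose: seccomp narrows which syscalls may run at all, and AppArmor narrows which files the permitted open/read/write calls may reach.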
This sandbox functionality is mostly relevant to people hosting public servers for others to play on. If you're hosting a local server or a friends-only server on a private network, you're not going to be hacking into your own machine, and probably neither will your friends.