mirror of
https://github.com/brunopostle/ifcurl.git
synced 2026-07-12 10:18:14 +00:00
Add sandboxing directives to limit blast radius from a compromised render subprocess: - NoNewPrivileges + RestrictSUIDSGID: no privilege escalation - ProtectSystem=strict + ProtectHome: Forgejo data tree is unwritable - PrivateTmp: isolated /tmp - RestrictAddressFamilies=AF_INET AF_INET6: no Unix socket access to Forgejo - SystemCallFilter=@system-service @process @files @io-event @network-io: allows fork/clone (needed by ifcopenshell geom workers) but excludes execve/execveat so an attacker cannot exec a shell - RestrictNamespaces, LockPersonality, ProtectKernelTunables, etc. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| gitattributes | ||
| gitconfig-ifcmerge | ||
| ifcurl-preview.service | ||