sandbox/seccomp: resolve rules natively

This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-01 20:23:33 +09:00
parent 1fb453dffe
commit 1a8840bebc
27 changed files with 709 additions and 619 deletions


@@ -178,7 +178,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
t.Run("string", func(t *testing.T) {
wantSubstr := fmt.Sprintf("%s -test.run=TestHelperStub -- --args=3 --fd=4", os.Args[0])
if useSandbox {
wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], flags: 0x0, seccomp: 0x3e`, os.Args[0])
wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], flags: 0x0, seccomp: 0x1, presets: 0xf`, os.Args[0])
}
if got := p.String(); !strings.Contains(got, wantSubstr) {
t.Errorf("String: %q, want %q",
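Review bot: The new expected substring hard-codes `seccomp: 0x1, presets: 0xf` as bare hex, so a reader cannot tell which flag and which presets the sandboxed proxy is meant to run with. A comment above that line would make the security expectation explicit, for example `// 0x1 is presumably seccomp.AllowMultiarch as set in Proxy.Start; 0xf the default preset mask (confirm)`. Building the expected string from the exported constants would be stronger still, if the test can reference them. The enclosing t.Run closure continues past the end of the hunk.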


@@ -66,7 +66,7 @@ func (p *Proxy) Start() error {
ctx, toolPath,
p.final, true,
argF, func(container *sandbox.Container) {
container.Seccomp |= seccomp.FilterMultiarch
container.SeccompFlags |= seccomp.AllowMultiarch
container.Hostname = "hakurei-dbus"
container.CommandContext = p.CommandContext
if p.output != nil {
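Review bot: Nothing at `container.SeccompFlags |= seccomp.AllowMultiarch` says why the D-Bus proxy container needs this flag, which by its name loosens the syscall filter rather than tightening it. Now that the commit splits the old single bitmask into flags and presets, this closure touches only the flags. The presets that end up applied (the test changed in this commit expects `presets: 0xf`) are presumably a default set elsewhere, and that is worth confirming so the proxy does not silently lose deny rules it had before. I would add a comment such as `// proxy keeps the default presets; multiarch is permitted because <reason>`, or drop the flag if nothing requires it. Proxy.Start begins and ends outside the hunk.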