maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

sandbox/seccomp: resolve rules natively

Browse Source 
This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-07-01 20:23:33 +09:00
parent 1fb453dffe
commit 1a8840bebc
27 changed files with 709 additions and 619 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/app/instance/common/container.go
View File

@@ -27,8 +27,9 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
}
container := &sandbox.Params{
Hostname: s.Hostname,
Seccomp: s.Seccomp,
Hostname: s.Hostname,
SeccompFlags: s.SeccompFlags,
SeccompPresets: s.SeccompPresets,
}
{
@@ -37,7 +38,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
}
if s.Multiarch {
container.Seccomp |= seccomp.FilterMultiarch
container.SeccompFlags |= seccomp.AllowMultiarch
}
if s.Devel {