sandbox: expose seccomp interface

There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 04:38:28 +09:00
parent a6887f7253
commit 31aef905fa
12 changed files with 117 additions and 77 deletions
--- a/dbus/proc.go
+++ b/dbus/proc.go
@@ -67,6 +67,7 @@ func (p *Proxy) Start() error {
 			p.final, true,
 			argF, func(container *sandbox.Container) {
 				container.SeccompFlags |= seccomp.AllowMultiarch
+				container.SeccompPresets |= seccomp.PresetStrict
 				container.Hostname = "hakurei-dbus"
 				container.CommandContext = p.CommandContext
 				if p.output != nil {