sandbox: expose seccomp interface

There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 04:38:28 +09:00
parent a6887f7253
commit 31aef905fa
12 changed files with 117 additions and 77 deletions
--- a/ldd/exec.go
+++ b/ldd/exec.go
@@ -9,6 +9,7 @@ import (
 	"time"

 	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )

 const lddTimeout = 2 * time.Second
@@ -29,6 +30,8 @@ func ExecFilter(ctx context.Context,
 	container := sandbox.New(c, "ldd", p)
 	container.CommandContext = commandContext
 	container.Hostname = "hakurei-ldd"
+	container.SeccompFlags |= seccomp.AllowMultiarch
+	container.SeccompPresets |= seccomp.PresetStrict
 	stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
 	container.Stdout = stdout
 	container.Stderr = stderr