maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

container: move seccomp preset bits

Browse Source 
This allows holding the bits without cgo.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-10-07 18:28:20 +09:00
parent 2489766efe
commit 3ce63e95d7
15 changed files with 116 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
internal/app/spcontainer.go
View File

@@ -8,6 +8,7 @@ import (
"syscall"
"hakurei.app/container"
"hakurei.app/container/bits"
"hakurei.app/container/seccomp"
"hakurei.app/hst"
"hakurei.app/system/dbus"
@@ -64,16 +65,16 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
}
if !state.Container.SeccompCompat {
state.params.SeccompPresets |= seccomp.PresetExt
state.params.SeccompPresets |= bits.PresetExt
}
if !state.Container.Devel {
state.params.SeccompPresets |= seccomp.PresetDenyDevel
state.params.SeccompPresets |= bits.PresetDenyDevel
}
if !state.Container.Userns {
state.params.SeccompPresets |= seccomp.PresetDenyNS
state.params.SeccompPresets |= bits.PresetDenyNS
}
if !state.Container.Tty {
state.params.SeccompPresets |= seccomp.PresetDenyTTY
state.params.SeccompPresets |= bits.PresetDenyTTY
}
if state.Container.MapRealUID {