maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

helper/bwrap: integrate seccomp into helper interface

Browse Source 
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-01-22 01:51:10 +09:00
parent 82029948e6
commit 9a239fa1a5
21 changed files with 224 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
internal/app/seal.go
View File

@@ -14,6 +14,7 @@ import (
"git.gensokyo.uk/security/fortify/acl"
"git.gensokyo.uk/security/fortify/dbus"
"git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/linux"
"git.gensokyo.uk/security/fortify/internal/state"
@@ -52,8 +53,6 @@ type appSeal struct {
et system.Enablements
// initial config gob encoding buffer
ct io.WriterTo
// pass-through seccomp config from config
scmp *fst.SyscallConfig
// wayland socket direct access
directWayland bool
// extra UpdatePerm ops
@@ -196,6 +195,7 @@ func (a *app) Seal(config *fst.Config) error {
conf := &fst.SandboxConfig{
UserNS: true,
Net: true,
Syscall: new(bwrap.SyscallPolicy),
NoNewSession: true,
AutoEtc: true,
}
@@ -233,12 +233,6 @@ func (a *app) Seal(config *fst.Config) error {
conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
config.Confinement.Sandbox = conf
// ensure syscall filter
if config.Confinement.Syscall == nil {
config.Confinement.Syscall = new(fst.SyscallConfig)
config.Confinement.Syscall.Multiarch = true
}
}
seal.directWayland = config.Confinement.Sandbox.DirectWayland
if b, err := config.Confinement.Sandbox.Bwrap(a.os); err != nil {
@@ -259,9 +253,8 @@ func (a *app) Seal(config *fst.Config) error {
// initialise system interface with full uid
seal.sys.I = system.New(seal.sys.user.uid)
// pass through enablements and seccomp
// pass through enablements
seal.et = config.Confinement.Enablements
seal.scmp = config.Confinement.Syscall
// this method calls all share methods in sequence
if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {