cmd/fshim: bind finit inside sandbox
The outer finit executable is normally inaccessible inside the sandbox. This was obscured by the current Nix-based setup exposing /nix/store to the sandbox. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
b956ce4052
commit
0a2aa5823b
SSH Key Fingerprint:
SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
@ -9,6 +9,7 @@ import (
|
|||||||
|
|
||||||
init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
|
init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
|
||||||
shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
|
shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
|
||||||
|
"git.gensokyo.uk/security/fortify/fst"
|
||||||
"git.gensokyo.uk/security/fortify/helper"
|
"git.gensokyo.uk/security/fortify/helper"
|
||||||
"git.gensokyo.uk/security/fortify/internal"
|
"git.gensokyo.uk/security/fortify/internal"
|
||||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||||
@ -117,8 +118,12 @@ func main() {
|
|||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// bind finit inside sandbox
|
||||||
|
finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
|
||||||
|
conf.Bind(finitPath, finitInnerPath)
|
||||||
|
|
||||||
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
|
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
|
||||||
if b, err := helper.NewBwrap(conf, nil, finitPath,
|
if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
|
||||||
func(int, int) []string { return make([]string, 0) }); err != nil {
|
func(int, int) []string { return make([]string, 0) }); err != nil {
|
||||||
fmsg.Fatalf("malformed sandbox config: %v", err)
|
fmsg.Fatalf("malformed sandbox config: %v", err)
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user