diff --git a/helper/bwrap/seccomp-resolve.go b/helper/bwrap/seccomp-resolve.go
index 01df4dc..860d720 100644
--- a/helper/bwrap/seccomp-resolve.go
+++ b/helper/bwrap/seccomp-resolve.go
@@ -2,9 +2,9 @@ package bwrap
 import (
 "fmt"
- "io"
 "os"
+ "git.gensokyo.uk/security/fortify/helper/seccomp"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 )
@@ -53,24 +53,24 @@ func (c *Config) resolveSeccomp() (*os.File, error) {
 // resolve seccomp filter opts
 var (
- opts syscallOpts
+ opts seccomp.SyscallOpts
 optd []string
 optCond = [...]struct {
 v bool
- o syscallOpts
+ o seccomp.SyscallOpts
 d string
 }{
- {!c.Syscall.Compat, flagExt, "fortify"},
- {!c.UserNS, flagDenyNS, "denyns"},
- {c.NewSession, flagDenyTTY, "denytty"},
- {c.Syscall.DenyDevel, flagDenyDevel, "denydevel"},
- {c.Syscall.Multiarch, flagMultiarch, "multiarch"},
- {c.Syscall.Linux32, flagLinux32, "linux32"},
- {c.Syscall.Can, flagCan, "can"},
- {c.Syscall.Bluetooth, flagBluetooth, "bluetooth"},
+ {!c.Syscall.Compat, seccomp.FlagExt, "fortify"},
+ {!c.UserNS, seccomp.FlagDenyNS, "denyns"},
+ {c.NewSession, seccomp.FlagDenyTTY, "denytty"},
+ {c.Syscall.DenyDevel, seccomp.FlagDenyDevel, "denydevel"},
+ {c.Syscall.Multiarch, seccomp.FlagMultiarch, "multiarch"},
+ {c.Syscall.Linux32, seccomp.FlagLinux32, "linux32"},
+ {c.Syscall.Can, seccomp.FlagCan, "can"},
+ {c.Syscall.Bluetooth, seccomp.FlagBluetooth, "bluetooth"},
 }
 )
- if CPrintln != nil {
+ if seccomp.CPrintln != nil {
 optd = make([]string, 1, len(optCond)+1)
 optd[0] = "common"
 }
@@ -82,22 +82,9 @@ func (c *Config) resolveSeccomp() (*os.File, error) {
 }
 }
 }
- if CPrintln != nil {
- CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
+ if seccomp.CPrintln != nil {
+ seccomp.CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
 }
- // export seccomp filter to tmpfile
- if f, err := tmpfile(); err != nil {
- return nil, err
- } else {
- return f, exportAndSeek(f, opts)
- }
-}
-
-func exportAndSeek(f *os.File, opts syscallOpts) error {
- if err := exportFilter(f.Fd(), opts); err != nil {
- return err
- }
- _, err := f.Seek(0, io.SeekStart)
- return err
+ return seccomp.Export(opts)
 }
diff --git a/helper/seccomp/export.go b/helper/seccomp/export.go
new file mode 100644
index 0000000..1bcb714
--- /dev/null
+++ b/helper/seccomp/export.go
@@ -0,0 +1,17 @@
+package seccomp
+
+import (
+ "io"
+ "os"
+)
+
+func Export(opts SyscallOpts) (f *os.File, err error) {
+ if f, err = tmpfile(); err != nil {
+ return
+ }
+ if err = exportFilter(f.Fd(), opts); err != nil {
+ return
+ }
+ _, err = f.Seek(0, io.SeekStart)
+ return
+}
diff --git a/helper/bwrap/seccomp-export.c b/helper/seccomp/seccomp-export.c
similarity index 100%
rename from helper/bwrap/seccomp-export.c
rename to helper/seccomp/seccomp-export.c
diff --git a/helper/bwrap/seccomp-export.h b/helper/seccomp/seccomp-export.h
similarity index 100%
rename from helper/bwrap/seccomp-export.h
rename to helper/seccomp/seccomp-export.h
diff --git a/helper/bwrap/seccomp.go b/helper/seccomp/seccomp.go
similarity index 74%
rename from helper/bwrap/seccomp.go
rename to helper/seccomp/seccomp.go
index f77abc6..b329467 100644
--- a/helper/bwrap/seccomp.go
+++ b/helper/seccomp/seccomp.go
@@ -1,4 +1,4 @@
-package bwrap
+package seccomp
 /*
 #cgo linux pkg-config: --static libseccomp
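Review bot: `Export` in the new helper/seccomp/export.go returns the temporary file together with a non-nil error when `exportFilter` or `Seek` fails, because the named results are handed back as-is after each failing step; the descriptor obtained from `tmpfile()` is then never closed unless the caller knows to close a file it received alongside an error, and the `-82` hunk in seccomp-resolve.go passes that pair through unchanged. Closing `f` and returning a nil `*os.File` on either failure keeps the usual (T, error) contract and stops the descriptor leak, which matters here because this file is what carries the sandbox's seccomp filter. The exported function also carries no doc comment; the one below states the contract. `tmpfile`'s body is outside this diff, so its own error path is left as it is.

```go
// Export writes the seccomp filter selected by opts to a fresh temporary
// file and returns it positioned at offset 0. On failure the temporary
// file is closed and a nil *os.File is returned with the error.
func Export(opts SyscallOpts) (*os.File, error) {
	f, err := tmpfile()
	if err != nil {
		return nil, err
	}
	if err = exportFilter(f.Fd(), opts); err != nil {
		_ = f.Close() // the export error is the one worth reporting
		return nil, err
	}
	if _, err = f.Seek(0, io.SeekStart); err != nil {
		_ = f.Close() // same: do not hide the seek error behind a close error
		return nil, err
	}
	return f, nil
}
```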
@@ -25,19 +25,17 @@ var resErr = [...]error{
 6: errors.New("seccomp_export_bpf failed"),
 }
-type (
- syscallOpts = C.f_syscall_opts
-)
+type SyscallOpts = C.f_syscall_opts
 const (
- flagExt syscallOpts = C.F_EXT
- flagDenyNS syscallOpts = C.F_DENY_NS
- flagDenyTTY syscallOpts = C.F_DENY_TTY
- flagDenyDevel syscallOpts = C.F_DENY_DEVEL
- flagMultiarch syscallOpts = C.F_MULTIARCH
- flagLinux32 syscallOpts = C.F_LINUX32
- flagCan syscallOpts = C.F_CAN
- flagBluetooth syscallOpts = C.F_BLUETOOTH
+ FlagExt SyscallOpts = C.F_EXT
+ FlagDenyNS SyscallOpts = C.F_DENY_NS
+ FlagDenyTTY SyscallOpts = C.F_DENY_TTY
+ FlagDenyDevel SyscallOpts = C.F_DENY_DEVEL
+ FlagMultiarch SyscallOpts = C.F_MULTIARCH
+ FlagLinux32 SyscallOpts = C.F_LINUX32
+ FlagCan SyscallOpts = C.F_CAN
+ FlagBluetooth SyscallOpts = C.F_BLUETOOTH
 )
 func tmpfile() (*os.File, error) {
@@ -48,7 +46,7 @@ func tmpfile() (*os.File, error) {
 return os.NewFile(uintptr(fd), "tmpfile"), err
 }
-func exportFilter(fd uintptr, opts syscallOpts) error {
+func exportFilter(fd uintptr, opts SyscallOpts) error {
 var (
 arch C.uint32_t = 0
 multiarch C.uint32_t = 0
diff --git a/internal/proc/priv/shim/main.go b/internal/proc/priv/shim/main.go
index 85c5baf..7ad0a44 100644
--- a/internal/proc/priv/shim/main.go
+++ b/internal/proc/priv/shim/main.go
@@ -8,7 +8,7 @@ import (
 "git.gensokyo.uk/security/fortify/fst"
 "git.gensokyo.uk/security/fortify/helper"
- "git.gensokyo.uk/security/fortify/helper/bwrap"
+ "git.gensokyo.uk/security/fortify/helper/seccomp"
 "git.gensokyo.uk/security/fortify/internal"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 "git.gensokyo.uk/security/fortify/internal/proc"
@@ -128,7 +128,7 @@ func Main() {
 helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
 if fmsg.Verbose() {
- bwrap.CPrintln = fmsg.Println
+ seccomp.CPrintln = fmsg.Println
 }
 if b, err := helper.NewBwrap(
 conf, innerInit,
diff --git a/main.go b/main.go
index 2a47806..36396ed 100644
--- a/main.go
+++ b/main.go
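Review bot: The newly exported `SyscallOpts` and the `Flag*` constants in helper/seccomp/seccomp.go have no doc comments, and `type SyscallOpts = C.f_syscall_opts` publishes the raw cgo type itself as the package's public API rather than a Go-defined type. A defined type (`type SyscallOpts C.f_syscall_opts`) would keep the C type internal to this package and give a place to hang a String method for the "seccomp flags" debug output; the only code that would need a conversion is where `exportFilter` hands opts to C, and that call is not visible since `exportFilter`'s body continues past the hunk. At minimum, add `// SyscallOpts selects the filter options applied by exportFilter; it is built from the Flag* constants.` above the type and a one-line comment per Flag saying what the flag enables or denies, so callers of the now-public package do not have to read the C header to use them.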
@@ -16,7 +16,7 @@ import (
 "git.gensokyo.uk/security/fortify/dbus"
 "git.gensokyo.uk/security/fortify/fst"
- "git.gensokyo.uk/security/fortify/helper/bwrap"
+ "git.gensokyo.uk/security/fortify/helper/seccomp"
 "git.gensokyo.uk/security/fortify/internal"
 "git.gensokyo.uk/security/fortify/internal/app"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
@@ -310,7 +310,7 @@ func runApp(config *fst.Config) {
 ctx, cancel := context.WithCancel(context.Background())
 if fmsg.Verbose() {
- bwrap.CPrintln = fmsg.Println
+ seccomp.CPrintln = fmsg.Println
 }
 // handle signals for graceful shutdown