helper/seccomp: separate seccomp package

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:59:11 +09:00 · 2025-01-25 12:59:11 +09:00 · 163f15e93f
commit 163f15e93f
parent 016da20443
7 changed files with 47 additions and 45 deletions
--- a/helper/bwrap/seccomp-resolve.go
+++ b/helper/bwrap/seccomp-resolve.go
@ -2,9 +2,9 @@ package bwrap

 import (
 	"fmt"
-	"io"
 	"os"

+	"git.gensokyo.uk/security/fortify/helper/seccomp"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

@ -53,24 +53,24 @@ func (c *Config) resolveSeccomp() (*os.File, error) {

 	// resolve seccomp filter opts
 	var (
-		opts    syscallOpts
+		opts    seccomp.SyscallOpts
 		optd    []string
 		optCond = [...]struct {
 			v bool
-			o syscallOpts
+			o seccomp.SyscallOpts
 			d string
 		}{
-			{!c.Syscall.Compat, flagExt, "fortify"},
-			{!c.UserNS, flagDenyNS, "denyns"},
-			{c.NewSession, flagDenyTTY, "denytty"},
-			{c.Syscall.DenyDevel, flagDenyDevel, "denydevel"},
-			{c.Syscall.Multiarch, flagMultiarch, "multiarch"},
-			{c.Syscall.Linux32, flagLinux32, "linux32"},
-			{c.Syscall.Can, flagCan, "can"},
-			{c.Syscall.Bluetooth, flagBluetooth, "bluetooth"},
+			{!c.Syscall.Compat, seccomp.FlagExt, "fortify"},
+			{!c.UserNS, seccomp.FlagDenyNS, "denyns"},
+			{c.NewSession, seccomp.FlagDenyTTY, "denytty"},
+			{c.Syscall.DenyDevel, seccomp.FlagDenyDevel, "denydevel"},
+			{c.Syscall.Multiarch, seccomp.FlagMultiarch, "multiarch"},
+			{c.Syscall.Linux32, seccomp.FlagLinux32, "linux32"},
+			{c.Syscall.Can, seccomp.FlagCan, "can"},
+			{c.Syscall.Bluetooth, seccomp.FlagBluetooth, "bluetooth"},
 		}
 	)
-	if CPrintln != nil {
+	if seccomp.CPrintln != nil {
 		optd = make([]string, 1, len(optCond)+1)
 		optd[0] = "common"
 	}
@ -82,22 +82,9 @@ func (c *Config) resolveSeccomp() (*os.File, error) {
 			}
 		}
 	}
-	if CPrintln != nil {
-		CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
+	if seccomp.CPrintln != nil {
+		seccomp.CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
 	}

-	// export seccomp filter to tmpfile
-	if f, err := tmpfile(); err != nil {
-		return nil, err
-	} else {
-		return f, exportAndSeek(f, opts)
-	}
-}
-
-func exportAndSeek(f *os.File, opts syscallOpts) error {
-	if err := exportFilter(f.Fd(), opts); err != nil {
-		return err
-	}
-	_, err := f.Seek(0, io.SeekStart)
-	return err
+	return seccomp.Export(opts)
 }
--- a/helper/seccomp/export.go
+++ b/helper/seccomp/export.go
@ -0,0 +1,17 @@
+package seccomp
+
+import (
+	"io"
+	"os"
+)
+
+func Export(opts SyscallOpts) (f *os.File, err error) {
+	if f, err = tmpfile(); err != nil {
+		return
+	}
+	if err = exportFilter(f.Fd(), opts); err != nil {
+		return
+	}
+	_, err = f.Seek(0, io.SeekStart)
+	return
+}
--- a/helper/seccomp/seccomp-export.c
+++ b/helper/seccomp/seccomp-export.c
--- a/helper/seccomp/seccomp-export.h
+++ b/helper/seccomp/seccomp-export.h
--- a/helper/seccomp/seccomp.go
+++ b/helper/seccomp/seccomp.go
@ -1,4 +1,4 @@
-package bwrap
+package seccomp

 /*
 #cgo linux pkg-config: --static libseccomp
@ -25,19 +25,17 @@ var resErr = [...]error{
 	6: errors.New("seccomp_export_bpf failed"),
 }

-type (
-	syscallOpts = C.f_syscall_opts
-)
+type SyscallOpts = C.f_syscall_opts

 const (
-	flagExt       syscallOpts = C.F_EXT
-	flagDenyNS    syscallOpts = C.F_DENY_NS
-	flagDenyTTY   syscallOpts = C.F_DENY_TTY
-	flagDenyDevel syscallOpts = C.F_DENY_DEVEL
-	flagMultiarch syscallOpts = C.F_MULTIARCH
-	flagLinux32   syscallOpts = C.F_LINUX32
-	flagCan       syscallOpts = C.F_CAN
-	flagBluetooth syscallOpts = C.F_BLUETOOTH
+	FlagExt       SyscallOpts = C.F_EXT
+	FlagDenyNS    SyscallOpts = C.F_DENY_NS
+	FlagDenyTTY   SyscallOpts = C.F_DENY_TTY
+	FlagDenyDevel SyscallOpts = C.F_DENY_DEVEL
+	FlagMultiarch SyscallOpts = C.F_MULTIARCH
+	FlagLinux32   SyscallOpts = C.F_LINUX32
+	FlagCan       SyscallOpts = C.F_CAN
+	FlagBluetooth SyscallOpts = C.F_BLUETOOTH
 )

 func tmpfile() (*os.File, error) {
@ -48,7 +46,7 @@ func tmpfile() (*os.File, error) {
 	return os.NewFile(uintptr(fd), "tmpfile"), err
 }

-func exportFilter(fd uintptr, opts syscallOpts) error {
+func exportFilter(fd uintptr, opts SyscallOpts) error {
 	var (
 		arch      C.uint32_t = 0
 		multiarch C.uint32_t = 0
--- a/internal/proc/priv/shim/main.go
+++ b/internal/proc/priv/shim/main.go
@ -8,7 +8,7 @@ import (

 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/helper/seccomp"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
@ -128,7 +128,7 @@ func Main() {

 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
 	if fmsg.Verbose() {
-		bwrap.CPrintln = fmsg.Println
+		seccomp.CPrintln = fmsg.Println
 	}
 	if b, err := helper.NewBwrap(
 		conf, innerInit,
--- a/main.go
+++ b/main.go
@ -16,7 +16,7 @@ import (

 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/helper/seccomp"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
@ -310,7 +310,7 @@ func runApp(config *fst.Config) {
 	ctx, cancel := context.WithCancel(context.Background())

 	if fmsg.Verbose() {
-		bwrap.CPrintln = fmsg.Println
+		seccomp.CPrintln = fmsg.Println
 	}

 	// handle signals for graceful shutdown