diff --git a/fst/config.go b/fst/config.go
index 7075c6a..171c29f 100644
--- a/fst/config.go
+++ b/fst/config.go
@@ -31,6 +31,8 @@ type ConfinementConfig struct {
 Outer string `json:"home"`
 // bwrap sandbox confinement configuration
 Sandbox *SandboxConfig `json:"sandbox"`
+ // seccomp syscall filter configuration
+ Syscall *SyscallConfig `json:"syscall"`
 // extra acl entries to append
 ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
@@ -45,6 +47,14 @@ type ConfinementConfig struct {
 Enablements system.Enablements `json:"enablements"`
 }
+type SyscallConfig struct {
+ DenyDevel bool `json:"deny_devel"`
+ Multiarch bool `json:"multiarch"`
+ Linux32 bool `json:"linux32"`
+ Can bool `json:"can"`
+ Bluetooth bool `json:"bluetooth"`
+}
+
 type ExtraPermConfig struct {
 Ensure bool `json:"ensure,omitempty"`
 Path string `json:"path"`
diff --git a/internal/app/seal.go b/internal/app/seal.go
index a67feb4..35cd316 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -47,6 +47,8 @@ type appSeal struct {
 // pass-through enablement tracking from config
 et system.Enablements
+ // pass-through seccomp config from config
+ scmp *fst.SyscallConfig
 // wayland socket direct access
 directWayland bool
 // extra UpdatePerm ops
@@ -218,6 +220,12 @@ func (a *app) Seal(config *fst.Config) error {
 conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
 config.Confinement.Sandbox = conf
+
+ // ensure syscall filter
+ if config.Confinement.Syscall == nil {
+ config.Confinement.Syscall = new(fst.SyscallConfig)
+ config.Confinement.Syscall.Multiarch = true
+ }
 }
 seal.directWayland = config.Confinement.Sandbox.DirectWayland
 if b, err := config.Confinement.Sandbox.Bwrap(a.os); err != nil {
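Review bot: SyscallConfig and its five fields are exported at `+type SyscallConfig struct {` without doc comments, and the mixed naming (DenyDevel is deny-phrased while Multiarch, Linux32, Can and Bluetooth are not) leaves the polarity of each flag unclear from the declaration alone. Since this struct is decoded from JSON via its tags and handed through to the shim unchanged, a reader of the config format needs to know what a true value does for each flag. Suggest a type comment such as `// SyscallConfig selects the seccomp filter rules applied to the confined process.` plus a one-line comment per field stating whether true permits or denies the named group; the filter code that interprets these flags is outside this diff, so the wording should be taken from there.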
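Review bot: The Multiarch default inserted after `config.Confinement.Sandbox = conf` only runs inside the branch that builds the default sandbox config, as the closing `}` directly after the added block shows (the enclosing `if` begins outside the hunk). A config that supplies its own `sandbox` but no `syscall` therefore leaves `config.Confinement.Syscall` nil, which the later seal.go hunk copies into `seal.scmp` and the start.go hunk forwards as `Payload.Syscall`; whether the shim treats nil as "no filter" or dereferences it is not visible in this diff. If every sandbox is meant to get the default filter, move the nil check below the closing `}` so it runs on both paths, e.g. `if config.Confinement.Syscall == nil { config.Confinement.Syscall = &fst.SyscallConfig{Multiarch: true} }`; if nil is intentional on the user-supplied path, a comment saying so next to the check would prevent the next reader from assuming the default is universal.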
@@ -238,8 +246,9 @@ func (a *app) Seal(config *fst.Config) error {
 // initialise system interface with full uid
 seal.sys.I = system.New(seal.sys.user.uid)
- // pass through enablements
+ // pass through enablements and seccomp
 seal.et = config.Confinement.Enablements
+ seal.scmp = config.Confinement.Syscall
 // this method calls all share methods in sequence
 if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
diff --git a/internal/app/start.go b/internal/app/start.go
index 1755b33..1825d9a 100644
--- a/internal/app/start.go
+++ b/internal/app/start.go
@@ -76,10 +76,11 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 // send payload
 if err = a.shim.Serve(shimSetupCtx, &shim.Payload{
- Argv: a.seal.command,
- Exec: shimExec,
- Bwrap: a.seal.sys.bwrap,
- Home: a.seal.sys.user.data,
+ Argv: a.seal.command,
+ Exec: shimExec,
+ Bwrap: a.seal.sys.bwrap,
+ Home: a.seal.sys.user.data,
+ Syscall: a.seal.scmp,
 Verbose: fmsg.Verbose(),
 }); err != nil {
diff --git a/internal/proc/priv/shim/payload.go b/internal/proc/priv/shim/payload.go
index e942503..2d6854f 100644
--- a/internal/proc/priv/shim/payload.go
+++ b/internal/proc/priv/shim/payload.go
@@ -1,6 +1,9 @@
 package shim
-import "git.gensokyo.uk/security/fortify/helper/bwrap"
+import (
+ "git.gensokyo.uk/security/fortify/fst"
+ "git.gensokyo.uk/security/fortify/helper/bwrap"
+)
 const Env = "FORTIFY_SHIM"
@@ -15,6 +18,8 @@ type Payload struct {
 Home string
 // sync fd
 Sync *uintptr
+ // seccomp opts pass through
+ Syscall *fst.SyscallConfig
 // verbosity pass through
 Verbose bool
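Review bot: The comment `// seccomp opts pass through` on the new `Syscall *fst.SyscallConfig` field does not say what a nil value means, and since seal.go fills in a default on only one path, a nil pointer can reach this struct. Payload is the object the shim consumes, so this is where the contract should be written down; suggest `// seccomp filter options, the same pointer as Config.Confinement.Syscall; nil when the caller supplied none` with the nil behaviour added once the shim's handling is confirmed. The Payload struct begins before this hunk.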