fst: include syscall filter configuration

This value is passed through to shim. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 21:12:39 +09:00 · 2025-01-20 21:12:39 +09:00 · 27f5922d5c
commit 27f5922d5c
parent 2cf1f46ea2
4 changed files with 31 additions and 6 deletions
--- a/fst/config.go
+++ b/fst/config.go
@ -31,6 +31,8 @@ type ConfinementConfig struct {
 	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
+	// seccomp syscall filter configuration
+	Syscall *SyscallConfig `json:"syscall"`
 	// extra acl entries to append
 	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`

@ -45,6 +47,14 @@ type ConfinementConfig struct {
 	Enablements system.Enablements `json:"enablements"`
 }

+type SyscallConfig struct {
+	DenyDevel bool `json:"deny_devel"`
+	Multiarch bool `json:"multiarch"`
+	Linux32   bool `json:"linux32"`
+	Can       bool `json:"can"`
+	Bluetooth bool `json:"bluetooth"`
+}
+
 type ExtraPermConfig struct {
 	Ensure  bool   `json:"ensure,omitempty"`
 	Path    string `json:"path"`
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -47,6 +47,8 @@ type appSeal struct {

 	// pass-through enablement tracking from config
 	et system.Enablements
+	// pass-through seccomp config from config
+	scmp *fst.SyscallConfig
 	// wayland socket direct access
 	directWayland bool
 	// extra UpdatePerm ops
@ -218,6 +220,12 @@ func (a *app) Seal(config *fst.Config) error {
 		conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})

 		config.Confinement.Sandbox = conf
+
+		// ensure syscall filter
+		if config.Confinement.Syscall == nil {
+			config.Confinement.Syscall = new(fst.SyscallConfig)
+			config.Confinement.Syscall.Multiarch = true
+		}
 	}
 	seal.directWayland = config.Confinement.Sandbox.DirectWayland
 	if b, err := config.Confinement.Sandbox.Bwrap(a.os); err != nil {
@ -238,8 +246,9 @@ func (a *app) Seal(config *fst.Config) error {
 	// initialise system interface with full uid
 	seal.sys.I = system.New(seal.sys.user.uid)

-	// pass through enablements
+	// pass through enablements and seccomp
 	seal.et = config.Confinement.Enablements
+	seal.scmp = config.Confinement.Syscall

 	// this method calls all share methods in sequence
 	if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
--- a/internal/app/start.go
+++ b/internal/app/start.go
@ -76,10 +76,11 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {

 		// send payload
 		if err = a.shim.Serve(shimSetupCtx, &shim.Payload{
-			Argv:  a.seal.command,
-			Exec:  shimExec,
-			Bwrap: a.seal.sys.bwrap,
-			Home:  a.seal.sys.user.data,
+			Argv:    a.seal.command,
+			Exec:    shimExec,
+			Bwrap:   a.seal.sys.bwrap,
+			Home:    a.seal.sys.user.data,
+			Syscall: a.seal.scmp,

 			Verbose: fmsg.Verbose(),
 		}); err != nil {
--- a/internal/proc/priv/shim/payload.go
+++ b/internal/proc/priv/shim/payload.go
@ -1,6 +1,9 @@
 package shim

-import "git.gensokyo.uk/security/fortify/helper/bwrap"
+import (
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+)

 const Env = "FORTIFY_SHIM"

@ -15,6 +18,8 @@ type Payload struct {
 	Home string
 	// sync fd
 	Sync *uintptr
+	// seccomp opts pass through
+	Syscall *fst.SyscallConfig

 	// verbosity pass through
 	Verbose bool