From 580128922be2a983192804b7963175b2a0fe2093 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 22 Jan 2025 12:01:30 +0900
Subject: [PATCH] cmd/fpkg: expose syscall policy options

Signed-off-by: Ophestra
---
 cmd/fpkg/bundle.go | 7 +++++++
 cmd/fpkg/start.go | 2 ++
 cmd/fpkg/with.go | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/cmd/fpkg/bundle.go b/cmd/fpkg/bundle.go
index 22b9de2..5c9db72 100644
--- a/cmd/fpkg/bundle.go
+++ b/cmd/fpkg/bundle.go
@@ -38,6 +38,13 @@ type bundleInfo struct {
 // passed through to [fst.Config]
 Enablements system.Enablements `json:"enablements"`
 
+ // passed through inverted to [bwrap.SyscallPolicy]
+ Devel bool `json:"devel,omitempty"`
+ // passed through to [bwrap.SyscallPolicy]
+ Multiarch bool `json:"multiarch,omitempty"`
+ // passed through to [bwrap.SyscallPolicy]
+ Bluetooth bool `json:"bluetooth,omitempty"`
+
 // allow gpu access within sandbox
 GPU bool `json:"gpu"`
 // store path to nixGL mesa wrappers
diff --git a/cmd/fpkg/start.go b/cmd/fpkg/start.go
index 1dc31e4..4a88211 100644
--- a/cmd/fpkg/start.go
+++ b/cmd/fpkg/start.go
@@ -5,6 +5,7 @@ import (
 "path"
 
 "git.gensokyo.uk/security/fortify/fst"
+ "git.gensokyo.uk/security/fortify/helper/bwrap"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
@@ -96,6 +97,7 @@ func actionStart(args []string) {
 UserNS: app.UserNS,
 Net: app.Net,
 Dev: app.Dev,
+ Syscall: &bwrap.SyscallPolicy{DenyDevel: !app.Devel, Multiarch: app.Multiarch, Bluetooth: app.Bluetooth},
 NoNewSession: app.NoNewSession || dropShell,
 MapRealUID: app.MapRealUID,
 DirectWayland: app.DirectWayland,
diff --git a/cmd/fpkg/with.go b/cmd/fpkg/with.go
index 5331367..03718dd 100644
--- a/cmd/fpkg/with.go
+++ b/cmd/fpkg/with.go
@@ -5,6 +5,7 @@ import (
 "strings"
 
 "git.gensokyo.uk/security/fortify/fst"
+ "git.gensokyo.uk/security/fortify/helper/bwrap"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
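Review bot: The doc comment on the new `Devel` field in bundleInfo says "inverted" but not into which field, so someone editing a bundle file cannot tell from the schema that `devel: true` is the permissive choice; the start.go hunk in this same patch shows it becomes `DenyDevel: !app.Devel`. Suggest `// negated into [bwrap.SyscallPolicy].DenyDevel; leaving it unset keeps the deny in place`, and naming the target field for the other two as well (`// passed through to [bwrap.SyscallPolicy].Multiarch`, likewise for Bluetooth). All three flags default to the restrictive zero value when the key is absent, which is the right default for something read from the bundle.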
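Review bot: The added `Syscall:` line in actionStart packs three bundle-controlled fields into one long composite literal inside an already aligned key-value block; a multi-line literal reads better and makes any later addition to the policy a one-line diff. Since `Devel` is the only one of the three that relaxes the policy, a verbose message when it is set would make the relaxed configuration visible at run time, though I have not checked what the imported fmsg package offers for that. actionStart begins and ends outside the hunk.
```go
				Dev:           app.Dev,
				Syscall: &bwrap.SyscallPolicy{
					DenyDevel: !app.Devel,
					Multiarch: app.Multiarch,
					Bluetooth: app.Bluetooth,
				},
				NoNewSession:  app.NoNewSession || dropShell,
				// … unchanged: remaining SandboxConfig fields …
```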
@@ -34,6 +35,7 @@ func withNixDaemon(
 Hostname: formatHostname(app.Name) + "-" + action,
 UserNS: true, // nix sandbox requires userns
 Net: net,
+ Syscall: &bwrap.SyscallPolicy{Multiarch: true},
 NoNewSession: dropShell,
 Filesystem: []*fst.FilesystemConfig{
 {Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
@@ -65,6 +67,7 @@ func withCacheDir(action string, command []string, workDir string, app *bundleIn
 Outer: pathSet.cacheDir, // this also ensures cacheDir via shim
 Sandbox: &fst.SandboxConfig{
 Hostname: formatHostname(app.Name) + "-" + action,
+ Syscall: &bwrap.SyscallPolicy{Multiarch: true},
 NoNewSession: dropShell,
 Filesystem: []*fst.FilesystemConfig{
 {Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
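Review bot: Both with.go hunks (withNixDaemon here and withCacheDir below) build `&bwrap.SyscallPolicy{Multiarch: true}` and leave `DenyDevel` at its zero value, so these two helper sandboxes appear to run without the devel denial that the app sandbox in start.go applies by default via `DenyDevel: !app.Devel`. If that is intentional because the nix helpers need those syscalls, a comment such as `// nix builds need devel syscalls; DenyDevel deliberately left unset` would stop the next reader from "fixing" it; otherwise `Syscall: &bwrap.SyscallPolicy{DenyDevel: !app.Devel, Multiarch: true},` would keep the two code paths consistent. The enclosing withNixDaemon and withCacheDir bodies extend outside their hunks.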