ldd: run ldd with read-only filesystem and unshared net

This is only called on trusted programs; however, extra hardening is never a bad idea.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
Ophestra 2024-10-17 15:37:27 +09:00
parent 57c1b3eda6
commit 73a698c7cb
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q


@ -5,14 +5,37 @@ import (
"os"
"os/exec"
"strings"
"git.ophivana.moe/cat/fortify/helper"
"git.ophivana.moe/cat/fortify/helper/bwrap"
)
func Exec(p string) ([]*Entry, error) {
t := exec.Command("ldd", p)
t.Stdout, t.Stderr = new(strings.Builder), os.Stderr
if err := t.Run(); err != nil {
var (
h helper.Helper
cmd *exec.Cmd
)
if b, err := helper.NewBwrap((&bwrap.Config{
Hostname: "fortify-ldd",
Chdir: "/",
NewSession: true,
DieWithParent: true,
}).Bind("/", "/").DevTmpfs("/dev"),
nil, "ldd", func(_, _ int) []string { return []string{p} }); err != nil {
return nil, err
} else {
cmd = b.Unwrap()
h = b
}
cmd.Stdout, cmd.Stderr = new(strings.Builder), os.Stderr
if err := h.Start(); err != nil {
return nil, err
}
if err := h.Wait(); err != nil {
return nil, err
}
return Parse(t.Stdout.(fmt.Stringer))
return Parse(cmd.Stdout.(fmt.Stringer))
}
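Review bot: The `if b, err := helper.NewBwrap(…); err != nil { return nil, err } else { cmd = b.Unwrap(); h = b }` shape exists only because the call's result is scoped to the `if`, which is why `h` and `cmd` need the preceding `var` block; Go style drops the `else` after a terminating `if`. Writing `b, err := helper.NewBwrap(…)`, then `if err != nil { return nil, err }`, then `cmd, h := b.Unwrap(), b` removes the `var` block and the `else` branch without changing behavior. Exec is exported but has no doc comment; add `// Exec runs ldd on p inside a bwrap sandbox and parses its output into entries.` above the signature. The commit message promises a read-only filesystem and an unshared network namespace, yet nothing in the visible `bwrap.Config` literal names either, so they presumably come from `Bind`'s defaults or the helper package — a one-line comment on the config stating that assumption (e.g. `// root is bound read-only and no net namespace is shared; see bwrap.Config defaults`, adjusted to what the package actually does) would let a reader confirm the hardening without leaving this file.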