From 73a698c7cb551e2a372bf9c296862cc5e3fca6e9 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Thu, 17 Oct 2024 15:37:27 +0900
Subject: [PATCH] ldd: run ldd with read-only filesystem and unshared net

This is only called on trusted programs, however extra hardening is never a bad idea.

Signed-off-by: Ophestra Umiker
---
 ldd/exec.go | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/ldd/exec.go b/ldd/exec.go
index d6a2af5..92b1054 100644
--- a/ldd/exec.go
+++ b/ldd/exec.go
@@ -5,14 +5,37 @@ import (
 "os"
 "os/exec"
 "strings"
+
+ "git.ophivana.moe/cat/fortify/helper"
+ "git.ophivana.moe/cat/fortify/helper/bwrap"
 )
 
 func Exec(p string) ([]*Entry, error) {
- t := exec.Command("ldd", p)
- t.Stdout, t.Stderr = new(strings.Builder), os.Stderr
- if err := t.Run(); err != nil {
+ var (
+ h helper.Helper
+ cmd *exec.Cmd
+ )
+
+ if b, err := helper.NewBwrap((&bwrap.Config{
+ Hostname: "fortify-ldd",
+ Chdir: "/",
+ NewSession: true,
+ DieWithParent: true,
+ }).Bind("/", "/").DevTmpfs("/dev"),
+ nil, "ldd", func(_, _ int) []string { return []string{p} }); err != nil {
+ return nil, err
+ } else {
+ cmd = b.Unwrap()
+ h = b
+ }
+
+ cmd.Stdout, cmd.Stderr = new(strings.Builder), os.Stderr
+ if err := h.Start(); err != nil {
+ return nil, err
+ }
+ if err := h.Wait(); err != nil {
 return nil, err
 }
- return Parse(t.Stdout.(fmt.Stringer))
+ return Parse(cmd.Stdout.(fmt.Stringer))
 }
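Review bot: The `if b, err := helper.NewBwrap(...); err != nil { ... } else { ... }` in Exec keeps an `else` after a terminating return and forces the `var ( h; cmd )` pre-declaration; the usual Go shape is `b, err := helper.NewBwrap(...)`, then `if err != nil { return nil, err }`, then `cmd, h := b.Unwrap(), b`, which drops the var block and the else branch. The properties the commit title claims, a read-only root and an unshared network, are not visible in the hunk itself: `.Bind("/", "/")` carries no read-only argument and the bwrap.Config literal sets no network option, so both appear to rest on defaults in the helper/bwrap package; a short comment on the Config such as `// relies on bwrap.Config defaults for a read-only root bind and unshared network namespaces` would let a reader verify the hardening without opening that package, and if those defaults are not what the title says the sandbox is weaker than advertised. Exec is exported and still has no doc comment; something like `// Exec runs ldd on the program at path p inside a bubblewrap sandbox and returns its parsed output.` would cover it. Exec is contained entirely within this hunk.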