From 74ba18325684ad7172b5d7f04c3a9f46ea6ab9a0 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Mon, 7 Apr 2025 04:13:08 +0900
Subject: [PATCH] app: install seccomp filter to shim

This does not necessarily reduce attack surface but does not affect functionality or introduce any side effects, so is nice to have.

Signed-off-by: Ophestra
---
 internal/app/shim.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/internal/app/shim.go b/internal/app/shim.go
index 4ebb2c3..ebc00aa 100644
--- a/internal/app/shim.go
+++ b/internal/app/shim.go
@@ -13,6 +13,7 @@ import (
 "git.gensokyo.uk/security/fortify/internal"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 "git.gensokyo.uk/security/fortify/sandbox"
+ "git.gensokyo.uk/security/fortify/sandbox/seccomp"
 )
 
 /*
@@ -161,6 +162,13 @@ func ShimMain() {
 if err := container.Serve(); err != nil {
 fmsg.PrintBaseError(err, "cannot configure container:")
 }
+
+ if err := seccomp.Load(seccomp.FlagExt |
+ seccomp.FlagDenyNS | seccomp.FlagDenyTTY | seccomp.FlagDenyDevel |
+ seccomp.FlagMultiarch); err != nil {
+ log.Fatalf("cannot load syscall filter: %v", err)
+ }
+
 if err := container.Wait(); err != nil {
 var exitError *exec.ExitError
 if !errors.As(err, &exitError) {
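Review bot: The failure branch of the new seccomp.Load call in the ShimMain hunk uses `log.Fatalf` after `container.Serve()` has already run, whereas the Serve error two lines above is reported with `fmsg.PrintBaseError` and execution continues; on a Load failure the shim therefore exits before reaching `container.Wait()`, so whatever Serve started is presumably left unattended rather than waited on, which is worth confirming against sandbox.Container. If fail-closed is the intent, a comment on the Load call should say so, e.g. `// Fail closed: the shim must not keep running without its syscall filter, even though Serve has already started the container.`. The ordering also deserves a line, because a seccomp filter installed at this point covers the shim process itself and is not inherited by any child Serve has already spawned — something like `// Loaded after Serve so container setup syscalls are unaffected; this filter applies to the shim, not to the child.` (hedged: confirm whether Serve spawns the child before returning). Finally, the five-flag mask split across three lines is easier to audit as a named package-level constant, e.g. `const shimSeccompFlags = seccomp.FlagExt | seccomp.FlagDenyNS | seccomp.FlagDenyTTY | seccomp.FlagDenyDevel | seccomp.FlagMultiarch`, with the call reduced to `seccomp.Load(shimSeccompFlags)`. ShimMain starts before and continues after this hunk.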