security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

sandbox: cancel process on serve error
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m32s
Details
Test / Fpkg (push) Successful in 3m28s
Details
Test / Data race detector (push) Successful in 4m4s
Details
Test / Flake checks (push) Successful in 49s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-17 21:49:45 +09:00
parent d7eddd54a2
commit 816b372f14
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
sandbox/container.go
View File

@ -185,7 +185,11 @@ func (p *Container) Serve() error {
panic("invalid serve") panic("invalid serve")
} }
setup := p.setup
p.setup = nil
if p.Path != "" && !path.IsAbs(p.Path) { if p.Path != "" && !path.IsAbs(p.Path) {
p.cancel()
return msg.WrapErr(syscall.EINVAL, return msg.WrapErr(syscall.EINVAL,
fmt.Sprintf("invalid executable path %q", p.Path)) fmt.Sprintf("invalid executable path %q", p.Path))
} }
@ -194,6 +198,7 @@ func (p *Container) Serve() error {
if p.name == "" { if p.name == "" {
p.Path = os.Getenv("SHELL") p.Path = os.Getenv("SHELL")
if !path.IsAbs(p.Path) { if !path.IsAbs(p.Path) {
p.cancel()
return msg.WrapErr(syscall.EBADE, return msg.WrapErr(syscall.EBADE,
"no command specified and $SHELL is invalid") "no command specified and $SHELL is invalid")
} }
@ -201,15 +206,14 @@ func (p *Container) Serve() error {
} else if path.IsAbs(p.name) { } else if path.IsAbs(p.name) {
p.Path = p.name p.Path = p.name
} else if v, err := exec.LookPath(p.name); err != nil { } else if v, err := exec.LookPath(p.name); err != nil {
p.cancel()
return msg.WrapErr(err, err.Error()) return msg.WrapErr(err, err.Error())
} else { } else {
p.Path = v p.Path = v
} }
} }
setup := p.setup err := setup.Encode(
p.setup = nil
return setup.Encode(
&initParams{ &initParams{
p.Params, p.Params,
syscall.Getuid(), syscall.Getuid(),
@ -218,6 +222,10 @@ func (p *Container) Serve() error {
msg.IsVerbose(), msg.IsVerbose(),
}, },
) )
if err != nil {
p.cancel()
}
return err
} }
func (p *Container) Wait() error { defer p.cancel(); return p.cmd.Wait() } func (p *Container) Wait() error { defer p.cancel(); return p.cmd.Wait() }