security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity

ldd: pass absolute path to bwrap
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Run NixOS test (push) Successful in 3m31s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-02-23 17:46:22 +09:00
parent 478b27922c
commit 83c8f0488b
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ldd/exec.go
View File

@ -3,6 +3,7 @@ package ldd
import ( import (
"context" "context"
"os" "os"
"os/exec"
"strings" "strings"
"time" "time"
@ -15,20 +16,20 @@ const lddTimeout = 2 * time.Second
func Exec(ctx context.Context, p string) ([]*Entry, error) { func Exec(ctx context.Context, p string) ([]*Entry, error) {
var h helper.Helper var h helper.Helper
if b, err := helper.NewBwrap( if toolPath, err := exec.LookPath("ldd"); err != nil {
return nil, err
} else if h, err = helper.NewBwrap(
(&bwrap.Config{ (&bwrap.Config{
Hostname: "fortify-ldd", Hostname: "fortify-ldd",
Chdir: "/", Chdir: "/",
Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true}, Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
NewSession: true, NewSession: true,
DieWithParent: true, DieWithParent: true,
}).Bind("/", "/").DevTmpfs("/dev"), "ldd", }).Bind("/", "/").DevTmpfs("/dev"), toolPath,
nil, func(_, _ int) []string { return []string{p} }, nil, func(_, _ int) []string { return []string{p} },
nil, nil, nil, nil,
); err != nil { ); err != nil {
return nil, err return nil, err
} else {
h = b
} }
stdout := new(strings.Builder) stdout := new(strings.Builder)