security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 25 Wiki Activity

dbus: enable syscall filter
All checks were successful
Build / Create distribution (push) Successful in 1m33s
Details
Test / Run NixOS test (push) Successful in 3m42s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-01-22 02:01:01 +09:00
parent 5a64cdaf4f
commit 8c51012ef5
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
3 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dbus/dbus_test.go
View File

@ -141,7 +141,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
t.Run("unsealed start of "+id, func(t *testing.T) { t.Run("unsealed start of "+id, func(t *testing.T) {
want := "proxy not sealed" want := "proxy not sealed"
if err := p.Start(nil, nil, sandbox); err == nil || err.Error() != want { if err := p.Start(nil, nil, sandbox, false); err == nil || err.Error() != want {
t.Errorf("Start() error = %v, wantErr %q", t.Errorf("Start() error = %v, wantErr %q",
err, errors.New(want)) err, errors.New(want))
return return
@ -175,7 +175,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
} }
t.Run("sealed start of "+id, func(t *testing.T) { t.Run("sealed start of "+id, func(t *testing.T) {
if err := p.Start(nil, output, sandbox); err != nil { if err := p.Start(nil, output, sandbox, false); err != nil {
t.Fatalf("Start(nil, nil) error = %v", t.Fatalf("Start(nil, nil) error = %v",
err) err)
} }

7
dbus/run.go
View File

@ -16,7 +16,7 @@ import (
// Start launches the D-Bus proxy and sets up the Wait method. // Start launches the D-Bus proxy and sets up the Wait method.
// ready should be buffered and must only be received from once. // ready should be buffered and must only be received from once.
func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error { func (p *Proxy) Start(ready chan error, output io.Writer, sandbox, seccomp bool) error {
p.lock.Lock() p.lock.Lock()
defer p.lock.Unlock() defer p.lock.Unlock()
@ -67,11 +67,16 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
Unshare: nil, Unshare: nil,
Hostname: "fortify-dbus", Hostname: "fortify-dbus",
Chdir: "/", Chdir: "/",
Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
Clearenv: true, Clearenv: true,
NewSession: true, NewSession: true,
DieWithParent: true, DieWithParent: true,
} }
if !seccomp {
bc.Syscall = nil
}
// resolve proxy socket directories // resolve proxy socket directories
bindTarget := make(map[string]struct{}, 2) bindTarget := make(map[string]struct{}, 2)
for _, ps := range []string{p.session[1], p.system[1]} { for _, ps := range []string{p.session[1], p.system[1]} {

2
internal/system/dbus.go
View File

@ -93,7 +93,7 @@ func (d *DBus) apply(_ *I) error {
ready := make(chan error, 1) ready := make(chan error, 1)
// background dbus proxy start // background dbus proxy start
if err := d.proxy.Start(ready, d.out, true); err != nil { if err := d.proxy.Start(ready, d.out, true, true); err != nil {
return fmsg.WrapErrorSuffix(err, return fmsg.WrapErrorSuffix(err,
"cannot start message bus proxy:") "cannot start message bus proxy:")
} }