From 94895bbacb42b82673b07142e786855a8ac756dc Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Fri, 14 Mar 2025 02:38:32 +0900
Subject: [PATCH] sandbox: invert seccomp ruleset defaults

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 internal/sandbox/container.go      | 10 +++++++++-
 internal/sandbox/container_test.go |  2 --
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/internal/sandbox/container.go b/internal/sandbox/container.go
index 4f8be1d..de71f37 100644
--- a/internal/sandbox/container.go
+++ b/internal/sandbox/container.go
@@ -20,12 +20,20 @@ import (
 type HardeningFlags uintptr
 
 const (
-	FAllowUserns HardeningFlags = 1 << iota
+	FSyscallCompat HardeningFlags = 1 << iota
+	FAllowDevel
+	FAllowUserns
 	FAllowTTY
 	FAllowNet
 )
 
 func (flags HardeningFlags) seccomp(opts seccomp.SyscallOpts) seccomp.SyscallOpts {
+	if flags&FSyscallCompat == 0 {
+		opts |= seccomp.FlagExt
+	}
+	if flags&FAllowDevel == 0 {
+		opts |= seccomp.FlagDenyDevel
+	}
 	if flags&FAllowUserns == 0 {
 		opts |= seccomp.FlagDenyNS
 	}
diff --git a/internal/sandbox/container_test.go b/internal/sandbox/container_test.go
index 1579dba..9837e11 100644
--- a/internal/sandbox/container_test.go
+++ b/internal/sandbox/container_test.go
@@ -13,7 +13,6 @@ import (
 	"time"
 
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/seccomp"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/sandbox"
@@ -71,7 +70,6 @@ func TestContainer(t *testing.T) {
 				return exec.CommandContext(ctx, os.Args[0], "-test.v",
 					"-test.run=TestHelperInit", "--", "init")
 			}
-			container.Seccomp |= seccomp.FlagExt
 			container.Flags |= tc.flags
 			container.Stdout, container.Stderr = os.Stdout, os.Stderr
 			container.Ops = tc.ops
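Review bot: With `container.Seccomp |= seccomp.FlagExt` removed, the test now exercises the extended ruleset and `FlagDenyDevel` only through the new defaults, and nothing in this hunk sets `sandbox.FSyscallCompat` or `sandbox.FAllowDevel`, so the opt-out branches of `HardeningFlags.seccomp` appear untested. If the table driving `tc.flags` (outside this hunk) does not already include such a case, I would add one row with `flags: sandbox.FSyscallCompat | sandbox.FAllowDevel` so that a regression in the inverted logic is caught. `TestContainer` starts before and ends after this hunk.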