security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

sandbox: invert seccomp ruleset defaults
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Fortify (push) Successful in 2m31s
Details
Test / Fpkg (push) Successful in 3m20s
Details
Test / Data race detector (push) Successful in 3m35s
Details
Test / Flake checks (push) Successful in 50s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-14 02:38:32 +09:00
parent f332200ca4
commit 94895bbacb
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
internal/sandbox/container.go
View File

@ -20,12 +20,20 @@ import (
type HardeningFlags uintptr type HardeningFlags uintptr
const ( const (
FAllowUserns HardeningFlags = 1 << iota FSyscallCompat HardeningFlags = 1 << iota
FAllowDevel
FAllowUserns
FAllowTTY FAllowTTY
FAllowNet FAllowNet
) )
func (flags HardeningFlags) seccomp(opts seccomp.SyscallOpts) seccomp.SyscallOpts { func (flags HardeningFlags) seccomp(opts seccomp.SyscallOpts) seccomp.SyscallOpts {
if flags&FSyscallCompat == 0 {
opts |= seccomp.FlagExt
}
if flags&FAllowDevel == 0 {
opts |= seccomp.FlagDenyDevel
}
if flags&FAllowUserns == 0 { if flags&FAllowUserns == 0 {
opts |= seccomp.FlagDenyNS opts |= seccomp.FlagDenyNS
} }

2
internal/sandbox/container_test.go
View File

@ -13,7 +13,6 @@ import (
"time" "time"
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper/seccomp"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/sandbox" "git.gensokyo.uk/security/fortify/internal/sandbox"
@ -71,7 +70,6 @@ func TestContainer(t *testing.T) {
return exec.CommandContext(ctx, os.Args[0], "-test.v", return exec.CommandContext(ctx, os.Args[0], "-test.v",
"-test.run=TestHelperInit", "--", "init") "-test.run=TestHelperInit", "--", "init")
} }
container.Seccomp |= seccomp.FlagExt
container.Flags |= tc.flags container.Flags |= tc.flags
container.Stdout, container.Stderr = os.Stdout, os.Stderr container.Stdout, container.Stderr = os.Stdout, os.Stderr
container.Ops = tc.ops container.Ops = tc.ops