security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

sandbox: remove hardcoded parent perm
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Fortify (push) Successful in 2m43s
Details
Test / Fpkg (push) Successful in 3m41s
Details
Test / Data race detector (push) Successful in 4m32s
Details
Test / Flake checks (push) Successful in 59s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-25 19:49:51 +09:00
parent f86d868274
commit 971c79bb80
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
3 changed files with 18 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sandbox/container.go
View File

@ -96,6 +96,9 @@ type (
*Ops *Ops
// Extra seccomp options. // Extra seccomp options.
Seccomp seccomp.SyscallOpts Seccomp seccomp.SyscallOpts
// Permission bits of newly created parent directories.
// The zero value is interpreted as 0755.
ParentPerm os.FileMode
Flags HardeningFlags Flags HardeningFlags
} }

3
sandbox/init.go
View File

@ -68,6 +68,9 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
if params.Ops == nil { if params.Ops == nil {
log.Fatal("invalid setup parameters") log.Fatal("invalid setup parameters")
} }
if params.ParentPerm == 0 {
params.ParentPerm = 0755
}
setVerbose(params.Verbose) setVerbose(params.Verbose)
msg.Verbose("received setup parameters") msg.Verbose("received setup parameters")

24
sandbox/sequential.go
View File

@ -104,7 +104,7 @@ func init() { gob.Register(new(MountProc)) }
type MountProc string type MountProc string
func (p MountProc) early(*Params) error { return nil } func (p MountProc) early(*Params) error { return nil }
func (p MountProc) apply(*Params) error { func (p MountProc) apply(params *Params) error {
v := string(p) v := string(p)
if !path.IsAbs(v) { if !path.IsAbs(v) {
@ -113,7 +113,7 @@ func (p MountProc) apply(*Params) error {
} }
target := toSysroot(v) target := toSysroot(v)
if err := os.MkdirAll(target, 0755); err != nil { if err := os.MkdirAll(target, params.ParentPerm); err != nil {
return wrapErrSelf(err) return wrapErrSelf(err)
} }
return wrapErrSuffix(syscall.Mount("proc", target, "proc", return wrapErrSuffix(syscall.Mount("proc", target, "proc",
@ -144,13 +144,13 @@ func (d MountDev) apply(params *Params) error {
} }
target := toSysroot(v) target := toSysroot(v)
if err := mountTmpfs("devtmpfs", v, 0, 0755); err != nil { if err := mountTmpfs("devtmpfs", v, 0, params.ParentPerm); err != nil {
return err return err
} }
for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} { for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
targetPath := toSysroot(path.Join(v, name)) targetPath := toSysroot(path.Join(v, name))
if err := ensureFile(targetPath, 0444, 0755); err != nil { if err := ensureFile(targetPath, 0444, params.ParentPerm); err != nil {
return err return err
} }
if err := hostProc.bindMount( if err := hostProc.bindMount(
@ -182,7 +182,7 @@ func (d MountDev) apply(params *Params) error {
devPtsPath := path.Join(target, "pts") devPtsPath := path.Join(target, "pts")
for _, name := range []string{path.Join(target, "shm"), devPtsPath} { for _, name := range []string{path.Join(target, "shm"), devPtsPath} {
if err := os.Mkdir(name, 0755); err != nil { if err := os.Mkdir(name, params.ParentPerm); err != nil {
return wrapErrSelf(err) return wrapErrSelf(err)
} }
} }
@ -201,7 +201,7 @@ func (d MountDev) apply(params *Params) error {
uintptr(unsafe.Pointer(&buf[0])), uintptr(unsafe.Pointer(&buf[0])),
); errno == 0 { ); errno == 0 {
consolePath := toSysroot(path.Join(v, "console")) consolePath := toSysroot(path.Join(v, "console"))
if err := ensureFile(consolePath, 0444, 0755); err != nil { if err := ensureFile(consolePath, 0444, params.ParentPerm); err != nil {
return err return err
} }
if name, err := os.Readlink(hostProc.stdout()); err != nil { if name, err := os.Readlink(hostProc.stdout()); err != nil {
@ -234,7 +234,7 @@ func init() { gob.Register(new(MountMqueue)) }
type MountMqueue string type MountMqueue string
func (m MountMqueue) early(*Params) error { return nil } func (m MountMqueue) early(*Params) error { return nil }
func (m MountMqueue) apply(*Params) error { func (m MountMqueue) apply(params *Params) error {
v := string(m) v := string(m)
if !path.IsAbs(v) { if !path.IsAbs(v) {
@ -243,7 +243,7 @@ func (m MountMqueue) apply(*Params) error {
} }
target := toSysroot(v) target := toSysroot(v)
if err := os.MkdirAll(target, 0755); err != nil { if err := os.MkdirAll(target, params.ParentPerm); err != nil {
return wrapErrSelf(err) return wrapErrSelf(err)
} }
return wrapErrSuffix(syscall.Mount("mqueue", target, "mqueue", return wrapErrSuffix(syscall.Mount("mqueue", target, "mqueue",
@ -295,7 +295,7 @@ func init() { gob.Register(new(Symlink)) }
type Symlink [2]string type Symlink [2]string
func (l *Symlink) early(*Params) error { return nil } func (l *Symlink) early(*Params) error { return nil }
func (l *Symlink) apply(*Params) error { func (l *Symlink) apply(params *Params) error {
// symlink target is an arbitrary path value, so only validate link name here // symlink target is an arbitrary path value, so only validate link name here
if !path.IsAbs(l[1]) { if !path.IsAbs(l[1]) {
return msg.WrapErr(syscall.EBADE, return msg.WrapErr(syscall.EBADE,
@ -303,7 +303,7 @@ func (l *Symlink) apply(*Params) error {
} }
target := toSysroot(l[1]) target := toSysroot(l[1])
if err := os.MkdirAll(path.Dir(target), 0755); err != nil { if err := os.MkdirAll(path.Dir(target), params.ParentPerm); err != nil {
return wrapErrSelf(err) return wrapErrSelf(err)
} }
if err := os.Symlink(l[0], target); err != nil { if err := os.Symlink(l[0], target); err != nil {
@ -358,7 +358,7 @@ type Tmpfile struct {
} }
func (t *Tmpfile) early(*Params) error { return nil } func (t *Tmpfile) early(*Params) error { return nil }
func (t *Tmpfile) apply(*Params) error { func (t *Tmpfile) apply(params *Params) error {
if !path.IsAbs(t.Path) { if !path.IsAbs(t.Path) {
return msg.WrapErr(syscall.EBADE, return msg.WrapErr(syscall.EBADE,
fmt.Sprintf("path %q is not absolute", t.Path)) fmt.Sprintf("path %q is not absolute", t.Path))
@ -378,7 +378,7 @@ func (t *Tmpfile) apply(*Params) error {
} }
target := toSysroot(t.Path) target := toSysroot(t.Path)
if err := ensureFile(target, 0444, 0755); err != nil { if err := ensureFile(target, 0444, params.ParentPerm); err != nil {
return err return err
} else if err = hostProc.bindMount( } else if err = hostProc.bindMount(
tmpPath, tmpPath,