security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

sandbox: resolve tty name
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Fortify (push) Successful in 2m17s
Details
Test / Fpkg (push) Successful in 3m15s
Details
Test / Data race detector (push) Successful in 4m10s
Details
Test / Flake checks (push) Successful in 56s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-24 15:28:25 +09:00
parent b989a4601a
commit ad3576c164
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
3 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
sandbox/container_test.go
View File

@ -57,12 +57,12 @@ func TestContainer(t *testing.T) {
Mqueue("/dev/mqueue"),
[]*vfs.MountInfoEntry{
e("/", "/dev", "rw,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
e("/null", "/dev/null", "ro,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/zero", "/dev/zero", "ro,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/full", "/dev/full", "ro,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/random", "/dev/random", "ro,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/urandom", "/dev/urandom", "ro,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/tty", "/dev/tty", "ro,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
e("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
e("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
}, ""},

1
sandbox/init.go
View File

@ -239,7 +239,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
cmd := exec.Command(params.Path)
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
cmd.Args = params.Args
cmd.Env = params.Env
cmd.ExtraFiles = extraFiles

10
sandbox/sequential.go
View File

@ -156,7 +156,7 @@ func (d MountDev) apply(params *Params) error {
if err := hostProc.bindMount(
toHost("/dev/"+name),
targetPath,
syscall.MS_RDONLY,
0,
true,
); err != nil {
return err
@ -204,10 +204,12 @@ func (d MountDev) apply(params *Params) error {
if err := ensureFile(consolePath, 0444, 0755); err != nil {
return err
}
if err := hostProc.bindMount(
hostProc.stdout(),
if name, err := os.Readlink(hostProc.stdout()); err != nil {
return msg.WrapErr(err, err.Error())
} else if err = hostProc.bindMount(
toHost(name),
consolePath,
syscall.MS_RDONLY,
0,
false,
); err != nil {
return err