security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

fst/sandbox: do not create /etc in advance
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m43s
Details
Test / Fpkg (push) Successful in 3m36s
Details
Test / Data race detector (push) Successful in 4m31s
Details
Test / Flake checks (push) Successful in 56s
Details

Browse Source 
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-25 20:00:34 +09:00
parent 971c79bb80
commit c326c3f97d
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
6 changed files with 4 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
fst/sandbox.go
View File

@ -245,9 +245,7 @@ func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Par
if etcPath == "" { if etcPath == "" {
etcPath = "/etc" etcPath = "/etc"
} }
container. container.Bind(etcPath, Tmp+"/etc", 0)
Bind(etcPath, Tmp+"/etc", 0).
Mkdir("/etc", 0700)
// link host /etc contents to prevent dropping passwd/group bind mounts // link host /etc contents to prevent dropping passwd/group bind mounts
if d, err := sys.ReadDir(etcPath); err != nil { if d, err := sys.ReadDir(etcPath); err != nil {

1
internal/app/app_nixos_test.go
View File

@ -124,7 +124,6 @@ var testCasesNixos = []sealTestCase{
Bind("/run/opengl-driver", "/run/opengl-driver", 0). Bind("/run/opengl-driver", "/run/opengl-driver", 0).
Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional). Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
Bind("/etc", fst.Tmp+"/etc", 0). Bind("/etc", fst.Tmp+"/etc", 0).
Mkdir("/etc", 0700).
Link(fst.Tmp+"/etc/alsa", "/etc/alsa"). Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d"). Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").

2
internal/app/app_pd_test.go
View File

@ -67,7 +67,6 @@ var testCasesPd = []sealTestCase{
Tmpfs("/run/user/1971", 8192, 0755). Tmpfs("/run/user/1971", 8192, 0755).
Tmpfs("/run/dbus", 8192, 0755). Tmpfs("/run/dbus", 8192, 0755).
Bind("/etc", fst.Tmp+"/etc", 0). Bind("/etc", fst.Tmp+"/etc", 0).
Mkdir("/etc", 0700).
Link(fst.Tmp+"/etc/alsa", "/etc/alsa"). Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d"). Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
@ -288,7 +287,6 @@ var testCasesPd = []sealTestCase{
Tmpfs("/run/user/1971", 8192, 0755). Tmpfs("/run/user/1971", 8192, 0755).
Tmpfs("/run/dbus", 8192, 0755). Tmpfs("/run/dbus", 8192, 0755).
Bind("/etc", fst.Tmp+"/etc", 0). Bind("/etc", fst.Tmp+"/etc", 0).
Mkdir("/etc", 0700).
Link(fst.Tmp+"/etc/alsa", "/etc/alsa"). Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d"). Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").

2
test/sandbox/case/mapuid.nix
View File

@ -39,7 +39,7 @@
urandom = fs "42001b6" null null; urandom = fs "42001b6" null null;
zero = fs "42001b6" null null; zero = fs "42001b6" null null;
} null; } null;
etc = fs "800001c0" { etc = fs "800001ed" {
".clean" = fs "80001ff" null null; ".clean" = fs "80001ff" null null;
".updated" = fs "80001ff" null null; ".updated" = fs "80001ff" null null;
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;

2
test/sandbox/case/preset.nix
View File

@ -39,7 +39,7 @@
urandom = fs "42001b6" null null; urandom = fs "42001b6" null null;
zero = fs "42001b6" null null; zero = fs "42001b6" null null;
} null; } null;
etc = fs "800001c0" { etc = fs "800001ed" {
".clean" = fs "80001ff" null null; ".clean" = fs "80001ff" null null;
".updated" = fs "80001ff" null null; ".updated" = fs "80001ff" null null;
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;

2
test/sandbox/case/tty.nix
View File

@ -40,7 +40,7 @@
urandom = fs "42001b6" null null; urandom = fs "42001b6" null null;
zero = fs "42001b6" null null; zero = fs "42001b6" null null;
} null; } null;
etc = fs "800001c0" { etc = fs "800001ed" {
".clean" = fs "80001ff" null null; ".clean" = fs "80001ff" null null;
".updated" = fs "80001ff" null null; ".updated" = fs "80001ff" null null;
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;