security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

test/sandbox/mount: work around /run tmpfs nondeterminism
Some checks failed
Test / Create distribution (push) Successful in 24s
Details
Test / Fortify (push) Failing after 1m46s
Details
Test / Data race detector (push) Failing after 2m29s
Details
Test / Fpkg (push) Successful in 3m27s
Details
Test / Flake checks (push) Has been skipped
Details

Browse Source 
The special case is ugly and does not work for all paths, but it is guaranteed to work in the test.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-12 14:12:21 +09:00
parent c8ed7aae6e
commit d2c3d1bfbd
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
7 changed files with 33 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
helper/seccomp/api.go
View File

@ -11,6 +11,9 @@ import (
// New returns an inactive Encoder instance.
func New(opts SyscallOpts) *Encoder { return &Encoder{newExporter(opts)} }
// Load loads a filter into the kernel.
func Load(opts SyscallOpts) error { return buildFilter(-1, opts) }
/*
An Encoder writes a BPF program to an output stream.

2
helper/seccomp/export.go
View File

@ -28,7 +28,7 @@ func (e *exporter) prepare() error {
ec := make(chan error, 1)
go func(fd uintptr) {
ec <- exportFilter(fd, e.opts)
ec <- buildFilter(int(fd), e.opts)
close(ec)
_ = e.closeWrite()
runtime.KeepAlive(e.w)

23
helper/seccomp/seccomp-export.c → helper/seccomp/seccomp-build.c
View File

@ -2,7 +2,7 @@
#define _GNU_SOURCE // CLONE_NEWUSER
#endif
#include "seccomp-export.h"
#include "seccomp-build.h"
#include <stdlib.h>
#include <stdio.h>
#include <assert.h>
@ -48,7 +48,7 @@ struct f_syscall_act {
} \
} while (0)
int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts opts) {
int32_t f_build_filter(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts opts) {
int32_t res = 0; // refer to resErr for meaning
int allow_multiarch = opts & F_MULTIARCH;
int allowed_personality = PER_LINUX;
@ -285,11 +285,20 @@ int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts o
// Blocklist the rest
seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
ret = seccomp_export_bpf(ctx, fd);
if (ret != 0) {
res = 6;
errno = -ret;
goto out;
if (fd < 0) {
ret = seccomp_load(ctx);
if (ret != 0) {
res = 7;
errno = -ret;
goto out;
}
} else {
ret = seccomp_export_bpf(ctx, fd);
if (ret != 0) {
res = 6;
errno = -ret;
goto out;
}
}
out:

2
helper/seccomp/seccomp-export.h → helper/seccomp/seccomp-build.h
View File

@ -20,4 +20,4 @@ typedef enum {
} f_syscall_opts;
extern void F_println(char *v);
int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts opts);
int32_t f_build_filter(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts opts);

7
helper/seccomp/seccomp.go
View File

@ -3,7 +3,7 @@ package seccomp
/*
#cgo linux pkg-config: --static libseccomp
#include "seccomp-export.h"
#include "seccomp-build.h"
*/
import "C"
import (
@ -22,6 +22,7 @@ var resErr = [...]error{
4: errors.New("internal libseccomp failure"),
5: errors.New("seccomp_rule_add failed"),
6: errors.New("seccomp_export_bpf failed"),
7: errors.New("seccomp_load failed"),
}
type SyscallOpts = C.f_syscall_opts
@ -46,7 +47,7 @@ const (
FlagBluetooth SyscallOpts = C.F_BLUETOOTH
)
func exportFilter(fd uintptr, opts SyscallOpts) error {
func buildFilter(fd int, opts SyscallOpts) error {
var (
arch C.uint32_t = 0
multiarch C.uint32_t = 0
@ -70,7 +71,7 @@ func exportFilter(fd uintptr, opts SyscallOpts) error {
opts |= flagVerbose
}
res, err := C.f_export_bpf(C.int(fd), arch, multiarch, opts)
res, err := C.f_build_filter(C.int(fd), arch, multiarch, opts)
if re := resErr[res]; re != nil {
if err == nil {
return re

7
test/sandbox/assert.go
View File

@ -5,6 +5,7 @@ import (
"io/fs"
"log"
"os"
"strings"
)
var (
@ -39,8 +40,14 @@ func MustAssertMounts(name, hostMountsFile, wantFile string) {
for i := range want {
if want[i].Opts == "host_passthrough" {
isRunBind := want[i].FSName == "tmpfs" && strings.HasPrefix(want[i].Dir, "/run/")
for _, ent := range hostMounts {
if want[i].FSName == ent.FSName {
// special case for /run bind mount
if isRunBind && ent.Dir != "/run" {
continue
}
want[i].Opts = ent.Opts
goto out
}

2
test/sandbox/mount.nix
View File

@ -51,7 +51,7 @@ let
(ent "tmpfs" "/etc/passwd" "tmpfs" "ro,nosuid,nodev,relatime,uid=1000001,gid=1000001" 0 0)
(ent "tmpfs" "/etc/group" "tmpfs" "ro,nosuid,nodev,relatime,uid=1000001,gid=1000001" 0 0)
(ent "/dev/disk/by-label/nixos" "/run/user/65534/wayland-0" "ext4" "ro,nosuid,nodev,relatime" 0 0)
(ent "tmpfs" "/run/user/65534/pulse/native" "tmpfs" "ro,nosuid,nodev,relatime,size=98784k,nr_inodes=24696,mode=700,uid=1000,gid=100" 0 0)
(ent "tmpfs" "/run/user/65534/pulse/native" "tmpfs" "host_passthrough" 0 0)
(ent "/dev/disk/by-label/nixos" "/run/user/65534/bus" "ext4" "ro,nosuid,nodev,relatime" 0 0)
(ent "tmpfs" "/var/run/nscd" "tmpfs" "rw,nosuid,nodev,relatime,size=8k,mode=755,uid=1000001,gid=1000001" 0 0)
(ent "overlay" "/.fortify/sbin/fortify" "overlay" "ro,nosuid,nodev,relatime,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on" 0 0)