security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

sandbox: expose cancel behaviour
All checks were successful
Test / Create distribution (push) Successful in 40s
Details
Test / Fpkg (push) Successful in 11m53s
Details
Test / Fortify (push) Successful in 1m57s
Details
Test / Data race detector (push) Successful in 2m33s
Details
Test / Flake checks (push) Successful in 58s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-15 03:04:27 +09:00
parent 10a21ce3ef
commit e64e7608ca
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
internal/sandbox/container.go
View File

@ -10,6 +10,7 @@ import (
"path" "path"
"strconv" "strconv"
"syscall" "syscall"
"time"
"git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
@ -68,6 +69,9 @@ type (
Stdout io.Writer Stdout io.Writer
Stderr io.Writer Stderr io.Writer
Cancel func() error
WaitDelay time.Duration
cmd *exec.Cmd cmd *exec.Cmd
ctx context.Context ctx context.Context
} }
@ -130,6 +134,7 @@ func (p *Container) Start() error {
p.cmd = p.CommandContext(c) p.cmd = p.CommandContext(c)
p.cmd.Stdin, p.cmd.Stdout, p.cmd.Stderr = p.Stdin, p.Stdout, p.Stderr p.cmd.Stdin, p.cmd.Stdout, p.cmd.Stderr = p.Stdin, p.Stdout, p.Stderr
p.cmd.Cancel, p.cmd.WaitDelay = p.Cancel, p.WaitDelay
p.cmd.Dir = "/" p.cmd.Dir = "/"
p.cmd.SysProcAttr = &syscall.SysProcAttr{ p.cmd.SysProcAttr = &syscall.SysProcAttr{
Setsid: p.Flags&FAllowTTY == 0, Setsid: p.Flags&FAllowTTY == 0,
@ -208,6 +213,11 @@ func (p *Container) Serve() error {
func (p *Container) Wait() error { defer p.cancel(); return p.cmd.Wait() } func (p *Container) Wait() error { defer p.cancel(); return p.cmd.Wait() }
func (p *Container) String() string {
return fmt.Sprintf("argv: %q, flags: %#x, seccomp: %#x",
p.Args, p.Flags, int(p.Flags.seccomp(p.Seccomp)))
}
func New(ctx context.Context, name string, args ...string) *Container { func New(ctx context.Context, name string, args ...string) *Container {
return &Container{name: name, ctx: ctx, return &Container{name: name, ctx: ctx,
InitParams: InitParams{Args: append([]string{name}, args...), Dir: "/", Ops: new(Ops)}, InitParams: InitParams{Args: append([]string{name}, args...), Dir: "/", Ops: new(Ops)},

11
internal/sandbox/container_test.go
View File

@ -18,6 +18,7 @@ import (
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/sandbox" "git.gensokyo.uk/security/fortify/internal/sandbox"
"git.gensokyo.uk/security/fortify/ldd" "git.gensokyo.uk/security/fortify/ldd"
"git.gensokyo.uk/security/fortify/seccomp"
check "git.gensokyo.uk/security/fortify/test/sandbox" check "git.gensokyo.uk/security/fortify/test/sandbox"
) )
@ -146,6 +147,16 @@ func TestContainer(t *testing.T) {
} }
} }
func TestContainerString(t *testing.T) {
container := sandbox.New(context.TODO(), "ldd", "/usr/bin/env")
container.Flags |= sandbox.FAllowDevel
container.Seccomp |= seccomp.FlagMultiarch
want := `argv: ["ldd" "/usr/bin/env"], flags: 0x2, seccomp: 0x2e`
if got := container.String(); got != want {
t.Errorf("String: %s, want %s", got, want)
}
}
func TestHelperInit(t *testing.T) { func TestHelperInit(t *testing.T) {
if len(os.Args) != 5 || os.Args[4] != "init" { if len(os.Args) != 5 || os.Args[4] != "init" {
return return