security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 25 Wiki Activity

helper/bwrap: generic extra file interface
All checks were successful
Build / Create distribution (push) Successful in 1m32s
Details
Test / Run NixOS test (push) Successful in 3m50s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-01-19 19:18:22 +09:00
parent 2f70506865
commit eb0ef2d115
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 22 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
helper/bwrap.go
View File

@ -15,15 +15,19 @@ import (
// BubblewrapName is the file name or path to bubblewrap. // BubblewrapName is the file name or path to bubblewrap.
var BubblewrapName = "bwrap" var BubblewrapName = "bwrap"
type BwrapExtraFile struct {
Name string
File *os.File
}
type bubblewrap struct { type bubblewrap struct {
// bwrap child file name // bwrap child file name
name string name string
// bwrap pipes // bwrap pipes
control *pipes control *pipes
// keep this fd open while sandbox is running // extra files with fd passed as argument
// (--sync-fd FD) extra []BwrapExtraFile
sync *os.File
// returns an array of arguments passed directly // returns an array of arguments passed directly
// to the child process spawned by bwrap // to the child process spawned by bwrap
argF func(argsFD, statFD int) []string argF func(argsFD, statFD int) []string
@ -50,9 +54,12 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
return errors.New("exec: already started") return errors.New("exec: already started")
} }
// pass sync fd to bwrap // pass extra fd to bwrap
if b.sync != nil { for _, e := range b.extra {
b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync)))) if e.File == nil {
continue
}
b.Cmd.Args = append(b.Cmd.Args, e.Name, strconv.Itoa(int(proc.ExtraFile(b.Cmd, e.File))))
} }
// prepare bwrap pipe and args // prepare bwrap pipe and args
@ -123,9 +130,9 @@ func (b *bubblewrap) Unwrap() *exec.Cmd {
func MustNewBwrap( func MustNewBwrap(
conf *bwrap.Config, name string, conf *bwrap.Config, name string,
wt io.WriterTo, argF func(argsFD, statFD int) []string, wt io.WriterTo, argF func(argsFD, statFD int) []string,
syncFd *os.File, extra []BwrapExtraFile,
) Helper { ) Helper {
b, err := NewBwrap(conf, name, wt, argF, syncFd) b, err := NewBwrap(conf, name, wt, argF, extra)
if err != nil { if err != nil {
panic(err.Error()) panic(err.Error())
} else { } else {
@ -139,7 +146,7 @@ func MustNewBwrap(
func NewBwrap( func NewBwrap(
conf *bwrap.Config, name string, conf *bwrap.Config, name string,
wt io.WriterTo, argF func(argsFD, statFD int) []string, wt io.WriterTo, argF func(argsFD, statFD int) []string,
syncFd *os.File, extra []BwrapExtraFile,
) (Helper, error) { ) (Helper, error) {
b := new(bubblewrap) b := new(bubblewrap)
@ -149,7 +156,7 @@ func NewBwrap(
b.control = &pipes{args: args} b.control = &pipes{args: args}
} }
b.sync = syncFd b.extra = extra
b.argF = argF b.argF = argF
b.name = name b.name = name
if wt != nil { if wt != nil {

6
internal/proc/priv/shim/main.go
View File

@ -138,7 +138,11 @@ func Main() {
if b, err := helper.NewBwrap( if b, err := helper.NewBwrap(
conf, innerInit, conf, innerInit,
nil, func(int, int) []string { return make([]string, 0) }, nil, func(int, int) []string { return make([]string, 0) },
syncFd, []helper.BwrapExtraFile{
// keep this fd open while sandbox is running
// (--sync-fd FD)
{"--sync-fd", syncFd},
},
); err != nil { ); err != nil {
fmsg.Fatalf("malformed sandbox config: %v", err) fmsg.Fatalf("malformed sandbox config: %v", err)
} else { } else {