security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 36 Wiki Activity
9f43c2a263
fortify/internal/sandbox/proc.go
Ophestra 9f43c2a263
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m31s
Details
Test / Fpkg (push) Successful in 3m27s
Details
Test / Data race detector (push) Successful in 3m32s
Details
Test / Flake checks (push) Successful in 51s
Details
sandbox: native container tooling 
This should eventually replace bwrap.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-13 20:59:03 +09:00

40 lines
950 B
Go
Raw Blame History

package sandbox
import (
"encoding/gob"
"fmt"
"os"
"path"
"syscall"
"git.gensokyo.uk/security/fortify/internal/fmsg"
)
func init() { gob.Register(new(MountProc)) }
type MountProc struct {
Path string
}
func (p *MountProc) apply() error {
if !path.IsAbs(p.Path) {
return fmsg.WrapError(syscall.EBADE,
fmt.Sprintf("path %q is not absolute", p.Path))
}
target := toSysroot(p.Path)
if err := os.MkdirAll(target, 0755); err != nil {
return fmsg.WrapError(err, err.Error())
}
return fmsg.WrapErrorSuffix(syscall.Mount("proc", target, "proc",
syscall.MS_NOSUID|syscall.MS_NOEXEC|syscall.MS_NODEV, ""),
fmt.Sprintf("cannot mount proc on %q:", p.Path))
}
func (p *MountProc) Is(op FSOp) bool { vp, ok := op.(*MountProc); return ok && *p == *vp }
func (p *MountProc) String() string { return fmt.Sprintf("proc on %q", p.Path) }
func (f *Filesystem) Proc(dest string) *Filesystem {
*f = append(*f, &MountProc{dest})
return f
}
Reference in New Issue View Git Blame Copy Permalink