diff --git a/hst/container.go b/hst/container.go
index 32ddef2..43d7577 100644
--- a/hst/container.go
+++ b/hst/container.go
@@ -11,7 +11,7 @@ type (
 Hostname string `json:"hostname,omitempty"`
 // extra seccomp flags
- SeccompFlags seccomp.PrepareFlag `json:"seccomp_flags"`
+ SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
 // extra seccomp presets
 SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
 // allow ptrace and friends
diff --git a/sandbox/container.go b/sandbox/container.go
index efb3e48..fd6c588 100644
--- a/sandbox/container.go
+++ b/sandbox/container.go
@@ -95,7 +95,7 @@ type (
 // Sequential container setup ops.
 *Ops
 // Extra seccomp flags.
- SeccompFlags seccomp.PrepareFlag
+ SeccompFlags seccomp.ExportFlag
 // Extra seccomp presets.
 SeccompPresets seccomp.FilterPreset
 // Permission bits of newly created parent directories.
diff --git a/sandbox/seccomp/libseccomp-helper.c b/sandbox/seccomp/libseccomp-helper.c
index aa11b6f..b09c3eb 100644
--- a/sandbox/seccomp/libseccomp-helper.c
+++ b/sandbox/seccomp/libseccomp-helper.c
@@ -9,10 +9,10 @@
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
-int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
- uint32_t multiarch,
- struct hakurei_syscall_rule *rules,
- size_t rules_sz, hakurei_prepare_flag flags) {
+int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
+ uint32_t multiarch,
+ struct hakurei_syscall_rule *rules,
+ size_t rules_sz, hakurei_export_flag flags) {
 int i;
 int last_allowed_family;
 int disallowed;
@@ -23,7 +23,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
 /* Blocklist all but unix, inet, inet6 and netlink */
 struct {
 int family;
- hakurei_prepare_flag flags_mask;
+ hakurei_export_flag flags_mask;
 } socket_family_allowlist[] = {
 /* NOTE: Keep in numerical order */
 {AF_UNSPEC, 0},
@@ -31,8 +31,8 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
 {AF_INET, 0},
 {AF_INET6, 0},
 {AF_NETLINK, 0},
- {AF_CAN, HAKUREI_PREPARE_CAN},
- {AF_BLUETOOTH, HAKUREI_PREPARE_BLUETOOTH},
+ {AF_CAN, HAKUREI_EXPORT_CAN},
+ {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
 };
 scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
@@ -56,7 +56,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
 goto out;
 }
- if (flags & HAKUREI_PREPARE_MULTIARCH && multiarch != 0) {
+ if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
 *ret_p = seccomp_arch_add(ctx, multiarch);
 if (*ret_p < 0 && *ret_p != -EEXIST) {
 res = 3;
diff --git a/sandbox/seccomp/libseccomp-helper.h b/sandbox/seccomp/libseccomp-helper.h
index 79a13de..330fc99 100644
--- a/sandbox/seccomp/libseccomp-helper.h
+++ b/sandbox/seccomp/libseccomp-helper.h
@@ -7,10 +7,10 @@
 #endif
 typedef enum {
- HAKUREI_PREPARE_MULTIARCH = 1 << 0,
- HAKUREI_PREPARE_CAN = 1 << 1,
- HAKUREI_PREPARE_BLUETOOTH = 1 << 2,
-} hakurei_prepare_flag;
+ HAKUREI_EXPORT_MULTIARCH = 1 << 0,
+ HAKUREI_EXPORT_CAN = 1 << 1,
+ HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
+} hakurei_export_flag;
 struct hakurei_syscall_rule {
 int syscall;
@@ -18,7 +18,7 @@ struct hakurei_syscall_rule {
 struct scmp_arg_cmp *arg;
 };
-int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
- uint32_t multiarch,
- struct hakurei_syscall_rule *rules,
- size_t rules_sz, hakurei_prepare_flag flags);
\ No newline at end of file
+int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
+ uint32_t multiarch,
+ struct hakurei_syscall_rule *rules,
+ size_t rules_sz, hakurei_export_flag flags);
\ No newline at end of file
diff --git a/sandbox/seccomp/libseccomp.go b/sandbox/seccomp/libseccomp.go
index 28a9628..d28df63 100644
--- a/sandbox/seccomp/libseccomp.go
+++ b/sandbox/seccomp/libseccomp.go
@@ -64,15 +64,15 @@ type NativeRule struct {
 Arg *ScmpArgCmp
 }
-type PrepareFlag = C.hakurei_prepare_flag
+type ExportFlag = C.hakurei_export_flag
 const (
 // AllowMultiarch allows multiarch/emulation.
- AllowMultiarch PrepareFlag = C.HAKUREI_PREPARE_MULTIARCH
+ AllowMultiarch ExportFlag = C.HAKUREI_EXPORT_MULTIARCH
 // AllowCAN allows AF_CAN.
- AllowCAN PrepareFlag = C.HAKUREI_PREPARE_CAN
+ AllowCAN ExportFlag = C.HAKUREI_EXPORT_CAN
 // AllowBluetooth allows AF_BLUETOOTH.
- AllowBluetooth PrepareFlag = C.HAKUREI_PREPARE_BLUETOOTH
+ AllowBluetooth ExportFlag = C.HAKUREI_EXPORT_BLUETOOTH
 )
 var resPrefix = [...]string{
@@ -86,8 +86,8 @@ var resPrefix = [...]string{
 7: "seccomp_load failed",
 }
-// Prepare streams filter contents to fd, or installs it to the current process if fd < 0.
-func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error {
+// Export streams filter contents to fd, or installs it to the current process if fd < 0.
+func Export(fd int, rules []NativeRule, flags ExportFlag) error {
 if len(rules) == 0 {
 return ErrInvalidRules
 }
@@ -119,7 +119,7 @@ func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error {
 rulesPinner.Pin(rule.Arg)
 }
 }
- res, err := C.hakurei_prepare_filter(
+ res, err := C.hakurei_export_filter(
 &ret, C.int(fd), arch, multiarch,
 (*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])),
diff --git a/sandbox/seccomp/libseccomp_test.go b/sandbox/seccomp/libseccomp_test.go
index a4ca9a1..f5c0105 100644
--- a/sandbox/seccomp/libseccomp_test.go
+++ b/sandbox/seccomp/libseccomp_test.go
@@ -15,7 +15,7 @@ func TestExport(t *testing.T) {
 testCases := []struct {
 name string
 presets FilterPreset
- flags PrepareFlag
+ flags ExportFlag
 want []byte
 wantErr bool
 }{
diff --git a/sandbox/seccomp/presets.go b/sandbox/seccomp/presets.go
index c3b8f04..4a01d2b 100644
--- a/sandbox/seccomp/presets.go
+++ b/sandbox/seccomp/presets.go
@@ -21,7 +21,7 @@ const (
 PresetLinux32
 )
-func Preset(presets FilterPreset, flags PrepareFlag) (rules []NativeRule) {
+func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
 allowedPersonality := PER_LINUX
 if presets&PresetLinux32 != 0 {
 allowedPersonality = PER_LINUX32
diff --git a/sandbox/seccomp/proc.go b/sandbox/seccomp/proc.go
index 51c3bce..e4ce185 100644
--- a/sandbox/seccomp/proc.go
+++ b/sandbox/seccomp/proc.go
@@ -13,10 +13,10 @@ const (
 )
 // New returns an inactive Encoder instance.
-func New(rules []NativeRule, flags PrepareFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
+func New(rules []NativeRule, flags ExportFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
 // Load loads a filter into the kernel.
-func Load(rules []NativeRule, flags PrepareFlag) error { return Prepare(-1, rules, flags) }
+func Load(rules []NativeRule, flags ExportFlag) error { return Export(-1, rules, flags) }
 /* An Encoder writes a BPF program to an output stream.
@@ -46,14 +46,14 @@ func (e *Encoder) Close() error {
 }
 // NewFile returns an instance of exporter implementing [proc.File].
-func NewFile(rules []NativeRule, flags PrepareFlag) proc.File {
+func NewFile(rules []NativeRule, flags ExportFlag) proc.File {
 return &File{rules: rules, flags: flags}
 }
 // File implements [proc.File] and provides access to the read end of exporter pipe.
 type File struct {
 rules []NativeRule
- flags PrepareFlag
+ flags ExportFlag
 proc.BaseFile
 }
diff --git a/sandbox/seccomp/seccomp.go b/sandbox/seccomp/seccomp.go
index c538e4e..664b31c 100644
--- a/sandbox/seccomp/seccomp.go
+++ b/sandbox/seccomp/seccomp.go
@@ -9,7 +9,7 @@ import (
 type exporter struct {
 rules []NativeRule
- flags PrepareFlag
+ flags ExportFlag
 r, w *os.File
 prepareOnce sync.Once
@@ -30,7 +30,7 @@ func (e *exporter) prepare() error {
 ec := make(chan error, 1)
 go func(fd uintptr) {
- ec <- Prepare(int(fd), e.rules, e.flags)
+ ec <- Export(int(fd), e.rules, e.flags)
 close(ec)
 _ = e.closeWrite()
 runtime.KeepAlive(e.w)
@@ -55,6 +55,6 @@ func (e *exporter) closeWrite() error {
 return e.closeErr
 }
-func newExporter(rules []NativeRule, flags PrepareFlag) *exporter {
+func newExporter(rules []NativeRule, flags ExportFlag) *exporter {
 return &exporter{rules: rules, flags: flags}
 }