security/hakurei
security/hakurei
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

sandbox/seccomp: prepare -> export
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m51s
Details
Test / Sandbox (race detector) (push) Successful in 3m3s
Details
Test / Planterette (push) Successful in 3m37s
Details
Test / Hakurei (race detector) (push) Successful in 4m17s
Details
Test / Hakurei (push) Successful in 2m12s
Details
Test / Flake checks (push) Successful in 1m12s
Details

Browse Source 
Export makes a lot more sense, and also matches the libseccomp function.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-07-02 00:32:48 +09:00
parent d5532aade0
commit 26b7afc890
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
9 changed files with 34 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hst/container.go
View File

@ -11,7 +11,7 @@ type (
Hostname string `json:"hostname,omitempty"` Hostname string `json:"hostname,omitempty"`
// extra seccomp flags // extra seccomp flags
SeccompFlags seccomp.PrepareFlag `json:"seccomp_flags"` SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
// extra seccomp presets // extra seccomp presets
SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"` SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
// allow ptrace and friends // allow ptrace and friends

2
sandbox/container.go
View File

@ -95,7 +95,7 @@ type (
// Sequential container setup ops. // Sequential container setup ops.
*Ops *Ops
// Extra seccomp flags. // Extra seccomp flags.
SeccompFlags seccomp.PrepareFlag SeccompFlags seccomp.ExportFlag
// Extra seccomp presets. // Extra seccomp presets.
SeccompPresets seccomp.FilterPreset SeccompPresets seccomp.FilterPreset
// Permission bits of newly created parent directories. // Permission bits of newly created parent directories.

16
sandbox/seccomp/libseccomp-helper.c
View File

@ -9,10 +9,10 @@
#define LEN(arr) (sizeof(arr) / sizeof((arr)[0])) #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch, int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
uint32_t multiarch, uint32_t multiarch,
struct hakurei_syscall_rule *rules, struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_prepare_flag flags) { size_t rules_sz, hakurei_export_flag flags) {
int i; int i;
int last_allowed_family; int last_allowed_family;
int disallowed; int disallowed;
@ -23,7 +23,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
/* Blocklist all but unix, inet, inet6 and netlink */ /* Blocklist all but unix, inet, inet6 and netlink */
struct { struct {
int family; int family;
hakurei_prepare_flag flags_mask; hakurei_export_flag flags_mask;
} socket_family_allowlist[] = { } socket_family_allowlist[] = {
/* NOTE: Keep in numerical order */ /* NOTE: Keep in numerical order */
{AF_UNSPEC, 0}, {AF_UNSPEC, 0},
@ -31,8 +31,8 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
{AF_INET, 0}, {AF_INET, 0},
{AF_INET6, 0}, {AF_INET6, 0},
{AF_NETLINK, 0}, {AF_NETLINK, 0},
{AF_CAN, HAKUREI_PREPARE_CAN}, {AF_CAN, HAKUREI_EXPORT_CAN},
{AF_BLUETOOTH, HAKUREI_PREPARE_BLUETOOTH}, {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
}; };
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW); scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
@ -56,7 +56,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
goto out; goto out;
} }
if (flags & HAKUREI_PREPARE_MULTIARCH && multiarch != 0) { if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
*ret_p = seccomp_arch_add(ctx, multiarch); *ret_p = seccomp_arch_add(ctx, multiarch);
if (*ret_p < 0 && *ret_p != -EEXIST) { if (*ret_p < 0 && *ret_p != -EEXIST) {
res = 3; res = 3;

16
sandbox/seccomp/libseccomp-helper.h
View File

@ -7,10 +7,10 @@
#endif #endif
typedef enum { typedef enum {
HAKUREI_PREPARE_MULTIARCH = 1 << 0, HAKUREI_EXPORT_MULTIARCH = 1 << 0,
HAKUREI_PREPARE_CAN = 1 << 1, HAKUREI_EXPORT_CAN = 1 << 1,
HAKUREI_PREPARE_BLUETOOTH = 1 << 2, HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
} hakurei_prepare_flag; } hakurei_export_flag;
struct hakurei_syscall_rule { struct hakurei_syscall_rule {
int syscall; int syscall;
@ -18,7 +18,7 @@ struct hakurei_syscall_rule {
struct scmp_arg_cmp *arg; struct scmp_arg_cmp *arg;
}; };
int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch, int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
uint32_t multiarch, uint32_t multiarch,
struct hakurei_syscall_rule *rules, struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_prepare_flag flags); size_t rules_sz, hakurei_export_flag flags);

14
sandbox/seccomp/libseccomp.go
View File

@ -64,15 +64,15 @@ type NativeRule struct {
Arg *ScmpArgCmp Arg *ScmpArgCmp
} }
type PrepareFlag = C.hakurei_prepare_flag type ExportFlag = C.hakurei_export_flag
const ( const (
// AllowMultiarch allows multiarch/emulation. // AllowMultiarch allows multiarch/emulation.
AllowMultiarch PrepareFlag = C.HAKUREI_PREPARE_MULTIARCH AllowMultiarch ExportFlag = C.HAKUREI_EXPORT_MULTIARCH
// AllowCAN allows AF_CAN. // AllowCAN allows AF_CAN.
AllowCAN PrepareFlag = C.HAKUREI_PREPARE_CAN AllowCAN ExportFlag = C.HAKUREI_EXPORT_CAN
// AllowBluetooth allows AF_BLUETOOTH. // AllowBluetooth allows AF_BLUETOOTH.
AllowBluetooth PrepareFlag = C.HAKUREI_PREPARE_BLUETOOTH AllowBluetooth ExportFlag = C.HAKUREI_EXPORT_BLUETOOTH
) )
var resPrefix = [...]string{ var resPrefix = [...]string{
@ -86,8 +86,8 @@ var resPrefix = [...]string{
7: "seccomp_load failed", 7: "seccomp_load failed",
} }
// Prepare streams filter contents to fd, or installs it to the current process if fd < 0. // Export streams filter contents to fd, or installs it to the current process if fd < 0.
func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error { func Export(fd int, rules []NativeRule, flags ExportFlag) error {
if len(rules) == 0 { if len(rules) == 0 {
return ErrInvalidRules return ErrInvalidRules
} }
@ -119,7 +119,7 @@ func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error {
rulesPinner.Pin(rule.Arg) rulesPinner.Pin(rule.Arg)
} }
} }
res, err := C.hakurei_prepare_filter( res, err := C.hakurei_export_filter(
&ret, C.int(fd), &ret, C.int(fd),
arch, multiarch, arch, multiarch,
(*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])), (*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])),

2
sandbox/seccomp/libseccomp_test.go
View File

@ -15,7 +15,7 @@ func TestExport(t *testing.T) {
testCases := []struct { testCases := []struct {
name string name string
presets FilterPreset presets FilterPreset
flags PrepareFlag flags ExportFlag
want []byte want []byte
wantErr bool wantErr bool
}{ }{

2
sandbox/seccomp/presets.go
View File

@ -21,7 +21,7 @@ const (
PresetLinux32 PresetLinux32
) )
func Preset(presets FilterPreset, flags PrepareFlag) (rules []NativeRule) { func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
allowedPersonality := PER_LINUX allowedPersonality := PER_LINUX
if presets&PresetLinux32 != 0 { if presets&PresetLinux32 != 0 {
allowedPersonality = PER_LINUX32 allowedPersonality = PER_LINUX32

8
sandbox/seccomp/proc.go
View File

@ -13,10 +13,10 @@ const (
) )
// New returns an inactive Encoder instance. // New returns an inactive Encoder instance.
func New(rules []NativeRule, flags PrepareFlag) *Encoder { return &Encoder{newExporter(rules, flags)} } func New(rules []NativeRule, flags ExportFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
// Load loads a filter into the kernel. // Load loads a filter into the kernel.
func Load(rules []NativeRule, flags PrepareFlag) error { return Prepare(-1, rules, flags) } func Load(rules []NativeRule, flags ExportFlag) error { return Export(-1, rules, flags) }
/* /*
An Encoder writes a BPF program to an output stream. An Encoder writes a BPF program to an output stream.
@ -46,14 +46,14 @@ func (e *Encoder) Close() error {
} }
// NewFile returns an instance of exporter implementing [proc.File]. // NewFile returns an instance of exporter implementing [proc.File].
func NewFile(rules []NativeRule, flags PrepareFlag) proc.File { func NewFile(rules []NativeRule, flags ExportFlag) proc.File {
return &File{rules: rules, flags: flags} return &File{rules: rules, flags: flags}
} }
// File implements [proc.File] and provides access to the read end of exporter pipe. // File implements [proc.File] and provides access to the read end of exporter pipe.
type File struct { type File struct {
rules []NativeRule rules []NativeRule
flags PrepareFlag flags ExportFlag
proc.BaseFile proc.BaseFile
} }

6
sandbox/seccomp/seccomp.go
View File

@ -9,7 +9,7 @@ import (
type exporter struct { type exporter struct {
rules []NativeRule rules []NativeRule
flags PrepareFlag flags ExportFlag
r, w *os.File r, w *os.File
prepareOnce sync.Once prepareOnce sync.Once
@ -30,7 +30,7 @@ func (e *exporter) prepare() error {
ec := make(chan error, 1) ec := make(chan error, 1)
go func(fd uintptr) { go func(fd uintptr) {
ec <- Prepare(int(fd), e.rules, e.flags) ec <- Export(int(fd), e.rules, e.flags)
close(ec) close(ec)
_ = e.closeWrite() _ = e.closeWrite()
runtime.KeepAlive(e.w) runtime.KeepAlive(e.w)
@ -55,6 +55,6 @@ func (e *exporter) closeWrite() error {
return e.closeErr return e.closeErr
} }
func newExporter(rules []NativeRule, flags PrepareFlag) *exporter { func newExporter(rules []NativeRule, flags ExportFlag) *exporter {
return &exporter{rules: rules, flags: flags} return &exporter{rules: rules, flags: flags}
} }