security/hakurei
security/hakurei
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

sandbox/seccomp: prepare -> export
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m51s
Details
Test / Sandbox (race detector) (push) Successful in 3m3s
Details
Test / Planterette (push) Successful in 3m37s
Details
Test / Hakurei (race detector) (push) Successful in 4m17s
Details
Test / Hakurei (push) Successful in 2m12s
Details
Test / Flake checks (push) Successful in 1m12s
Details

Browse Source 
Export makes a lot more sense, and also matches the libseccomp function.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-07-02 00:32:48 +09:00
parent d5532aade0
commit 26b7afc890
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
9 changed files with 34 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hst/container.go
View File

@ -11,7 +11,7 @@ type (
Hostname string `json:"hostname,omitempty"`
// extra seccomp flags
SeccompFlags seccomp.PrepareFlag `json:"seccomp_flags"`
SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
// extra seccomp presets
SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
// allow ptrace and friends

2
sandbox/container.go
View File

@ -95,7 +95,7 @@ type (
// Sequential container setup ops.
*Ops
// Extra seccomp flags.
SeccompFlags seccomp.PrepareFlag
SeccompFlags seccomp.ExportFlag
// Extra seccomp presets.
SeccompPresets seccomp.FilterPreset
// Permission bits of newly created parent directories.

16
sandbox/seccomp/libseccomp-helper.c
View File

@ -9,10 +9,10 @@
#define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
uint32_t multiarch,
struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_prepare_flag flags) {
int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
uint32_t multiarch,
struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_export_flag flags) {
int i;
int last_allowed_family;
int disallowed;
@ -23,7 +23,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
/* Blocklist all but unix, inet, inet6 and netlink */
struct {
int family;
hakurei_prepare_flag flags_mask;
hakurei_export_flag flags_mask;
} socket_family_allowlist[] = {
/* NOTE: Keep in numerical order */
{AF_UNSPEC, 0},
@ -31,8 +31,8 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
{AF_INET, 0},
{AF_INET6, 0},
{AF_NETLINK, 0},
{AF_CAN, HAKUREI_PREPARE_CAN},
{AF_BLUETOOTH, HAKUREI_PREPARE_BLUETOOTH},
{AF_CAN, HAKUREI_EXPORT_CAN},
{AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
};
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
@ -56,7 +56,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
goto out;
}
if (flags & HAKUREI_PREPARE_MULTIARCH && multiarch != 0) {
if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
*ret_p = seccomp_arch_add(ctx, multiarch);
if (*ret_p < 0 && *ret_p != -EEXIST) {
res = 3;

16
sandbox/seccomp/libseccomp-helper.h
View File

@ -7,10 +7,10 @@
#endif
typedef enum {
HAKUREI_PREPARE_MULTIARCH = 1 << 0,
HAKUREI_PREPARE_CAN = 1 << 1,
HAKUREI_PREPARE_BLUETOOTH = 1 << 2,
} hakurei_prepare_flag;
HAKUREI_EXPORT_MULTIARCH = 1 << 0,
HAKUREI_EXPORT_CAN = 1 << 1,
HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
} hakurei_export_flag;
struct hakurei_syscall_rule {
int syscall;
@ -18,7 +18,7 @@ struct hakurei_syscall_rule {
struct scmp_arg_cmp *arg;
};
int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
uint32_t multiarch,
struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_prepare_flag flags);
int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
uint32_t multiarch,
struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_export_flag flags);

14
sandbox/seccomp/libseccomp.go
View File

@ -64,15 +64,15 @@ type NativeRule struct {
Arg *ScmpArgCmp
}
type PrepareFlag = C.hakurei_prepare_flag
type ExportFlag = C.hakurei_export_flag
const (
// AllowMultiarch allows multiarch/emulation.
AllowMultiarch PrepareFlag = C.HAKUREI_PREPARE_MULTIARCH
AllowMultiarch ExportFlag = C.HAKUREI_EXPORT_MULTIARCH
// AllowCAN allows AF_CAN.
AllowCAN PrepareFlag = C.HAKUREI_PREPARE_CAN
AllowCAN ExportFlag = C.HAKUREI_EXPORT_CAN
// AllowBluetooth allows AF_BLUETOOTH.
AllowBluetooth PrepareFlag = C.HAKUREI_PREPARE_BLUETOOTH
AllowBluetooth ExportFlag = C.HAKUREI_EXPORT_BLUETOOTH
)
var resPrefix = [...]string{
@ -86,8 +86,8 @@ var resPrefix = [...]string{
7: "seccomp_load failed",
}
// Prepare streams filter contents to fd, or installs it to the current process if fd < 0.
func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error {
// Export streams filter contents to fd, or installs it to the current process if fd < 0.
func Export(fd int, rules []NativeRule, flags ExportFlag) error {
if len(rules) == 0 {
return ErrInvalidRules
}
@ -119,7 +119,7 @@ func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error {
rulesPinner.Pin(rule.Arg)
}
}
res, err := C.hakurei_prepare_filter(
res, err := C.hakurei_export_filter(
&ret, C.int(fd),
arch, multiarch,
(*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])),

2
sandbox/seccomp/libseccomp_test.go
View File

@ -15,7 +15,7 @@ func TestExport(t *testing.T) {
testCases := []struct {
name string
presets FilterPreset
flags PrepareFlag
flags ExportFlag
want []byte
wantErr bool
}{

2
sandbox/seccomp/presets.go
View File

@ -21,7 +21,7 @@ const (
PresetLinux32
)
func Preset(presets FilterPreset, flags PrepareFlag) (rules []NativeRule) {
func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
allowedPersonality := PER_LINUX
if presets&PresetLinux32 != 0 {
allowedPersonality = PER_LINUX32

8
sandbox/seccomp/proc.go
View File

@ -13,10 +13,10 @@ const (
)
// New returns an inactive Encoder instance.
func New(rules []NativeRule, flags PrepareFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
func New(rules []NativeRule, flags ExportFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
// Load loads a filter into the kernel.
func Load(rules []NativeRule, flags PrepareFlag) error { return Prepare(-1, rules, flags) }
func Load(rules []NativeRule, flags ExportFlag) error { return Export(-1, rules, flags) }
/*
An Encoder writes a BPF program to an output stream.
@ -46,14 +46,14 @@ func (e *Encoder) Close() error {
}
// NewFile returns an instance of exporter implementing [proc.File].
func NewFile(rules []NativeRule, flags PrepareFlag) proc.File {
func NewFile(rules []NativeRule, flags ExportFlag) proc.File {
return &File{rules: rules, flags: flags}
}
// File implements [proc.File] and provides access to the read end of exporter pipe.
type File struct {
rules []NativeRule
flags PrepareFlag
flags ExportFlag
proc.BaseFile
}

6
sandbox/seccomp/seccomp.go
View File

@ -9,7 +9,7 @@ import (
type exporter struct {
rules []NativeRule
flags PrepareFlag
flags ExportFlag
r, w *os.File
prepareOnce sync.Once
@ -30,7 +30,7 @@ func (e *exporter) prepare() error {
ec := make(chan error, 1)
go func(fd uintptr) {
ec <- Prepare(int(fd), e.rules, e.flags)
ec <- Export(int(fd), e.rules, e.flags)
close(ec)
_ = e.closeWrite()
runtime.KeepAlive(e.w)
@ -55,6 +55,6 @@ func (e *exporter) closeWrite() error {
return e.closeErr
}
func newExporter(rules []NativeRule, flags PrepareFlag) *exporter {
func newExporter(rules []NativeRule, flags ExportFlag) *exporter {
return &exporter{rules: rules, flags: flags}
}