fst: include syscall filter configuration

This value is passed through to shim. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 21:12:39 +09:00
parent 2cf1f46ea2
commit 27f5922d5c
4 changed files with 31 additions and 6 deletions
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -47,6 +47,8 @@ type appSeal struct {

 	// pass-through enablement tracking from config
 	et system.Enablements
+	// pass-through seccomp config from config
+	scmp *fst.SyscallConfig
 	// wayland socket direct access
 	directWayland bool
 	// extra UpdatePerm ops
@@ -218,6 +220,12 @@ func (a *app) Seal(config *fst.Config) error {
 		conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})

 		config.Confinement.Sandbox = conf
+
+		// ensure syscall filter
+		if config.Confinement.Syscall == nil {
+			config.Confinement.Syscall = new(fst.SyscallConfig)
+			config.Confinement.Syscall.Multiarch = true
+		}
 	}
 	seal.directWayland = config.Confinement.Sandbox.DirectWayland
 	if b, err := config.Confinement.Sandbox.Bwrap(a.os); err != nil {
@@ -238,8 +246,9 @@ func (a *app) Seal(config *fst.Config) error {
 	// initialise system interface with full uid
 	seal.sys.I = system.New(seal.sys.user.uid)

-	// pass through enablements
+	// pass through enablements and seccomp
 	seal.et = config.Confinement.Enablements
+	seal.scmp = config.Confinement.Syscall

 	// this method calls all share methods in sequence
 	if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
--- a/internal/app/start.go
+++ b/internal/app/start.go
@@ -76,10 +76,11 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {

 		// send payload
 		if err = a.shim.Serve(shimSetupCtx, &shim.Payload{
-			Argv:  a.seal.command,
-			Exec:  shimExec,
-			Bwrap: a.seal.sys.bwrap,
-			Home:  a.seal.sys.user.data,
+			Argv:    a.seal.command,
+			Exec:    shimExec,
+			Bwrap:   a.seal.sys.bwrap,
+			Home:    a.seal.sys.user.data,
+			Syscall: a.seal.scmp,

 			Verbose: fmsg.Verbose(),
 		}); err != nil {
--- a/internal/proc/priv/shim/payload.go
+++ b/internal/proc/priv/shim/payload.go
@@ -1,6 +1,9 @@
 package shim

-import "git.gensokyo.uk/security/fortify/helper/bwrap"
+import (
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+)

 const Env = "FORTIFY_SHIM"

@@ -15,6 +18,8 @@ type Payload struct {
 	Home string
 	// sync fd
 	Sync *uintptr
+	// seccomp opts pass through
+	Syscall *fst.SyscallConfig

 	// verbosity pass through
 	Verbose bool