sandbox: expose seccomp interface

There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 04:38:28 +09:00
parent a6887f7253
commit 31aef905fa
12 changed files with 117 additions and 77 deletions
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@@ -178,7 +178,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
 				t.Run("string", func(t *testing.T) {
 					wantSubstr := fmt.Sprintf("%s -test.run=TestHelperStub -- --args=3 --fd=4", os.Args[0])
 					if useSandbox {
-						wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], flags: 0x0, seccomp: 0x1, presets: 0xf`, os.Args[0])
+						wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], filter: true, rules: 0, flags: 0x1, presets: 0xf`, os.Args[0])
 					}
 					if got := p.String(); !strings.Contains(got, wantSubstr) {
 						t.Errorf("String: %q, want %q",
--- a/dbus/proc.go
+++ b/dbus/proc.go
@@ -67,6 +67,7 @@ func (p *Proxy) Start() error {
 			p.final, true,
 			argF, func(container *sandbox.Container) {
 				container.SeccompFlags |= seccomp.AllowMultiarch
+				container.SeccompPresets |= seccomp.PresetStrict
 				container.Hostname = "hakurei-dbus"
 				container.CommandContext = p.CommandContext
 				if p.output != nil {