sandbox: expose seccomp interface

There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/app/instance/common/container.go

@@ -30,6 +30,8 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 		Hostname:       s.Hostname,
 		SeccompFlags:   s.SeccompFlags,
 		SeccompPresets: s.SeccompPresets,
+		RetainSession:  s.Tty,
+		HostNet:        s.Net,
 	}
 
 	{
@@ -41,17 +43,17 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 		container.SeccompFlags |= seccomp.AllowMultiarch
 	}
 
-	if s.Devel {
-		container.Flags |= sandbox.FAllowDevel
+	if !s.SeccompCompat {
+		container.SeccompPresets |= seccomp.PresetExt
 	}
-	if s.Userns {
-		container.Flags |= sandbox.FAllowUserns
+	if !s.Devel {
+		container.SeccompPresets |= seccomp.PresetDenyDevel
 	}
-	if s.Net {
-		container.Flags |= sandbox.FAllowNet
+	if !s.Userns {
+		container.SeccompPresets |= seccomp.PresetDenyNS
 	}
-	if s.Tty {
-		container.Flags |= sandbox.FAllowTTY
+	if !s.Tty {
+		container.SeccompPresets |= seccomp.PresetDenyTTY
 	}
 
 	if s.MapRealUID {

internal/app/internal/setuid/app_nixos_test.go

@@ -6,6 +6,7 @@ import (
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -94,12 +95,11 @@ var testCasesNixos = []sealTestCase{
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
 		&sandbox.Params{
-			Uid:   1971,
-			Gid:   100,
-			Flags: sandbox.FAllowNet | sandbox.FAllowUserns,
-			Dir:   "/var/lib/persist/module/hakurei/0/1",
-			Path:  "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
-			Args:  []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
+			Uid:  1971,
+			Gid:  100,
+			Dir:  "/var/lib/persist/module/hakurei/0/1",
+			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
+			Args: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
@@ -142,6 +142,8 @@ var testCasesNixos = []sealTestCase{
 				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
 				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
 				Tmpfs("/var/run/nscd", 8192, 0755),
+			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel,
+			HostNet:        true,
 		},
 	},
 }

internal/app/internal/setuid/app_pd_test.go

@@ -8,6 +8,7 @@ import (
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -28,10 +29,9 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
 		&sandbox.Params{
-			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
-			Dir:   "/home/chronos",
-			Path:  "/run/current-system/sw/bin/zsh",
-			Args:  []string{"/run/current-system/sw/bin/zsh"},
+			Dir:  "/home/chronos",
+			Path: "/run/current-system/sw/bin/zsh",
+			Args: []string{"/run/current-system/sw/bin/zsh"},
 			Env: []string{
 				"HOME=/home/chronos",
 				"SHELL=/run/current-system/sw/bin/zsh",
@@ -68,6 +68,9 @@ var testCasesPd = []sealTestCase{
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Tmpfs("/var/run/nscd", 8192, 0755),
+			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
+			HostNet:        true,
+			RetainSession:  true,
 		},
 	},
 	{
@@ -164,10 +167,9 @@ var testCasesPd = []sealTestCase{
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
 		&sandbox.Params{
-			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
-			Dir:   "/home/chronos",
-			Path:  "/run/current-system/sw/bin/zsh",
-			Args:  []string{"zsh", "-c", "exec chromium "},
+			Dir:  "/home/chronos",
+			Path: "/run/current-system/sw/bin/zsh",
+			Args: []string{"zsh", "-c", "exec chromium "},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
@@ -215,6 +217,9 @@ var testCasesPd = []sealTestCase{
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
 				Tmpfs("/var/run/nscd", 8192, 0755),
+			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
+			HostNet:        true,
+			RetainSession:  true,
 		},
 	},
 }