security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

sandbox: expose seccomp interface
All checks were successful
Test / Create distribution (push) Successful in 31s
Details
Test / Sandbox (push) Successful in 1m59s
Details
Test / Hakurei (push) Successful in 2m47s
Details
Test / Sandbox (race detector) (push) Successful in 3m11s
Details
Test / Planterette (push) Successful in 3m34s
Details
Test / Hakurei (race detector) (push) Successful in 4m22s
Details
Test / Flake checks (push) Successful in 1m8s
Details

Browse Source 
There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-07-02 04:38:28 +09:00
parent a6887f7253
commit 31aef905fa
12 changed files with 117 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ldd/exec.go
View File

@@ -9,6 +9,7 @@ import (
"time"
"git.gensokyo.uk/security/hakurei/sandbox"
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
)
const lddTimeout = 2 * time.Second
@@ -29,6 +30,8 @@ func ExecFilter(ctx context.Context,
container := sandbox.New(c, "ldd", p)
container.CommandContext = commandContext
container.Hostname = "hakurei-ldd"
container.SeccompFlags |= seccomp.AllowMultiarch
container.SeccompPresets |= seccomp.PresetStrict
stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
container.Stdout = stdout
container.Stderr = stderr