container: move seccomp preset bits

This allows holding the bits without cgo. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-10-07 18:28:20 +09:00
parent 2489766efe
commit 3ce63e95d7
15 changed files with 116 additions and 98 deletions
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@@ -15,7 +15,7 @@ import (
 	"time"

 	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
+	"hakurei.app/container/bits"
 	"hakurei.app/hst"
 	"hakurei.app/internal/app/state"
 	"hakurei.app/system"
@@ -109,7 +109,7 @@ func TestApp(t *testing.T) {
 					Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 					Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
 					Remount(m("/"), syscall.MS_RDONLY),
-				SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
+				SeccompPresets: bits.PresetExt | bits.PresetDenyDevel,
 				HostNet:        true,
 				HostAbstract:   true,
 				RetainSession:  true,
@@ -282,7 +282,7 @@ func TestApp(t *testing.T) {
 					Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
 					Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/run/dbus/system_bus_socket"), 0).
 					Remount(m("/"), syscall.MS_RDONLY),
-				SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
+				SeccompPresets: bits.PresetExt | bits.PresetDenyDevel,
 				HostNet:        true,
 				HostAbstract:   true,
 				RetainSession:  true,
@@ -432,7 +432,7 @@ func TestApp(t *testing.T) {
 					Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/bus"), m("/run/user/1971/bus"), 0).
 					Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket"), m("/run/dbus/system_bus_socket"), 0).
 					Remount(m("/"), syscall.MS_RDONLY),
-				SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel,
+				SeccompPresets: bits.PresetExt | bits.PresetDenyTTY | bits.PresetDenyDevel,
 				HostNet:        true,
 				ForwardCancel:  true,
 			},
--- a/internal/app/shim.go
+++ b/internal/app/shim.go
@@ -14,6 +14,7 @@ import (
 	"time"

 	"hakurei.app/container"
+	"hakurei.app/container/bits"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 )
@@ -150,7 +151,7 @@ func ShimMain() {
 	}

 	if err := seccomp.Load(
-		seccomp.Preset(seccomp.PresetStrict, seccomp.AllowMultiarch),
+		seccomp.Preset(bits.PresetStrict, seccomp.AllowMultiarch),
 		seccomp.AllowMultiarch,
 	); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)
--- a/internal/app/spcontainer.go
+++ b/internal/app/spcontainer.go
@@ -8,6 +8,7 @@ import (
 	"syscall"

 	"hakurei.app/container"
+	"hakurei.app/container/bits"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/system/dbus"
@@ -64,16 +65,16 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
 	}

 	if !state.Container.SeccompCompat {
-		state.params.SeccompPresets |= seccomp.PresetExt
+		state.params.SeccompPresets |= bits.PresetExt
 	}
 	if !state.Container.Devel {
-		state.params.SeccompPresets |= seccomp.PresetDenyDevel
+		state.params.SeccompPresets |= bits.PresetDenyDevel
 	}
 	if !state.Container.Userns {
-		state.params.SeccompPresets |= seccomp.PresetDenyNS
+		state.params.SeccompPresets |= bits.PresetDenyNS
 	}
 	if !state.Container.Tty {
-		state.params.SeccompPresets |= seccomp.PresetDenyTTY
+		state.params.SeccompPresets |= bits.PresetDenyTTY
 	}

 	if state.Container.MapRealUID {