security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

cmd/fpkg: expose syscall policy options
All checks were successful
Build / Create distribution (push) Successful in 1m34s
Details
Test / Run NixOS test (push) Successful in 3m44s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-01-22 12:01:30 +09:00
parent 23e1152baa
commit 580128922b
3 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/fpkg/with.go
View File

@@ -5,6 +5,7 @@ import (
"strings"
"git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/internal/fmsg"
)
@@ -34,6 +35,7 @@ func withNixDaemon(
Hostname: formatHostname(app.Name) + "-" + action,
UserNS: true, // nix sandbox requires userns
Net: net,
Syscall: &bwrap.SyscallPolicy{Multiarch: true},
NoNewSession: dropShell,
Filesystem: []*fst.FilesystemConfig{
{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
@@ -65,6 +67,7 @@ func withCacheDir(action string, command []string, workDir string, app *bundleIn
Outer: pathSet.cacheDir, // this also ensures cacheDir via shim
Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(app.Name) + "-" + action,
Syscall: &bwrap.SyscallPolicy{Multiarch: true},
NoNewSession: dropShell,
Filesystem: []*fst.FilesystemConfig{
{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},