treewide: rename to hakurei
Fortify makes little sense for a container tool. Signed-off-by: Ophestra <cat@gensokyo.uk>
@@ -5,7 +5,7 @@ import (
|
||||
"errors"
|
||||
"syscall"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/helper/proc"
|
||||
"git.gensokyo.uk/security/hakurei/helper/proc"
|
||||
)
|
||||
|
||||
const (
|
||||
|
||||
@@ -8,7 +8,7 @@ import (
|
||||
"syscall"
|
||||
"testing"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
|
||||
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
|
||||
)
|
||||
|
||||
func TestExport(t *testing.T) {
|
||||
@@ -72,7 +72,7 @@ func TestExport(t *testing.T) {
|
||||
0x80, 0x8b, 0x1a, 0x6f, 0x84, 0xf3, 0x2b, 0xbd,
|
||||
0xe1, 0xaa, 0x02, 0xae, 0x30, 0xee, 0xdc, 0xfa,
|
||||
}, false},
|
||||
{"fortify default", seccomp.FilterExt | seccomp.FilterDenyDevel, []byte{
|
||||
{"hakurei default", seccomp.FilterExt | seccomp.FilterDenyDevel, []byte{
|
||||
0xc6, 0x98, 0xb0, 0x81, 0xff, 0x95, 0x7a, 0xfe,
|
||||
0x17, 0xa6, 0xd9, 0x43, 0x74, 0x53, 0x7d, 0x37,
|
||||
0xf2, 0xa6, 0x3f, 0x6f, 0x9d, 0xd7, 0x5d, 0xa7,
|
||||
|
||||
@@ -22,8 +22,8 @@ func GetOutput() func(v ...any) {
|
||||
}
|
||||
}
|
||||
|
||||
//export f_println
|
||||
func f_println(v *C.char) {
|
||||
//export hakurei_println
|
||||
func hakurei_println(v *C.char) {
|
||||
if fp := printlnP.Load(); fp != nil {
|
||||
(*fp)(C.GoString(v))
|
||||
}
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
#error This package requires libseccomp >= v2.5.1
|
||||
#endif
|
||||
|
||||
struct f_syscall_act {
|
||||
struct hakurei_syscall_act {
|
||||
int syscall;
|
||||
int m_errno;
|
||||
struct scmp_arg_cmp *arg;
|
||||
@@ -28,8 +28,8 @@ struct f_syscall_act {
|
||||
|
||||
#define SECCOMP_RULESET_ADD(ruleset) \
|
||||
do { \
|
||||
if (opts & F_VERBOSE) \
|
||||
f_println("adding seccomp ruleset \"" #ruleset "\""); \
|
||||
if (opts & HAKUREI_VERBOSE) \
|
||||
hakurei_println("adding seccomp ruleset \"" #ruleset "\""); \
|
||||
for (int i = 0; i < LEN(ruleset); i++) { \
|
||||
assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \
|
||||
\
|
||||
@@ -50,18 +50,18 @@ struct f_syscall_act {
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
f_filter_opts opts) {
|
||||
int32_t hakurei_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
hakurei_filter_opts opts) {
|
||||
int32_t res = 0; /* refer to resPrefix for message */
|
||||
int allow_multiarch = opts & F_MULTIARCH;
|
||||
int allow_multiarch = opts & HAKUREI_MULTIARCH;
|
||||
int allowed_personality = PER_LINUX;
|
||||
|
||||
if (opts & F_LINUX32)
|
||||
if (opts & HAKUREI_LINUX32)
|
||||
allowed_personality = PER_LINUX32;
|
||||
|
||||
/* flatpak commit 4c3bf179e2e4a2a298cd1db1d045adaf3f564532 */
|
||||
|
||||
struct f_syscall_act deny_common[] = {
|
||||
struct hakurei_syscall_act deny_common[] = {
|
||||
/* Block dmesg */
|
||||
{SCMP_SYS(syslog), EPERM},
|
||||
/* Useless old syscall */
|
||||
@@ -84,8 +84,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
{SCMP_SYS(migrate_pages), EPERM},
|
||||
};
|
||||
|
||||
/* fortify: project-specific extensions */
|
||||
struct f_syscall_act deny_common_ext[] = {
|
||||
/* hakurei: project-specific extensions */
|
||||
struct hakurei_syscall_act deny_common_ext[] = {
|
||||
/* system calls for changing the system clock */
|
||||
{SCMP_SYS(adjtimex), EPERM},
|
||||
{SCMP_SYS(clock_adjtime), EPERM},
|
||||
@@ -109,7 +109,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
{SCMP_SYS(swapon), EPERM},
|
||||
};
|
||||
|
||||
struct f_syscall_act deny_ns[] = {
|
||||
struct hakurei_syscall_act deny_ns[] = {
|
||||
/* Don't allow subnamespace setups: */
|
||||
{SCMP_SYS(unshare), EPERM},
|
||||
{SCMP_SYS(setns), EPERM},
|
||||
@@ -149,8 +149,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
{SCMP_SYS(mount_setattr), ENOSYS},
|
||||
};
|
||||
|
||||
/* fortify: project-specific extensions */
|
||||
struct f_syscall_act deny_ns_ext[] = {
|
||||
/* hakurei: project-specific extensions */
|
||||
struct hakurei_syscall_act deny_ns_ext[] = {
|
||||
/* changing file ownership */
|
||||
{SCMP_SYS(chown), EPERM},
|
||||
{SCMP_SYS(chown32), EPERM},
|
||||
@@ -177,7 +177,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
{SCMP_SYS(setuid32), EPERM},
|
||||
};
|
||||
|
||||
struct f_syscall_act deny_tty[] = {
|
||||
struct hakurei_syscall_act deny_tty[] = {
|
||||
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
|
||||
{SCMP_SYS(ioctl), EPERM,
|
||||
&SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
|
||||
@@ -188,7 +188,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
&SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCLINUX)},
|
||||
};
|
||||
|
||||
struct f_syscall_act deny_devel[] = {
|
||||
struct hakurei_syscall_act deny_devel[] = {
|
||||
/* Profiling operations; we expect these to be done by tools from outside
|
||||
* the sandbox. In particular perf has been the source of many CVEs. */
|
||||
{SCMP_SYS(perf_event_open), EPERM},
|
||||
@@ -198,7 +198,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
|
||||
{SCMP_SYS(ptrace), EPERM}};
|
||||
|
||||
struct f_syscall_act deny_emu[] = {
|
||||
struct hakurei_syscall_act deny_emu[] = {
|
||||
/* modify_ldt is a historic source of interesting information leaks,
|
||||
* so it's disabled as a hardening measure.
|
||||
* However, it is required to run old 16-bit applications
|
||||
@@ -206,8 +206,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
{SCMP_SYS(modify_ldt), EPERM},
|
||||
};
|
||||
|
||||
/* fortify: project-specific extensions */
|
||||
struct f_syscall_act deny_emu_ext[] = {
|
||||
/* hakurei: project-specific extensions */
|
||||
struct hakurei_syscall_act deny_emu_ext[] = {
|
||||
{SCMP_SYS(subpage_prot), ENOSYS},
|
||||
{SCMP_SYS(switch_endian), ENOSYS},
|
||||
{SCMP_SYS(vm86), ENOSYS},
|
||||
@@ -217,7 +217,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
/* Blocklist all but unix, inet, inet6 and netlink */
|
||||
struct {
|
||||
int family;
|
||||
f_filter_opts flags_mask;
|
||||
hakurei_filter_opts flags_mask;
|
||||
} socket_family_allowlist[] = {
|
||||
/* NOTE: Keep in numerical order */
|
||||
{AF_UNSPEC, 0},
|
||||
@@ -225,8 +225,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
{AF_INET, 0},
|
||||
{AF_INET6, 0},
|
||||
{AF_NETLINK, 0},
|
||||
{AF_CAN, F_CAN},
|
||||
{AF_BLUETOOTH, F_BLUETOOTH},
|
||||
{AF_CAN, HAKUREI_CAN},
|
||||
{AF_BLUETOOTH, HAKUREI_BLUETOOTH},
|
||||
};
|
||||
|
||||
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
|
||||
@@ -260,17 +260,17 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
}
|
||||
|
||||
SECCOMP_RULESET_ADD(deny_common);
|
||||
if (opts & F_DENY_NS)
|
||||
if (opts & HAKUREI_DENY_NS)
|
||||
SECCOMP_RULESET_ADD(deny_ns);
|
||||
if (opts & F_DENY_TTY)
|
||||
if (opts & HAKUREI_DENY_TTY)
|
||||
SECCOMP_RULESET_ADD(deny_tty);
|
||||
if (opts & F_DENY_DEVEL)
|
||||
if (opts & HAKUREI_DENY_DEVEL)
|
||||
SECCOMP_RULESET_ADD(deny_devel);
|
||||
if (!allow_multiarch)
|
||||
SECCOMP_RULESET_ADD(deny_emu);
|
||||
if (opts & F_EXT) {
|
||||
if (opts & HAKUREI_EXT) {
|
||||
SECCOMP_RULESET_ADD(deny_common_ext);
|
||||
if (opts & F_DENY_NS)
|
||||
if (opts & HAKUREI_DENY_NS)
|
||||
SECCOMP_RULESET_ADD(deny_ns_ext);
|
||||
if (!allow_multiarch)
|
||||
SECCOMP_RULESET_ADD(deny_emu_ext);
|
||||
|
||||
@@ -7,17 +7,17 @@
|
||||
#endif
|
||||
|
||||
typedef enum {
|
||||
F_VERBOSE = 1 << 0,
|
||||
F_EXT = 1 << 1,
|
||||
F_DENY_NS = 1 << 2,
|
||||
F_DENY_TTY = 1 << 3,
|
||||
F_DENY_DEVEL = 1 << 4,
|
||||
F_MULTIARCH = 1 << 5,
|
||||
F_LINUX32 = 1 << 6,
|
||||
F_CAN = 1 << 7,
|
||||
F_BLUETOOTH = 1 << 8,
|
||||
} f_filter_opts;
|
||||
HAKUREI_VERBOSE = 1 << 0,
|
||||
HAKUREI_EXT = 1 << 1,
|
||||
HAKUREI_DENY_NS = 1 << 2,
|
||||
HAKUREI_DENY_TTY = 1 << 3,
|
||||
HAKUREI_DENY_DEVEL = 1 << 4,
|
||||
HAKUREI_MULTIARCH = 1 << 5,
|
||||
HAKUREI_LINUX32 = 1 << 6,
|
||||
HAKUREI_CAN = 1 << 7,
|
||||
HAKUREI_BLUETOOTH = 1 << 8,
|
||||
} hakurei_filter_opts;
|
||||
|
||||
extern void f_println(char *v);
|
||||
int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
f_filter_opts opts);
|
||||
extern void hakurei_println(char *v);
|
||||
int32_t hakurei_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
|
||||
hakurei_filter_opts opts);
|
||||
@@ -57,26 +57,26 @@ var resPrefix = [...]string{
|
||||
7: "seccomp_load failed",
|
||||
}
|
||||
|
||||
type FilterOpts = C.f_filter_opts
|
||||
type FilterOpts = C.hakurei_filter_opts
|
||||
|
||||
const (
|
||||
filterVerbose FilterOpts = C.F_VERBOSE
|
||||
filterVerbose FilterOpts = C.HAKUREI_VERBOSE
|
||||
// FilterExt are project-specific extensions.
|
||||
FilterExt FilterOpts = C.F_EXT
|
||||
FilterExt FilterOpts = C.HAKUREI_EXT
|
||||
// FilterDenyNS denies namespace setup syscalls.
|
||||
FilterDenyNS FilterOpts = C.F_DENY_NS
|
||||
FilterDenyNS FilterOpts = C.HAKUREI_DENY_NS
|
||||
// FilterDenyTTY denies faking input.
|
||||
FilterDenyTTY FilterOpts = C.F_DENY_TTY
|
||||
FilterDenyTTY FilterOpts = C.HAKUREI_DENY_TTY
|
||||
// FilterDenyDevel denies development-related syscalls.
|
||||
FilterDenyDevel FilterOpts = C.F_DENY_DEVEL
|
||||
FilterDenyDevel FilterOpts = C.HAKUREI_DENY_DEVEL
|
||||
// FilterMultiarch allows multiarch/emulation.
|
||||
FilterMultiarch FilterOpts = C.F_MULTIARCH
|
||||
FilterMultiarch FilterOpts = C.HAKUREI_MULTIARCH
|
||||
// FilterLinux32 sets PER_LINUX32.
|
||||
FilterLinux32 FilterOpts = C.F_LINUX32
|
||||
FilterLinux32 FilterOpts = C.HAKUREI_LINUX32
|
||||
// FilterCan allows AF_CAN.
|
||||
FilterCan FilterOpts = C.F_CAN
|
||||
FilterCan FilterOpts = C.HAKUREI_CAN
|
||||
// FilterBluetooth allows AF_BLUETOOTH.
|
||||
FilterBluetooth FilterOpts = C.F_BLUETOOTH
|
||||
FilterBluetooth FilterOpts = C.HAKUREI_BLUETOOTH
|
||||
)
|
||||
|
||||
func buildFilter(fd int, opts FilterOpts) error {
|
||||
@@ -98,13 +98,13 @@ func buildFilter(fd int, opts FilterOpts) error {
|
||||
}
|
||||
|
||||
// this removes repeated transitions between C and Go execution
|
||||
// when producing log output via F_println and CPrintln is nil
|
||||
// when producing log output via hakurei_println and CPrintln is nil
|
||||
if fp := printlnP.Load(); fp != nil {
|
||||
opts |= filterVerbose
|
||||
}
|
||||
|
||||
var ret C.int
|
||||
res, err := C.f_build_filter(&ret, C.int(fd), arch, multiarch, opts)
|
||||
res, err := C.hakurei_build_filter(&ret, C.int(fd), arch, multiarch, opts)
|
||||
if prefix := resPrefix[res]; prefix != "" {
|
||||
return &LibraryError{
|
||||
prefix,
|
||||
|
||||
@@ -6,7 +6,7 @@ import (
|
||||
"syscall"
|
||||
"testing"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
|
||||
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
|
||||
)
|
||||
|
||||
func TestLibraryError(t *testing.T) {
|
||||
|
||||