security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

dbus: enable syscall filter
All checks were successful
Build / Create distribution (push) Successful in 1m33s
Details
Test / Run NixOS test (push) Successful in 3m42s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-01-22 02:01:01 +09:00
parent 5a64cdaf4f
commit 8c51012ef5
3 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
dbus/run.go
View File

@@ -16,7 +16,7 @@ import (
// Start launches the D-Bus proxy and sets up the Wait method.
// ready should be buffered and must only be received from once.
func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
func (p *Proxy) Start(ready chan error, output io.Writer, sandbox, seccomp bool) error {
p.lock.Lock()
defer p.lock.Unlock()
@@ -67,11 +67,16 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
Unshare: nil,
Hostname: "fortify-dbus",
Chdir: "/",
Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
Clearenv: true,
NewSession: true,
DieWithParent: true,
}
if !seccomp {
bc.Syscall = nil
}
// resolve proxy socket directories
bindTarget := make(map[string]struct{}, 2)
for _, ps := range []string{p.session[1], p.system[1]} {