helper/bwrap: integrate seccomp into helper interface
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>
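--- /dev/null
+++ b/helper/bwrap/seccomp-resolve.go
@@ -0,0 +1,95 @@
+package bwrap
+
+import (
+"fmt"
+"io"
+"os"
+
+"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+type SyscallPolicy struct {
+DenyDevel bool `json:"deny_devel"`
+Multiarch bool `json:"multiarch"`
+Linux32 bool `json:"linux32"`
+Can bool `json:"can"`
+Bluetooth bool `json:"bluetooth"`
+}
+
+type seccompBuilder struct {
+config *Config
+}
+
+func (s *seccompBuilder) Len() int {
+if s == nil {
+return 0
+}
+return 2
+}
+
+func (s *seccompBuilder) Append(args *[]string, extraFiles *[]*os.File) error {
+if s == nil {
+return nil
+}
+if f, err := s.config.resolveSeccomp(); err != nil {
+return err
+} else {
+extraFile(args, extraFiles, positionalArgs[Seccomp], f)
+return nil
+}
+}
+
+func (c *Config) resolveSeccomp() (*os.File, error) {
+if c.Syscall == nil {
+return nil, nil
+}
+
+// resolve seccomp filter opts
+var (
+opts syscallOpts
+optd []string
+optCond = [...]struct {
+v bool
+o syscallOpts
+d string
+}{
+{!c.UserNS, flagDenyNS, "denyns"},
+{c.NewSession, flagDenyTTY, "denytty"},
+{c.Syscall.DenyDevel, flagDenyDevel, "denydevel"},
+{c.Syscall.Multiarch, flagMultiarch, "multiarch"},
+{c.Syscall.Linux32, flagLinux32, "linux32"},
+{c.Syscall.Can, flagCan, "can"},
+{c.Syscall.Bluetooth, flagBluetooth, "bluetooth"},
+}
+)
+if CPrintln != nil {
+optd = make([]string, 1, len(optCond)+1)
+optd[0] = "common"
+}
+for _, opt := range optCond {
+if opt.v {
+opts |= opt.o
+if fmsg.Verbose() {
+optd = append(optd, opt.d)
+}
+}
+}
+if CPrintln != nil {
+CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
+}
+
+// export seccomp filter to tmpfile
+if f, err := tmpfile(); err != nil {
+return nil, err
+} else {
+return f, exportAndSeek(f, opts)
+}
+}
+
+func exportAndSeek(f *os.File, opts syscallOpts) error {
+if err := exportFilter(f.Fd(), opts); err != nil {
+return err
+}
+_, err := f.Seek(0, io.SeekStart)
+return err
+}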
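Review bot: `return f, exportAndSeek(f, opts)` at the end of resolveSeccomp hands the caller a non-nil *os.File together with the error, and Append then returns that error without closing it, so a failed exportFilter or Seek leaks the temp file descriptor; close it on that path with `if err := exportAndSeek(f, opts); err != nil { _ = f.Close(); return nil, err }` followed by `return f, nil`. Separately, when c.Syscall is nil resolveSeccomp returns (nil, nil) but Append still calls extraFile with a nil file while Len reports 2 argument slots; unless extraFile tolerates a nil file (its body is not in this commit) bwrap is handed a --seccomp argument with no backing fd, so Append should return early on `f == nil`. Note also that the denyns and denytty flags derived from UserNS and NewSession are only applied when a Syscall policy is set, so a Config with Syscall nil runs with no seccomp filter at all and nothing logs that; a doc comment on SyscallPolicy stating that a nil policy disables the filter entirely (including denyns/denytty) would make that tradeoff visible to callers.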