helper/bwrap: integrate seccomp into helper interface

This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 01:51:10 +09:00
parent 82029948e6
commit 9a239fa1a5
21 changed files with 224 additions and 187 deletions
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@@ -39,6 +39,7 @@ var testCasesPd = []sealTestCase{
 			Net:      true,
 			UserNS:   true,
 			Clearenv: true,
+			Syscall:  new(bwrap.SyscallPolicy),
 			Chdir:    "/home/chronos",
 			SetEnv: map[string]string{
 				"HOME":              "/home/chronos",
@@ -258,6 +259,7 @@ var testCasesPd = []sealTestCase{
 			UserNS:   true,
 			Chdir:    "/home/chronos",
 			Clearenv: true,
+			Syscall:  new(bwrap.SyscallPolicy),
 			SetEnv: map[string]string{
 				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -14,6 +14,7 @@ import (
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/state"
@@ -52,8 +53,6 @@ type appSeal struct {
 	et system.Enablements
 	// initial config gob encoding buffer
 	ct io.WriterTo
-	// pass-through seccomp config from config
-	scmp *fst.SyscallConfig
 	// wayland socket direct access
 	directWayland bool
 	// extra UpdatePerm ops
@@ -196,6 +195,7 @@ func (a *app) Seal(config *fst.Config) error {
 		conf := &fst.SandboxConfig{
 			UserNS:       true,
 			Net:          true,
+			Syscall:      new(bwrap.SyscallPolicy),
 			NoNewSession: true,
 			AutoEtc:      true,
 		}
@@ -233,12 +233,6 @@ func (a *app) Seal(config *fst.Config) error {
 		conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})

 		config.Confinement.Sandbox = conf
-
-		// ensure syscall filter
-		if config.Confinement.Syscall == nil {
-			config.Confinement.Syscall = new(fst.SyscallConfig)
-			config.Confinement.Syscall.Multiarch = true
-		}
 	}
 	seal.directWayland = config.Confinement.Sandbox.DirectWayland
 	if b, err := config.Confinement.Sandbox.Bwrap(a.os); err != nil {
@@ -259,9 +253,8 @@ func (a *app) Seal(config *fst.Config) error {
 	// initialise system interface with full uid
 	seal.sys.I = system.New(seal.sys.user.uid)

-	// pass through enablements and seccomp
+	// pass through enablements
 	seal.et = config.Confinement.Enablements
-	seal.scmp = config.Confinement.Syscall

 	// this method calls all share methods in sequence
 	if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
--- a/internal/app/start.go
+++ b/internal/app/start.go
@@ -76,11 +76,10 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {

 		// send payload
 		if err = a.shim.Serve(shimSetupCtx, &shim.Payload{
-			Argv:    a.seal.command,
-			Exec:    shimExec,
-			Bwrap:   a.seal.sys.bwrap,
-			Home:    a.seal.sys.user.data,
-			Syscall: a.seal.scmp,
+			Argv:  a.seal.command,
+			Exec:  shimExec,
+			Bwrap: a.seal.sys.bwrap,
+			Home:  a.seal.sys.user.data,

 			Verbose: fmsg.Verbose(),
 		}); err != nil {