proc/priv/init: early init check
All checks were successful
Build / Create distribution (push) Successful in 1m39s
Test / Run NixOS test (push) Successful in 3m45s

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 12:23:07 +09:00
parent 7baca66a56
commit b31d055e20
4 changed files with 30 additions and 15 deletions


@@ -125,14 +125,17 @@ func Main() {
}
// bind fortify inside sandbox
innerSbin := path.Join(fst.Tmp, "sbin")
fortifyInnerPath := path.Join(innerSbin, "fortify")
conf.Bind(proc.MustExecutable(), fortifyInnerPath)
conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))
var (
innerSbin = path.Join(fst.Tmp, "sbin")
innerFortify = path.Join(innerSbin, "fortify")
innerInit = path.Join(innerSbin, "init")
)
conf.Bind(proc.MustExecutable(), innerFortify)
conf.Symlink("fortify", innerInit)
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
if b, err := helper.NewBwrap(conf, nil, fortifyInnerPath,
func(int, int) []string { return []string{"init"} }); err != nil {
if b, err := helper.NewBwrap(conf, nil, innerInit,
func(int, int) []string { return make([]string, 0) }); err != nil {
fmsg.Fatalf("malformed sandbox config: %v", err)
} else {
cmd := b.Unwrap()