diff --git a/internal/app/internal/setuid/shim.go b/internal/app/internal/setuid/shim.go
index 196fcfe..100cf1c 100644
--- a/internal/app/internal/setuid/shim.go
+++ b/internal/app/internal/setuid/shim.go
@@ -163,7 +163,10 @@ func ShimMain() {
 		hlog.PrintBaseError(err, "cannot configure container:")
 	}
 
-	if err := seccomp.Load(seccomp.PresetStrict, seccomp.AllowMultiarch); err != nil {
+	if err := seccomp.Load(
+		seccomp.Preset(seccomp.PresetStrict, seccomp.AllowMultiarch),
+		seccomp.AllowMultiarch,
+	); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 
diff --git a/sandbox/init.go b/sandbox/init.go
index 9828ada..4fcdd9c 100644
--- a/sandbox/init.go
+++ b/sandbox/init.go
@@ -237,7 +237,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		log.Fatalf("cannot capset: %v", err)
 	}
 
-	if err := seccomp.Load(params.Flags.seccomp(params.SeccompPresets), params.SeccompFlags); err != nil {
+	if err := seccomp.Load(seccomp.Preset(params.Flags.seccomp(params.SeccompPresets), params.SeccompFlags), params.SeccompFlags); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 
diff --git a/sandbox/seccomp/libseccomp_test.go b/sandbox/seccomp/libseccomp_test.go
index 236a8d8..a4ca9a1 100644
--- a/sandbox/seccomp/libseccomp_test.go
+++ b/sandbox/seccomp/libseccomp_test.go
@@ -88,7 +88,7 @@ func TestExport(t *testing.T) {
 	buf := make([]byte, 8)
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			e := New(tc.presets, tc.flags)
+			e := New(Preset(tc.presets, tc.flags), tc.flags)
 			digest := sha512.New()
 			if _, err := io.CopyBuffer(digest, e, buf); (err != nil) != tc.wantErr {
 
@@ -107,7 +107,7 @@ func TestExport(t *testing.T) {
 	}
 
 	t.Run("close without use", func(t *testing.T) {
-		e := New(0, 0)
+		e := New(Preset(0, 0), 0)
 		if err := e.Close(); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("Close: error = %v", err)
 			return
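Review bot: The same flag value now has to be passed twice, once to `seccomp.Preset` and once to `seccomp.Load`, and nothing checks that the two agree; the same pattern appears in sandbox/init.go (`params.SeccompFlags` twice) and in the BenchmarkExport hunk of libseccomp_test.go. If the two ever drift apart, the rules built by Preset and the filter prepared by Load would describe different policies, and the call site gives no hint that they are coupled. Hoisting the value into one local keeps the coupling visible: `flags := seccomp.AllowMultiarch` followed by `if err := seccomp.Load(seccomp.Preset(seccomp.PresetStrict, flags), flags); err != nil {`. ShimMain starts and ends outside the hunk.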
@@ -115,7 +115,7 @@ func TestExport(t *testing.T) {
 	})
 
 	t.Run("close partial read", func(t *testing.T) {
-		e := New(0, 0)
+		e := New(Preset(0, 0), 0)
 		if _, err := e.Read(nil); err != nil {
 			t.Errorf("Read: error = %v", err)
 			return
@@ -133,8 +133,9 @@ func TestExport(t *testing.T) {
 func BenchmarkExport(b *testing.B) {
 	buf := make([]byte, 8)
 	for i := 0; i < b.N; i++ {
-		e := New(PresetExt|
-			PresetDenyNS|PresetDenyTTY|PresetDenyDevel|PresetLinux32,
+		e := New(
+			Preset(PresetExt|PresetDenyNS|PresetDenyTTY|PresetDenyDevel|PresetLinux32,
+				AllowMultiarch|AllowCAN|AllowBluetooth),
 			AllowMultiarch|AllowCAN|AllowBluetooth)
 		if _, err := io.CopyBuffer(io.Discard, e, buf); err != nil {
 			b.Fatalf("cannot export: %v", err)
diff --git a/sandbox/seccomp/presets.go b/sandbox/seccomp/presets.go
index cb86864..c3b8f04 100644
--- a/sandbox/seccomp/presets.go
+++ b/sandbox/seccomp/presets.go
@@ -21,7 +21,7 @@ const (
 	PresetLinux32
 )
 
-func preparePreset(fd int, presets FilterPreset, flags PrepareFlag) error {
+func Preset(presets FilterPreset, flags PrepareFlag) (rules []NativeRule) {
 	allowedPersonality := PER_LINUX
 	if presets&PresetLinux32 != 0 {
 		allowedPersonality = PER_LINUX32
@@ -51,7 +51,7 @@ func preparePreset(fd int, presets FilterPreset, flags PrepareFlag) error {
 		}
 	}
 
-	rules := make([]NativeRule, 0, l)
+	rules = make([]NativeRule, 0, l)
 	rules = append(rules, presetCommon...)
 	if presets&PresetDenyNS != 0 {
 		rules = append(rules, presetNamespace...)
@@ -75,7 +75,7 @@ func preparePreset(fd int, presets FilterPreset, flags PrepareFlag) error {
 		}
 	}
 
-	return Prepare(fd, rules, flags)
+	return
 }
 
 var (
diff --git a/sandbox/seccomp/proc.go b/sandbox/seccomp/proc.go
index 2541782..51c3bce 100644
--- a/sandbox/seccomp/proc.go
+++ b/sandbox/seccomp/proc.go
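Review bot: `Preset` becomes an exported function in the @@ -21 hunk of presets.go but carries no doc comment, so the package API does not say that the returned slice is what `Load`, `New` and `NewFile` expect, nor whether flags is meant to match the value later handed to those functions (every call site in this commit passes the same value, which suggests it is). A comment such as `// Preset returns the native rules selected by presets and flags, starting from the common rule set.` would close that gap, with a sentence on the flags relationship once it is confirmed. The named result `rules` exists only to permit the bare `return` in the @@ -75 hunk, which in a function this long hides what is returned; `func Preset(presets FilterPreset, flags PrepareFlag) []NativeRule {` with `rules := make([]NativeRule, 0, l)` and `return rules` reads more plainly. The body of Preset runs between and beyond these hunks.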
@@ -13,14 +13,10 @@ const (
 )
 
 // New returns an inactive Encoder instance.
-func New(presets FilterPreset, flags PrepareFlag) *Encoder {
-	return &Encoder{newExporter(presets, flags)}
-}
+func New(rules []NativeRule, flags PrepareFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
 
 // Load loads a filter into the kernel.
-func Load(presets FilterPreset, flags PrepareFlag) error {
-	return preparePreset(-1, presets, flags)
-}
+func Load(rules []NativeRule, flags PrepareFlag) error { return Prepare(-1, rules, flags) }
 
 /*
 An Encoder writes a BPF program to an output stream.
@@ -50,20 +46,20 @@ func (e *Encoder) Close() error {
 }
 
 // NewFile returns an instance of exporter implementing [proc.File].
-func NewFile(presets FilterPreset, flags PrepareFlag) proc.File {
-	return &File{presets: presets, flags: flags}
+func NewFile(rules []NativeRule, flags PrepareFlag) proc.File {
+	return &File{rules: rules, flags: flags}
 }
 
 // File implements [proc.File] and provides access to the read end of exporter pipe.
 type File struct {
-	presets FilterPreset
-	flags   PrepareFlag
+	rules []NativeRule
+	flags PrepareFlag
 	proc.BaseFile
 }
 
 func (f *File) ErrCount() int { return 2 }
 func (f *File) Fulfill(ctx context.Context, dispatchErr func(error)) error {
-	e := newExporter(f.presets, f.flags)
+	e := newExporter(f.rules, f.flags)
 	if err := e.prepare(); err != nil {
 		return err
 	}
diff --git a/sandbox/seccomp/seccomp.go b/sandbox/seccomp/seccomp.go
index adbe4d0..c538e4e 100644
--- a/sandbox/seccomp/seccomp.go
+++ b/sandbox/seccomp/seccomp.go
@@ -8,9 +8,9 @@ import (
 )
 
 type exporter struct {
-	presets FilterPreset
-	flags   PrepareFlag
-	r, w    *os.File
+	rules []NativeRule
+	flags PrepareFlag
+	r, w  *os.File
 
 	prepareOnce sync.Once
 	prepareErr  error
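Review bot: `Load` now installs whatever slice it is given, so the common rules that `preparePreset` used to add unconditionally are only present when the caller builds the slice with `Preset`; a nil or hand-assembled slice goes straight to `Prepare` and the hunk adds no check or documentation for that case. What `Prepare(-1, nil, flags)` does is not visible here, but a filter that differs from the intended one is the kind of mistake that surfaces only on audit. The doc comment could state the contract: `// Load installs a filter built from rules into the kernel; rules is normally the result of [Preset], which starts from the common rule set.` The same applies to `New` in this hunk and `NewFile` in the @@ -50 hunk.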
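Review bot: `File` keeps the caller's `rules` slice by reference in `NewFile`, and `Fulfill` later forwards it to `newExporter`, whose `prepare` reads it from a goroutine (seccomp.go, @@ -30 hunk); the same holds for `newExporter` itself in the @@ -55 hunk of seccomp.go. A caller that appends to or edits the slice after constructing the File changes the filter that eventually gets loaded, which the doc comment does not warn about. Either copy at the boundary, `return &File{rules: append([]NativeRule(nil), rules...), flags: flags}` (and likewise in newExporter), or add `// rules must not be modified after the call.` to the NewFile and New comments. Fulfill continues past the end of the hunk.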
@@ -30,7 +30,7 @@ func (e *exporter) prepare() error {
 
 	ec := make(chan error, 1)
 	go func(fd uintptr) {
-		ec <- preparePreset(int(fd), e.presets, e.flags)
+		ec <- Prepare(int(fd), e.rules, e.flags)
 		close(ec)
 		_ = e.closeWrite()
 		runtime.KeepAlive(e.w)
@@ -55,6 +55,6 @@ func (e *exporter) closeWrite() error {
 	return e.closeErr
 }
 
-func newExporter(presets FilterPreset, flags PrepareFlag) *exporter {
-	return &exporter{presets: presets, flags: flags}
+func newExporter(rules []NativeRule, flags PrepareFlag) *exporter {
+	return &exporter{rules: rules, flags: flags}
 }