sandbox/seccomp: native rule slice in helpers

These helper functions took FilterPreset as input for ease of integration. This moves them to []NativeRule.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/app/internal/setuid/shim.go

@@ -163,7 +163,10 @@ func ShimMain() {
 		hlog.PrintBaseError(err, "cannot configure container:")
 	}
 
-	if err := seccomp.Load(seccomp.PresetStrict, seccomp.AllowMultiarch); err != nil {
+	if err := seccomp.Load(
+		seccomp.Preset(seccomp.PresetStrict, seccomp.AllowMultiarch),
+		seccomp.AllowMultiarch,
+	); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 

sandbox/init.go

@@ -237,7 +237,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		log.Fatalf("cannot capset: %v", err)
 	}
 
-	if err := seccomp.Load(params.Flags.seccomp(params.SeccompPresets), params.SeccompFlags); err != nil {
+	if err := seccomp.Load(seccomp.Preset(params.Flags.seccomp(params.SeccompPresets), params.SeccompFlags), params.SeccompFlags); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 

sandbox/seccomp/libseccomp_test.go

@@ -88,7 +88,7 @@ func TestExport(t *testing.T) {
 	buf := make([]byte, 8)
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			e := New(tc.presets, tc.flags)
+			e := New(Preset(tc.presets, tc.flags), tc.flags)
 			digest := sha512.New()
 
 			if _, err := io.CopyBuffer(digest, e, buf); (err != nil) != tc.wantErr {
@@ -107,7 +107,7 @@ func TestExport(t *testing.T) {
 	}
 
 	t.Run("close without use", func(t *testing.T) {
-		e := New(0, 0)
+		e := New(Preset(0, 0), 0)
 		if err := e.Close(); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("Close: error = %v", err)
 			return
@@ -115,7 +115,7 @@ func TestExport(t *testing.T) {
 	})
 
 	t.Run("close partial read", func(t *testing.T) {
-		e := New(0, 0)
+		e := New(Preset(0, 0), 0)
 		if _, err := e.Read(nil); err != nil {
 			t.Errorf("Read: error = %v", err)
 			return
@@ -133,8 +133,9 @@ func TestExport(t *testing.T) {
 func BenchmarkExport(b *testing.B) {
 	buf := make([]byte, 8)
 	for i := 0; i < b.N; i++ {
-		e := New(PresetExt|
+		e := New(
-			PresetDenyNS|PresetDenyTTY|PresetDenyDevel|PresetLinux32,
+			Preset(PresetExt|PresetDenyNS|PresetDenyTTY|PresetDenyDevel|PresetLinux32,
+				AllowMultiarch|AllowCAN|AllowBluetooth),
 			AllowMultiarch|AllowCAN|AllowBluetooth)
 		if _, err := io.CopyBuffer(io.Discard, e, buf); err != nil {
 			b.Fatalf("cannot export: %v", err)

sandbox/seccomp/presets.go

@@ -21,7 +21,7 @@ const (
 	PresetLinux32
 )
 
-func preparePreset(fd int, presets FilterPreset, flags PrepareFlag) error {
+func Preset(presets FilterPreset, flags PrepareFlag) (rules []NativeRule) {
 	allowedPersonality := PER_LINUX
 	if presets&PresetLinux32 != 0 {
 		allowedPersonality = PER_LINUX32
@@ -51,7 +51,7 @@ func preparePreset(fd int, presets FilterPreset, flags PrepareFlag) error {
 		}
 	}
 
-	rules := make([]NativeRule, 0, l)
+	rules = make([]NativeRule, 0, l)
 	rules = append(rules, presetCommon...)
 	if presets&PresetDenyNS != 0 {
 		rules = append(rules, presetNamespace...)
@@ -75,7 +75,7 @@ func preparePreset(fd int, presets FilterPreset, flags PrepareFlag) error {
 		}
 	}
 
-	return Prepare(fd, rules, flags)
+	return
 }
 
 var (

sandbox/seccomp/proc.go

@@ -13,14 +13,10 @@ const (
 )
 
 // New returns an inactive Encoder instance.
-func New(presets FilterPreset, flags PrepareFlag) *Encoder {
+func New(rules []NativeRule, flags PrepareFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
-	return &Encoder{newExporter(presets, flags)}
-}
 
 // Load loads a filter into the kernel.
-func Load(presets FilterPreset, flags PrepareFlag) error {
+func Load(rules []NativeRule, flags PrepareFlag) error { return Prepare(-1, rules, flags) }
-	return preparePreset(-1, presets, flags)
-}
 
 /*
 An Encoder writes a BPF program to an output stream.
@@ -50,20 +46,20 @@ func (e *Encoder) Close() error {
 }
 
 // NewFile returns an instance of exporter implementing [proc.File].
-func NewFile(presets FilterPreset, flags PrepareFlag) proc.File {
+func NewFile(rules []NativeRule, flags PrepareFlag) proc.File {
-	return &File{presets: presets, flags: flags}
+	return &File{rules: rules, flags: flags}
 }
 
 // File implements [proc.File] and provides access to the read end of exporter pipe.
 type File struct {
-	presets FilterPreset
+	rules []NativeRule
-	flags   PrepareFlag
+	flags PrepareFlag
 	proc.BaseFile
 }
 
 func (f *File) ErrCount() int { return 2 }
 func (f *File) Fulfill(ctx context.Context, dispatchErr func(error)) error {
-	e := newExporter(f.presets, f.flags)
+	e := newExporter(f.rules, f.flags)
 	if err := e.prepare(); err != nil {
 		return err
 	}

sandbox/seccomp/seccomp.go

@@ -8,9 +8,9 @@ import (
 )
 
 type exporter struct {
-	presets FilterPreset
+	rules []NativeRule
-	flags   PrepareFlag
+	flags PrepareFlag
-	r, w    *os.File
+	r, w  *os.File
 
 	prepareOnce sync.Once
 	prepareErr  error
@@ -30,7 +30,7 @@ func (e *exporter) prepare() error {
 
 		ec := make(chan error, 1)
 		go func(fd uintptr) {
-			ec <- preparePreset(int(fd), e.presets, e.flags)
+			ec <- Prepare(int(fd), e.rules, e.flags)
 			close(ec)
 			_ = e.closeWrite()
 			runtime.KeepAlive(e.w)
@@ -55,6 +55,6 @@ func (e *exporter) closeWrite() error {
 	return e.closeErr
 }
 
-func newExporter(presets FilterPreset, flags PrepareFlag) *exporter {
+func newExporter(rules []NativeRule, flags PrepareFlag) *exporter {
-	return &exporter{presets: presets, flags: flags}
+	return &exporter{rules: rules, flags: flags}
 }