internal/pkg: export seccomp presets
All checks were successful
Test / Create distribution (push) Successful in 1m0s
Test / Sandbox (push) Successful in 2m38s
Test / Hakurei (push) Successful in 3m48s
Test / ShareFS (push) Successful in 3m58s
Test / Hpkg (push) Successful in 4m25s
Test / Sandbox (race detector) (push) Successful in 5m0s
Test / Hakurei (race detector) (push) Successful in 6m11s
Test / Flake checks (push) Successful in 1m41s
All checks were successful
Test / Create distribution (push) Successful in 1m0s
Test / Sandbox (push) Successful in 2m38s
Test / Hakurei (push) Successful in 3m48s
Test / ShareFS (push) Successful in 3m58s
Test / Hpkg (push) Successful in 4m25s
Test / Sandbox (race detector) (push) Successful in 5m0s
Test / Hakurei (race detector) (push) Successful in 6m11s
Test / Flake checks (push) Successful in 1m41s
This is useful for external tooling providing an execArtifact-like environment. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -365,6 +365,10 @@ func scanVerbose(
|
||||
}
|
||||
}
|
||||
|
||||
// SeccompPresets is the [seccomp] presets used by exec artifacts.
|
||||
const SeccompPresets = std.PresetStrict &
|
||||
^(std.PresetDenyNS | std.PresetDenyDevel)
|
||||
|
||||
// cure is like Cure but allows optional host net namespace. This is used for
|
||||
// the [KnownChecksum] variant where networking is allowed.
|
||||
func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
|
||||
@@ -388,8 +392,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
|
||||
|
||||
z := container.New(ctx, f.GetMessage())
|
||||
z.WaitDelay = execWaitDelay
|
||||
z.SeccompPresets |= std.PresetStrict &
|
||||
^(std.PresetDenyNS | std.PresetDenyDevel)
|
||||
z.SeccompPresets = SeccompPresets
|
||||
z.SeccompFlags |= seccomp.AllowMultiarch
|
||||
z.ParentPerm = 0700
|
||||
z.HostNet = hostNet
|
||||
|
||||
Reference in New Issue
Block a user