From ef80b19f2fbd6953340ff463b865931f32d14fb7 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Wed, 18 Jun 2025 13:43:48 +0900 Subject: [PATCH] treewide: switch to clang-format Signed-off-by: Ophestra --- acl/acl-update.c | 110 +++++----- acl/acl-update.h | 3 +- sandbox/seccomp/seccomp-build.c | 377 +++++++++++++++++--------------- sandbox/seccomp/seccomp-build.h | 24 +- sandbox/wl/wayland-bind.c | 36 +-- sandbox/wl/wayland-bind.h | 3 +- 6 files changed, 293 insertions(+), 260 deletions(-) diff --git a/acl/acl-update.c b/acl/acl-update.c index 1d83c15..be796b5 100644 --- a/acl/acl-update.c +++ b/acl/acl-update.c @@ -1,69 +1,71 @@ #include "acl-update.h" -#include -#include -#include #include +#include +#include +#include -int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen) { - int ret = -1; - bool v; - int i; - acl_t acl; - acl_entry_t entry; - acl_tag_t tag_type; - void *qualifier_p; - acl_permset_t permset; +int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, + size_t plen) { + int ret = -1; + bool v; + int i; + acl_t acl; + acl_entry_t entry; + acl_tag_t tag_type; + void *qualifier_p; + acl_permset_t permset; - acl = acl_get_file(path_p, ACL_TYPE_ACCESS); - if (acl == NULL) - goto out; + acl = acl_get_file(path_p, ACL_TYPE_ACCESS); + if (acl == NULL) + goto out; - // prune entries by uid - for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1; i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) { - if (acl_get_tag_type(entry, &tag_type) != 0) - return -1; - if (tag_type != ACL_USER) - continue; + // prune entries by uid + for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1; + i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) { + if (acl_get_tag_type(entry, &tag_type) != 0) + return -1; + if (tag_type != ACL_USER) + continue; - qualifier_p = acl_get_qualifier(entry); - if (qualifier_p == NULL) - return -1; - v = *(uid_t *)qualifier_p == uid; - acl_free(qualifier_p); + qualifier_p = acl_get_qualifier(entry); + if (qualifier_p == NULL) + return -1; + v = *(uid_t *)qualifier_p == uid; + acl_free(qualifier_p); - if (!v) - continue; + if (!v) + continue; - acl_delete_entry(acl, entry); - } + acl_delete_entry(acl, entry); + } - if (plen == 0) - goto set; + if (plen == 0) + goto set; - if (acl_create_entry(&acl, &entry) != 0) - goto out; - if (acl_get_permset(entry, &permset) != 0) - goto out; - for (i = 0; i < plen; i++) { - if (acl_add_perm(permset, perms[i]) != 0) - goto out; - } - if (acl_set_tag_type(entry, ACL_USER) != 0) - goto out; - if (acl_set_qualifier(entry, (void *)&uid) != 0) - goto out; + if (acl_create_entry(&acl, &entry) != 0) + goto out; + if (acl_get_permset(entry, &permset) != 0) + goto out; + for (i = 0; i < plen; i++) { + if (acl_add_perm(permset, perms[i]) != 0) + goto out; + } + if (acl_set_tag_type(entry, ACL_USER) != 0) + goto out; + if (acl_set_qualifier(entry, (void *)&uid) != 0) + goto out; set: - if (acl_calc_mask(&acl) != 0) - goto out; - if (acl_valid(acl) != 0) - goto out; - if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0) - ret = 0; + if (acl_calc_mask(&acl) != 0) + goto out; + if (acl_valid(acl) != 0) + goto out; + if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0) + ret = 0; out: - free((void *)path_p); - if (acl != NULL) - acl_free((void *)acl); - return ret; + free((void *)path_p); + if (acl != NULL) + acl_free((void *)acl); + return ret; } diff --git a/acl/acl-update.h b/acl/acl-update.h index e758788..fa1541f 100644 --- a/acl/acl-update.h +++ b/acl/acl-update.h @@ -1,3 +1,4 @@ #include -int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen); +int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, + size_t plen); diff --git a/sandbox/seccomp/seccomp-build.c b/sandbox/seccomp/seccomp-build.c index ee2cc63..a6dc40d 100644 --- a/sandbox/seccomp/seccomp-build.c +++ b/sandbox/seccomp/seccomp-build.c @@ -1,224 +1,232 @@ #ifndef _GNU_SOURCE -#define _GNU_SOURCE // CLONE_NEWUSER +#define _GNU_SOURCE /* CLONE_NEWUSER */ #endif #include "seccomp-build.h" -#include -#include #include #include -#include -#include +#include +#include +#include #include #include -#include +#include +#include -#if (SCMP_VER_MAJOR < 2) || \ - (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \ +#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \ (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 5 && SCMP_VER_MICRO < 1) #error This package requires libseccomp >= v2.5.1 #endif struct f_syscall_act { - int syscall; - int m_errno; + int syscall; + int m_errno; struct scmp_arg_cmp *arg; }; #define LEN(arr) (sizeof(arr) / sizeof((arr)[0])) -#define SECCOMP_RULESET_ADD(ruleset) do { \ - if (opts & F_VERBOSE) f_println("adding seccomp ruleset \"" #ruleset "\""); \ - for (int i = 0; i < LEN(ruleset); i++) { \ - assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \ - \ - if (ruleset[i].arg) \ - *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ruleset[i].m_errno), ruleset[i].syscall, 1, *ruleset[i].arg); \ - else \ - *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ruleset[i].m_errno), ruleset[i].syscall, 0); \ - \ - if (*ret_p == -EFAULT) { \ - res = 4; \ - goto out; \ - } else if (*ret_p < 0) { \ - res = 5; \ - goto out; \ - } \ - } \ -} while (0) +#define SECCOMP_RULESET_ADD(ruleset) \ + do { \ + if (opts & F_VERBOSE) \ + f_println("adding seccomp ruleset \"" #ruleset "\""); \ + for (int i = 0; i < LEN(ruleset); i++) { \ + assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \ + \ + if (ruleset[i].arg) \ + *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ruleset[i].m_errno), \ + ruleset[i].syscall, 1, *ruleset[i].arg); \ + else \ + *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ruleset[i].m_errno), \ + ruleset[i].syscall, 0); \ + \ + if (*ret_p == -EFAULT) { \ + res = 4; \ + goto out; \ + } else if (*ret_p < 0) { \ + res = 5; \ + goto out; \ + } \ + } \ + } while (0) -int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_filter_opts opts) { - int32_t res = 0; // refer to resErr for meaning +int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, + f_filter_opts opts) { + int32_t res = 0; /* refer to resPrefix for message */ int allow_multiarch = opts & F_MULTIARCH; int allowed_personality = PER_LINUX; if (opts & F_LINUX32) allowed_personality = PER_LINUX32; - // flatpak commit 4c3bf179e2e4a2a298cd1db1d045adaf3f564532 + /* flatpak commit 4c3bf179e2e4a2a298cd1db1d045adaf3f564532 */ struct f_syscall_act deny_common[] = { - // Block dmesg - {SCMP_SYS(syslog), EPERM}, - // Useless old syscall - {SCMP_SYS(uselib), EPERM}, - // Don't allow disabling accounting - {SCMP_SYS(acct), EPERM}, - // Don't allow reading current quota use - {SCMP_SYS(quotactl), EPERM}, + /* Block dmesg */ + {SCMP_SYS(syslog), EPERM}, + /* Useless old syscall */ + {SCMP_SYS(uselib), EPERM}, + /* Don't allow disabling accounting */ + {SCMP_SYS(acct), EPERM}, + /* Don't allow reading current quota use */ + {SCMP_SYS(quotactl), EPERM}, - // Don't allow access to the kernel keyring - {SCMP_SYS(add_key), EPERM}, - {SCMP_SYS(keyctl), EPERM}, - {SCMP_SYS(request_key), EPERM}, + /* Don't allow access to the kernel keyring */ + {SCMP_SYS(add_key), EPERM}, + {SCMP_SYS(keyctl), EPERM}, + {SCMP_SYS(request_key), EPERM}, - // Scary VM/NUMA ops - {SCMP_SYS(move_pages), EPERM}, - {SCMP_SYS(mbind), EPERM}, - {SCMP_SYS(get_mempolicy), EPERM}, - {SCMP_SYS(set_mempolicy), EPERM}, - {SCMP_SYS(migrate_pages), EPERM}, + /* Scary VM/NUMA ops */ + {SCMP_SYS(move_pages), EPERM}, + {SCMP_SYS(mbind), EPERM}, + {SCMP_SYS(get_mempolicy), EPERM}, + {SCMP_SYS(set_mempolicy), EPERM}, + {SCMP_SYS(migrate_pages), EPERM}, }; - // fortify: project-specific extensions + /* fortify: project-specific extensions */ struct f_syscall_act deny_common_ext[] = { - // system calls for changing the system clock - {SCMP_SYS(adjtimex), EPERM}, - {SCMP_SYS(clock_adjtime), EPERM}, - {SCMP_SYS(clock_adjtime64), EPERM}, - {SCMP_SYS(clock_settime), EPERM}, - {SCMP_SYS(clock_settime64), EPERM}, - {SCMP_SYS(settimeofday), EPERM}, + /* system calls for changing the system clock */ + {SCMP_SYS(adjtimex), EPERM}, + {SCMP_SYS(clock_adjtime), EPERM}, + {SCMP_SYS(clock_adjtime64), EPERM}, + {SCMP_SYS(clock_settime), EPERM}, + {SCMP_SYS(clock_settime64), EPERM}, + {SCMP_SYS(settimeofday), EPERM}, - // loading and unloading of kernel modules - {SCMP_SYS(delete_module), EPERM}, - {SCMP_SYS(finit_module), EPERM}, - {SCMP_SYS(init_module), EPERM}, + /* loading and unloading of kernel modules */ + {SCMP_SYS(delete_module), EPERM}, + {SCMP_SYS(finit_module), EPERM}, + {SCMP_SYS(init_module), EPERM}, - // system calls for rebooting and reboot preparation - {SCMP_SYS(kexec_file_load), EPERM}, - {SCMP_SYS(kexec_load), EPERM}, - {SCMP_SYS(reboot), EPERM}, + /* system calls for rebooting and reboot preparation */ + {SCMP_SYS(kexec_file_load), EPERM}, + {SCMP_SYS(kexec_load), EPERM}, + {SCMP_SYS(reboot), EPERM}, - // system calls for enabling/disabling swap devices - {SCMP_SYS(swapoff), EPERM}, - {SCMP_SYS(swapon), EPERM}, + /* system calls for enabling/disabling swap devices */ + {SCMP_SYS(swapoff), EPERM}, + {SCMP_SYS(swapon), EPERM}, }; struct f_syscall_act deny_ns[] = { - // Don't allow subnamespace setups: - {SCMP_SYS(unshare), EPERM}, - {SCMP_SYS(setns), EPERM}, - {SCMP_SYS(mount), EPERM}, - {SCMP_SYS(umount), EPERM}, - {SCMP_SYS(umount2), EPERM}, - {SCMP_SYS(pivot_root), EPERM}, - {SCMP_SYS(chroot), EPERM}, + /* Don't allow subnamespace setups: */ + {SCMP_SYS(unshare), EPERM}, + {SCMP_SYS(setns), EPERM}, + {SCMP_SYS(mount), EPERM}, + {SCMP_SYS(umount), EPERM}, + {SCMP_SYS(umount2), EPERM}, + {SCMP_SYS(pivot_root), EPERM}, + {SCMP_SYS(chroot), EPERM}, #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) - // Architectures with CONFIG_CLONE_BACKWARDS2: the child stack - // and flags arguments are reversed so the flags come second - {SCMP_SYS(clone), EPERM, &SCMP_A1(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack + * and flags arguments are reversed so the flags come second */ + {SCMP_SYS(clone), EPERM, + &SCMP_A1(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, #else - // Normally the flags come first - {SCMP_SYS(clone), EPERM, &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + /* Normally the flags come first */ + {SCMP_SYS(clone), EPERM, + &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, #endif - // seccomp can't look into clone3()'s struct clone_args to check whether - // the flags are OK, so we have no choice but to block clone3(). - // Return ENOSYS so user-space will fall back to clone(). - // (CVE-2021-41133; see also https://github.com/moby/moby/commit/9f6b562d) - {SCMP_SYS(clone3), ENOSYS}, + /* seccomp can't look into clone3()'s struct clone_args to check whether + * the flags are OK, so we have no choice but to block clone3(). + * Return ENOSYS so user-space will fall back to clone(). + * (CVE-2021-41133; see also https://github.com/moby/moby/commit/9f6b562d) + */ + {SCMP_SYS(clone3), ENOSYS}, - // New mount manipulation APIs can also change our VFS. There's no - // legitimate reason to do these in the sandbox, so block all of them - // rather than thinking about which ones might be dangerous. - // (CVE-2021-41133) - {SCMP_SYS(open_tree), ENOSYS}, - {SCMP_SYS(move_mount), ENOSYS}, - {SCMP_SYS(fsopen), ENOSYS}, - {SCMP_SYS(fsconfig), ENOSYS}, - {SCMP_SYS(fsmount), ENOSYS}, - {SCMP_SYS(fspick), ENOSYS}, - {SCMP_SYS(mount_setattr), ENOSYS}, + /* New mount manipulation APIs can also change our VFS. There's no + * legitimate reason to do these in the sandbox, so block all of them + * rather than thinking about which ones might be dangerous. + * (CVE-2021-41133) */ + {SCMP_SYS(open_tree), ENOSYS}, + {SCMP_SYS(move_mount), ENOSYS}, + {SCMP_SYS(fsopen), ENOSYS}, + {SCMP_SYS(fsconfig), ENOSYS}, + {SCMP_SYS(fsmount), ENOSYS}, + {SCMP_SYS(fspick), ENOSYS}, + {SCMP_SYS(mount_setattr), ENOSYS}, }; - // fortify: project-specific extensions + /* fortify: project-specific extensions */ struct f_syscall_act deny_ns_ext[] = { - // changing file ownership - {SCMP_SYS(chown), EPERM}, - {SCMP_SYS(chown32), EPERM}, - {SCMP_SYS(fchown), EPERM}, - {SCMP_SYS(fchown32), EPERM}, - {SCMP_SYS(fchownat), EPERM}, - {SCMP_SYS(lchown), EPERM}, - {SCMP_SYS(lchown32), EPERM}, + /* changing file ownership */ + {SCMP_SYS(chown), EPERM}, + {SCMP_SYS(chown32), EPERM}, + {SCMP_SYS(fchown), EPERM}, + {SCMP_SYS(fchown32), EPERM}, + {SCMP_SYS(fchownat), EPERM}, + {SCMP_SYS(lchown), EPERM}, + {SCMP_SYS(lchown32), EPERM}, - // system calls for changing user ID and group ID credentials - {SCMP_SYS(setgid), EPERM}, - {SCMP_SYS(setgid32), EPERM}, - {SCMP_SYS(setgroups), EPERM}, - {SCMP_SYS(setgroups32), EPERM}, - {SCMP_SYS(setregid), EPERM}, - {SCMP_SYS(setregid32), EPERM}, - {SCMP_SYS(setresgid), EPERM}, - {SCMP_SYS(setresgid32), EPERM}, - {SCMP_SYS(setresuid), EPERM}, - {SCMP_SYS(setresuid32), EPERM}, - {SCMP_SYS(setreuid), EPERM}, - {SCMP_SYS(setreuid32), EPERM}, - {SCMP_SYS(setuid), EPERM}, - {SCMP_SYS(setuid32), EPERM}, + /* system calls for changing user ID and group ID credentials */ + {SCMP_SYS(setgid), EPERM}, + {SCMP_SYS(setgid32), EPERM}, + {SCMP_SYS(setgroups), EPERM}, + {SCMP_SYS(setgroups32), EPERM}, + {SCMP_SYS(setregid), EPERM}, + {SCMP_SYS(setregid32), EPERM}, + {SCMP_SYS(setresgid), EPERM}, + {SCMP_SYS(setresgid32), EPERM}, + {SCMP_SYS(setresuid), EPERM}, + {SCMP_SYS(setresuid32), EPERM}, + {SCMP_SYS(setreuid), EPERM}, + {SCMP_SYS(setreuid32), EPERM}, + {SCMP_SYS(setuid), EPERM}, + {SCMP_SYS(setuid32), EPERM}, }; struct f_syscall_act deny_tty[] = { - // Don't allow faking input to the controlling tty (CVE-2017-5226) - {SCMP_SYS(ioctl), EPERM, &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)}, - // In the unlikely event that the controlling tty is a Linux virtual - // console (/dev/tty2 or similar), copy/paste operations have an effect - // similar to TIOCSTI (CVE-2023-28100) - {SCMP_SYS(ioctl), EPERM, &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCLINUX)}, + /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ + {SCMP_SYS(ioctl), EPERM, + &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)}, + /* In the unlikely event that the controlling tty is a Linux virtual + * console (/dev/tty2 or similar), copy/paste operations have an effect + * similar to TIOCSTI (CVE-2023-28100) */ + {SCMP_SYS(ioctl), EPERM, + &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCLINUX)}, }; struct f_syscall_act deny_devel[] = { - // Profiling operations; we expect these to be done by tools from outside - // the sandbox. In particular perf has been the source of many CVEs. - {SCMP_SYS(perf_event_open), EPERM}, - // Don't allow you to switch to bsd emulation or whatnot - {SCMP_SYS(personality), EPERM, &SCMP_A0(SCMP_CMP_NE, allowed_personality)}, + /* Profiling operations; we expect these to be done by tools from outside + * the sandbox. In particular perf has been the source of many CVEs. */ + {SCMP_SYS(perf_event_open), EPERM}, + /* Don't allow you to switch to bsd emulation or whatnot */ + {SCMP_SYS(personality), EPERM, + &SCMP_A0(SCMP_CMP_NE, allowed_personality)}, - {SCMP_SYS(ptrace), EPERM} - }; + {SCMP_SYS(ptrace), EPERM}}; struct f_syscall_act deny_emu[] = { - // modify_ldt is a historic source of interesting information leaks, - // so it's disabled as a hardening measure. - // However, it is required to run old 16-bit applications - // as well as some Wine patches, so it's allowed in multiarch. - {SCMP_SYS(modify_ldt), EPERM}, + /* modify_ldt is a historic source of interesting information leaks, + * so it's disabled as a hardening measure. + * However, it is required to run old 16-bit applications + * as well as some Wine patches, so it's allowed in multiarch. */ + {SCMP_SYS(modify_ldt), EPERM}, }; - // fortify: project-specific extensions + /* fortify: project-specific extensions */ struct f_syscall_act deny_emu_ext[] = { - {SCMP_SYS(subpage_prot), ENOSYS}, - {SCMP_SYS(switch_endian), ENOSYS}, - {SCMP_SYS(vm86), ENOSYS}, - {SCMP_SYS(vm86old), ENOSYS}, + {SCMP_SYS(subpage_prot), ENOSYS}, + {SCMP_SYS(switch_endian), ENOSYS}, + {SCMP_SYS(vm86), ENOSYS}, + {SCMP_SYS(vm86old), ENOSYS}, }; - // Blocklist all but unix, inet, inet6 and netlink - struct - { - int family; + /* Blocklist all but unix, inet, inet6 and netlink */ + struct { + int family; f_filter_opts flags_mask; } socket_family_allowlist[] = { - // NOTE: Keep in numerical order - { AF_UNSPEC, 0 }, - { AF_LOCAL, 0 }, - { AF_INET, 0 }, - { AF_INET6, 0 }, - { AF_NETLINK, 0 }, - { AF_CAN, F_CAN }, - { AF_BLUETOOTH, F_BLUETOOTH }, + /* NOTE: Keep in numerical order */ + {AF_UNSPEC, 0}, + {AF_LOCAL, 0}, + {AF_INET, 0}, + {AF_INET6, 0}, + {AF_NETLINK, 0}, + {AF_CAN, F_CAN}, + {AF_BLUETOOTH, F_BLUETOOTH}, }; scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW); @@ -228,14 +236,14 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_ } else errno = 0; - // We only really need to handle arches on multiarch systems. - // If only one arch is supported the default is fine + /* We only really need to handle arches on multiarch systems. + * If only one arch is supported the default is fine */ if (arch != 0) { - // This *adds* the target arch, instead of replacing the - // native one. This is not ideal, because we'd like to only - // allow the target arch, but we can't really disallow the - // native arch at this point, because then bubblewrap - // couldn't continue running. + /* This *adds* the target arch, instead of replacing the + * native one. This is not ideal, because we'd like to only + * allow the target arch, but we can't really disallow the + * native arch at this point, because then bubblewrap + * couldn't continue running. */ *ret_p = seccomp_arch_add(ctx, arch); if (*ret_p < 0 && *ret_p != -EEXIST) { res = 2; @@ -252,33 +260,44 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_ } SECCOMP_RULESET_ADD(deny_common); - if (opts & F_DENY_NS) SECCOMP_RULESET_ADD(deny_ns); - if (opts & F_DENY_TTY) SECCOMP_RULESET_ADD(deny_tty); - if (opts & F_DENY_DEVEL) SECCOMP_RULESET_ADD(deny_devel); - if (!allow_multiarch) SECCOMP_RULESET_ADD(deny_emu); + if (opts & F_DENY_NS) + SECCOMP_RULESET_ADD(deny_ns); + if (opts & F_DENY_TTY) + SECCOMP_RULESET_ADD(deny_tty); + if (opts & F_DENY_DEVEL) + SECCOMP_RULESET_ADD(deny_devel); + if (!allow_multiarch) + SECCOMP_RULESET_ADD(deny_emu); if (opts & F_EXT) { SECCOMP_RULESET_ADD(deny_common_ext); - if (opts & F_DENY_NS) SECCOMP_RULESET_ADD(deny_ns_ext); - if (!allow_multiarch) SECCOMP_RULESET_ADD(deny_emu_ext); + if (opts & F_DENY_NS) + SECCOMP_RULESET_ADD(deny_ns_ext); + if (!allow_multiarch) + SECCOMP_RULESET_ADD(deny_emu_ext); } - // Socket filtering doesn't work on e.g. i386, so ignore failures here - // However, we need to user seccomp_rule_add_exact to avoid libseccomp doing - // something else: https://github.com/seccomp/libseccomp/issues/8 + /* Socket filtering doesn't work on e.g. i386, so ignore failures here + * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing + * something else: https://github.com/seccomp/libseccomp/issues/8 */ int last_allowed_family = -1; for (int i = 0; i < LEN(socket_family_allowlist); i++) { if (socket_family_allowlist[i].flags_mask != 0 && - (socket_family_allowlist[i].flags_mask & opts) != socket_family_allowlist[i].flags_mask) + (socket_family_allowlist[i].flags_mask & opts) != + socket_family_allowlist[i].flags_mask) continue; - for (int disallowed = last_allowed_family + 1; disallowed < socket_family_allowlist[i].family; disallowed++) { - // Blocklist the in-between valid families - seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, disallowed)); + for (int disallowed = last_allowed_family + 1; + disallowed < socket_family_allowlist[i].family; disallowed++) { + /* Blocklist the in-between valid families */ + seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), + SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, disallowed)); } last_allowed_family = socket_family_allowlist[i].family; } - // Blocklist the rest - seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1)); + /* Blocklist the rest */ + seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1)); if (fd < 0) { *ret_p = seccomp_load(ctx); diff --git a/sandbox/seccomp/seccomp-build.h b/sandbox/seccomp/seccomp-build.h index 0b3a095..9a4e4d7 100644 --- a/sandbox/seccomp/seccomp-build.h +++ b/sandbox/seccomp/seccomp-build.h @@ -1,23 +1,23 @@ -#include #include +#include -#if (SCMP_VER_MAJOR < 2) || \ - (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \ +#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \ (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 5 && SCMP_VER_MICRO < 1) #error This package requires libseccomp >= v2.5.1 #endif typedef enum { - F_VERBOSE = 1 << 0, - F_EXT = 1 << 1, - F_DENY_NS = 1 << 2, - F_DENY_TTY = 1 << 3, + F_VERBOSE = 1 << 0, + F_EXT = 1 << 1, + F_DENY_NS = 1 << 2, + F_DENY_TTY = 1 << 3, F_DENY_DEVEL = 1 << 4, - F_MULTIARCH = 1 << 5, - F_LINUX32 = 1 << 6, - F_CAN = 1 << 7, - F_BLUETOOTH = 1 << 8, + F_MULTIARCH = 1 << 5, + F_LINUX32 = 1 << 6, + F_CAN = 1 << 7, + F_BLUETOOTH = 1 << 8, } f_filter_opts; extern void f_println(char *v); -int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_filter_opts opts); \ No newline at end of file +int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, + f_filter_opts opts); \ No newline at end of file diff --git a/sandbox/wl/wayland-bind.c b/sandbox/wl/wayland-bind.c index 01e8b88..5bbf206 100644 --- a/sandbox/wl/wayland-bind.c +++ b/sandbox/wl/wayland-bind.c @@ -1,30 +1,36 @@ #include "wayland-bind.h" -#include #include +#include #include -#include #include #include +#include -#include #include "security-context-v1-protocol.h" +#include -static void registry_handle_global(void *data, struct wl_registry *registry, uint32_t name, const char *interface, uint32_t version) { +static void registry_handle_global(void *data, struct wl_registry *registry, + uint32_t name, const char *interface, + uint32_t version) { struct wp_security_context_manager_v1 **out = data; if (strcmp(interface, wp_security_context_manager_v1_interface.name) == 0) - *out = wl_registry_bind(registry, name, &wp_security_context_manager_v1_interface, 1); + *out = wl_registry_bind(registry, name, + &wp_security_context_manager_v1_interface, 1); } -static void registry_handle_global_remove(void *data, struct wl_registry *registry, uint32_t name) { } // no-op +static void registry_handle_global_remove(void *data, + struct wl_registry *registry, + uint32_t name) {} /* no-op */ static const struct wl_registry_listener registry_listener = { - .global = registry_handle_global, - .global_remove = registry_handle_global_remove, + .global = registry_handle_global, + .global_remove = registry_handle_global_remove, }; -int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, const char *instance_id, int sync_fd) { - int32_t res = 0; // refer to resErr for meaning +int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, + const char *instance_id, int sync_fd) { + int32_t res = 0; /* refer to resErr for corresponding Go error */ struct wl_display *display; display = wl_display_connect_to_fd(fd); @@ -37,7 +43,8 @@ int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, const c registry = wl_display_get_registry(display); struct wp_security_context_manager_v1 *security_context_manager = NULL; - wl_registry_add_listener(registry, ®istry_listener, &security_context_manager); + wl_registry_add_listener(registry, ®istry_listener, + &security_context_manager); int ret; ret = wl_display_roundtrip(display); wl_registry_destroy(registry); @@ -64,8 +71,11 @@ int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, const c goto out; struct wp_security_context_v1 *security_context; - security_context = wp_security_context_manager_v1_create_listener(security_context_manager, listen_fd, sync_fd); - wp_security_context_v1_set_sandbox_engine(security_context, "uk.gensokyo.fortify"); + security_context = wp_security_context_manager_v1_create_listener( + security_context_manager, listen_fd, sync_fd); + wp_security_context_v1_set_sandbox_engine(security_context, + "uk.gensokyo.fortify"); + wp_security_context_v1_set_app_id(security_context, app_id); wp_security_context_v1_set_instance_id(security_context, instance_id); wp_security_context_v1_commit(security_context); diff --git a/sandbox/wl/wayland-bind.h b/sandbox/wl/wayland-bind.h index 720dfe4..283d529 100644 --- a/sandbox/wl/wayland-bind.h +++ b/sandbox/wl/wayland-bind.h @@ -1,3 +1,4 @@ #include -int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, const char *instance_id, int sync_fd); \ No newline at end of file +int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, + const char *instance_id, int sync_fd); \ No newline at end of file