diff --git a/container/container.go b/container/container.go index 86fd7ce..f9e7cf1 100644 --- a/container/container.go +++ b/container/container.go @@ -85,7 +85,7 @@ type ( *Ops // Seccomp system call filter rules. - SeccompRules []seccomp.NativeRule + SeccompRules []std.NativeRule // Extra seccomp flags. SeccompFlags seccomp.ExportFlag // Seccomp presets. Has no effect unless SeccompRules is zero-length. @@ -327,7 +327,7 @@ func (p *Container) Serve() error { p.Dir = fhs.AbsRoot } if p.SeccompRules == nil { - p.SeccompRules = make([]seccomp.NativeRule, 0) + p.SeccompRules = make([]std.NativeRule, 0) } err := gob.NewEncoder(setup).Encode(&initParams{ diff --git a/container/container_test.go b/container/container_test.go index cf699f2..b77ce5f 100644 --- a/container/container_test.go +++ b/container/container_test.go @@ -204,7 +204,7 @@ var containerTestCases = []struct { uid int gid int - rules []seccomp.NativeRule + rules []std.NativeRule flags seccomp.ExportFlag presets std.FilterPreset }{ @@ -219,7 +219,7 @@ var containerTestCases = []struct { 1000, 100, nil, 0, std.PresetExt}, {"custom rules", true, true, true, false, emptyOps, emptyMnt, - 1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt}, + 1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt}, {"tmpfs", true, false, false, true, earlyOps(new(container.Ops). diff --git a/container/dispatcher.go b/container/dispatcher.go index 5f8c72c..e1dae6e 100644 --- a/container/dispatcher.go +++ b/container/dispatcher.go @@ -11,6 +11,7 @@ import ( "syscall" "hakurei.app/container/seccomp" + "hakurei.app/container/std" "hakurei.app/message" ) 
@@ -62,7 +63,7 @@ type syscallDispatcher interface { ensureFile(name string, perm, pperm os.FileMode) error // seccompLoad provides [seccomp.Load]. - seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error + seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error // notify provides [signal.Notify]. notify(c chan<- os.Signal, sig ...os.Signal) // start starts [os/exec.Cmd]. @@ -164,7 +165,7 @@ func (direct) ensureFile(name string, perm, pperm os.FileMode) error { return ensureFile(name, perm, pperm) } -func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error { +func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error { return seccomp.Load(rules, flags) } func (direct) notify(c chan<- os.Signal, sig ...os.Signal) { signal.Notify(c, sig...) } diff --git a/container/dispatcher_test.go b/container/dispatcher_test.go index 3e5cb91..ee31f91 100644 --- a/container/dispatcher_test.go +++ b/container/dispatcher_test.go @@ -17,6 +17,7 @@ import ( "time" "hakurei.app/container/seccomp" + "hakurei.app/container/std" "hakurei.app/container/stub" "hakurei.app/message" ) @@ -456,7 +457,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error { stub.CheckArg(k.Stub, "pperm", pperm, 2)) } -func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error { +func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error { k.Helper() return k.Expects("seccompLoad").Error( stub.CheckArgReflect(k.Stub, "rules", rules, 0), diff --git a/container/init_test.go b/container/init_test.go index ae03721..7ab4c91 100644 --- a/container/init_test.go +++ b/container/init_test.go @@ -69,7 +69,7 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, 
@@ -94,7 +94,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -122,7 +122,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -151,7 +151,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -181,7 +181,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -212,7 +212,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -244,7 +244,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, 
@@ -278,7 +278,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -314,7 +314,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -352,7 +352,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(nil, nil, std.BindDevice), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -390,7 +390,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -429,7 +429,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, 
@@ -468,7 +468,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -508,7 +508,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -549,7 +549,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -591,7 +591,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -634,7 +634,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, 
@@ -678,7 +678,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -723,7 +723,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -769,7 +769,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -824,7 +824,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -879,7 +879,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, 
@@ -935,7 +935,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -992,7 +992,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1051,7 +1051,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1111,7 +1111,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1172,7 +1172,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, 
@@ -1234,7 +1234,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1297,7 +1297,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1361,7 +1361,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1426,7 +1426,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1492,7 +1492,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, 
@@ -1566,7 +1566,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1673,7 +1673,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1781,7 +1781,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, @@ -1891,7 +1891,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 47, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, }, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(13), nil), @@ -2005,7 +2005,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 47, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, }, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(10), nil), 
@@ -2103,7 +2103,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 47, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, }, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(7), nil), @@ -2201,7 +2201,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 47, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, }, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(7), nil), @@ -2292,7 +2292,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 47, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, }, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(5), nil), @@ -2385,7 +2385,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 47, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, }, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(3), nil), 
@@ -2485,7 +2485,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 47, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, }, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(1), nil), @@ -2621,7 +2621,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")), - SeccompRules: make([]seccomp.NativeRule, 0), + SeccompRules: make([]std.NativeRule, 0), SeccompPresets: std.PresetStrict, RetainSession: true, Privileged: true, diff --git a/container/seccomp/libseccomp.go b/container/seccomp/libseccomp.go index c355029..962d684 100644 --- a/container/seccomp/libseccomp.go +++ b/container/seccomp/libseccomp.go @@ -14,6 +14,8 @@ import ( "runtime/cgo" "syscall" "unsafe" + + "hakurei.app/container/std" ) // ErrInvalidRules is returned for a zero-length rules slice. 
@@ -54,31 +56,12 @@ func (e *LibraryError) Is(err error) bool {
 }
 type (
-	// scmpUint is equivalent to [ScmpUint].
+	// scmpUint is equivalent to [std.ScmpUint].
 	scmpUint = C.uint
-	// ScmpUint is equivalent to C.uint.
-	ScmpUint uint32
-	// scmpInt is equivalent to [ScmpInt].
+	// scmpInt is equivalent to [std.ScmpInt].
 	scmpInt = C.int
-	// ScmpInt is equivalent to C.int.
-	ScmpInt int32
-	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
-	ScmpSyscall ScmpInt
-	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno ScmpInt
-
-	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
-	NativeRule struct {
-		// Syscall is the arch-dependent syscall number to act against.
-		Syscall ScmpSyscall
-		// Errno is the errno value to return when the condition is satisfied.
-		Errno ScmpErrno
-		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
-		Arg *ScmpArgCmp
-	}
-
-	// syscallRule is equivalent to [NativeRule].
+	// syscallRule is equivalent to [std.NativeRule].
 	syscallRule = C.struct_hakurei_syscall_rule
 )
@@ -115,9 +98,9 @@ func hakurei_scmp_allocate(f C.uintptr_t, len C.size_t) (buf unsafe.Pointer) {
 	return cgo.Handle(f).Value().(cbAllocateBuffer)(len)
 }
-// makeFilter generates a bpf program from a slice of [NativeRule] and writes the resulting byte slice to p.
+// makeFilter generates a bpf program from a slice of [std.NativeRule] and writes the resulting byte slice to p.
 // The filter is installed to the current process if p is nil.
-func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
+func makeFilter(rules []std.NativeRule, flags ExportFlag, p *[]byte) error {
 	if len(rules) == 0 {
 		return ErrInvalidRules
 	}
@@ -180,22 +163,26 @@ func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
 	return err
 }
-// Export generates a bpf program from a slice of [NativeRule].
+// Export generates a bpf program from a slice of [std.NativeRule].
 // Errors returned by libseccomp is wrapped in [LibraryError].
-func Export(rules []NativeRule, flags ExportFlag) (data []byte, err error) {
+func Export(rules []std.NativeRule, flags ExportFlag) (data []byte, err error) {
 	err = makeFilter(rules, flags, &data)
 	return
 }
-// Load generates a bpf program from a slice of [NativeRule] and enforces it on the current process.
+// Load generates a bpf program from a slice of [std.NativeRule] and enforces it on the current process.
 // Errors returned by libseccomp is wrapped in [LibraryError].
-func Load(rules []NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
+func Load(rules []std.NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
 type (
 	// Comparison operators.
 	scmpCompare = C.enum_scmp_compare
-	// ScmpCompare is equivalent to enum scmp_compare;
-	ScmpCompare ScmpUint
+
+	// Argument datum.
+	scmpDatum = C.scmp_datum_t
+
+	// Argument / Value comparison definition.
+	scmpArgCmp = C.struct_scmp_arg_cmp
 )
 const (
@@ -219,29 +206,10 @@ const (
 	_SCMP_CMP_MAX = C._SCMP_CMP_MAX
 )
-type (
-	// Argument datum.
-	scmpDatum = C.scmp_datum_t
-	// ScmpDatum is equivalent to scmp_datum_t.
-	ScmpDatum uint64
-
-	// Argument / Value comparison definition.
-	scmpArgCmp = C.struct_scmp_arg_cmp
-	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
-	ScmpArgCmp struct {
-		// argument number, starting at 0
-		Arg ScmpUint
-		// the comparison op, e.g. SCMP_CMP_*
-		Op ScmpCompare
-
-		DatumA, DatumB ScmpDatum
-	}
-)
-
 const (
-	// PersonaLinux is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
+	// PersonaLinux is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
 	PersonaLinux = C.PER_LINUX
-	// PersonaLinux32 is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
+	// PersonaLinux32 is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
 	PersonaLinux32 = C.PER_LINUX32
 )
diff --git a/container/seccomp/syscall_test.go b/container/seccomp/std_test.go
similarity index 85%
rename from container/seccomp/syscall_test.go
rename to container/seccomp/std_test.go
index 98076cf..438a5e3 100644
--- a/container/seccomp/syscall_test.go
+++ b/container/seccomp/std_test.go
@@ -24,13 +24,13 @@ func TestSyscallResolveName(t *testing.T) {
 }
 func TestRuleType(t *testing.T) {
-	assertKind[ScmpUint, scmpUint](t)
-	assertKind[ScmpInt, scmpInt](t)
+	assertKind[std.ScmpUint, scmpUint](t)
+	assertKind[std.ScmpInt, scmpInt](t)
-	assertSize[NativeRule, syscallRule](t)
-	assertKind[ScmpDatum, scmpDatum](t)
-	assertKind[ScmpCompare, scmpCompare](t)
-	assertSize[ScmpArgCmp, scmpArgCmp](t)
+	assertSize[std.NativeRule, syscallRule](t)
+	assertKind[std.ScmpDatum, scmpDatum](t)
+	assertKind[std.ScmpCompare, scmpCompare](t)
+	assertSize[std.ScmpArgCmp, scmpArgCmp](t)
 }
 // assertSize asserts that native and equivalent are of the same size.
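Review bot: `assertSize[std.NativeRule, syscallRule]` and `assertSize[std.ScmpArgCmp, scmpArgCmp]` in TestRuleType compare only total size, so now that the Go definitions live in a separate non-cgo package, a field reorder or a swap of two equal-width fields (`Syscall`/`Errno`, `DatumA`/`DatumB`) in container/std would still pass this test while the C side reads the wrong field. The size checks suggest the seccomp package reinterprets these values as the C structs, though the cast itself is outside this diff. Extending the test with an `unsafe.Offsetof` comparison for each field of the Go type against the corresponding field of the cgo type would make the layout contract enforced rather than assumed. TestRuleType is fully within the hunk; assertSize and assertKind are defined below it.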
diff --git a/container/std/seccomp.go b/container/std/seccomp.go
new file mode 100644
index 0000000..f3189ca
--- /dev/null
+++ b/container/std/seccomp.go
@@ -0,0 +1,38 @@
+package std
+
+type (
+	// ScmpUint is equivalent to C.uint.
+	ScmpUint uint32
+	// ScmpInt is equivalent to C.int.
+	ScmpInt int32
+
+	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
+	ScmpSyscall ScmpInt
+	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
+	ScmpErrno ScmpInt
+
+	// ScmpCompare is equivalent to enum scmp_compare;
+	ScmpCompare ScmpUint
+	// ScmpDatum is equivalent to scmp_datum_t.
+	ScmpDatum uint64
+
+	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
+	ScmpArgCmp struct {
+		// argument number, starting at 0
+		Arg ScmpUint
+		// the comparison op, e.g. SCMP_CMP_*
+		Op ScmpCompare
+
+		DatumA, DatumB ScmpDatum
+	}
+
+	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
+	NativeRule struct {
+		// Syscall is the arch-dependent syscall number to act against.
+		Syscall ScmpSyscall
+		// Errno is the errno value to return when the condition is satisfied.
+		Errno ScmpErrno
+		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
+		Arg *ScmpArgCmp
+	}
+)
diff --git a/internal/outcome/dispatcher.go b/internal/outcome/dispatcher.go
index 443148c..3427a48 100644
--- a/internal/outcome/dispatcher.go
+++ b/internal/outcome/dispatcher.go
@@ -13,6 +13,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/internal"
 	"hakurei.app/message"
 	"hakurei.app/system/dbus"
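Review bot: The layout contract of `NativeRule` and `ScmpArgCmp` is no longer visible from the file that now defines them: nothing in container/std says that these must mirror `struct hakurei_syscall_rule` and `struct scmp_arg_cmp` byte for byte, and the only enforcement is the `assertSize` pair in container/seccomp/std_test.go, which suggests (the cgo cast itself is not in this diff) that the values are handed to libseccomp as the C structs. Since `NativeRule` also travels through the gob-encoded `initParams` in container.go before it reaches the filter, a maintainer who adds, reorders or widens a field here could produce a filter that differs from the rules the caller wrote, with no compile-time signal. The type comments should carry the constraint, e.g. `// ScmpArgCmp is equivalent to struct scmp_arg_cmp; field order, types and size must match the C definition exactly and are checked by TestRuleType in container/seccomp.` with the same wording on `NativeRule` against `struct hakurei_syscall_rule`. The `ScmpCompare` comment also ends in a stray semicolon and should read `// ScmpCompare is equivalent to enum scmp_compare.`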
@@ -86,7 +87,7 @@ type syscallDispatcher interface { containerWait(z *container.Container) error // seccompLoad provides [seccomp.Load]. - seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error + seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error // mustHsuPath provides [internal.MustHsuPath]. mustHsuPath() *check.Absolute @@ -151,7 +152,7 @@ func (direct) containerStart(z *container.Container) error { return z.Start() } func (direct) containerServe(z *container.Container) error { return z.Serve() } func (direct) containerWait(z *container.Container) error { return z.Wait() } -func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error { +func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error { return seccomp.Load(rules, flags) } diff --git a/internal/outcome/dispatcher_test.go b/internal/outcome/dispatcher_test.go index 87a24e6..41a2a31 100644 --- a/internal/outcome/dispatcher_test.go +++ b/internal/outcome/dispatcher_test.go @@ -21,6 +21,7 @@ import ( "hakurei.app/container" "hakurei.app/container/check" "hakurei.app/container/seccomp" + "hakurei.app/container/std" "hakurei.app/container/stub" "hakurei.app/hst" "hakurei.app/message" @@ -435,7 +436,7 @@ func (k *kstub) containerWait(z *container.Container) error { return k.expectCheckContainer(k.Expects("containerWait"), z) } -func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error { +func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error { k.Helper() return k.Expects("seccompLoad").Error( stub.CheckArgReflect(k.Stub, "rules", rules, 0), 
@@ -722,6 +723,6 @@ func (panicDispatcher) fatalf(string, ...any) { pa func (panicDispatcher) notifyContext(context.Context, ...os.Signal) (context.Context, context.CancelFunc) { panic("unreachable") } -func (panicDispatcher) seccompLoad([]seccomp.NativeRule, seccomp.ExportFlag) error { +func (panicDispatcher) seccompLoad([]std.NativeRule, seccomp.ExportFlag) error { panic("unreachable") }