security/hakurei
security/hakurei
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
hakurei/ldd/exec.go
Ophestra 31aef905fa
All checks were successful
Test / Create distribution (push) Successful in 31s
Details
Test / Sandbox (push) Successful in 1m59s
Details
Test / Hakurei (push) Successful in 2m47s
Details
Test / Sandbox (race detector) (push) Successful in 3m11s
Details
Test / Planterette (push) Successful in 3m34s
Details
Test / Hakurei (race detector) (push) Successful in 4m22s
Details
Test / Flake checks (push) Successful in 1m8s
Details
sandbox: expose seccomp interface 
There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 04:47:13 +09:00

62 lines
1.4 KiB
Go
Raw Blame History

package ldd
import (
"bytes"
"context"
"io"
"os"
"os/exec"
"time"
"git.gensokyo.uk/security/hakurei/sandbox"
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
)
const lddTimeout = 2 * time.Second
var (
msgStatic = []byte("Not a valid dynamic program")
msgStaticGlibc = []byte("not a dynamic executable")
)
func Exec(ctx context.Context, p string) ([]*Entry, error) { return ExecFilter(ctx, nil, nil, p) }
func ExecFilter(ctx context.Context,
commandContext func(context.Context) *exec.Cmd,
f func([]byte) []byte,
p string) ([]*Entry, error) {
c, cancel := context.WithTimeout(ctx, lddTimeout)
defer cancel()
container := sandbox.New(c, "ldd", p)
container.CommandContext = commandContext
container.Hostname = "hakurei-ldd"
container.SeccompFlags |= seccomp.AllowMultiarch
container.SeccompPresets |= seccomp.PresetStrict
stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
container.Stdout = stdout
container.Stderr = stderr
container.Bind("/", "/", 0).Proc("/proc").Dev("/dev")
if err := container.Start(); err != nil {
return nil, err
}
defer func() { _, _ = io.Copy(os.Stderr, stderr) }()
if err := container.Serve(); err != nil {
return nil, err
}
if err := container.Wait(); err != nil {
m := stderr.Bytes()
if bytes.Contains(m, append([]byte(p+": "), msgStatic...)) ||
bytes.Contains(m, msgStaticGlibc) {
return nil, nil
}
return nil, err
}
v := stdout.Bytes()
if f != nil {
v = f(v)
}
return Parse(v)
}
Reference in New Issue View Git Blame Copy Permalink