Cleanup passing profile to seccomp wrapper and generic blacklist

master
xSmurf 10 years ago
parent 4ff81d924f
commit 2f7e27f121

@ -10,6 +10,7 @@ type Config struct {
ProfileDir string `json:"profile_dir" desc:"Directory containing the sandbox profiles"`
ShellPath string `json:"shell_path" desc:"Path of the shell used when entering a sandbox"`
PrefixPath string `json:"prefix_path" desc:"Prefix path containing the oz executables"`
EtcPrefix string `json:"etc_prefix" desc:"Prefix for configuration files"`
SandboxPath string `json:"sandbox_path" desc:"Path of the sandboxes base"`
BridgeMACAddr string `json:"bridge_mac" desc:"MAC Address of the bridge interface"`
DivertSuffix string `json:"divert_suffix" desc:"Suffix using for dpkg-divert of application executables"`
@ -29,6 +30,7 @@ func NewDefaultConfig() *Config {
ProfileDir: "/var/lib/oz/cells.d",
ShellPath: "/bin/bash",
PrefixPath: "/usr/local",
EtcPrefix: "/etc/oz",
SandboxPath: "/srv/oz",
NMIgnoreFile: "/etc/NetworkManager/conf.d/oz.conf",
BridgeMACAddr: "6A:A8:2E:56:E8:9C",

@ -380,8 +380,17 @@ func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*ex
cmd.Env = append(cmd.Env, st.launchEnv...)
if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST ||
st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST {
cmd.Env = append(cmd.Env, "_OZ_PROFILE="+st.profile.Name)
st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST {
pi, err := cmd.StdinPipe()
if err != nil {
return nil, fmt.Errorf("error creating stdin pipe for seccomp process: %v", err)
}
jdata, err := json.Marshal(st.profile)
if err != nil {
return nil, fmt.Errorf("Unable to marshal seccomp state: %+v", err)
}
io.Copy(pi, bytes.NewBuffer(jdata))
pi.Close()
}
cmd.Args = append(cmd.Args, cmdArgs...)
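Review bot: The result of `io.Copy(pi, bytes.NewBuffer(jdata))` is discarded, and so is the error from `pi.Close()`, so launchApplication can carry on even when the seccomp wrapper never received a complete profile. The wrapper does exit when it cannot decode the JSON, but the failure is better reported where it happens, e.g. `if _, err := pi.Write(jdata); err != nil { return nil, fmt.Errorf("error writing profile to seccomp process: %v", err) }`. If the command has not been started at this point (the rest of the function is outside the hunk), the write will also block once the marshalled profile exceeds the pipe buffer, so writing after start or from a goroutine would be safer. The launched program now inherits a stdin that is already at end-of-file, which deserves a short comment such as `// stdin carries the profile to the seccomp wrapper; the application sees EOF`.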

@ -1,13 +1,16 @@
package seccomp
import (
"encoding/json"
"fmt"
"os"
"path"
"syscall"
"github.com/op/go-logging"
"github.com/subgraph/go-seccomp"
"github.com/subgraph/oz"
"github.com/op/go-logging"
)
func createLogger() *logging.Logger {
@ -32,19 +35,8 @@ func Main() {
os.Exit(1)
}
var getvar = func(name string) string {
val := os.Getenv(name)
if val == "" {
log.Error("Error: missing required '%s' argument", name)
os.Exit(1)
}
os.Setenv(name, "")
return val
}
cmd := os.Args[2]
cmdArgs := os.Args[2:]
pname := getvar("_OZ_PROFILE")
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
@ -57,13 +49,19 @@ func Main() {
}
}
p := new(oz.Profile)
if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil {
log.Error("unable to decode profile data: %v", err)
os.Exit(1)
}
/*
p, err := loadProfile(config.ProfileDir, pname)
if err != nil {
log.Error("Could not load profile %s: %v", pname, err)
os.Exit(1)
}
*/
switch os.Args[1] {
case "-w":
if p.Seccomp.Seccomp_Whitelist == "" {
@ -80,15 +78,14 @@ func Main() {
log.Error("Error (seccomp): %v", err)
os.Exit(1)
}
err = syscall.Exec(cmd, cmdArgs, oz.Environ())
err = syscall.Exec(cmd, cmdArgs, os.Environ())
if err != nil {
log.Error("Error (exec): %v", err)
os.Exit(1)
}
case "-b":
if p.Seccomp.Seccomp_Blacklist == "" {
log.Error("No seccomp blacklist policy file.")
os.Exit(1)
p.Seccomp.Seccomp_Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp")
}
filter, err := seccomp.CompileBlacklist(p.Seccomp.Seccomp_Blacklist)
if err != nil {
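Review bot: The profile decoded from stdin in Main is used as-is: `p.Seccomp.Seccomp_Blacklist` (and `Seccomp_Whitelist` in the `-w` case) come straight from the JSON and are used as policy file paths, and no check is visible in these hunks that the profile's mode matches `os.Args[1]` or that the path lies where policy files are expected. Since the compiled filter is the security boundary, I would validate the decoded profile before use and log which policy file was chosen, especially on the new fallback, e.g. `log.Warning("no blacklist in profile, using %s", p.Seccomp.Seccomp_Blacklist)`, so that a silently weaker generic policy shows up in the logs. Two smaller things: `p` is already a pointer, so `Decode(p)` is enough, and the commented-out `loadProfile` block should be deleted rather than kept. Main starts and ends outside these hunks, so whether `loadProfile` is still referenced elsewhere is not visible here.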
