diff --git a/config.go b/config.go
index 2b195e7..f58328f 100644
--- a/config.go
+++ b/config.go
@@ -10,6 +10,7 @@ type Config struct {
 ProfileDir string `json:"profile_dir" desc:"Directory containing the sandbox profiles"`
 ShellPath string `json:"shell_path" desc:"Path of the shell used when entering a sandbox"`
 PrefixPath string `json:"prefix_path" desc:"Prefix path containing the oz executables"`
+ EtcPrefix string `json:"etc_prefix" desc:"Prefix for configuration files"`
 SandboxPath string `json:"sandbox_path" desc:"Path of the sandboxes base"`
 BridgeMACAddr string `json:"bridge_mac" desc:"MAC Address of the bridge interface"`
 DivertSuffix string `json:"divert_suffix" desc:"Suffix using for dpkg-divert of application executables"`
@@ -29,6 +30,7 @@ func NewDefaultConfig() *Config {
 ProfileDir: "/var/lib/oz/cells.d",
 ShellPath: "/bin/bash",
 PrefixPath: "/usr/local",
+ EtcPrefix: "/etc/oz",
 SandboxPath: "/srv/oz",
 NMIgnoreFile: "/etc/NetworkManager/conf.d/oz.conf",
 BridgeMACAddr: "6A:A8:2E:56:E8:9C",
diff --git a/oz-init/init.go b/oz-init/init.go
index a5761b7..f35923e 100644
--- a/oz-init/init.go
+++ b/oz-init/init.go
@@ -380,8 +380,17 @@ func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*ex
 cmd.Env = append(cmd.Env, st.launchEnv...)
 
 if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST ||
- st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST {
- cmd.Env = append(cmd.Env, "_OZ_PROFILE="+st.profile.Name)
+ st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST {
+ pi, err := cmd.StdinPipe()
+ if err != nil {
+ return nil, fmt.Errorf("error creating stdin pipe for seccomp process: %v", err)
+ }
+ jdata, err := json.Marshal(st.profile)
+ if err != nil {
+ return nil, fmt.Errorf("Unable to marshal seccomp state: %+v", err)
+ }
+ io.Copy(pi, bytes.NewBuffer(jdata))
+ pi.Close()
 }
 
 cmd.Args = append(cmd.Args, cmdArgs...)
diff --git a/oz-seccomp/seccomp.go b/oz-seccomp/seccomp.go
index cd8154c..864040c 100644
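Review bot: In the oz-init/init.go hunk the profile JSON is pushed through the stdin pipe with `io.Copy(pi, bytes.NewBuffer(jdata))` and `pi.Close()` without checking either return value, and the write is issued before the child can have been started (cmd.Args is still being assembled on the line after the block, so cmd.Start() must follow outside the hunk), which only works while the serialized profile fits in the kernel pipe buffer — a larger profile would block launchApplication until the helper reads, which never happens. Letting os/exec perform the copy avoids both issues: remove the StdinPipe/io.Copy/Close lines and, after the Marshal error check, set `cmd.Stdin = bytes.NewReader(jdata)`, which exec feeds to the child in its own goroutine once Start runs. Since oz-seccomp later replaces itself with the application via syscall.Exec without reopening fd 0, the application will inherit this drained pipe as its stdin; whatever cmd.Stdin was before this change is not visible here, so that side effect deserves confirming and a comment. The message `Unable to marshal seccomp state: %+v` is also the only capitalised error in the block; `unable to marshal profile for seccomp helper: %v` would match its neighbours. launchApplication begins and ends outside the hunk.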
--- a/oz-seccomp/seccomp.go
+++ b/oz-seccomp/seccomp.go
@@ -1,13 +1,16 @@
 package seccomp
 
 import (
+ "encoding/json"
 "fmt"
 "os"
+ "path"
 "syscall"
 
- "github.com/op/go-logging"
 "github.com/subgraph/go-seccomp"
 "github.com/subgraph/oz"
+
+ "github.com/op/go-logging"
 )
 
 func createLogger() *logging.Logger {
@@ -32,19 +35,8 @@ func Main() {
 os.Exit(1)
 }
 
- var getvar = func(name string) string {
- val := os.Getenv(name)
- if val == "" {
- log.Error("Error: missing required '%s' argument", name)
- os.Exit(1)
- }
- os.Setenv(name, "")
- return val
- }
-
 cmd := os.Args[2]
 cmdArgs := os.Args[2:]
- pname := getvar("_OZ_PROFILE")
 
 config, err := oz.LoadConfig(oz.DefaultConfigPath)
 if err != nil {
@@ -57,13 +49,19 @@ func Main() {
 }
 }
 
+ p := new(oz.Profile)
+ if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil {
+ log.Error("unable to decode profile data: %v", err)
+ os.Exit(1)
+ }
 
+/*
 p, err := loadProfile(config.ProfileDir, pname)
 if err != nil {
 log.Error("Could not load profile %s: %v", pname, err)
 os.Exit(1)
 }
-
+*/
 switch os.Args[1] {
 case "-w":
 if p.Seccomp.Seccomp_Whitelist == "" {
@@ -80,15 +78,14 @@ func Main() {
 log.Error("Error (seccomp): %v", err)
 os.Exit(1)
 }
- err = syscall.Exec(cmd, cmdArgs, oz.Environ())
+ err = syscall.Exec(cmd, cmdArgs, os.Environ())
 if err != nil {
 log.Error("Error (exec): %v", err)
 os.Exit(1)
 }
 case "-b":
 if p.Seccomp.Seccomp_Blacklist == "" {
- log.Error("No seccomp blacklist policy file.")
- os.Exit(1)
+ p.Seccomp.Seccomp_Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp")
 }
 filter, err := seccomp.CompileBlacklist(p.Seccomp.Seccomp_Blacklist)
 if err != nil {
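Review bot: In the third hunk `p` is already a `*oz.Profile` from `new(oz.Profile)`, so `Decode(&p)` hands encoding/json a `**oz.Profile`; it decodes correctly because the package allocates through the extra pointer, but the `new` is then wasted and the intent is clearer as `p := new(oz.Profile)` followed by `Decode(p)`. The superseded loadProfile call is fenced in `/* */` rather than deleted, and it still references `pname`, which this commit removes, so the block can never be re-enabled as written and should go (together with loadProfile itself if nothing else calls it, which a `go vet`/staticcheck run would show). A one-line comment above the decoder would also record the new contract, for example `// the launching oz-init process serialises the profile onto our stdin; nothing else is expected to invoke this helper`, since the decoded profile now selects the policy file and the only validation below is the empty-string test. Main begins and ends outside the hunk.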
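Review bot: In the fourth hunk the exec environment changes from `oz.Environ()` to `os.Environ()`, which passes the helper's entire environment to the application; if `oz.Environ()` filtered anything beyond the `_OZ_PROFILE` variable that the second hunk stops setting (its body is not in the diff), that sanitisation is lost and should be confirmed before merging. The `-b` fallback builds a filesystem location with `path.Join`, which is meant for slash-separated URL-style paths; `filepath.Join(config.EtcPrefix, "blacklist-generic.seccomp")` is the idiomatic call, with the first hunk's `"path"` import becoming `"path/filepath"`. That fallback also turns what used to be a hard error into a silent default, so an Info-level line such as `log.Info("no blacklist policy in profile, using %s", p.Seccomp.Seccomp_Blacklist)` would let an operator see which policy was actually applied; the `-w` branch above still treats an empty policy as fatal, which looks deliberate but deserves a comment saying why the two branches differ.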