Cleanup passing profile to seccomp wrapper and generic blacklist

master
xSmurf 10 years ago
parent 4ff81d924f
commit 2f7e27f121

@ -10,6 +10,7 @@ type Config struct {
ProfileDir string `json:"profile_dir" desc:"Directory containing the sandbox profiles"` ProfileDir string `json:"profile_dir" desc:"Directory containing the sandbox profiles"`
ShellPath string `json:"shell_path" desc:"Path of the shell used when entering a sandbox"` ShellPath string `json:"shell_path" desc:"Path of the shell used when entering a sandbox"`
PrefixPath string `json:"prefix_path" desc:"Prefix path containing the oz executables"` PrefixPath string `json:"prefix_path" desc:"Prefix path containing the oz executables"`
EtcPrefix string `json:"etc_prefix" desc:"Prefix for configuration files"`
SandboxPath string `json:"sandbox_path" desc:"Path of the sandboxes base"` SandboxPath string `json:"sandbox_path" desc:"Path of the sandboxes base"`
BridgeMACAddr string `json:"bridge_mac" desc:"MAC Address of the bridge interface"` BridgeMACAddr string `json:"bridge_mac" desc:"MAC Address of the bridge interface"`
DivertSuffix string `json:"divert_suffix" desc:"Suffix using for dpkg-divert of application executables"` DivertSuffix string `json:"divert_suffix" desc:"Suffix using for dpkg-divert of application executables"`
@ -29,6 +30,7 @@ func NewDefaultConfig() *Config {
ProfileDir: "/var/lib/oz/cells.d", ProfileDir: "/var/lib/oz/cells.d",
ShellPath: "/bin/bash", ShellPath: "/bin/bash",
PrefixPath: "/usr/local", PrefixPath: "/usr/local",
EtcPrefix: "/etc/oz",
SandboxPath: "/srv/oz", SandboxPath: "/srv/oz",
NMIgnoreFile: "/etc/NetworkManager/conf.d/oz.conf", NMIgnoreFile: "/etc/NetworkManager/conf.d/oz.conf",
BridgeMACAddr: "6A:A8:2E:56:E8:9C", BridgeMACAddr: "6A:A8:2E:56:E8:9C",

@ -381,7 +381,16 @@ func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*ex
if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST || if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST ||
st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST { st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST {
cmd.Env = append(cmd.Env, "_OZ_PROFILE="+st.profile.Name) pi, err := cmd.StdinPipe()
if err != nil {
return nil, fmt.Errorf("error creating stdin pipe for seccomp process: %v", err)
}
jdata, err := json.Marshal(st.profile)
if err != nil {
return nil, fmt.Errorf("Unable to marshal seccomp state: %+v", err)
}
io.Copy(pi, bytes.NewBuffer(jdata))
pi.Close()
} }
cmd.Args = append(cmd.Args, cmdArgs...) cmd.Args = append(cmd.Args, cmdArgs...)
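Review bot: The result of `io.Copy(pi, bytes.NewBuffer(jdata))` on the stdin-pipe write is discarded, so a failed or short write of the serialized profile is never reported here and only shows up later, if at all, as a JSON decode failure in the seccomp wrapper. The write also takes place inside launchApplication, before the returned `*exec.Cmd` can have been started (no Start call is visible in this hunk), so a profile whose JSON exceeds the kernel pipe buffer would block this goroutine indefinitely with no reader on the other end; if profiles can reach that size, the write belongs after Start or in its own goroutine. At minimum check the errors: `if _, err := pi.Write(jdata); err != nil { return nil, fmt.Errorf("error writing seccomp profile to stdin pipe: %v", err) }` and the same for `pi.Close()`. A comment such as `// oz-seccomp reads the JSON profile from stdin; close the pipe so it sees EOF` would explain why the write end is closed immediately. launchApplication's body continues outside the hunk.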

@ -1,13 +1,16 @@
package seccomp package seccomp
import ( import (
"encoding/json"
"fmt" "fmt"
"os" "os"
"path"
"syscall" "syscall"
"github.com/op/go-logging"
"github.com/subgraph/go-seccomp" "github.com/subgraph/go-seccomp"
"github.com/subgraph/oz" "github.com/subgraph/oz"
"github.com/op/go-logging"
) )
func createLogger() *logging.Logger { func createLogger() *logging.Logger {
@ -32,19 +35,8 @@ func Main() {
os.Exit(1) os.Exit(1)
} }
var getvar = func(name string) string {
val := os.Getenv(name)
if val == "" {
log.Error("Error: missing required '%s' argument", name)
os.Exit(1)
}
os.Setenv(name, "")
return val
}
cmd := os.Args[2] cmd := os.Args[2]
cmdArgs := os.Args[2:] cmdArgs := os.Args[2:]
pname := getvar("_OZ_PROFILE")
config, err := oz.LoadConfig(oz.DefaultConfigPath) config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil { if err != nil {
@ -57,13 +49,19 @@ func Main() {
} }
} }
p := new(oz.Profile)
if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil {
log.Error("unable to decode profile data: %v", err)
os.Exit(1)
}
/*
p, err := loadProfile(config.ProfileDir, pname) p, err := loadProfile(config.ProfileDir, pname)
if err != nil { if err != nil {
log.Error("Could not load profile %s: %v", pname, err) log.Error("Could not load profile %s: %v", pname, err)
os.Exit(1) os.Exit(1)
} }
*/
switch os.Args[1] { switch os.Args[1] {
case "-w": case "-w":
if p.Seccomp.Seccomp_Whitelist == "" { if p.Seccomp.Seccomp_Whitelist == "" {
@ -80,15 +78,14 @@ func Main() {
log.Error("Error (seccomp): %v", err) log.Error("Error (seccomp): %v", err)
os.Exit(1) os.Exit(1)
} }
err = syscall.Exec(cmd, cmdArgs, oz.Environ()) err = syscall.Exec(cmd, cmdArgs, os.Environ())
if err != nil { if err != nil {
log.Error("Error (exec): %v", err) log.Error("Error (exec): %v", err)
os.Exit(1) os.Exit(1)
} }
case "-b": case "-b":
if p.Seccomp.Seccomp_Blacklist == "" { if p.Seccomp.Seccomp_Blacklist == "" {
log.Error("No seccomp blacklist policy file.") p.Seccomp.Seccomp_Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp")
os.Exit(1)
} }
filter, err := seccomp.CompileBlacklist(p.Seccomp.Seccomp_Blacklist) filter, err := seccomp.CompileBlacklist(p.Seccomp.Seccomp_Blacklist)
if err != nil { if err != nil {
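Review bot: The new `-b` fallback `p.Seccomp.Seccomp_Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp")` turns what was a hard error into a silent substitution of a generic policy, so a profile that was meant to carry its own blacklist but arrived without one (a dropped field in the JSON now read from stdin, a typo in the profile) runs under a different, possibly weaker, filter with nothing in the log to say so; record the substitution, e.g. `log.Warning("No blacklist in profile %s, using %s", p.Name, p.Seccomp.Seccomp_Blacklist)`, and use `filepath.Join` rather than `path.Join` for a filesystem path. The replacement of `oz.Environ()` with `os.Environ()` in the `-w` branch (and presumably in the `-b` branch past the hunk) means the sandboxed program now inherits the wrapper's entire environment; if `oz.Environ()` existed to strip oz-internal variables, that filtering is gone and should be confirmed as intentional now that the profile no longer travels in `_OZ_PROFILE`. Main's body continues beyond the hunk.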
