Cleanup passing profile to seccomp wrapper and generic blacklist

9 years ago · 2f7e27f121
parent 4ff81d924f
commit 2f7e27f121
3 changed files with 26 additions and 18 deletions
--- a/config.go
+++ b/config.go
@ -10,6 +10,7 @@ type Config struct {
 	ProfileDir      string   `json:"profile_dir" desc:"Directory containing the sandbox profiles"`
 	ShellPath       string   `json:"shell_path" desc:"Path of the shell used when entering a sandbox"`
 	PrefixPath      string   `json:"prefix_path" desc:"Prefix path containing the oz executables"`
 	EtcPrefix       string   `json:"etc_prefix" desc:"Prefix for configuration files"`
 	SandboxPath     string   `json:"sandbox_path" desc:"Path of the sandboxes base"`
 	BridgeMACAddr   string   `json:"bridge_mac" desc:"MAC Address of the bridge interface"`
 	DivertSuffix    string   `json:"divert_suffix" desc:"Suffix using for dpkg-divert of application executables"`
@ -29,6 +30,7 @@ func NewDefaultConfig() *Config {
 		ProfileDir:      "/var/lib/oz/cells.d",
 		ShellPath:       "/bin/bash",
 		PrefixPath:      "/usr/local",
 		EtcPrefix:       "/etc/oz",
 		SandboxPath:     "/srv/oz",
 		NMIgnoreFile:    "/etc/NetworkManager/conf.d/oz.conf",
 		BridgeMACAddr:   "6A:A8:2E:56:E8:9C",
--- a/oz-init/init.go
+++ b/oz-init/init.go
@ -380,8 +380,17 @@ func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*ex
 	cmd.Env = append(cmd.Env, st.launchEnv...)
 	if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST ||
-		st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST {
+	st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_BLACKLIST {
-		cmd.Env = append(cmd.Env, "_OZ_PROFILE="+st.profile.Name)
+		pi, err := cmd.StdinPipe()
 		if err != nil {
 			return nil, fmt.Errorf("error creating stdin pipe for seccomp process: %v", err)
 		}
 		jdata, err := json.Marshal(st.profile)
 		if err != nil {
 			return nil, fmt.Errorf("Unable to marshal seccomp state: %+v", err)
 		}
 		io.Copy(pi, bytes.NewBuffer(jdata))
 		pi.Close()
 	}
 	cmd.Args = append(cmd.Args, cmdArgs...)
--- a/oz-seccomp/seccomp.go
+++ b/oz-seccomp/seccomp.go
@ -1,13 +1,16 @@
 package seccomp
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"path"
 	"syscall"
 	"github.com/op/go-logging"
 	"github.com/subgraph/go-seccomp"
 	"github.com/subgraph/oz"
 	"github.com/op/go-logging"
 )
 func createLogger() *logging.Logger {
@ -32,19 +35,8 @@ func Main() {
 		os.Exit(1)
 	}
 	var getvar = func(name string) string {
 		val := os.Getenv(name)
 		if val == "" {
 			log.Error("Error: missing required '%s' argument", name)
 			os.Exit(1)
 		}
 		os.Setenv(name, "")
 		return val
 	}
 	cmd := os.Args[2]
 	cmdArgs := os.Args[2:]
 	pname := getvar("_OZ_PROFILE")
 	config, err := oz.LoadConfig(oz.DefaultConfigPath)
 	if err != nil {
@ -57,13 +49,19 @@ func Main() {
 		}
 	}
 	p := new(oz.Profile)
 	if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil {
 		log.Error("unable to decode profile data: %v", err)
 		os.Exit(1)
 	}
 /*
 	p, err := loadProfile(config.ProfileDir, pname)
 	if err != nil {
 		log.Error("Could not load profile %s: %v", pname, err)
 		os.Exit(1)
 	}
-
+*/
 	switch os.Args[1] {
 	case "-w":
 		if p.Seccomp.Seccomp_Whitelist == "" {
@ -80,15 +78,14 @@ func Main() {
 			log.Error("Error (seccomp): %v", err)
 			os.Exit(1)
 		}
-		err = syscall.Exec(cmd, cmdArgs, oz.Environ())
+		err = syscall.Exec(cmd, cmdArgs, os.Environ())
 		if err != nil {
 			log.Error("Error (exec): %v", err)
 			os.Exit(1)
 		}
 	case "-b":
 		if p.Seccomp.Seccomp_Blacklist == "" {
-			log.Error("No seccomp blacklist policy file.")
+			p.Seccomp.Seccomp_Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp")
 			os.Exit(1)
 		}
 		filter, err := seccomp.CompileBlacklist(p.Seccomp.Seccomp_Blacklist)
 		if err != nil {