From 6df101331f5d4359932b0103dc4a8febf21ca11b Mon Sep 17 00:00:00 2001
From: xSmurf
Date: Sun, 12 Jul 2015 22:22:39 +0000
Subject: [PATCH] Cleanup
---
 cmd/oz-seccomp/main.go | 9 +++++++++
 oz-init/init.go | 29 +++++++++++------------------
 oz-seccomp/seccomp.go | 7 ++++---
 profile.go | 13 ++++++++++---
 4 files changed, 34 insertions(+), 24 deletions(-)
 create mode 100644 cmd/oz-seccomp/main.go
diff --git a/cmd/oz-seccomp/main.go b/cmd/oz-seccomp/main.go
new file mode 100644
index 0000000..208f903
--- /dev/null
+++ b/cmd/oz-seccomp/main.go
@@ -0,0 +1,9 @@
+package main
+
+import (
+ ozseccomp "github.com/subgraph/oz/oz-seccomp"
+)
+
+func main() {
+ ozseccomp.Main()
+}
diff --git a/oz-init/init.go b/oz-init/init.go
index 0d58daf..e533241 100644
--- a/oz-init/init.go
+++ b/oz-init/init.go
@@ -209,11 +209,6 @@ func (st *initState) runInit() {
 st.launchEnv = append(st.launchEnv, "HOME="+st.user.HomeDir)
 }
- pname := os.Getenv("INIT_PROFILE")
- if (pname != "") {
- st.launchEnv = append(st.launchEnv, "INIT_PROFILE="+pname)
- }
-
 if st.profile.Networking.Nettype != network.TYPE_HOST {
 err := network.NetSetup(st.network)
 if err != nil {
@@ -307,23 +302,17 @@ func (st *initState) readXpraOutput(r io.ReadCloser) {
 }
 func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*exec.Cmd, error) {
- suffix := ""
- if st.config.DivertSuffix != "" {
- suffix = "." + st.config.DivertSuffix
- }
-
 if cpath == "" {
 cpath = st.profile.Path
 }
+ if st.config.DivertSuffix != "" {
+ cpath += "." + st.config.DivertSuffix
+ }
- cpath = cpath + suffix
-
- if st.profile.Seccomp.Mode == "whitelist" {
- st.log.Warning("cmdArgs %v", cmdArgs)
- args := []string{"-w",cpath}
- cmdArgs = append(args, cmdArgs...)
- cpath = "/usr/bin/seccomp-wrapper"
-
+ if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST {
+ st.log.Notice("Enabling seccomp whitelist for: %s", cpath)
+ cmdArgs = append([]string{"-w",cpath}, cmdArgs...)
+ cpath = path.Join(st.config.PrefixPath, "bin", "oz-seccomp")
 }
 cmd := exec.Command(cpath)
 stdout, err := cmd.StdoutPipe()
@@ -343,6 +332,10 @@ func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*ex
 }
 cmd.Env = append(cmd.Env, st.launchEnv...)
+ if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST {
+ cmd.Env = append(cmd.Env, "_OZ_PROFILE="+st.profile.Name)
+ }
+
 cmd.Args = append(cmd.Args, cmdArgs...)
 if _, err := os.Stat(pwd); err == nil {
diff --git a/oz-seccomp/seccomp.go b/oz-seccomp/seccomp.go
index a9b941b..24f0c36 100644
--- a/oz-seccomp/seccomp.go
+++ b/oz-seccomp/seccomp.go
@@ -1,4 +1,4 @@
-package main
+package seccomp
 import (
 "fmt"
@@ -19,7 +19,7 @@ func createLogger() *logging.Logger {
 return l
 }
-func main() {
+func Main() {
 log := createLogger()
 if len(os.Args) < 3 {
@@ -33,13 +33,14 @@ func main() {
 log.Error("Error: missing required '%s' argument", name)
 os.Exit(1)
 }
+ os.Setenv(name, "")
 return val
 }
 cmd := os.Args[2]
 cmdArgs := os.Args[2:]
 env := os.Environ()
- pname := getvar("INIT_PROFILE")
+ pname := getvar("_OZ_PROFILE")
 config, err := oz.LoadConfig(oz.DefaultConfigPath)
 if err != nil {
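Review bot: The new mode check in launchApplication handles only oz.PROFILE_SECCOMP_WHITELIST, so a profile whose Seccomp.Mode is blacklist, disabled, or any misspelled string launches cpath with no wrapper and no error, which is the opposite of fail-closed for a sandbox; the same comparison is repeated in the next hunk where _OZ_PROFILE is added to cmd.Env. A switch with one case per constant and a default that returns an error makes an unrecognised mode refuse to launch; whether blacklist mode is also meant to go through the wrapper is not visible in this hunk, so that case is left as an open question. Separately, `[]string{"-w",cpath}` lacks the space after the comma that gofmt inserts. The body of launchApplication continues beyond the end of this hunk.
```go
	switch st.profile.Seccomp.Mode {
	case oz.PROFILE_SECCOMP_WHITELIST:
		st.log.Notice("Enabling seccomp whitelist for: %s", cpath)
		cmdArgs = append([]string{"-w", cpath}, cmdArgs...)
		cpath = path.Join(st.config.PrefixPath, "bin", "oz-seccomp")
	case oz.PROFILE_SECCOMP_BLACKLIST, oz.PROFILE_SECCOMP_DISABLED:
		// TODO(review): confirm whether blacklist mode must also run under the wrapper
	default:
		// Refuse to launch rather than silently run unconfined.
		return nil, fmt.Errorf("unsupported seccomp mode %q", st.profile.Seccomp.Mode)
	}
	// … unchanged: exec.Command(cpath) and pipe setup …
```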
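Review bot: The `os.Setenv(name, "")` added to getvar runs after `env := os.Environ()` has already taken its snapshot a few lines earlier, so if `env` is what Main later hands to the exec'd program (that call is outside this hunk) the child still receives `_OZ_PROFILE=<profile name>` and the scrub does nothing. Setting the variable to an empty string also keeps the name present in the environment rather than removing it; `os.Unsetenv(name)` is the call for that. Capturing the environment after the getvar calls fixes the ordering: `pname := getvar("_OZ_PROFILE")` followed by `env := os.Environ()`, with `os.Unsetenv(name)` in place of the Setenv. Main continues outside the hunk.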
diff --git a/profile.go b/profile.go
index c8605ce..41b82a7 100644
--- a/profile.go
+++ b/profile.go
@@ -66,8 +66,16 @@ type XServerConf struct {
 AudioMode AudioMode `json:"audio_mode"`
 }
+type SeccompMode string
+
+const (
+ PROFILE_SECCOMP_WHITELIST SeccompMode = "whitelist"
+ PROFILE_SECCOMP_BLACKLIST SeccompMode = "blacklist"
+ PROFILE_SECCOMP_DISABLED SeccompMode = "disabled"
+)
+
 type SeccompConf struct {
- Mode string
+ Mode SeccompMode
 Enforce bool
 Seccomp_Whitelist string
 Seccomp_Blacklist string
@@ -168,8 +176,7 @@ func LoadProfiles(dir string) (Profiles, error) {
 for _, f := range fs {
 if !f.IsDir() {
 name := path.Join(dir, f.Name())
- if strings.Contains(f.Name(), ".json") {
-
+ if strings.HasSuffix(f.Name(), ".json") {
 p, err := loadProfileFile(name)
 if err != nil {
 return nil, fmt.Errorf("error loading '%s': %v", f.Name(), err)
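Review bot: SeccompMode is a plain string type that encoding/json fills with whatever the profile file contains, and nothing in this hunk rejects a value outside the three new constants, so a misspelled mode is accepted at load time and only surfaces later, at each comparison site, as whatever the unmatched branch happens to do. Refusing the profile when it is loaded is the safer behaviour for a sandbox setting; a small validity method on the type, called from loadProfileFile after decoding (that function is outside this hunk), covers it. The ALL_CAPS constant names match the existing project style seen in `network.TYPE_HOST` even though Go convention is MixedCaps, so they are at least consistent. The strings.Contains to strings.HasSuffix change in the second hunk is correct as written.
```go
// IsValid reports whether m is one of the seccomp modes the sandbox understands.
func (m SeccompMode) IsValid() bool {
	switch m {
	case PROFILE_SECCOMP_WHITELIST, PROFILE_SECCOMP_BLACKLIST, PROFILE_SECCOMP_DISABLED:
		return true
	}
	return false
}
```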