master
xSmurf 10 years ago
parent 046bc48d51
commit 6df101331f

@ -0,0 +1,9 @@
package main
import (
ozseccomp "github.com/subgraph/oz/oz-seccomp"
)
func main() {
ozseccomp.Main()
}

@ -209,11 +209,6 @@ func (st *initState) runInit() {
st.launchEnv = append(st.launchEnv, "HOME="+st.user.HomeDir)
}
pname := os.Getenv("INIT_PROFILE")
if (pname != "") {
st.launchEnv = append(st.launchEnv, "INIT_PROFILE="+pname)
}
if st.profile.Networking.Nettype != network.TYPE_HOST {
err := network.NetSetup(st.network)
if err != nil {
@ -307,23 +302,17 @@ func (st *initState) readXpraOutput(r io.ReadCloser) {
}
func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*exec.Cmd, error) {
suffix := ""
if st.config.DivertSuffix != "" {
suffix = "." + st.config.DivertSuffix
}
if cpath == "" {
cpath = st.profile.Path
}
if st.config.DivertSuffix != "" {
cpath += "." + st.config.DivertSuffix
}
cpath = cpath + suffix
if st.profile.Seccomp.Mode == "whitelist" {
st.log.Warning("cmdArgs %v", cmdArgs)
args := []string{"-w",cpath}
cmdArgs = append(args, cmdArgs...)
cpath = "/usr/bin/seccomp-wrapper"
if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST {
st.log.Notice("Enabling seccomp whitelist for: %s", cpath)
cmdArgs = append([]string{"-w",cpath}, cmdArgs...)
cpath = path.Join(st.config.PrefixPath, "bin", "oz-seccomp")
}
cmd := exec.Command(cpath)
stdout, err := cmd.StdoutPipe()
@ -343,6 +332,10 @@ func (st *initState) launchApplication(cpath, pwd string, cmdArgs []string) (*ex
}
cmd.Env = append(cmd.Env, st.launchEnv...)
if st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST {
cmd.Env = append(cmd.Env, "_OZ_PROFILE="+st.profile.Name)
}
cmd.Args = append(cmd.Args, cmdArgs...)
if _, err := os.Stat(pwd); err == nil {
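Review bot: The wrapper path built by `cpath = path.Join(st.config.PrefixPath, "bin", "oz-seccomp")` becomes the relative `bin/oz-seccomp` whenever `PrefixPath` is empty, and `exec.Command` resolves a slash-containing relative path against the working directory, which the code after this hunk appears to derive from the caller-supplied `pwd`; the seccomp wrapper would then be looked up in a directory the sandboxed user can influence. Reject that before the exec, e.g. `if !path.IsAbs(cpath) { return nil, errors.New("seccomp wrapper path must be absolute: " + cpath) }` (or validate `PrefixPath` once at config load). The whitelist condition is also evaluated a second time in the later hunk to add `_OZ_PROFILE`; computing it once as `useSeccomp := st.profile.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST` keeps the wrapper and the env var it requires from drifting apart. launchApplication continues past the end of this hunk.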

@ -1,4 +1,4 @@
package main
package seccomp
import (
"fmt"
@ -19,7 +19,7 @@ func createLogger() *logging.Logger {
return l
}
func main() {
func Main() {
log := createLogger()
if len(os.Args) < 3 {
@ -33,13 +33,14 @@ func main() {
log.Error("Error: missing required '%s' argument", name)
os.Exit(1)
}
os.Setenv(name, "")
return val
}
cmd := os.Args[2]
cmdArgs := os.Args[2:]
env := os.Environ()
pname := getvar("INIT_PROFILE")
pname := getvar("_OZ_PROFILE")
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
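Review bot: The added `os.Setenv(name, "")` in getvar does not remove `_OZ_PROFILE` from the environment — it leaves an empty `_OZ_PROFILE=` entry — and it runs only after `env := os.Environ()` on the line above has already taken its snapshot, so whatever that slice is later passed to still carries the real profile name. If the intent is to keep the wrapper's control variable out of the sandboxed program, use `os.Unsetenv(name)` and move the `env := os.Environ()` capture below the `getvar` calls, or filter the entry out of the captured slice. Main's body continues past the end of this hunk, so where env is consumed is not visible here.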

@ -66,8 +66,16 @@ type XServerConf struct {
AudioMode AudioMode `json:"audio_mode"`
}
type SeccompMode string
const (
PROFILE_SECCOMP_WHITELIST SeccompMode = "whitelist"
PROFILE_SECCOMP_BLACKLIST SeccompMode = "blacklist"
PROFILE_SECCOMP_DISABLED SeccompMode = "disabled"
)
type SeccompConf struct {
Mode string
Mode SeccompMode
Enforce bool
Seccomp_Whitelist string
Seccomp_Blacklist string
@ -168,8 +176,7 @@ func LoadProfiles(dir string) (Profiles, error) {
for _, f := range fs {
if !f.IsDir() {
name := path.Join(dir, f.Name())
if strings.Contains(f.Name(), ".json") {
if strings.HasSuffix(f.Name(), ".json") {
p, err := loadProfileFile(name)
if err != nil {
return nil, fmt.Errorf("error loading '%s': %v", f.Name(), err)
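Review bot: Introducing `SeccompMode` with three named constants still leaves the field open to any other string: nothing in this hunk rejects a profile whose `Mode` is misspelled or unknown, and since the init side in this commit only engages the wrapper on an exact `PROFILE_SECCOMP_WHITELIST` match, a typo silently fails open to no seccomp filter at all. Validate the value where profiles are decoded (loadProfileFile is outside this hunk), e.g. `switch p.Seccomp.Mode { case PROFILE_SECCOMP_WHITELIST, PROFILE_SECCOMP_BLACKLIST, PROFILE_SECCOMP_DISABLED: default: return nil, fmt.Errorf("unknown seccomp mode %q", p.Seccomp.Mode) }`. A doc comment on the type saying whether an empty value is meant to behave as `disabled` would also help, since the zero value currently matches none of the constants.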
