Tentative: Adding seccomp default blacklist to xpra/xorg server and client

oz-daemon/launch.go

@@ -406,12 +406,14 @@ func (sbox *Sandbox) startXpraClient() {
 		&sbox.profile.XServer,
 		uint64(sbox.display),
 		sbox.cred,
+		path.Join(sbox.daemon.config.PrefixPath, "bin", "oz-seccomp"),
 		xpraPath,
 		sbox.profile.Name,
 		sbox.daemon.log)
 
 	sbox.xpra.Process.Env = append(sbox.rawEnv, sbox.xpra.Process.Env...)
 
+	//sbox.daemon.log.Debug("%s %s", strings.Join(sbox.xpra.Process.Env, " "), strings.Join(sbox.xpra.Process.Args, " "))
 	if sbox.daemon.config.LogXpra {
 		sbox.setupXpraLogging()
 	}

oz-init/init.go

@@ -243,7 +243,7 @@ func (st *initState) getDbusSession() error {
 	}
 	dcmd := exec.Command("/usr/bin/dbus-launch", args...)
 	dcmd.Env = append([]string{}, st.launchEnv...)
-	st.log.Debug("%s /usr/bin/dbus-launch %s", strings.Join(dcmd.Env, " "), strings.Join(args, " "))
+	//st.log.Debug("%s /usr/bin/dbus-launch %s", strings.Join(dcmd.Env, " "), strings.Join(args, " "))
 	dcmd.SysProcAttr = &syscall.SysProcAttr{}
 	dcmd.SysProcAttr.Credential = &syscall.Credential{
 		Uid:    st.uid,
@@ -281,10 +281,16 @@ func (st *initState) startXpraServer() {
 	}
 	workdir := path.Join(st.user.HomeDir, ".Xoz", st.profile.Name)
 	st.log.Info("xpra work dir is %s", workdir)
-	xpra := xpra.NewServer(&st.profile.XServer, uint64(st.display), workdir)
+	spath := path.Join(st.config.PrefixPath, "bin", "oz-seccomp")
+	xpra := xpra.NewServer(&st.profile.XServer, uint64(st.display), spath, workdir)
+	//st.log.Debug("%s %s", strings.Join(xpra.Process.Env, " "), strings.Join(xpra.Process.Args, " "))
+	if xpra == nil {
+		st.log.Error("Error creating xpra server command")
+		os.Exit(1)
+	}
 	p, err := xpra.Process.StderrPipe()
 	if err != nil {
-		st.log.Warning("Error creating stderr pipe for xpra output: %v", err)
+		st.log.Error("Error creating stderr pipe for xpra output: %v", err)
 		os.Exit(1)
 	}
 	go st.readXpraOutput(p)

oz-seccomp/seccomp.go

@@ -22,19 +22,18 @@ func createLogger() *logging.Logger {
 	return l
 }
 
-func Main() {
-	log := createLogger()
+var log *logging.Logger
+
+func init() {
+	log = createLogger()
+}
 
+func Main() {
 	if len(os.Args) < 3 {
 		log.Error("seccomp-wrapper: Not enough arguments.")
 		os.Exit(1)
 	}
 
-	if os.Getppid() != 1 {
-		log.Error("oz-seccomp wrapper must be called from oz-init!")
-		os.Exit(1)
-	}
-
 	cmd := os.Args[2]
 	cmdArgs := os.Args[2:]
 
@@ -54,14 +53,7 @@ func Main() {
 		log.Error("unable to decode profile data: %v", err)
 		os.Exit(1)
 	}
-/*
-	p, err := loadProfile(config.ProfileDir, pname)
 
-	if err != nil {
-		log.Error("Could not load profile %s: %v", pname, err)
-		os.Exit(1)
-	}
-*/
 	switch os.Args[1] {
 	case "-w":
 		if p.Seccomp.Seccomp_Whitelist == "" {

xpra/client.go

@@ -21,13 +21,16 @@ var xpraClientDefaultArgs = []string{
 	"--no-keyboard-sync",
 }
 
-func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential, workdir string, hostname string, log *logging.Logger) *Xpra {
+func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential, spath, workdir, hostname string, log *logging.Logger) *Xpra {
 	x := new(Xpra)
 	x.Config = config
 	x.Display = display
 	x.WorkDir = workdir
 	x.xpraArgs = prepareClientArgs(config, display, workdir, log)
-	x.Process = exec.Command("/usr/bin/xpra", x.xpraArgs...)
+
+	x.xpraArgs = append([]string{"-b", "/usr/bin/xpra"}, x.xpraArgs...)
+
+	x.Process = exec.Command(spath, x.xpraArgs...)
 	x.Process.SysProcAttr = &syscall.SysProcAttr{
 		Credential: cred,
 	}
@@ -36,6 +39,11 @@ func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential,
 		fmt.Sprintf("TMPDIR=%s", workdir),
 		fmt.Sprintf("XPRA_SOCKET_HOSTNAME=%s", hostname),
 	}
+
+	if err := writeFakeProfile(x.Process); err != nil {
+		return nil
+	}
+
 	return x
 }
 

xpra/server.go

@@ -2,9 +2,10 @@ package xpra
 
 import (
 	"fmt"
-	"github.com/subgraph/oz"
 	"os"
 	"os/exec"
+
+	"github.com/subgraph/oz"
 )
 
 var xpraServerDefaultArgs = []string{
@@ -13,32 +14,39 @@ var xpraServerDefaultArgs = []string{
 	"--input-method=keep",
 }
 
-func NewServer(config *oz.XServerConf, display uint64, workdir string) *Xpra {
+func NewServer(config *oz.XServerConf, display uint64, spath, workdir string) *Xpra {
 	x := new(Xpra)
 	x.Config = config
 	x.Display = display
 	x.WorkDir = workdir
 	x.xpraArgs = prepareServerArgs(config, display, workdir)
-	x.Process = exec.Command("/usr/bin/xpra", x.xpraArgs...)
+
+	x.xpraArgs = append([]string{"-b", "/usr/bin/xpra"}, x.xpraArgs...)
+
+	x.Process = exec.Command(spath, x.xpraArgs...)
 	x.Process.Env = append(os.Environ(),
 		"TMPDIR="+workdir,
 	)
 
+	if err := writeFakeProfile(x.Process); err != nil {
+		return nil
+	}
+
 	return x
 }
 
 func prepareServerArgs(config *oz.XServerConf, display uint64, workdir string) []string {
 	args := getDefaultArgs(config)
 	args = append(args, xpraServerDefaultArgs...)
-	args = append(args,
-		fmt.Sprintf("--socket-dir=%s", workdir),
-		"start",
-		fmt.Sprintf(":%d", display),
-	)
 	if config.AudioMode == oz.PROFILE_AUDIO_FULL || config.AudioMode == oz.PROFILE_AUDIO_SPEAKER {
 		args = append(args, "--pulseaudio")
 	} else {
 		args = append(args, "--no-pulseaudio")
 	}
+	args = append(args,
+		fmt.Sprintf("--socket-dir=%s", workdir),
+		"start",
+		fmt.Sprintf(":%d", display),
+	)
 	return args
 }

xpra/xpra.go

@@ -1,15 +1,19 @@
 package xpra
 
 import (
+	"bytes"
+	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/subgraph/oz"
+	"io"
 	"os"
 	"os/exec"
 	"os/user"
 	"path"
 	"strconv"
 	"syscall"
+
+	"github.com/subgraph/oz"
 )
 
 type Xpra struct {
@@ -121,3 +125,21 @@ func userIds(user *user.User) (int, int, error) {
 	}
 	return uid, gid, nil
 }
+
+func writeFakeProfile(cmd *exec.Cmd) error {
+	pi, err := cmd.StdinPipe()
+	if err != nil {
+		return nil
+	}
+	emptyProfile := new(oz.Profile)
+	emptyProfile.Seccomp.Mode = "blacklist"
+	emptyProfile.Seccomp.Enforce = true
+	jdata, err := json.Marshal(emptyProfile)
+	if err != nil {
+		return err
+	}
+	io.Copy(pi, bytes.NewBuffer(jdata))
+	pi.Close()
+
+	return nil
+}