Tentative: Adding seccomp default blacklist to xpra/xorg server and client

master
xSmurf 10 years ago
parent f9214ee18f
commit a7e891f4fc

@ -406,12 +406,14 @@ func (sbox *Sandbox) startXpraClient() {
&sbox.profile.XServer,
uint64(sbox.display),
sbox.cred,
path.Join(sbox.daemon.config.PrefixPath, "bin", "oz-seccomp"),
xpraPath,
sbox.profile.Name,
sbox.daemon.log)
sbox.xpra.Process.Env = append(sbox.rawEnv, sbox.xpra.Process.Env...)
//sbox.daemon.log.Debug("%s %s", strings.Join(sbox.xpra.Process.Env, " "), strings.Join(sbox.xpra.Process.Args, " "))
if sbox.daemon.config.LogXpra {
sbox.setupXpraLogging()
}

@ -243,7 +243,7 @@ func (st *initState) getDbusSession() error {
}
dcmd := exec.Command("/usr/bin/dbus-launch", args...)
dcmd.Env = append([]string{}, st.launchEnv...)
st.log.Debug("%s /usr/bin/dbus-launch %s", strings.Join(dcmd.Env, " "), strings.Join(args, " "))
//st.log.Debug("%s /usr/bin/dbus-launch %s", strings.Join(dcmd.Env, " "), strings.Join(args, " "))
dcmd.SysProcAttr = &syscall.SysProcAttr{}
dcmd.SysProcAttr.Credential = &syscall.Credential{
Uid: st.uid,
@ -281,10 +281,16 @@ func (st *initState) startXpraServer() {
}
workdir := path.Join(st.user.HomeDir, ".Xoz", st.profile.Name)
st.log.Info("xpra work dir is %s", workdir)
xpra := xpra.NewServer(&st.profile.XServer, uint64(st.display), workdir)
spath := path.Join(st.config.PrefixPath, "bin", "oz-seccomp")
xpra := xpra.NewServer(&st.profile.XServer, uint64(st.display), spath, workdir)
//st.log.Debug("%s %s", strings.Join(xpra.Process.Env, " "), strings.Join(xpra.Process.Args, " "))
if xpra == nil {
st.log.Error("Error creating xpra server command")
os.Exit(1)
}
p, err := xpra.Process.StderrPipe()
if err != nil {
st.log.Warning("Error creating stderr pipe for xpra output: %v", err)
st.log.Error("Error creating stderr pipe for xpra output: %v", err)
os.Exit(1)
}
go st.readXpraOutput(p)

@ -22,19 +22,18 @@ func createLogger() *logging.Logger {
return l
}
func Main() {
log := createLogger()
var log *logging.Logger
func init() {
log = createLogger()
}
func Main() {
if len(os.Args) < 3 {
log.Error("seccomp-wrapper: Not enough arguments.")
os.Exit(1)
}
if os.Getppid() != 1 {
log.Error("oz-seccomp wrapper must be called from oz-init!")
os.Exit(1)
}
cmd := os.Args[2]
cmdArgs := os.Args[2:]
@ -54,14 +53,7 @@ func Main() {
log.Error("unable to decode profile data: %v", err)
os.Exit(1)
}
/*
p, err := loadProfile(config.ProfileDir, pname)
if err != nil {
log.Error("Could not load profile %s: %v", pname, err)
os.Exit(1)
}
*/
switch os.Args[1] {
case "-w":
if p.Seccomp.Seccomp_Whitelist == "" {

@ -21,13 +21,16 @@ var xpraClientDefaultArgs = []string{
"--no-keyboard-sync",
}
func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential, workdir string, hostname string, log *logging.Logger) *Xpra {
func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential, spath, workdir, hostname string, log *logging.Logger) *Xpra {
x := new(Xpra)
x.Config = config
x.Display = display
x.WorkDir = workdir
x.xpraArgs = prepareClientArgs(config, display, workdir, log)
x.Process = exec.Command("/usr/bin/xpra", x.xpraArgs...)
x.xpraArgs = append([]string{"-b", "/usr/bin/xpra"}, x.xpraArgs...)
x.Process = exec.Command(spath, x.xpraArgs...)
x.Process.SysProcAttr = &syscall.SysProcAttr{
Credential: cred,
}
@ -36,6 +39,11 @@ func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential,
fmt.Sprintf("TMPDIR=%s", workdir),
fmt.Sprintf("XPRA_SOCKET_HOSTNAME=%s", hostname),
}
if err := writeFakeProfile(x.Process); err != nil {
return nil
}
return x
}

@ -2,9 +2,10 @@ package xpra
import (
"fmt"
"github.com/subgraph/oz"
"os"
"os/exec"
"github.com/subgraph/oz"
)
var xpraServerDefaultArgs = []string{
@ -13,32 +14,39 @@ var xpraServerDefaultArgs = []string{
"--input-method=keep",
}
func NewServer(config *oz.XServerConf, display uint64, workdir string) *Xpra {
func NewServer(config *oz.XServerConf, display uint64, spath, workdir string) *Xpra {
x := new(Xpra)
x.Config = config
x.Display = display
x.WorkDir = workdir
x.xpraArgs = prepareServerArgs(config, display, workdir)
x.Process = exec.Command("/usr/bin/xpra", x.xpraArgs...)
x.xpraArgs = append([]string{"-b", "/usr/bin/xpra"}, x.xpraArgs...)
x.Process = exec.Command(spath, x.xpraArgs...)
x.Process.Env = append(os.Environ(),
"TMPDIR="+workdir,
)
if err := writeFakeProfile(x.Process); err != nil {
return nil
}
return x
}
func prepareServerArgs(config *oz.XServerConf, display uint64, workdir string) []string {
args := getDefaultArgs(config)
args = append(args, xpraServerDefaultArgs...)
args = append(args,
fmt.Sprintf("--socket-dir=%s", workdir),
"start",
fmt.Sprintf(":%d", display),
)
if config.AudioMode == oz.PROFILE_AUDIO_FULL || config.AudioMode == oz.PROFILE_AUDIO_SPEAKER {
args = append(args, "--pulseaudio")
} else {
args = append(args, "--no-pulseaudio")
}
args = append(args,
fmt.Sprintf("--socket-dir=%s", workdir),
"start",
fmt.Sprintf(":%d", display),
)
return args
}

@ -1,15 +1,19 @@
package xpra
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"github.com/subgraph/oz"
"io"
"os"
"os/exec"
"os/user"
"path"
"strconv"
"syscall"
"github.com/subgraph/oz"
)
type Xpra struct {
@ -121,3 +125,21 @@ func userIds(user *user.User) (int, int, error) {
}
return uid, gid, nil
}
func writeFakeProfile(cmd *exec.Cmd) error {
pi, err := cmd.StdinPipe()
if err != nil {
return nil
}
emptyProfile := new(oz.Profile)
emptyProfile.Seccomp.Mode = "blacklist"
emptyProfile.Seccomp.Enforce = true
jdata, err := json.Marshal(emptyProfile)
if err != nil {
return err
}
io.Copy(pi, bytes.NewBuffer(jdata))
pi.Close()
return nil
}

Loading…
Cancel
Save