Tentative: Adding seccomp default blacklist to xpra/xorg server and client

master
xSmurf 9 years ago
parent f9214ee18f
commit a7e891f4fc

@ -406,12 +406,14 @@ func (sbox *Sandbox) startXpraClient() {
&sbox.profile.XServer, &sbox.profile.XServer,
uint64(sbox.display), uint64(sbox.display),
sbox.cred, sbox.cred,
path.Join(sbox.daemon.config.PrefixPath, "bin", "oz-seccomp"),
xpraPath, xpraPath,
sbox.profile.Name, sbox.profile.Name,
sbox.daemon.log) sbox.daemon.log)
sbox.xpra.Process.Env = append(sbox.rawEnv, sbox.xpra.Process.Env...) sbox.xpra.Process.Env = append(sbox.rawEnv, sbox.xpra.Process.Env...)
//sbox.daemon.log.Debug("%s %s", strings.Join(sbox.xpra.Process.Env, " "), strings.Join(sbox.xpra.Process.Args, " "))
if sbox.daemon.config.LogXpra { if sbox.daemon.config.LogXpra {
sbox.setupXpraLogging() sbox.setupXpraLogging()
} }
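Review bot: The value returned by `xpra.NewClient` (presumably assigned to `sbox.xpra`) is dereferenced on the next statement, `sbox.xpra.Process.Env = append(...)`, with no nil check, although NewClient on the new side returns nil when the seccomp profile cannot be written to the wrapper. In that case the daemon would panic instead of refusing to start the client. The server path in oz-init guards the same situation with `if xpra == nil`; add the equivalent here before the Env assignment, e.g. `if sbox.xpra == nil { sbox.daemon.log.Error("Error creating xpra client command"); return }`. startXpraClient begins and continues outside this hunk, so check there whether the early return needs any cleanup.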

@ -243,7 +243,7 @@ func (st *initState) getDbusSession() error {
} }
dcmd := exec.Command("/usr/bin/dbus-launch", args...) dcmd := exec.Command("/usr/bin/dbus-launch", args...)
dcmd.Env = append([]string{}, st.launchEnv...) dcmd.Env = append([]string{}, st.launchEnv...)
st.log.Debug("%s /usr/bin/dbus-launch %s", strings.Join(dcmd.Env, " "), strings.Join(args, " ")) //st.log.Debug("%s /usr/bin/dbus-launch %s", strings.Join(dcmd.Env, " "), strings.Join(args, " "))
dcmd.SysProcAttr = &syscall.SysProcAttr{} dcmd.SysProcAttr = &syscall.SysProcAttr{}
dcmd.SysProcAttr.Credential = &syscall.Credential{ dcmd.SysProcAttr.Credential = &syscall.Credential{
Uid: st.uid, Uid: st.uid,
@ -281,10 +281,16 @@ func (st *initState) startXpraServer() {
} }
workdir := path.Join(st.user.HomeDir, ".Xoz", st.profile.Name) workdir := path.Join(st.user.HomeDir, ".Xoz", st.profile.Name)
st.log.Info("xpra work dir is %s", workdir) st.log.Info("xpra work dir is %s", workdir)
xpra := xpra.NewServer(&st.profile.XServer, uint64(st.display), workdir) spath := path.Join(st.config.PrefixPath, "bin", "oz-seccomp")
xpra := xpra.NewServer(&st.profile.XServer, uint64(st.display), spath, workdir)
//st.log.Debug("%s %s", strings.Join(xpra.Process.Env, " "), strings.Join(xpra.Process.Args, " "))
if xpra == nil {
st.log.Error("Error creating xpra server command")
os.Exit(1)
}
p, err := xpra.Process.StderrPipe() p, err := xpra.Process.StderrPipe()
if err != nil { if err != nil {
st.log.Warning("Error creating stderr pipe for xpra output: %v", err) st.log.Error("Error creating stderr pipe for xpra output: %v", err)
os.Exit(1) os.Exit(1)
} }
go st.readXpraOutput(p) go st.readXpraOutput(p)
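Review bot: The commented-out `//st.log.Debug(... xpra.Process.Env ...)` line added in startXpraServer sits above the new `if xpra == nil` guard, so re-enabling it for debugging would dereference a nil server before the guard runs. It would also write the full launch environment to the log. Either drop it, or move it below the nil check with a comment that it is for local debugging only. startXpraServer begins before and continues after this hunk.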

@ -22,16 +22,15 @@ func createLogger() *logging.Logger {
return l return l
} }
func Main() { var log *logging.Logger
log := createLogger()
if len(os.Args) < 3 { func init() {
log.Error("seccomp-wrapper: Not enough arguments.") log = createLogger()
os.Exit(1)
} }
if os.Getppid() != 1 { func Main() {
log.Error("oz-seccomp wrapper must be called from oz-init!") if len(os.Args) < 3 {
log.Error("seccomp-wrapper: Not enough arguments.")
os.Exit(1) os.Exit(1)
} }
@ -54,14 +53,7 @@ func Main() {
log.Error("unable to decode profile data: %v", err) log.Error("unable to decode profile data: %v", err)
os.Exit(1) os.Exit(1)
} }
/*
p, err := loadProfile(config.ProfileDir, pname)
if err != nil {
log.Error("Could not load profile %s: %v", pname, err)
os.Exit(1)
}
*/
switch os.Args[1] { switch os.Args[1] {
case "-w": case "-w":
if p.Seccomp.Seccomp_Whitelist == "" { if p.Seccomp.Seccomp_Whitelist == "" {
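Review bot: The `os.Getppid() != 1` guard ("oz-seccomp wrapper must be called from oz-init!") no longer appears on the new side of Main, and nothing replaces it or explains its removal. The wrapper decodes its seccomp profile from data supplied by whoever launches it, so after this change the caller chooses the policy. Presumably the check was dropped because the xpra client is now started from the daemon rather than under oz-init. Add a comment saying so above the argument check, for example `// Parent check removed: the wrapper is also launched by the oz daemon for the xpra client.`, and confirm the installed binary carries no extra privileges that made the caller restriction matter. Main continues past the end of this hunk.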

@ -21,13 +21,16 @@ var xpraClientDefaultArgs = []string{
"--no-keyboard-sync", "--no-keyboard-sync",
} }
func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential, workdir string, hostname string, log *logging.Logger) *Xpra { func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential, spath, workdir, hostname string, log *logging.Logger) *Xpra {
x := new(Xpra) x := new(Xpra)
x.Config = config x.Config = config
x.Display = display x.Display = display
x.WorkDir = workdir x.WorkDir = workdir
x.xpraArgs = prepareClientArgs(config, display, workdir, log) x.xpraArgs = prepareClientArgs(config, display, workdir, log)
x.Process = exec.Command("/usr/bin/xpra", x.xpraArgs...)
x.xpraArgs = append([]string{"-b", "/usr/bin/xpra"}, x.xpraArgs...)
x.Process = exec.Command(spath, x.xpraArgs...)
x.Process.SysProcAttr = &syscall.SysProcAttr{ x.Process.SysProcAttr = &syscall.SysProcAttr{
Credential: cred, Credential: cred,
} }
@ -36,6 +39,11 @@ func NewClient(config *oz.XServerConf, display uint64, cred *syscall.Credential,
fmt.Sprintf("TMPDIR=%s", workdir), fmt.Sprintf("TMPDIR=%s", workdir),
fmt.Sprintf("XPRA_SOCKET_HOSTNAME=%s", hostname), fmt.Sprintf("XPRA_SOCKET_HOSTNAME=%s", hostname),
} }
if err := writeFakeProfile(x.Process); err != nil {
return nil
}
return x return x
} }
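Review bot: NewClient returns a bare nil when `writeFakeProfile` fails, so the underlying error is discarded even though a `log` parameter is available; NewServer in the server file does the same. Since the purpose of this commit is that xpra always runs under the seccomp wrapper, a failure to deliver the policy should be visible in the logs. Suggest `log.Error("unable to write seccomp profile for xpra client: %v", err)` before `return nil`. The prepended `"-b"` argument (presumably the wrapper's blacklist mode) also deserves a one-line comment.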

@ -2,9 +2,10 @@ package xpra
import ( import (
"fmt" "fmt"
"github.com/subgraph/oz"
"os" "os"
"os/exec" "os/exec"
"github.com/subgraph/oz"
) )
var xpraServerDefaultArgs = []string{ var xpraServerDefaultArgs = []string{
@ -13,32 +14,39 @@ var xpraServerDefaultArgs = []string{
"--input-method=keep", "--input-method=keep",
} }
func NewServer(config *oz.XServerConf, display uint64, workdir string) *Xpra { func NewServer(config *oz.XServerConf, display uint64, spath, workdir string) *Xpra {
x := new(Xpra) x := new(Xpra)
x.Config = config x.Config = config
x.Display = display x.Display = display
x.WorkDir = workdir x.WorkDir = workdir
x.xpraArgs = prepareServerArgs(config, display, workdir) x.xpraArgs = prepareServerArgs(config, display, workdir)
x.Process = exec.Command("/usr/bin/xpra", x.xpraArgs...)
x.xpraArgs = append([]string{"-b", "/usr/bin/xpra"}, x.xpraArgs...)
x.Process = exec.Command(spath, x.xpraArgs...)
x.Process.Env = append(os.Environ(), x.Process.Env = append(os.Environ(),
"TMPDIR="+workdir, "TMPDIR="+workdir,
) )
if err := writeFakeProfile(x.Process); err != nil {
return nil
}
return x return x
} }
func prepareServerArgs(config *oz.XServerConf, display uint64, workdir string) []string { func prepareServerArgs(config *oz.XServerConf, display uint64, workdir string) []string {
args := getDefaultArgs(config) args := getDefaultArgs(config)
args = append(args, xpraServerDefaultArgs...) args = append(args, xpraServerDefaultArgs...)
args = append(args,
fmt.Sprintf("--socket-dir=%s", workdir),
"start",
fmt.Sprintf(":%d", display),
)
if config.AudioMode == oz.PROFILE_AUDIO_FULL || config.AudioMode == oz.PROFILE_AUDIO_SPEAKER { if config.AudioMode == oz.PROFILE_AUDIO_FULL || config.AudioMode == oz.PROFILE_AUDIO_SPEAKER {
args = append(args, "--pulseaudio") args = append(args, "--pulseaudio")
} else { } else {
args = append(args, "--no-pulseaudio") args = append(args, "--no-pulseaudio")
} }
args = append(args,
fmt.Sprintf("--socket-dir=%s", workdir),
"start",
fmt.Sprintf(":%d", display),
)
return args return args
} }

@ -1,15 +1,19 @@
package xpra package xpra
import ( import (
"bytes"
"encoding/json"
"errors" "errors"
"fmt" "fmt"
"github.com/subgraph/oz" "io"
"os" "os"
"os/exec" "os/exec"
"os/user" "os/user"
"path" "path"
"strconv" "strconv"
"syscall" "syscall"
"github.com/subgraph/oz"
) )
type Xpra struct { type Xpra struct {
@ -121,3 +125,21 @@ func userIds(user *user.User) (int, int, error) {
} }
return uid, gid, nil return uid, gid, nil
} }
func writeFakeProfile(cmd *exec.Cmd) error {
pi, err := cmd.StdinPipe()
if err != nil {
return nil
}
emptyProfile := new(oz.Profile)
emptyProfile.Seccomp.Mode = "blacklist"
emptyProfile.Seccomp.Enforce = true
jdata, err := json.Marshal(emptyProfile)
if err != nil {
return err
}
io.Copy(pi, bytes.NewBuffer(jdata))
pi.Close()
return nil
}
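Review bot: `writeFakeProfile` returns nil when `cmd.StdinPipe()` fails (`return nil` in the first error branch), and the results of `io.Copy` and `pi.Close()` are ignored, so a profile that was never or only partly written is reported as success. The wrapper would then presumably fail to decode its input and exit, which fails closed, but the caller cannot tell and the cause is lost. Return the error in each case: `return err` after StdinPipe, then `if _, err := io.Copy(pi, bytes.NewReader(jdata)); err != nil { pi.Close(); return err }` followed by `return pi.Close()`. The write also happens before the process is started, so it relies on the JSON fitting in the pipe buffer; a comment stating that assumption would help.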
