ldd: run ldd with read-only filesystem and unshared net
This is only called on trusted programs, however extra hardening is never a bad idea. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
parent
57c1b3eda6
commit
73a698c7cb
31
ldd/exec.go
31
ldd/exec.go
|
@ -5,14 +5,37 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"git.ophivana.moe/cat/fortify/helper"
|
||||||
|
"git.ophivana.moe/cat/fortify/helper/bwrap"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Exec(p string) ([]*Entry, error) {
|
func Exec(p string) ([]*Entry, error) {
|
||||||
t := exec.Command("ldd", p)
|
var (
|
||||||
t.Stdout, t.Stderr = new(strings.Builder), os.Stderr
|
h helper.Helper
|
||||||
if err := t.Run(); err != nil {
|
cmd *exec.Cmd
|
||||||
|
)
|
||||||
|
|
||||||
|
if b, err := helper.NewBwrap((&bwrap.Config{
|
||||||
|
Hostname: "fortify-ldd",
|
||||||
|
Chdir: "/",
|
||||||
|
NewSession: true,
|
||||||
|
DieWithParent: true,
|
||||||
|
}).Bind("/", "/").DevTmpfs("/dev"),
|
||||||
|
nil, "ldd", func(_, _ int) []string { return []string{p} }); err != nil {
|
||||||
|
return nil, err
|
||||||
|
} else {
|
||||||
|
cmd = b.Unwrap()
|
||||||
|
h = b
|
||||||
|
}
|
||||||
|
|
||||||
|
cmd.Stdout, cmd.Stderr = new(strings.Builder), os.Stderr
|
||||||
|
if err := h.Start(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err := h.Wait(); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return Parse(t.Stdout.(fmt.Stringer))
|
return Parse(cmd.Stdout.(fmt.Stringer))
|
||||||
}
|
}
|
||||||
|
|
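Review bot: The hardening the commit message claims is not visible in the sandbox config at `}).Bind("/", "/").DevTmpfs("/dev")`: `Bind("/", "/")` reads as a plain bind of the whole host root, and no field in the `bwrap.Config` literal names the network namespace, so whether the filesystem is read-only and the network is unshared depends on bwrap.Config defaults or on `Bind` semantics this hunk does not show. If the helper package has a read-only bind variant, that is what the message describes; otherwise a comment on the Config literal stating which namespaces bwrap unshares by default would let a reader verify the claim. Separately, the errors from `h.Start()` and `h.Wait()` are returned bare while ldd's own stderr goes straight to os.Stderr, so a caller cannot tell which program or path failed; `return nil, fmt.Errorf("ldd %q: %w", p, err)` on both keeps that context (fmt is already used at `return Parse(cmd.Stdout.(fmt.Stringer))`). The `} else {` branch after a terminating `return nil, err` could also be dropped in favour of `cmd, h = b.Unwrap(), b` after the `if`, keeping the happy path unindented.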