Lint linux files
@@ -421,10 +421,6 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, bridge *Lin
|
|||||||
// Get fence executable path for Landlock wrapper
|
// Get fence executable path for Landlock wrapper
|
||||||
fenceExePath, _ := os.Executable()
|
fenceExePath, _ := os.Executable()
|
||||||
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != ""
|
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != ""
|
||||||
if useLandlockWrapper {
|
|
||||||
// Ensure fence binary is accessible inside the sandbox (it should be via ro-bind /)
|
|
||||||
// We'll call it at the end of the script to apply Landlock before running user command
|
|
||||||
}
|
|
||||||
|
|
||||||
bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")
|
bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")
|
||||||
|
|
||||||
|
|||||||
@@ -85,7 +85,7 @@ func (m *EBPFMonitor) Stop() {
|
|||||||
|
|
||||||
// Clean up the script file
|
// Clean up the script file
|
||||||
if m.scriptPath != "" {
|
if m.scriptPath != "" {
|
||||||
os.Remove(m.scriptPath)
|
_ = os.Remove(m.scriptPath)
|
||||||
}
|
}
|
||||||
|
|
||||||
m.running = false
|
m.running = false
|
||||||
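Review bot: After `_ = os.Remove(m.scriptPath)` the field keeps pointing at a deleted file, so a second Stop() call repeats the removal and any later reader of m.scriptPath sees a stale path; clearing it makes Stop idempotent: `m.scriptPath = ""` right after the Remove, inside the same if block. Discarding the Remove error is reasonable for cleanup, but an error other than "not exist" would be worth a debug log if the monitor already has one. `m.running = false` is written here with no synchronization visible in the hunk; if another goroutine reads it (for example the trace loop), that is a data race under -race — confirm against the rest of the type. Stop() begins before this hunk.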
@@ -110,13 +110,13 @@ func (m *EBPFMonitor) tryBpftrace(ctx context.Context) error {
|
|||||||
m.scriptPath = scriptPath // Store for cleanup later
|
m.scriptPath = scriptPath // Store for cleanup later
|
||||||
|
|
||||||
if _, err := tmpFile.WriteString(script); err != nil {
|
if _, err := tmpFile.WriteString(script); err != nil {
|
||||||
tmpFile.Close()
|
_ = tmpFile.Close()
|
||||||
os.Remove(scriptPath)
|
_ = os.Remove(scriptPath)
|
||||||
return fmt.Errorf("failed to write script: %w", err)
|
return fmt.Errorf("failed to write script: %w", err)
|
||||||
}
|
}
|
||||||
tmpFile.Close()
|
_ = tmpFile.Close()
|
||||||
|
|
||||||
m.cmd = exec.CommandContext(ctx, bpftracePath, tmpFile.Name())
|
m.cmd = exec.CommandContext(ctx, bpftracePath, tmpFile.Name()) //nolint:gosec // bpftracePath from LookPath
|
||||||
stdout, err := m.cmd.StdoutPipe()
|
stdout, err := m.cmd.StdoutPipe()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to create pipe: %w", err)
|
return fmt.Errorf("failed to create pipe: %w", err)
|
||||||
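Review bot: The success-path `_ = tmpFile.Close()` after the WriteString turns a close failure into a silently truncated or unflushed script that bpftrace then executes; since the file's only purpose is to be run on the next line, the close error should be handled like the write error: `if err := tmpFile.Close(); err != nil { _ = os.Remove(scriptPath); return fmt.Errorf("failed to close script: %w", err) }`. The same pattern appears in writeBPFProgram's `defer func() { _ = f.Close() }()` for the seccomp filter file, where a deferred discard means the function can return nil even if the filter was not fully written; closing explicitly before returning and propagating the error is preferable there too. The `//nolint:gosec // bpftracePath from LookPath` justification should state the trust assumption it relies on — LookPath resolves through the process PATH, so the comment should say PATH is trusted in this context (or that the resolved path is validated), not merely where the value came from. tryBpftrace continues outside the hunk on both sides.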
@@ -252,7 +252,7 @@ func (m *EBPFMonitor) traceWithPerfEvents() {
|
|||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer f.Close()
|
defer func() { _ = f.Close() }()
|
||||||
|
|
||||||
// We'd need to set up tracepoints first, which requires additional setup
|
// We'd need to set up tracepoints first, which requires additional setup
|
||||||
// For now, this is a placeholder for the full implementation
|
// For now, this is a placeholder for the full implementation
|
||||||
@@ -297,7 +297,7 @@ func CheckBpftraceAvailable() bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Verify it can run (needs permissions)
|
// Verify it can run (needs permissions)
|
||||||
cmd := exec.Command(path, "--version")
|
cmd := exec.Command(path, "--version") //nolint:gosec // path from LookPath
|
||||||
return cmd.Run() == nil
|
return cmd.Run() == nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
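Review bot: `exec.Command(path, "--version")` followed by `cmd.Run()` has no timeout, so a hung or slow bpftrace binary stalls the availability probe, and with it whatever calls CheckBpftraceAvailable, indefinitely; bound it with a context: `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)`, `defer cancel()`, `cmd := exec.CommandContext(ctx, path, "--version")`. The comment "Verify it can run (needs permissions)" overstates what `--version` proves — printing the version does not exercise the tracing privileges actual probes need, so the check can report available on a host where tracing will later fail; rewording it to "Verify the binary executes" avoids the false expectation. The function's opening, including the LookPath call, is outside the hunk.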
@@ -136,7 +136,7 @@ func (f *LinuxFeatures) detectLandlock() {
|
|||||||
}
|
}
|
||||||
ret, _, err = unix.Syscall(
|
ret, _, err = unix.Syscall(
|
||||||
unix.SYS_LANDLOCK_CREATE_RULESET,
|
unix.SYS_LANDLOCK_CREATE_RULESET,
|
||||||
uintptr(unsafe.Pointer(&attr)),
|
uintptr(unsafe.Pointer(&attr)), //nolint:gosec // required for syscall
|
||||||
unsafe.Sizeof(attr),
|
unsafe.Sizeof(attr),
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
|
|||||||
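Review bot: If this landlock_create_ruleset call succeeds, `ret` is a new ruleset file descriptor that must be closed, otherwise every feature probe leaks one fd; the hunk shows the syscall but not the success path, so confirm that `unix.Close(int(ret))` (or equivalent) follows when `err == 0`, and consider a comment on the call such as `// ret is a ruleset fd on success; closed below`. The `//nolint:gosec // required for syscall` justification would be more useful if it said why the pattern is safe — the `uintptr(unsafe.Pointer(&attr))` conversion is in the Syscall argument list itself, which is the form the Go runtime and `go vet` accept for keeping `attr` live across the call; the same comment is added in Initialize. detectLandlock begins and ends outside the hunk.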
@@ -36,7 +36,7 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
|
|||||||
}
|
}
|
||||||
return nil // Graceful fallback
|
return nil // Graceful fallback
|
||||||
}
|
}
|
||||||
defer ruleset.Close()
|
defer func() { _ = ruleset.Close() }()
|
||||||
|
|
||||||
if err := ruleset.Initialize(); err != nil {
|
if err := ruleset.Initialize(); err != nil {
|
||||||
if debug {
|
if debug {
|
||||||
@@ -184,7 +184,7 @@ func (l *LandlockRuleset) Initialize() error {
|
|||||||
|
|
||||||
fd, _, err := unix.Syscall(
|
fd, _, err := unix.Syscall(
|
||||||
unix.SYS_LANDLOCK_CREATE_RULESET,
|
unix.SYS_LANDLOCK_CREATE_RULESET,
|
||||||
uintptr(unsafe.Pointer(&attr)),
|
uintptr(unsafe.Pointer(&attr)), //nolint:gosec // required for syscall
|
||||||
unsafe.Sizeof(attr),
|
unsafe.Sizeof(attr),
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
@@ -315,21 +315,21 @@ func (l *LandlockRuleset) addPathRule(path string, access uint64) error {
|
|||||||
}
|
}
|
||||||
return nil // Don't fail on paths we can't access
|
return nil // Don't fail on paths we can't access
|
||||||
}
|
}
|
||||||
defer unix.Close(fd)
|
defer func() { _ = unix.Close(fd) }()
|
||||||
|
|
||||||
// Intersect with handled access to avoid invalid combinations
|
// Intersect with handled access to avoid invalid combinations
|
||||||
access &= l.getHandledAccessFS()
|
access &= l.getHandledAccessFS()
|
||||||
|
|
||||||
attr := landlockPathBeneathAttr{
|
attr := landlockPathBeneathAttr{
|
||||||
allowedAccess: access,
|
allowedAccess: access,
|
||||||
parentFd: int32(fd),
|
parentFd: int32(fd), //nolint:gosec // fd from unix.Open fits in int32
|
||||||
}
|
}
|
||||||
|
|
||||||
_, _, errno := unix.Syscall(
|
_, _, errno := unix.Syscall(
|
||||||
unix.SYS_LANDLOCK_ADD_RULE,
|
unix.SYS_LANDLOCK_ADD_RULE,
|
||||||
uintptr(l.rulesetFd),
|
uintptr(l.rulesetFd),
|
||||||
LANDLOCK_RULE_PATH_BENEATH,
|
LANDLOCK_RULE_PATH_BENEATH,
|
||||||
uintptr(unsafe.Pointer(&attr)),
|
uintptr(unsafe.Pointer(&attr)), //nolint:gosec // required for syscall
|
||||||
)
|
)
|
||||||
if errno != 0 {
|
if errno != 0 {
|
||||||
return fmt.Errorf("failed to add Landlock rule for %s: %w", absPath, errno)
|
return fmt.Errorf("failed to add Landlock rule for %s: %w", absPath, errno)
|
||||||
|
|||||||
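Review bot: After `access &= l.getHandledAccessFS()` the value can become zero when a configured path only carries access bits this kernel's Landlock ABI does not handle, and the kernel rejects an empty allowed_access in landlock_add_rule, so the function would then return the "failed to add Landlock rule" error and abort the whole ruleset for a path that simply has nothing enforceable; guard it right after the intersection: `if access == 0 {`, `	return nil // nothing this kernel ABI can enforce for this path`, `}` (the deferred `unix.Close(fd)` still runs). The earlier `return nil // Don't fail on paths we can't access` silently drops an allow rule; for an allow-list that is fail-closed, which is the safe direction, but a debug-level log there would make a missing-path misconfiguration diagnosable instead of surfacing only as EACCES in the sandboxed command. addPathRule's opening, including the unix.Open that yields fd and absPath, is outside the hunk.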
@@ -133,9 +133,9 @@ func (s *SeccompFilter) writeBPFProgram(path string) error {
|
|||||||
// BPF_JMP | BPF_JEQ | BPF_K: if A == K, jump jt else jump jf
|
// BPF_JMP | BPF_JEQ | BPF_K: if A == K, jump jt else jump jf
|
||||||
program = append(program, bpfInstruction{
|
program = append(program, bpfInstruction{
|
||||||
code: BPF_JMP | BPF_JEQ | BPF_K,
|
code: BPF_JMP | BPF_JEQ | BPF_K,
|
||||||
jt: 0, // if match, go to next instruction (block)
|
jt: 0, // if match, go to next instruction (block)
|
||||||
jf: 1, // if not match, skip the block instruction
|
jf: 1, // if not match, skip the block instruction
|
||||||
k: uint32(num),
|
k: uint32(num), //nolint:gosec // syscall numbers fit in uint32
|
||||||
})
|
})
|
||||||
|
|
||||||
// Return action (block with EPERM)
|
// Return action (block with EPERM)
|
||||||
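Review bot: `k: uint32(num)` with the justification "syscall numbers fit in uint32" only holds for non-negative values; if `num` is a signed integer that can be negative (for example a sentinel for a syscall name that does not exist on this architecture — I cannot see how it is resolved from the hunk), the conversion wraps to 0xFFFFFFFF and emits a compare that never matches, silently leaving that syscall unfiltered instead of failing. A range check before the append makes the invariant the nolint comment asserts actually hold: `if num < 0 || num > math.MaxUint32 {`, `	return fmt.Errorf("syscall number %d out of range", num)`, `}`. writeBPFProgram begins before this hunk and continues in the following one.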
@@ -152,11 +152,11 @@ func (s *SeccompFilter) writeBPFProgram(path string) error {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Write the program to file
|
// Write the program to file
|
||||||
f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
|
f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) //nolint:gosec // path is controlled
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer f.Close()
|
defer func() { _ = f.Close() }()
|
||||||
|
|
||||||
for _, inst := range program {
|
for _, inst := range program {
|
||||||
if err := inst.writeTo(f); err != nil {
|
if err := inst.writeTo(f); err != nil {
|
||||||
|
|||||||