run: Allow perf and ptrace in debug and build mode.
Without this you can't e.g. run a debugger or profiler in the sandbox.
parent
645c433960
commit
5065e431a2
|
@ -134,7 +134,7 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
|||
argv_array = g_ptr_array_new_with_free_func (g_free);
|
||||
g_ptr_array_add (argv_array, g_strdup (HELPER));
|
||||
|
||||
g_ptr_array_add (argv_array, g_strdup ("-wr"));
|
||||
g_ptr_array_add (argv_array, g_strdup ("-wrc"));
|
||||
|
||||
app_context = xdg_app_context_new ();
|
||||
if (!xdg_app_context_load_metadata (app_context, runtime_metakey, error))
|
||||
|
|
|
@ -338,6 +338,9 @@ xdg_app_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
|
|||
g_ptr_array_add (argv_array, g_strdup ("-b"));
|
||||
g_ptr_array_add (argv_array, g_strdup_printf ("/run/host/fonts=%s", SYSTEM_FONTS_DIR));
|
||||
|
||||
if (opt_devel)
|
||||
g_ptr_array_add (argv_array, g_strdup ("-c"));
|
||||
|
||||
home = g_file_new_for_path (g_get_home_dir ());
|
||||
user_font1 = g_file_resolve_relative_path (home, ".local/share/fonts");
|
||||
user_font2 = g_file_resolve_relative_path (home, ".fonts");
|
||||
|
|
|
@ -291,7 +291,7 @@ static inline int raw_clone(unsigned long flags, void *child_stack) {
|
|||
}
|
||||
|
||||
static void
|
||||
setup_seccomp (void)
|
||||
setup_seccomp (bool devel)
|
||||
{
|
||||
scmp_filter_ctx seccomp;
|
||||
/**** BEGIN NOTE ON CODE SHARING
|
||||
|
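Review bot: `setup_seccomp (bool devel)` gains a parameter whose effect is not described at the definition, so a reader of this hunk alone cannot tell what `devel` relaxes. A one-line comment above the signature would close that gap, e.g. `/* devel: skip syscall_nondevel_blacklist (perf/ptrace) so debuggers and profilers work inside the sandbox; set by the -c option in main() */`. The function body continues outside the hunk.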
@ -353,7 +353,12 @@ setup_seccomp (void)
|
|||
{SCMP_SYS(mount)},
|
||||
{SCMP_SYS(pivot_root)},
|
||||
{SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
|
||||
};
|
||||
|
||||
struct {
|
||||
int scall;
|
||||
struct scmp_arg_cmp *arg;
|
||||
} syscall_nondevel_blacklist[] = {
|
||||
/* Profiling operations; we expect these to be done by tools from outside
|
||||
* the sandbox. In particular perf has been the source of many CVEs.
|
||||
*/
|
||||
|
@ -415,6 +420,20 @@ setup_seccomp (void)
|
|||
die_with_error ("Failed to block syscall %d", scall);
|
||||
}
|
||||
|
||||
if (!devel)
|
||||
{
|
||||
for (i = 0; i < N_ELEMENTS (syscall_nondevel_blacklist); i++)
|
||||
{
|
||||
int scall = syscall_nondevel_blacklist[i].scall;
|
||||
if (syscall_nondevel_blacklist[i].arg)
|
||||
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *syscall_nondevel_blacklist[i].arg);
|
||||
else
|
||||
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
|
||||
if (r < 0 && r == -EFAULT /* unknown syscall */)
|
||||
die_with_error ("Failed to block syscall %d", scall);
|
||||
}
|
||||
}
|
||||
|
||||
/* Socket filtering doesn't work on x86 */
|
||||
if (uname (&uts) == 0 && strcmp (uts.machine, "i686") != 0)
|
||||
{
|
||||
|
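Review bot: The error check on the new non-devel loop, `if (r < 0 && r == -EFAULT /* unknown syscall */)`, aborts only when libseccomp reports an unknown syscall and silently ignores every other negative return, so a rule that fails to install for any other reason leaves that profiling syscall permitted with no diagnostic. For a deny-list the commit itself motivates with "perf has been the source of many CVEs", failing closed reads safer: `if (r < 0) die_with_error ("Failed to block syscall %d", scall);`. The `r < 0 &&` conjunct is redundant with `r == -EFAULT` either way. The pre-existing loop at the top of the hunk shows the same pattern, so if tolerating other errors is deliberate a comment stating why would help; `i` and `r` are declared outside the hunk.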
@ -1856,6 +1875,7 @@ main (int argc,
|
|||
char **args;
|
||||
char *tmp;
|
||||
int n_args;
|
||||
bool devel = FALSE;
|
||||
bool share_shm = FALSE;
|
||||
bool network = FALSE;
|
||||
bool ipc = FALSE;
|
||||
|
@ -1884,7 +1904,7 @@ main (int argc,
|
|||
|
||||
clean_argv (argc, argv);
|
||||
|
||||
while ((c = getopt (argc, argv, "+inWweEsfFHra:m:M:b:B:p:x:ly:d:D:v:I:gS:")) >= 0)
|
||||
while ((c = getopt (argc, argv, "+inWwceEsfFHra:m:M:b:B:p:x:ly:d:D:v:I:gS:")) >= 0)
|
||||
{
|
||||
switch (c)
|
||||
{
|
||||
|
@ -1892,6 +1912,10 @@ main (int argc,
|
|||
app_path = optarg;
|
||||
break;
|
||||
|
||||
case 'c':
|
||||
devel = TRUE;
|
||||
break;
|
||||
|
||||
case 'M':
|
||||
/* Same, but remove source */
|
||||
goto extra_file;
|
||||
|
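Review bot: `case 'c': devel = TRUE;` introduces an option that weakens the seccomp filter but carries no comment, and nothing in this hunk (or the getopt hunk above it) shows the helper's usage text being updated to list `-c`. Suggest `case 'c': /* development mode: leave perf/ptrace unfiltered so debuggers and profilers work */` and, if a usage string exists elsewhere in the file, adding `-c` to it; that string is not visible here. main() starts and ends outside the hunk.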
@ -2396,7 +2420,7 @@ main (int argc,
|
|||
#endif
|
||||
|
||||
__debug__(("setting up seccomp\n"));
|
||||
setup_seccomp ();
|
||||
setup_seccomp (devel);
|
||||
|
||||
__debug__(("forking for child\n"));
|
||||
|
||||
|
|