From b127ea2832a7cf00d8a6766302034a06a44cdc61 Mon Sep 17 00:00:00 2001
From: pitboss
Date: Fri, 15 May 2026 09:50:22 -0500
Subject: [PATCH] [pitboss] sweep after phase 17: 1 deferred items resolved

---
 src/dynamic/sandbox/seccomp/mod.rs | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/src/dynamic/sandbox/seccomp/mod.rs b/src/dynamic/sandbox/seccomp/mod.rs
index 00e6f8b9..d30695e9 100644
--- a/src/dynamic/sandbox/seccomp/mod.rs
+++ b/src/dynamic/sandbox/seccomp/mod.rs
@@ -1,10 +1,14 @@
 //! Phase 17 (Track E.1) — seccomp-bpf default-deny filter.
 //!
-//! [`apply_for_caps`] composes the cap-tagged allowlist baked from
-//! `seccomp_policy.toml` (via `build.rs`) into a BPF program and installs
-//! it via `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program)`. The
-//! filter is per-thread and inherited across `execve`, so the harness
+//! [`install_compiled_filter`] installs a pre-compiled BPF program (built
+//! from the cap-tagged allowlist baked from `seccomp_policy.toml` via
+//! `build.rs`) via `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program)`.
+//! The filter is per-thread and inherited across `execve`, so the harness
 //! runs under it from the very first instruction of its image.
+//! The hardening pre_exec callback pre-compiles the program in the parent
+//! and hands a borrowed slice to [`install_compiled_filter`] from inside
+//! the child (allocator-free path; the post-fork allocator ban precludes
+//! compiling from the child).
 //!
 //! Layout
 //! ------
@@ -29,7 +33,7 @@ pub mod syscalls;
 use std::collections::BTreeSet;
-use crate::dynamic::sandbox::seccomp::bpf::{compile, SockFilter, SockFprog};
+use crate::dynamic::sandbox::seccomp::bpf::{SockFilter, SockFprog};
 use crate::dynamic::sandbox::seccomp::syscalls::{syscall_number, AUDIT_ARCH};
 include!(concat!(env!("OUT_DIR"), "/seccomp_policy.rs"));
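Review bot: The rewritten module doc states that `install_compiled_filter` runs in the child on an allocator-free path, but that constraint is only recorded in the module header, not on the function itself, so a later edit that allocates inside it (a `format!` in an error path, say) would break the post-fork invariant without ever touching these lines. Put the contract on the function's own doc comment, e.g. `/// Must not allocate: the hardening pre_exec callback invokes this between fork and exec, after the allocator ban.` The function's body is outside this hunk, so whether it currently honours that constraint cannot be confirmed here.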
@@ -109,18 +113,6 @@ pub fn install_compiled_filter(program: &[SockFilter]) -> std::io::Result<()> {
 }
 }
-/// Convenience wrapper: compose the cap-aware allowlist via
-/// [`allowed_syscall_numbers`], compile a BPF program, and install it.
-/// Used by direct callers that don't pre-compile in the parent.
-pub fn apply_for_caps(caps: u32) -> std::io::Result<()> {
- if AUDIT_ARCH == 0 {
- return Ok(());
- }
- let nrs = allowed_syscall_numbers(caps);
- let program: Vec = compile(&nrs, AUDIT_ARCH);
- install_compiled_filter(&program)
-}
-
 // ── Tests ────────────────────────────────────────────────────────────────────
 #[cfg(test)]
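Review bot: The removed `apply_for_caps` carried the only guard visible in this diff for `AUDIT_ARCH == 0`, which returned `Ok(())` and silently skipped installing the filter on architectures without a syscall table; the hunk does not show whether `install_compiled_filter` (whose body starts above the hunk) or the pre_exec caller now covers that case. For a default-deny sandbox a silent skip is fail-open, so the surviving entry point should state its contract explicitly, e.g. a `/// # Errors` section reading `/// Fails, rather than silently succeeding, when the filter cannot be installed (unsupported `AUDIT_ARCH`, `prctl` failure); callers must treat this as fatal.` — or, if the skip is intended, document it so callers can decide not to proceed. The `- let program: Vec = compile(...)` line in the removed code appears to have lost its type parameter in extraction and is history either way; the diffstat's single changed file suggests no other caller of `apply_for_caps` remained, but that is inferred, not shown.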