
Method handleOpen

cmd/run/engine/process/handle.go:110–155  ·  view source on GitHub ↗

handleOpen handles the open(2) and openat(2) syscalls. We do this in order to inject the ephemeral CA certificate into the system root CA store so that we can intercept outgoing TLS requests later.

(n *seccomp.Notif, dirfd int, pathAddr uintptr, flags int, mode int)


108// to inject the ephemeral CA certificate into the system root CA store so that
109// we can intercept outgoing TLS requests later.
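// handleOpen handles the open(2) and openat(2) syscalls of the traced process.
// When the target path is a known system root CA bundle being opened for
// reading, the real file is replaced by a memfd holding the original bundle
// with the ephemeral CA certificate appended, so that the process trusts the
// certificate used to intercept its outgoing TLS connections.
//
// The notification is answered in one of three ways: n.Skip() for opens we do
// not touch, n.Return(0, errno) when path resolution produced an errno, or
// n.AddFD with the prepared memfd. A non-nil error is returned only when the
// injection itself could not be carried out.
//
// dirfd, pathAddr, flags and mode are the raw syscall arguments; mode is not
// used by this handler.
func (p *Process) handleOpen(n *seccomp.Notif, dirfd int, pathAddr uintptr, flags int, mode int) error {
	// Only read-only opens receive the injected bundle. O_ACCMODE masks the
	// access-mode bits, so both O_WRONLY and O_RDWR fall through to the real
	// file; the previous check on O_WRONLY alone let an O_RDWR opener write
	// into a throwaway memfd and silently lose its changes.
	if flags&unix.O_ACCMODE != unix.O_RDONLY {
		return n.Skip()
	}

	path, errno, err := p.resolvePath(n, dirfd, pathAddr)
	if err != nil {
		return fmt.Errorf("resolve path: %w", err)
	}
	if errno != 0 {
		return n.Return(0, errno)
	}
	if !tls.Enabled || !tls.IsKnownPath(path) {
		return n.Skip()
	}

	slog.Debug("handling TLS CA cert file open", "path", path)

	ephemeralPEM := tls.GetEphemeralCAPEM()

	// Best effort: if we cannot read the bundle ourselves, let the original
	// open(2) proceed so the process sees whatever it would have seen without us.
	orig, err := os.ReadFile(path)
	if err != nil {
		return n.Skip()
	}

	ret, err := unix.MemfdCreate("subtrace_override:"+path, unix.FD_CLOEXEC)
	if err != nil {
		return fmt.Errorf("inject ephemeral CA: memfd_create: %w", err)
	}

	memfd := fd.NewFD(ret)
	defer memfd.DecRef()
	defer unix.Close(memfd.FD())

	// Write the whole buffer. unix.Write may return fewer bytes than requested,
	// and a truncated bundle would silently drop trusted certificates.
	buf := append(orig, ephemeralPEM...)
	for len(buf) > 0 {
		w, werr := unix.Write(memfd.FD(), buf)
		if werr == unix.EINTR {
			continue
		}
		if werr != nil {
			return fmt.Errorf("inject ephemeral CA: write: %w", werr)
		}
		if w <= 0 {
			return fmt.Errorf("inject ephemeral CA: write: short write, %d bytes left", len(buf))
		}
		buf = buf[w:]
	}

	// Rewind so the process reads the bundle from the start. The previous
	// version wrapped the (nil) err from MemfdCreate here instead of the
	// lseek failure, producing a useless error message.
	if _, err := unix.Seek(memfd.FD(), 0, unix.SEEK_SET); err != nil {
		return fmt.Errorf("inject ephemeral CA: lseek: %w", err)
	}

	// The fd number assigned in the target is irrelevant to us; O_CLOEXEC is
	// propagated so the injected fd behaves like the one the process asked for.
	if _, err := n.AddFD(memfd, flags&unix.O_CLOEXEC); err != nil {
		return fmt.Errorf("addfd: %w", err)
	}
	return nil
}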
156
157func fdcwd() uintptr {
158 x := unix.AT_FDCWD

Callers 1

initFunction · 0.80

Calls 11

resolvePathMethod · 0.95
DecRefMethod · 0.95
FDMethod · 0.95
IsKnownPathFunction · 0.92
GetEphemeralCAPEMFunction · 0.92
NewFDFunction · 0.92
SkipMethod · 0.80
ReturnMethod · 0.80
WriteMethod · 0.80
AddFDMethod · 0.80
CloseMethod · 0.45

Tested by

no test coverage detected