handleOpen handles the open(2) and openat(2) syscalls. We do this in order to inject the ephemeral CA certificate into the system root CA store so that we can intercept outgoing TLS requests later.
(n *seccomp.Notif, dirfd int, pathAddr uintptr, flags int, mode int)
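// to inject the ephemeral CA certificate into the system root CA store so that
// we can intercept outgoing TLS requests later.
//
// Only read-only opens (O_ACCMODE == O_RDONLY) of a path that tls.IsKnownPath
// recognises are touched: the tracee is handed a memfd holding the original
// bundle followed by the ephemeral CA PEM instead of the real file. Every
// other open is passed through untouched (Skip), so writers keep operating
// on the real CA store.
//
// n is the seccomp user-notification being answered; dirfd, pathAddr, flags
// and mode are the tracee's syscall arguments (mode is not used here).
// Returns nil once the notification has been answered via Skip, Return or
// AddFD. A non-nil error means the notification was NOT answered and the
// caller must decide how to respond to the tracee.
func (p *Process) handleOpen(n *seccomp.Notif, dirfd int, pathAddr uintptr, flags int, mode int) error {
	// Test the access mode, not a single bit: O_RDWR (2) shares no bit with
	// O_WRONLY (1), so `flags&O_WRONLY != 0` let read-write opens through and
	// would have silently redirected their writes into the private memfd.
	if flags&unix.O_ACCMODE != unix.O_RDONLY {
		return n.Skip()
	}

	path, errno, err := p.resolvePath(n, dirfd, pathAddr)
	if err != nil {
		return fmt.Errorf("resolve path: %w", err)
	}
	if errno != 0 {
		// Resolution failed on the tracee's behalf; report that errno to it.
		return n.Return(0, errno)
	}
	if !tls.Enabled || !tls.IsKnownPath(path) {
		return n.Skip()
	}

	slog.Debug("handling TLS CA cert file open", "path", path)

	ephemeralPEM := tls.GetEphemeralCAPEM()

	// NOTE(review): the bundle is read with the supervisor's privileges and
	// from the supervisor's view of the filesystem. If the tracee runs in a
	// different mount namespace or chroot, or the file changes between
	// resolvePath and this read, the injected copy may differ from what the
	// tracee would have opened — confirm resolvePath accounts for this.
	orig, err := os.ReadFile(path)
	if err != nil {
		// Best effort: if we cannot read the bundle, let the real open happen.
		return n.Skip()
	}
	// PEM is line-oriented. Without a trailing newline the appended cert's
	// "-----BEGIN" would share a line with the previous "-----END" marker and
	// neither block would parse.
	if len(orig) > 0 && orig[len(orig)-1] != '\n' {
		orig = append(orig, '\n')
	}
	data := append(orig, ephemeralPEM...)

	// The name is cosmetic (visible via /proc/<pid>/fd). MFD_CLOEXEC is the
	// flag memfd_create defines; FD_CLOEXEC merely shares its value.
	// NOTE(review): memfd names are limited to 249 bytes; known bundle paths
	// are short, but a longer path would fail here with EINVAL.
	ret, err := unix.MemfdCreate("subtrace_override:"+path, unix.MFD_CLOEXEC)
	if err != nil {
		return fmt.Errorf("inject ephemeral CA: memfd_create: %w", err)
	}

	memfd := fd.NewFD(ret)
	defer memfd.DecRef()
	defer unix.Close(memfd.FD())

	// A short write would hand the tracee a truncated bundle, so do not trust
	// write(2) to consume the whole buffer.
	written, err := unix.Write(memfd.FD(), data)
	if err != nil {
		return fmt.Errorf("inject ephemeral CA: write: %w", err)
	}
	if written != len(data) {
		return fmt.Errorf("inject ephemeral CA: short write: %d of %d bytes", written, len(data))
	}
	// Rewind so the tracee reads from offset 0; the file offset is shared with
	// the descriptor installed in the tracee. (The previous raw SYS_LSEEK call
	// wrapped the stale `err` instead of its errno in the failure message.)
	if _, err := unix.Seek(memfd.FD(), 0, unix.SEEK_SET); err != nil {
		return fmt.Errorf("inject ephemeral CA: lseek: %w", err)
	}

	// NOTE(review): the tracee asked for O_RDONLY but a memfd is always
	// read-write. Writes only affect this private copy, never the real CA
	// store; sealing (MFD_ALLOW_SEALING + F_SEAL_WRITE) would make that
	// explicit if it ever matters.
	//
	// Only O_CLOEXEC is meaningful for the installed descriptor; we don't care
	// which fd number the tracee ends up with.
	if _, err := n.AddFD(memfd, flags&unix.O_CLOEXEC); err != nil {
		return fmt.Errorf("addfd: %w", err)
	}
	return nil
}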
| 156 | |
| 157 | func fdcwd() uintptr { |
| 158 | x := unix.AT_FDCWD |