2024-07-09 15:39:40 +09:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2024-10-12 01:51:06 +09:00
|
|
|
"encoding/json"
|
2024-07-09 15:39:40 +09:00
|
|
|
"flag"
|
2024-10-12 19:46:40 +09:00
|
|
|
"fmt"
|
2024-09-13 11:49:10 +09:00
|
|
|
|
2024-10-20 19:50:13 +09:00
|
|
|
"git.ophivana.moe/security/fortify/dbus"
|
|
|
|
"git.ophivana.moe/security/fortify/internal"
|
|
|
|
"git.ophivana.moe/security/fortify/internal/app"
|
2024-10-21 20:47:02 +09:00
|
|
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
2024-10-20 19:50:13 +09:00
|
|
|
"git.ophivana.moe/security/fortify/internal/system"
|
2024-07-09 15:39:40 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2024-10-12 19:46:40 +09:00
|
|
|
printTemplate bool
|
|
|
|
|
2024-09-22 00:29:36 +09:00
|
|
|
confPath string
|
2024-09-09 21:19:12 +09:00
|
|
|
|
|
|
|
dbusConfigSession string
|
|
|
|
dbusConfigSystem string
|
|
|
|
dbusID string
|
|
|
|
mpris bool
|
2024-10-12 01:51:06 +09:00
|
|
|
dbusVerbose bool
|
2024-09-08 02:24:01 +09:00
|
|
|
|
2024-10-12 01:28:22 +09:00
|
|
|
userName string
|
2024-10-16 14:38:57 +09:00
|
|
|
enablements [system.ELen]bool
|
2024-09-08 02:24:01 +09:00
|
|
|
|
2024-09-22 00:29:36 +09:00
|
|
|
launchMethodText string
|
2024-07-09 15:39:40 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
2024-10-12 19:46:40 +09:00
|
|
|
flag.BoolVar(&printTemplate, "template", false, "Print a full config template and exit")
|
|
|
|
|
2024-10-12 01:28:22 +09:00
|
|
|
// config file, disables every other flag here
|
2024-09-22 00:29:36 +09:00
|
|
|
flag.StringVar(&confPath, "c", "nil", "Path to full app configuration, or \"nil\" to configure from flags")
|
2024-09-09 21:19:12 +09:00
|
|
|
|
|
|
|
flag.StringVar(&dbusConfigSession, "dbus-config", "builtin", "Path to D-Bus proxy config file, or \"builtin\" for defaults")
|
|
|
|
flag.StringVar(&dbusConfigSystem, "dbus-system", "nil", "Path to system D-Bus proxy config file, or \"nil\" to disable")
|
2024-09-09 03:16:54 +09:00
|
|
|
flag.StringVar(&dbusID, "dbus-id", "", "D-Bus ID of application, leave empty to disable own paths, has no effect if custom config is available")
|
|
|
|
flag.BoolVar(&mpris, "mpris", false, "Allow owning MPRIS D-Bus path, has no effect if custom config is available")
|
2024-10-12 01:51:06 +09:00
|
|
|
flag.BoolVar(&dbusVerbose, "dbus-log", false, "Force logging in the D-Bus proxy")
|
2024-09-08 02:24:01 +09:00
|
|
|
|
2024-10-12 01:28:22 +09:00
|
|
|
flag.StringVar(&userName, "u", "chronos", "Passwd name of user to run as")
|
2024-10-16 14:38:57 +09:00
|
|
|
flag.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
|
|
|
|
flag.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
|
|
|
|
flag.BoolVar(&enablements[system.EDBus], "dbus", false, "Proxy D-Bus connection")
|
|
|
|
flag.BoolVar(&enablements[system.EPulse], "pulse", false, "Share PulseAudio socket and cookie")
|
2024-07-09 15:39:40 +09:00
|
|
|
}
|
2024-09-13 11:49:10 +09:00
|
|
|
|
|
|
|
func init() {
|
2024-10-10 00:11:04 +09:00
|
|
|
methodHelpString := "Method of launching the child process, can be one of \"sudo\""
|
2024-09-17 13:48:42 +09:00
|
|
|
if internal.SdBootedV {
|
2024-09-13 11:49:10 +09:00
|
|
|
methodHelpString += ", \"systemd\""
|
|
|
|
}
|
|
|
|
|
2024-09-22 00:29:36 +09:00
|
|
|
flag.StringVar(&launchMethodText, "method", "sudo", methodHelpString)
|
2024-09-13 11:49:10 +09:00
|
|
|
}
|
2024-10-12 01:51:06 +09:00
|
|
|
|
2024-10-12 19:46:40 +09:00
|
|
|
func tryTemplate() {
|
|
|
|
if printTemplate {
|
|
|
|
if s, err := json.MarshalIndent(app.Template(), "", " "); err != nil {
|
2024-10-21 20:47:02 +09:00
|
|
|
fmsg.Fatalf("cannot generate template: %v", err)
|
2024-10-12 19:46:40 +09:00
|
|
|
panic("unreachable")
|
|
|
|
} else {
|
|
|
|
fmt.Println(string(s))
|
|
|
|
}
|
2024-10-26 23:09:32 +09:00
|
|
|
fmsg.Exit(0)
|
2024-10-12 19:46:40 +09:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-10-12 01:51:06 +09:00
|
|
|
func loadConfig() *app.Config {
|
|
|
|
if confPath == "nil" {
|
|
|
|
// config from flags
|
|
|
|
return configFromFlags()
|
|
|
|
} else {
|
|
|
|
// config from file
|
|
|
|
c := new(app.Config)
|
|
|
|
if f, err := os.Open(confPath); err != nil {
|
2024-10-21 20:47:02 +09:00
|
|
|
fmsg.Fatalf("cannot access config file %q: %s", confPath, err)
|
2024-10-12 01:51:06 +09:00
|
|
|
panic("unreachable")
|
|
|
|
} else if err = json.NewDecoder(f).Decode(&c); err != nil {
|
2024-10-21 20:47:02 +09:00
|
|
|
fmsg.Fatalf("cannot parse config file %q: %s", confPath, err)
|
2024-10-12 01:51:06 +09:00
|
|
|
panic("unreachable")
|
|
|
|
} else {
|
|
|
|
return c
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func configFromFlags() (config *app.Config) {
|
|
|
|
// initialise config from flags
|
|
|
|
config = &app.Config{
|
|
|
|
ID: dbusID,
|
|
|
|
User: userName,
|
|
|
|
Command: flag.Args(),
|
|
|
|
Method: launchMethodText,
|
|
|
|
}
|
|
|
|
|
|
|
|
// enablements from flags
|
2024-10-16 14:38:57 +09:00
|
|
|
for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
|
2024-10-12 01:51:06 +09:00
|
|
|
if enablements[i] {
|
|
|
|
config.Confinement.Enablements.Set(i)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// parse D-Bus config file from flags if applicable
|
2024-10-16 14:38:57 +09:00
|
|
|
if enablements[system.EDBus] {
|
2024-10-12 01:51:06 +09:00
|
|
|
if dbusConfigSession == "builtin" {
|
|
|
|
config.Confinement.SessionBus = dbus.NewConfig(dbusID, true, mpris)
|
|
|
|
} else {
|
|
|
|
if c, err := dbus.NewConfigFromFile(dbusConfigSession); err != nil {
|
2024-10-21 20:47:02 +09:00
|
|
|
fmsg.Fatalf("cannot load session bus proxy config from %q: %s", dbusConfigSession, err)
|
2024-10-12 01:51:06 +09:00
|
|
|
} else {
|
|
|
|
config.Confinement.SessionBus = c
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// system bus proxy is optional
|
|
|
|
if dbusConfigSystem != "nil" {
|
|
|
|
if c, err := dbus.NewConfigFromFile(dbusConfigSystem); err != nil {
|
2024-10-21 20:47:02 +09:00
|
|
|
fmsg.Fatalf("cannot load system bus proxy config from %q: %s", dbusConfigSystem, err)
|
2024-10-12 01:51:06 +09:00
|
|
|
} else {
|
|
|
|
config.Confinement.SystemBus = c
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// override log from configuration
|
|
|
|
if dbusVerbose {
|
|
|
|
config.Confinement.SessionBus.Log = true
|
|
|
|
config.Confinement.SystemBus.Log = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|