2024-09-22 00:29:36 +09:00
|
|
|
package app
|
|
|
|
|
|
|
|
import (
|
2024-10-11 02:01:03 +09:00
|
|
|
"os"
|
2024-09-22 00:29:36 +09:00
|
|
|
"path"
|
|
|
|
|
|
|
|
"git.ophivana.moe/cat/fortify/acl"
|
2024-10-11 04:18:15 +09:00
|
|
|
"git.ophivana.moe/cat/fortify/helper/bwrap"
|
2024-10-10 14:33:58 +09:00
|
|
|
"git.ophivana.moe/cat/fortify/internal/state"
|
2024-09-22 00:29:36 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
|
|
|
xdgSessionClass = "XDG_SESSION_CLASS"
|
|
|
|
xdgSessionType = "XDG_SESSION_TYPE"
|
2024-10-11 02:01:03 +09:00
|
|
|
|
|
|
|
shell = "SHELL"
|
2024-09-22 00:29:36 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
// shareRuntime queues actions for sharing/ensuring the runtime and share directories
|
|
|
|
func (seal *appSeal) shareRuntime() {
|
2024-10-11 02:01:03 +09:00
|
|
|
// look up shell
|
|
|
|
if s, ok := os.LookupEnv(shell); ok {
|
2024-10-11 04:18:15 +09:00
|
|
|
seal.sys.setEnv(shell, s)
|
2024-10-11 02:01:03 +09:00
|
|
|
}
|
|
|
|
|
2024-10-11 04:18:15 +09:00
|
|
|
// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
|
|
|
|
seal.sys.bwrap.Tmpfs = append(seal.sys.bwrap.Tmpfs,
|
|
|
|
bwrap.PermConfig[bwrap.TmpfsConfig]{
|
|
|
|
Path: bwrap.TmpfsConfig{
|
|
|
|
Size: 1 * 1024 * 1024,
|
|
|
|
Dir: "/run/user",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
bwrap.PermConfig[bwrap.TmpfsConfig]{
|
|
|
|
Path: bwrap.TmpfsConfig{
|
|
|
|
Size: 8 * 1024 * 1024,
|
|
|
|
Dir: seal.sys.runtime,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
2024-09-22 00:29:36 +09:00
|
|
|
// ensure RunDir (e.g. `/run/user/%d/fortify`)
|
|
|
|
seal.sys.ensure(seal.RunDirPath, 0700)
|
2024-10-10 14:33:58 +09:00
|
|
|
seal.sys.updatePermTag(state.EnableLength, seal.RunDirPath, acl.Execute)
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
// ensure runtime directory ACL (e.g. `/run/user/%d`)
|
2024-10-10 14:33:58 +09:00
|
|
|
seal.sys.updatePermTag(state.EnableLength, seal.RuntimePath, acl.Execute)
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
// ensure Share (e.g. `/tmp/fortify.%d`)
|
|
|
|
// acl is unnecessary as this directory is world executable
|
|
|
|
seal.sys.ensure(seal.SharePath, 0701)
|
|
|
|
|
|
|
|
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
|
|
|
// acl is unnecessary as this directory is world executable
|
|
|
|
seal.share = path.Join(seal.SharePath, seal.id.String())
|
|
|
|
seal.sys.ensureEphemeral(seal.share, 0701)
|
2024-10-10 12:44:08 +09:00
|
|
|
|
|
|
|
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
|
|
|
|
seal.shareLocal = path.Join(seal.RunDirPath, seal.id.String())
|
|
|
|
seal.sys.ensureEphemeral(seal.shareLocal, 0700)
|
|
|
|
seal.sys.updatePerm(seal.shareLocal, acl.Execute)
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
func (seal *appSeal) shareRuntimeChild() string {
|
|
|
|
// ensure child runtime parent directory (e.g. `/tmp/fortify.%d/runtime`)
|
|
|
|
targetRuntimeParent := path.Join(seal.SharePath, "runtime")
|
|
|
|
seal.sys.ensure(targetRuntimeParent, 0700)
|
2024-10-10 14:33:58 +09:00
|
|
|
seal.sys.updatePermTag(state.EnableLength, targetRuntimeParent, acl.Execute)
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
// ensure child runtime directory (e.g. `/tmp/fortify.%d/runtime/%d`)
|
|
|
|
targetRuntime := path.Join(targetRuntimeParent, seal.sys.Uid)
|
|
|
|
seal.sys.ensure(targetRuntime, 0700)
|
2024-10-10 14:33:58 +09:00
|
|
|
seal.sys.updatePermTag(state.EnableLength, targetRuntime, acl.Read, acl.Write, acl.Execute)
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
// point to ensured runtime path
|
2024-10-11 04:18:15 +09:00
|
|
|
seal.sys.setEnv(xdgRuntimeDir, targetRuntime)
|
|
|
|
seal.sys.setEnv(xdgSessionClass, "user")
|
|
|
|
seal.sys.setEnv(xdgSessionType, "tty")
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
return targetRuntime
|
|
|
|
}
|