2024-09-22 00:29:36 +09:00
|
|
|
package app
|
|
|
|
|
|
|
|
import (
|
2024-10-20 19:50:13 +09:00
|
|
|
"git.ophivana.moe/security/fortify/dbus"
|
|
|
|
"git.ophivana.moe/security/fortify/helper/bwrap"
|
2024-11-02 03:03:44 +09:00
|
|
|
"git.ophivana.moe/security/fortify/internal/linux"
|
2024-10-20 19:50:13 +09:00
|
|
|
"git.ophivana.moe/security/fortify/internal/system"
|
2024-09-22 00:29:36 +09:00
|
|
|
)
|
|
|
|
|
2024-10-16 01:38:59 +09:00
|
|
|
// appSealSys encapsulates app seal behaviour with OS interactions
|
|
|
|
type appSealSys struct {
|
2024-10-11 04:18:15 +09:00
|
|
|
bwrap *bwrap.Config
|
2024-10-16 01:38:59 +09:00
|
|
|
// paths to override by mounting tmpfs over them
|
|
|
|
override []string
|
2024-09-22 00:29:36 +09:00
|
|
|
|
2024-10-11 04:18:15 +09:00
|
|
|
// default formatted XDG_RUNTIME_DIR of User
|
|
|
|
runtime string
|
2024-09-22 00:29:36 +09:00
|
|
|
// target user sealed from config
|
2024-11-16 21:19:45 +09:00
|
|
|
user appUser
|
2024-09-22 00:29:36 +09:00
|
|
|
|
2024-11-04 03:15:39 +09:00
|
|
|
// mapped uid and gid in user namespace
|
|
|
|
mappedID int
|
|
|
|
// string representation of mappedID
|
|
|
|
mappedIDString string
|
|
|
|
|
2024-10-27 00:46:15 +09:00
|
|
|
needRevert bool
|
|
|
|
saveState bool
|
2024-10-16 01:38:59 +09:00
|
|
|
*system.I
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
// protected by upstream mutex
|
|
|
|
}
|
|
|
|
|
2024-11-16 21:19:45 +09:00
|
|
|
type appUser struct {
|
|
|
|
// full uid resolved by fsu
|
|
|
|
uid int
|
|
|
|
// string representation of uid
|
|
|
|
us string
|
|
|
|
|
|
|
|
// supplementary group ids
|
|
|
|
supp []string
|
|
|
|
|
|
|
|
// application id
|
|
|
|
aid int
|
|
|
|
// string representation of aid
|
|
|
|
as string
|
|
|
|
|
2024-11-18 00:18:21 +09:00
|
|
|
// home directory host path
|
|
|
|
data string
|
2024-11-16 21:19:45 +09:00
|
|
|
// app user home directory
|
|
|
|
home string
|
|
|
|
// passwd database username
|
|
|
|
username string
|
|
|
|
}
|
|
|
|
|
2024-09-22 00:29:36 +09:00
|
|
|
// shareAll calls all share methods in sequence
|
2024-11-02 03:03:44 +09:00
|
|
|
func (seal *appSeal) shareAll(bus [2]*dbus.Config, os linux.System) error {
|
2024-09-22 00:29:36 +09:00
|
|
|
if seal.shared {
|
|
|
|
panic("seal shared twice")
|
|
|
|
}
|
|
|
|
seal.shared = true
|
|
|
|
|
2024-10-13 02:43:00 +09:00
|
|
|
seal.shareSystem()
|
2024-10-18 01:21:58 +09:00
|
|
|
seal.shareRuntime()
|
2024-10-23 21:46:21 +09:00
|
|
|
seal.sharePasswd(os)
|
|
|
|
if err := seal.shareDisplay(os); err != nil {
|
2024-09-22 00:29:36 +09:00
|
|
|
return err
|
|
|
|
}
|
2024-10-23 21:46:21 +09:00
|
|
|
if err := seal.sharePulse(os); err != nil {
|
2024-09-22 00:29:36 +09:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// ensure dbus session bus defaults
|
|
|
|
if bus[0] == nil {
|
|
|
|
bus[0] = dbus.NewConfig(seal.fid, true, true)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := seal.shareDBus(bus); err != nil {
|
|
|
|
return err
|
2024-10-16 01:38:59 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
|
|
|
|
for _, dest := range seal.sys.override {
|
|
|
|
seal.sys.bwrap.Tmpfs(dest, 8*1024)
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|