fortify/internal/app/share.system.go

package app

import (
	"path"

	"git.ophivana.moe/security/fortify/acl"
	"git.ophivana.moe/security/fortify/internal/linux"
	"git.ophivana.moe/security/fortify/internal/system"
)

const (
	shell = "SHELL"
)

// shareSystem queues various system-related actions
func (seal *appSeal) shareSystem() {
	// ensure Share (e.g. `/tmp/fortify.%d`)
	// acl is unnecessary as this directory is world executable
	seal.sys.Ensure(seal.SharePath, 0701)

	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
	// acl is unnecessary as this directory is world executable
	seal.share = path.Join(seal.SharePath, seal.id)
	seal.sys.Ephemeral(system.Process, seal.share, 0701)

	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
	seal.sys.Ensure(targetTmpdirParent, 0700)
	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)

	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)
	seal.sys.Ensure(targetTmpdir, 01700)
	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)

	// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
	seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
}

func (seal *appSeal) sharePasswd(os linux.System) {
	// look up shell
	sh := "/bin/sh"
	if s, ok := os.LookupEnv(shell); ok {
		seal.sys.bwrap.SetEnv[shell] = s
		sh = s
	}

	// generate /etc/passwd
	passwdPath := path.Join(seal.share, "passwd")
	username := "chronos"
	if seal.sys.user.Username != "" {
		username = seal.sys.user.Username
		seal.sys.bwrap.SetEnv["USER"] = seal.sys.user.Username
	}
	homeDir := "/var/empty"
	if seal.sys.user.HomeDir != "" {
		homeDir = seal.sys.user.HomeDir
		seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
	}
	passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
	seal.sys.Write(passwdPath, passwd)

	// write /etc/group
	groupPath := path.Join(seal.share, "group")
	seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")

	// bind /etc/passwd and /etc/group
	seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
	seal.sys.bwrap.Bind(groupPath, "/etc/group")
}
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00			`package app`

			`import (`
			`"path"`
helper/bwrap: ordered filesystem args The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-15 02:15:55 +09:00
migrate to git.ophivana.moe/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-20 19:50:13 +09:00			`"git.ophivana.moe/security/fortify/acl"`
cmd: shim and init into separate binaries This change also fixes a deadlock when shim fails to connect and complete the setup. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-02 03:03:44 +09:00			`"git.ophivana.moe/security/fortify/internal/linux"`
migrate to git.ophivana.moe/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-20 19:50:13 +09:00			`"git.ophivana.moe/security/fortify/internal/system"`
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00			`)`

			`const (`
			`shell = "SHELL"`
			`)`

			`// shareSystem queues various system-related actions`
			`func (seal *appSeal) shareSystem() {`
app/share: fix order to ensure SharePath before any of its subdirectories shareTmpdirChild happened to request an ephemeral dir within SharePath and was called before shareRuntime which ensures that path. This commit moves SharePath initialisation to shareSystem and moves shareTmpdirChild into ShareSystem. Further cleanup and tests are desperately needed for the app package but for now this fix will have to do. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-18 01:21:58 +09:00			// ensure Share (e.g. `/tmp/fortify.%d`)
			`// acl is unnecessary as this directory is world executable`
			`seal.sys.Ensure(seal.SharePath, 0701)`

			// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
			`// acl is unnecessary as this directory is world executable`
app: move app ID to app struct App ID is inherent to App, and it makes no sense to generate it as part of the app sealing process. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-20 00:07:48 +09:00			`seal.share = path.Join(seal.SharePath, seal.id)`
app/share: fix order to ensure SharePath before any of its subdirectories shareTmpdirChild happened to request an ephemeral dir within SharePath and was called before shareRuntime which ensures that path. This commit moves SharePath initialisation to shareSystem and moves shareTmpdirChild into ShareSystem. Further cleanup and tests are desperately needed for the app package but for now this fix will have to do. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-18 01:21:58 +09:00			`seal.sys.Ephemeral(system.Process, seal.share, 0701)`

			// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
			`targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")`
			`seal.sys.Ensure(targetTmpdirParent, 0700)`
			`seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)`

			// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
			`targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)`
			`seal.sys.Ensure(targetTmpdir, 01700)`
			`seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)`
			`seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)`

			// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
			`seal.sys.bwrap.Tmpfs(seal.SharePath, 110241024)`
			`}`

cmd: shim and init into separate binaries This change also fixes a deadlock when shim fails to connect and complete the setup. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-02 03:03:44 +09:00			`func (seal *appSeal) sharePasswd(os linux.System) {`
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00			`// look up shell`
			`sh := "/bin/sh"`
			`if s, ok := os.LookupEnv(shell); ok {`
app: port app to use the system package This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:38:59 +09:00			`seal.sys.bwrap.SetEnv[shell] = s`
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00			`sh = s`
			`}`

			`// generate /etc/passwd`
			`passwdPath := path.Join(seal.share, "passwd")`
			`username := "chronos"`
app: port app to use the system package This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:38:59 +09:00			`if seal.sys.user.Username != "" {`
			`username = seal.sys.user.Username`
			`seal.sys.bwrap.SetEnv["USER"] = seal.sys.user.Username`
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00			`}`
			`homeDir := "/var/empty"`
app: port app to use the system package This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:38:59 +09:00			`if seal.sys.user.HomeDir != "" {`
			`homeDir = seal.sys.user.HomeDir`
			`seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir`
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00			`}`
app: support mapping target uid as privileged uid in sandbox Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-04 03:15:39 +09:00			`passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"`
app: port app to use the system package This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:38:59 +09:00			`seal.sys.Write(passwdPath, passwd)`
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00
			`// write /etc/group`
			`groupPath := path.Join(seal.share, "group")`
app: support mapping target uid as privileged uid in sandbox Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-04 03:15:39 +09:00			`seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")`
app: generate and replace passwd and group files This ensures libc functions get correct user information. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-13 02:43:00 +09:00
			`// bind /etc/passwd and /etc/group`
helper/bwrap: ordered filesystem args The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-15 02:15:55 +09:00			`seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")`
			`seal.sys.bwrap.Bind(groupPath, "/etc/group")`
			`}`