2024-09-22 00:29:36 +09:00
|
|
|
package app
|
|
|
|
|
|
|
|
|
|
import (
|
2024-10-15 02:15:55 +09:00
|
|
|
"os"
|
|
|
|
|
|
2024-10-20 19:50:13 +09:00
|
|
|
"git.ophivana.moe/security/fortify/dbus"
|
|
|
|
|
"git.ophivana.moe/security/fortify/helper/bwrap"
|
|
|
|
|
"git.ophivana.moe/security/fortify/internal/system"
|
2024-09-22 00:29:36 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Config is used to seal an *App
|
|
|
|
|
type Config struct {
|
|
|
|
|
// D-Bus application ID
|
|
|
|
|
ID string `json:"id"`
|
|
|
|
|
// username of the target user to switch to
|
|
|
|
|
User string `json:"user"`
|
|
|
|
|
// value passed through to the child process as its argv
|
|
|
|
|
Command []string `json:"command"`
|
|
|
|
|
// string representation of the child's launch method
|
|
|
|
|
Method string `json:"method"`
|
|
|
|
|
|
|
|
|
|
// child confinement configuration
|
|
|
|
|
Confinement ConfinementConfig `json:"confinement"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ConfinementConfig defines fortified child's confinement
|
|
|
|
|
type ConfinementConfig struct {
|
2024-10-11 02:01:03 +09:00
|
|
|
// bwrap sandbox confinement configuration
|
2024-10-11 04:18:15 +09:00
|
|
|
Sandbox *SandboxConfig `json:"sandbox"`
|
2024-10-11 02:01:03 +09:00
|
|
|
|
2024-09-22 00:29:36 +09:00
|
|
|
// reference to a system D-Bus proxy configuration,
|
|
|
|
|
// nil value disables system bus proxy
|
|
|
|
|
SystemBus *dbus.Config `json:"system_bus,omitempty"`
|
|
|
|
|
// reference to a session D-Bus proxy configuration,
|
|
|
|
|
// nil value makes session bus proxy assume built-in defaults
|
|
|
|
|
SessionBus *dbus.Config `json:"session_bus,omitempty"`
|
|
|
|
|
|
|
|
|
|
// child capability enablements
|
2024-10-16 14:38:57 +09:00
|
|
|
Enablements system.Enablements `json:"enablements"`
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
2024-10-11 04:18:15 +09:00
|
|
|
|
|
|
|
|
// SandboxConfig describes resources made available to the sandbox.
|
|
|
|
|
type SandboxConfig struct {
|
|
|
|
|
// unix hostname within sandbox
|
|
|
|
|
Hostname string `json:"hostname,omitempty"`
|
|
|
|
|
// userns availability within sandbox
|
|
|
|
|
UserNS bool `json:"userns,omitempty"`
|
|
|
|
|
// share net namespace
|
|
|
|
|
Net bool `json:"net,omitempty"`
|
|
|
|
|
// do not run in new session
|
|
|
|
|
NoNewSession bool `json:"no_new_session,omitempty"`
|
2024-11-04 03:15:39 +09:00
|
|
|
// map target user uid to privileged user uid in the user namespace
|
|
|
|
|
UseRealUID bool `json:"use_real_uid"`
|
2024-10-11 04:18:15 +09:00
|
|
|
// mediated access to wayland socket
|
|
|
|
|
Wayland bool `json:"wayland,omitempty"`
|
|
|
|
|
|
|
|
|
|
// final environment variables
|
|
|
|
|
Env map[string]string `json:"env"`
|
2024-10-12 22:33:04 +09:00
|
|
|
// sandbox host filesystem access
|
|
|
|
|
Filesystem []*FilesystemConfig `json:"filesystem"`
|
2024-10-25 13:29:01 +09:00
|
|
|
// symlinks created inside the sandbox
|
|
|
|
|
Link [][2]string `json:"symlink"`
|
2024-10-16 01:38:59 +09:00
|
|
|
// paths to override by mounting tmpfs over them
|
|
|
|
|
Override []string `json:"override"`
|
2024-10-12 22:33:04 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type FilesystemConfig struct {
|
|
|
|
|
// mount point in sandbox, same as src if empty
|
|
|
|
|
Dst string `json:"dst,omitempty"`
|
|
|
|
|
// host filesystem path to make available to sandbox
|
|
|
|
|
Src string `json:"src"`
|
|
|
|
|
// write access
|
|
|
|
|
Write bool `json:"write,omitempty"`
|
|
|
|
|
// device access
|
|
|
|
|
Device bool `json:"dev,omitempty"`
|
|
|
|
|
// exit if unable to share
|
|
|
|
|
Must bool `json:"require,omitempty"`
|
2024-10-11 04:18:15 +09:00
|
|
|
}
|
|
|
|
|
|
2024-10-15 02:15:55 +09:00
|
|
|
// Bwrap returns the address of the corresponding bwrap.Config to s.
|
|
|
|
|
// Note that remaining tmpfs entries must be queued by the caller prior to launch.
|
2024-11-04 03:15:39 +09:00
|
|
|
func (s *SandboxConfig) Bwrap(uid int) *bwrap.Config {
|
2024-10-11 04:18:15 +09:00
|
|
|
if s == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-04 03:15:39 +09:00
|
|
|
if !s.UseRealUID {
|
|
|
|
|
uid = 65534
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-15 02:15:55 +09:00
|
|
|
conf := (&bwrap.Config{
|
2024-10-11 04:18:15 +09:00
|
|
|
Net: s.Net,
|
|
|
|
|
UserNS: s.UserNS,
|
|
|
|
|
Hostname: s.Hostname,
|
|
|
|
|
Clearenv: true,
|
|
|
|
|
SetEnv: s.Env,
|
|
|
|
|
NewSession: !s.NoNewSession,
|
|
|
|
|
DieWithParent: true,
|
2024-10-14 02:27:02 +09:00
|
|
|
AsInit: true,
|
2024-10-15 02:15:55 +09:00
|
|
|
|
|
|
|
|
// initialise map
|
|
|
|
|
Chmod: make(map[string]os.FileMode),
|
|
|
|
|
}).
|
2024-11-04 03:15:39 +09:00
|
|
|
SetUID(uid).SetGID(uid).
|
2024-10-25 13:29:01 +09:00
|
|
|
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
|
|
|
|
Tmpfs("/dev/fortify", 4*1024)
|
2024-10-11 04:18:15 +09:00
|
|
|
|
2024-10-12 22:33:04 +09:00
|
|
|
for _, c := range s.Filesystem {
|
|
|
|
|
if c == nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
2024-10-15 02:15:55 +09:00
|
|
|
src := c.Src
|
|
|
|
|
dest := c.Dst
|
2024-10-12 22:33:04 +09:00
|
|
|
if c.Dst == "" {
|
2024-10-15 02:15:55 +09:00
|
|
|
dest = c.Src
|
2024-10-12 22:33:04 +09:00
|
|
|
}
|
2024-10-15 02:15:55 +09:00
|
|
|
conf.Bind(src, dest, !c.Must, c.Write, c.Device)
|
2024-10-13 02:39:27 +09:00
|
|
|
}
|
|
|
|
|
|
2024-10-25 13:29:01 +09:00
|
|
|
for _, l := range s.Link {
|
|
|
|
|
conf.Symlink(l[0], l[1])
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-11 04:18:15 +09:00
|
|
|
return conf
|
|
|
|
|
}
|
2024-10-12 19:46:07 +09:00
|
|
|
|
|
|
|
|
// Template returns a fully populated instance of Config.
|
|
|
|
|
func Template() *Config {
|
|
|
|
|
return &Config{
|
|
|
|
|
ID: "org.chromium.Chromium",
|
|
|
|
|
User: "chronos",
|
|
|
|
|
Command: []string{
|
|
|
|
|
"chromium",
|
|
|
|
|
"--ignore-gpu-blocklist",
|
|
|
|
|
"--disable-smooth-scrolling",
|
|
|
|
|
"--enable-features=UseOzonePlatform",
|
|
|
|
|
"--ozone-platform=wayland",
|
|
|
|
|
},
|
|
|
|
|
Method: "sudo",
|
|
|
|
|
Confinement: ConfinementConfig{
|
|
|
|
|
Sandbox: &SandboxConfig{
|
|
|
|
|
Hostname: "localhost",
|
|
|
|
|
UserNS: true,
|
|
|
|
|
Net: true,
|
|
|
|
|
NoNewSession: true,
|
|
|
|
|
Wayland: false,
|
|
|
|
|
// example API credentials pulled from Google Chrome
|
|
|
|
|
// DO NOT USE THESE IN A REAL BROWSER
|
|
|
|
|
Env: map[string]string{
|
|
|
|
|
"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
|
|
|
|
|
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
|
|
|
|
|
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
|
|
|
|
|
},
|
2024-10-12 22:33:04 +09:00
|
|
|
Filesystem: []*FilesystemConfig{
|
|
|
|
|
{Src: "/nix"},
|
|
|
|
|
{Src: "/storage/emulated/0", Write: true, Must: true},
|
|
|
|
|
{Src: "/data/user/0", Dst: "/data/data", Write: true, Must: true},
|
|
|
|
|
{Src: "/var/tmp", Write: true},
|
|
|
|
|
},
|
2024-10-25 13:29:01 +09:00
|
|
|
Link: [][2]string{{"/dev/fortify/etc", "/etc"}},
|
2024-10-16 01:38:59 +09:00
|
|
|
Override: []string{"/var/run/nscd"},
|
2024-10-12 19:46:07 +09:00
|
|
|
},
|
|
|
|
|
SystemBus: &dbus.Config{
|
|
|
|
|
See: nil,
|
|
|
|
|
Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
|
|
|
|
|
Own: nil,
|
|
|
|
|
Call: nil,
|
|
|
|
|
Broadcast: nil,
|
|
|
|
|
Log: false,
|
|
|
|
|
Filter: true,
|
|
|
|
|
},
|
|
|
|
|
SessionBus: &dbus.Config{
|
|
|
|
|
See: nil,
|
|
|
|
|
Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
|
|
|
|
|
"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
|
|
|
|
|
Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
|
|
|
|
"org.mpris.MediaPlayer2.chromium.*"},
|
|
|
|
|
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
|
|
|
|
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
|
|
|
|
Log: false,
|
|
|
|
|
Filter: true,
|
|
|
|
|
},
|
2024-10-16 14:38:57 +09:00
|
|
|
Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
|
2024-10-12 19:46:07 +09:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
