app: alternative inner home path

Support binding home to an alternative path in the mount namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
Ophestra Umiker 2024-11-18 00:18:21 +09:00
parent 866270ff05
commit 05b7dbf066
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
6 changed files with 19 additions and 10 deletions


@ -23,7 +23,7 @@ var testCasesNixos = []sealTestCase{
Confinement: app.ConfinementConfig{
AppID: 0,
Username: "chronos",
Home: "/home/chronos",
Outer: "/home/chronos",
},
},
app.ID{
@ -204,7 +204,7 @@ var testCasesNixos = []sealTestCase{
AppID: 9,
Groups: []string{"video"},
Username: "chronos",
Home: "/home/chronos",
Outer: "/home/chronos",
SessionBus: &dbus.Config{
Talk: []string{
"org.freedesktop.Notifications",


@ -30,8 +30,10 @@ type ConfinementConfig struct {
Groups []string `json:"groups"`
// passwd username in the sandbox, defaults to chronos
Username string `json:"username,omitempty"`
// home directory in sandbox
Home string `json:"home"`
// home directory in sandbox, empty for outer
Inner string `json:"home_inner"`
// home directory in init namespace
Outer string `json:"home"`
// bwrap sandbox confinement configuration
Sandbox *SandboxConfig `json:"sandbox"`
@ -185,7 +187,8 @@ func Template() *Config {
AppID: 9,
Groups: []string{"video"},
Username: "chronos",
Home: "/var/lib/persist/home/org.chromium.Chromium",
Outer: "/var/lib/persist/home/org.chromium.Chromium",
Inner: "/var/lib/fortify",
Sandbox: &SandboxConfig{
Hostname: "localhost",
UserNS: true,
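Review bot: The comment on the new Inner field, `// home directory in sandbox, empty for outer`, does not state what the fallback is or that the value names a path inside the mount namespace; `// home directory path inside the sandbox mount namespace; when empty, Outer is used` would make the contract explicit, and `// home directory path in the init namespace, bound into the sandbox at Inner` would do the same for Outer. The json tag `home` stays on the renamed field, so existing configuration files keep their meaning, while the new `home_inner` key has no omitempty and will always be emitted, which appears deliberate but is worth a word in the comment. The ConfinementConfig struct starts before the hunk and continues after it.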


@ -100,15 +100,19 @@ func (a *app) Seal(config *Config) error {
seal.sys.user = appUser{
aid: config.Confinement.AppID,
as: strconv.Itoa(config.Confinement.AppID),
home: config.Confinement.Home,
data: config.Confinement.Outer,
home: config.Confinement.Inner,
username: config.Confinement.Username,
}
if seal.sys.user.username == "" {
seal.sys.user.username = "chronos"
}
if seal.sys.user.home == "" || !path.IsAbs(seal.sys.user.home) {
if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
return fmsg.WrapError(ErrHome,
fmt.Sprintf("invalid home directory %q", seal.sys.user.home))
fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
}
if seal.sys.user.home == "" {
seal.sys.user.home = seal.sys.user.data
}
// invoke fsu for full uid
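Review bot: The absolute-path check on L76 now covers only the outer path (`data`), so a non-empty relative or otherwise malformed Inner value passes into `home` unchecked; the fallback on L81-L83 handles only the empty case. Extend it to `} else if !path.IsAbs(seal.sys.user.home) { return fmsg.WrapError(ErrHome, fmt.Sprintf("invalid inner home directory %q", seal.sys.user.home)) }` so both paths are validated by the same rule before they reach the passwd entry and the bind mount. Seal's body continues outside the hunk, so whether a later step already rejects a relative inner path cannot be seen here.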


@ -58,7 +58,7 @@ func (seal *appSeal) sharePasswd(os linux.System) {
}
// bind home directory
seal.sys.bwrap.Bind(homeDir, homeDir, false, true)
seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
seal.sys.bwrap.Chdir = homeDir
seal.sys.bwrap.SetEnv["USER"] = username
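Review bot: The comment `// bind home directory` above the Bind call on L92 is now misleading, because source and target differ: the host path `seal.sys.user.data` is mounted at `homeDir`, which is presumably derived from `seal.sys.user.home` somewhere before the hunk. Suggest `// bind the outer (host) home directory at the inner sandbox home path` so a reader does not assume the two arguments are the same path as they were before. sharePasswd starts before the hunk, so where homeDir is assigned is not visible here.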

View File

@ -44,6 +44,8 @@ type appUser struct {
// string representation of aid
as string
// home directory host path
data string
// app user home directory
home string
// passwd database username
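Review bot: The two field comments on L101 and L103 do not say which namespace each path belongs to or how the fields relate; `// home directory path in the init namespace, bound into the sandbox` for data and `// home directory path inside the sandbox; falls back to data when unset` for home would make the pair unambiguous, the fallback being what Seal does when Inner is empty. The appUser struct starts before the hunk and continues after it.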


@ -188,7 +188,7 @@ func main() {
config.Confinement.AppID = aid
config.Confinement.Groups = groups
config.Confinement.Home = homeDir
config.Confinement.Outer = homeDir
config.Confinement.Username = userName
// enablements from flags