From 05b7dbf066cb74d2901ff9acb3a42662a2af722e Mon Sep 17 00:00:00 2001 From: Ophestra Umiker Date: Mon, 18 Nov 2024 00:18:21 +0900 Subject: [PATCH] app: alternative inner home path Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker --- internal/app/app_nixos_test.go | 4 ++-- internal/app/config.go | 9 ++++++--- internal/app/seal.go | 10 +++++++--- internal/app/share.system.go | 2 +- internal/app/system.go | 2 ++ main.go | 2 +- 6 files changed, 19 insertions(+), 10 deletions(-) diff --git a/internal/app/app_nixos_test.go b/internal/app/app_nixos_test.go index 4a350ca..41b03ea 100644 --- a/internal/app/app_nixos_test.go +++ b/internal/app/app_nixos_test.go @@ -23,7 +23,7 @@ var testCasesNixos = []sealTestCase{ Confinement: app.ConfinementConfig{ AppID: 0, Username: "chronos", - Home: "/home/chronos", + Outer: "/home/chronos", }, }, app.ID{ @@ -204,7 +204,7 @@ var testCasesNixos = []sealTestCase{ AppID: 9, Groups: []string{"video"}, Username: "chronos", - Home: "/home/chronos", + Outer: "/home/chronos", SessionBus: &dbus.Config{ Talk: []string{ "org.freedesktop.Notifications", diff --git a/internal/app/config.go b/internal/app/config.go index dd45b02..298925d 100644 --- a/internal/app/config.go +++ b/internal/app/config.go @@ -30,8 +30,10 @@ type ConfinementConfig struct { Groups []string `json:"groups"` // passwd username in the sandbox, defaults to chronos Username string `json:"username,omitempty"` - // home directory in sandbox - Home string `json:"home"` + // home directory in sandbox, empty for outer + Inner string `json:"home_inner"` + // home directory in init namespace + Outer string `json:"home"` // bwrap sandbox confinement configuration Sandbox *SandboxConfig `json:"sandbox"` @@ -185,7 +187,8 @@ func Template() *Config { AppID: 9, Groups: []string{"video"}, Username: "chronos", - Home: "/var/lib/persist/home/org.chromium.Chromium", + Outer: "/var/lib/persist/home/org.chromium.Chromium", + Inner: "/var/lib/fortify", Sandbox: &SandboxConfig{ Hostname: "localhost", UserNS: true, diff --git a/internal/app/seal.go b/internal/app/seal.go index f01061a..5ad588d 100644 --- a/internal/app/seal.go +++ b/internal/app/seal.go @@ -100,15 +100,19 @@ func (a *app) Seal(config *Config) error { seal.sys.user = appUser{ aid: config.Confinement.AppID, as: strconv.Itoa(config.Confinement.AppID), - home: config.Confinement.Home, + data: config.Confinement.Outer, + home: config.Confinement.Inner, username: config.Confinement.Username, } if seal.sys.user.username == "" { seal.sys.user.username = "chronos" } - if seal.sys.user.home == "" || !path.IsAbs(seal.sys.user.home) { + if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) { return fmsg.WrapError(ErrHome, - fmt.Sprintf("invalid home directory %q", seal.sys.user.home)) + fmt.Sprintf("invalid home directory %q", seal.sys.user.data)) + } + if seal.sys.user.home == "" { + seal.sys.user.home = seal.sys.user.data } // invoke fsu for full uid diff --git a/internal/app/share.system.go b/internal/app/share.system.go index 7c97c48..e1e66de 100644 --- a/internal/app/share.system.go +++ b/internal/app/share.system.go @@ -58,7 +58,7 @@ func (seal *appSeal) sharePasswd(os linux.System) { } // bind home directory - seal.sys.bwrap.Bind(homeDir, homeDir, false, true) + seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true) seal.sys.bwrap.Chdir = homeDir seal.sys.bwrap.SetEnv["USER"] = username diff --git a/internal/app/system.go b/internal/app/system.go index 6a03b92..c776c50 100644 --- a/internal/app/system.go +++ b/internal/app/system.go @@ -44,6 +44,8 @@ type appUser struct { // string representation of aid as string + // home directory host path + data string // app user home directory home string // passwd database username diff --git a/main.go b/main.go index 75dfcb0..249fd15 100644 --- a/main.go +++ b/main.go @@ -188,7 +188,7 @@ func main() { config.Confinement.AppID = aid config.Confinement.Groups = groups - config.Confinement.Home = homeDir + config.Confinement.Outer = homeDir config.Confinement.Username = userName // enablements from flags