app: alternative inner home path

Support binding home to an alternative path in the mount namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>

internal/app/app_nixos_test.go

@@ -23,7 +23,7 @@ var testCasesNixos = []sealTestCase{
 			Confinement: app.ConfinementConfig{
 				AppID:    0,
 				Username: "chronos",
-				Home:     "/home/chronos",
+				Outer:    "/home/chronos",
 			},
 		},
 		app.ID{
@@ -204,7 +204,7 @@ var testCasesNixos = []sealTestCase{
 				AppID:    9,
 				Groups:   []string{"video"},
 				Username: "chronos",
-				Home:     "/home/chronos",
+				Outer:    "/home/chronos",
 				SessionBus: &dbus.Config{
 					Talk: []string{
 						"org.freedesktop.Notifications",

internal/app/config.go

@@ -30,8 +30,10 @@ type ConfinementConfig struct {
 	Groups []string `json:"groups"`
 	// passwd username in the sandbox, defaults to chronos
 	Username string `json:"username,omitempty"`
-	// home directory in sandbox
+	// home directory in sandbox, empty for outer
-	Home string `json:"home"`
+	Inner string `json:"home_inner"`
+	// home directory in init namespace
+	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
 
@@ -185,7 +187,8 @@ func Template() *Config {
 			AppID:    9,
 			Groups:   []string{"video"},
 			Username: "chronos",
-			Home:     "/var/lib/persist/home/org.chromium.Chromium",
+			Outer:    "/var/lib/persist/home/org.chromium.Chromium",
+			Inner:    "/var/lib/fortify",
 			Sandbox: &SandboxConfig{
 				Hostname:     "localhost",
 				UserNS:       true,

internal/app/seal.go

@@ -100,15 +100,19 @@ func (a *app) Seal(config *Config) error {
 		seal.sys.user = appUser{
 			aid:      config.Confinement.AppID,
 			as:       strconv.Itoa(config.Confinement.AppID),
-			home:     config.Confinement.Home,
+			data:     config.Confinement.Outer,
+			home:     config.Confinement.Inner,
 			username: config.Confinement.Username,
 		}
 		if seal.sys.user.username == "" {
 			seal.sys.user.username = "chronos"
 		}
-		if seal.sys.user.home == "" || !path.IsAbs(seal.sys.user.home) {
+		if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
 			return fmsg.WrapError(ErrHome,
-				fmt.Sprintf("invalid home directory %q", seal.sys.user.home))
+				fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
+		}
+		if seal.sys.user.home == "" {
+			seal.sys.user.home = seal.sys.user.data
 		}
 
 		// invoke fsu for full uid

internal/app/share.system.go

@@ -58,7 +58,7 @@ func (seal *appSeal) sharePasswd(os linux.System) {
 	}
 
 	// bind home directory
-	seal.sys.bwrap.Bind(homeDir, homeDir, false, true)
+	seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
 	seal.sys.bwrap.Chdir = homeDir
 
 	seal.sys.bwrap.SetEnv["USER"] = username

internal/app/system.go

@@ -44,6 +44,8 @@ type appUser struct {
 	// string representation of aid
 	as string
 
+	// home directory host path
+	data string
 	// app user home directory
 	home string
 	// passwd database username

main.go

@@ -188,7 +188,7 @@ func main() {
 
 		config.Confinement.AppID = aid
 		config.Confinement.Groups = groups
-		config.Confinement.Home = homeDir
+		config.Confinement.Outer = homeDir
 		config.Confinement.Username = userName
 
 		// enablements from flags