shim: use bwrap config as it is
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
parent
713872a5cd
commit
3ddfd76cdf
@ -7,11 +7,9 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
"git.ophivana.moe/cat/fortify/helper"
|
"git.ophivana.moe/cat/fortify/helper"
|
||||||
"git.ophivana.moe/cat/fortify/helper/bwrap"
|
|
||||||
"git.ophivana.moe/cat/fortify/internal/verbose"
|
"git.ophivana.moe/cat/fortify/internal/verbose"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -41,6 +39,11 @@ func shim(socket string) {
|
||||||
verbose.Set(payload.Verbose)
|
verbose.Set(payload.Verbose)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if payload.Bwrap == nil {
|
||||||
|
fmt.Println("fortify-shim: bwrap config not supplied")
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
|
||||||
// receive wayland fd over socket
|
// receive wayland fd over socket
|
||||||
wfd := -1
|
wfd := -1
|
||||||
if payload.WL {
|
if payload.WL {
|
||||||
|
@ -80,50 +83,9 @@ func shim(socket string) {
|
||||||
_ = conn.Close()
|
_ = conn.Close()
|
||||||
|
|
||||||
conf := payload.Bwrap
|
conf := payload.Bwrap
|
||||||
if conf == nil {
|
|
||||||
verbose.Println("sandbox configuration not supplied, PROCEED WITH CAUTION")
|
|
||||||
conf = &bwrap.Config{
|
|
||||||
Net: true,
|
|
||||||
UserNS: true,
|
|
||||||
Clearenv: true,
|
|
||||||
Procfs: []string{"/proc"},
|
|
||||||
DevTmpfs: []string{"/dev"},
|
|
||||||
Mqueue: []string{"/dev/mqueue"},
|
|
||||||
DieWithParent: true,
|
|
||||||
}
|
|
||||||
|
|
||||||
if d, err := os.ReadDir("/"); err != nil {
|
|
||||||
fmt.Println("fortify-shim: cannot readdir '/':", err)
|
|
||||||
} else {
|
|
||||||
conf.Bind = make([][2]string, 0, len(d))
|
|
||||||
for _, ent := range d {
|
|
||||||
name := ent.Name()
|
|
||||||
switch name {
|
|
||||||
case "proc":
|
|
||||||
case "dev":
|
|
||||||
default:
|
|
||||||
p := "/" + name
|
|
||||||
conf.Bind = append(conf.Bind, [2]string{p, p})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if conf.SetEnv == nil {
|
|
||||||
conf.SetEnv = make(map[string]string, len(payload.Env))
|
|
||||||
}
|
|
||||||
|
|
||||||
var extraFiles []*os.File
|
var extraFiles []*os.File
|
||||||
|
|
||||||
// set environment passed by parent
|
|
||||||
for _, s := range payload.Env {
|
|
||||||
kv := strings.SplitN(s, "=", 2)
|
|
||||||
if len(kv) != 2 {
|
|
||||||
fmt.Println("fortify-shim: invalid environment string:", s)
|
|
||||||
} else {
|
|
||||||
conf.SetEnv[kv[0]] = kv[1]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// pass wayland fd
|
// pass wayland fd
|
||||||
if wfd != -1 {
|
if wfd != -1 {
|
||||||
if f := os.NewFile(uintptr(wfd), "wayland"); f != nil {
|
if f := os.NewFile(uintptr(wfd), "wayland"); f != nil {
|
||||||
|
|
|
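Review bot: The `Payload.Bwrap` doc comment in this commit's other file still says `// bwrap config, nil for permissive`, but the guard added in the `@ -41,6 +39,11` hunk now exits with "bwrap config not supplied" whenever it is nil, so the comment should be updated to something like `// bwrap config, required; the shim exits when nil`. The `@ -80,50 +83,9` hunk also drops the `if conf.SetEnv == nil { conf.SetEnv = make(...) }` initialisation along with the env passthrough; the rest of shim lies outside the hunk, so if any later line still writes `conf.SetEnv[k] = v`, a parent that sends a config without SetEnv will now panic on a nil map rather than get an empty environment, and that write (if present) needs a nil check or the parent must be documented as always populating SetEnv. Failing closed instead of silently binding all of "/" when no config arrives is the right direction; consider noting in the exit path that the config is trusted as supplied by the parent, e.g. `// config is used verbatim; the parent is responsible for its contents`.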
@ -9,8 +9,6 @@ const EnvShim = "FORTIFY_SHIM"
|
||||||
type Payload struct {
|
type Payload struct {
|
||||||
// child full argv
|
// child full argv
|
||||||
Argv []string
|
Argv []string
|
||||||
// env variables passed through to bwrap
|
|
||||||
Env []string
|
|
||||||
// bwrap, target full exec path
|
// bwrap, target full exec path
|
||||||
Exec [2]string
|
Exec [2]string
|
||||||
// bwrap config, nil for permissive
|
// bwrap config, nil for permissive
|
||||||
|
|