shim: use bwrap config as it is
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
parent
713872a5cd
commit
3ddfd76cdf
|
@ -7,11 +7,9 @@ import (
|
|||
"net"
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"git.ophivana.moe/cat/fortify/helper"
|
||||
"git.ophivana.moe/cat/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/cat/fortify/internal/verbose"
|
||||
)
|
||||
|
||||
|
@ -41,6 +39,11 @@ func shim(socket string) {
|
|||
verbose.Set(payload.Verbose)
|
||||
}
|
||||
|
||||
if payload.Bwrap == nil {
|
||||
fmt.Println("fortify-shim: bwrap config not supplied")
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
// receive wayland fd over socket
|
||||
wfd := -1
|
||||
if payload.WL {
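Review bot: The new guard reports the missing bwrap config with `fmt.Println`, which writes to the shim's stdout; a fatal diagnostic that is immediately followed by `os.Exit(1)` belongs on stderr so it is not mixed into whatever the shim's stdout is wired to, e.g. `fmt.Fprintln(os.Stderr, "fortify-shim: bwrap config not supplied")`. The other messages in this file use the same stdout pattern, so this is a file-wide convention worth changing together rather than only here. Failing closed here instead of falling back to a permissive config is the right direction; consider a one-line comment above the check stating that intent, `// refuse to run without an explicit sandbox config`. The enclosing shim function continues beyond this hunk.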
|
||||
|
@ -80,50 +83,9 @@ func shim(socket string) {
|
|||
_ = conn.Close()
|
||||
|
||||
conf := payload.Bwrap
|
||||
if conf == nil {
|
||||
verbose.Println("sandbox configuration not supplied, PROCEED WITH CAUTION")
|
||||
conf = &bwrap.Config{
|
||||
Net: true,
|
||||
UserNS: true,
|
||||
Clearenv: true,
|
||||
Procfs: []string{"/proc"},
|
||||
DevTmpfs: []string{"/dev"},
|
||||
Mqueue: []string{"/dev/mqueue"},
|
||||
DieWithParent: true,
|
||||
}
|
||||
|
||||
if d, err := os.ReadDir("/"); err != nil {
|
||||
fmt.Println("fortify-shim: cannot readdir '/':", err)
|
||||
} else {
|
||||
conf.Bind = make([][2]string, 0, len(d))
|
||||
for _, ent := range d {
|
||||
name := ent.Name()
|
||||
switch name {
|
||||
case "proc":
|
||||
case "dev":
|
||||
default:
|
||||
p := "/" + name
|
||||
conf.Bind = append(conf.Bind, [2]string{p, p})
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if conf.SetEnv == nil {
|
||||
conf.SetEnv = make(map[string]string, len(payload.Env))
|
||||
}
|
||||
|
||||
var extraFiles []*os.File
|
||||
|
||||
// set environment passed by parent
|
||||
for _, s := range payload.Env {
|
||||
kv := strings.SplitN(s, "=", 2)
|
||||
if len(kv) != 2 {
|
||||
fmt.Println("fortify-shim: invalid environment string:", s)
|
||||
} else {
|
||||
conf.SetEnv[kv[0]] = kv[1]
|
||||
}
|
||||
}
|
||||
|
||||
// pass wayland fd
|
||||
if wfd != -1 {
|
||||
if f := os.NewFile(uintptr(wfd), "wayland"); f != nil {
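Review bot: With the permissive fallback gone, `conf` now aliases the caller-supplied `payload.Bwrap` and the environment loop writes into its `SetEnv` map in place, so any key already present in the config is silently overridden by the parent-supplied Env; that precedence is not stated anywhere. A comment on the loop would make it explicit, `// parent-supplied Env takes precedence over SetEnv keys already in the config`. The loop also accepts strings with an empty key (`"=value"`) since only the absence of `=` is rejected; whether that should be rejected too is unclear from this hunk. The enclosing shim function and the `if f := os.NewFile(...)` block both continue past the end of the hunk.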
|
||||
|
|
|
@ -9,8 +9,6 @@ const EnvShim = "FORTIFY_SHIM"
|
|||
type Payload struct {
|
||||
// child full argv
|
||||
Argv []string
|
||||
// env variables passed through to bwrap
|
||||
Env []string
|
||||
// bwrap, target full exec path
|
||||
Exec [2]string
|
||||
// bwrap config, nil for permissive
|
||||
|
|