security
/
fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 14 Wiki Activity

app/config: map bwrap tmpfs in app config 

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
Ophestra Umiker 2024-10-13 02:39:27 +09:00
parent aee96b0fdf
commit 65a5f8fb08
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
internal/app/config.go
View File

@ -54,6 +54,8 @@ type SandboxConfig struct {
Env map[string]string `json:"env"` Env map[string]string `json:"env"`
// sandbox host filesystem access // sandbox host filesystem access
Filesystem []*FilesystemConfig `json:"filesystem"` Filesystem []*FilesystemConfig `json:"filesystem"`
// tmpfs mount points to mount last
Tmpfs []bwrap.TmpfsConfig `json:"tmpfs"`
} }
type FilesystemConfig struct { type FilesystemConfig struct {
@ -121,6 +123,10 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
} }
} }
for _, tmpfs := range s.Tmpfs {
conf.Tmpfs = append(conf.Tmpfs, bwrap.PermConfig[bwrap.TmpfsConfig]{Path: tmpfs, Last: true})
}
return conf return conf
} }
@ -157,6 +163,9 @@ func Template() *Config {
{Src: "/data/user/0", Dst: "/data/data", Write: true, Must: true}, {Src: "/data/user/0", Dst: "/data/data", Write: true, Must: true},
{Src: "/var/tmp", Write: true}, {Src: "/var/tmp", Write: true},
}, },
Tmpfs: []bwrap.TmpfsConfig{
{Size: 8 * 1024, Dir: "/var/run/nscd"},
},
}, },
SystemBus: &dbus.Config{ SystemBus: &dbus.Config{
See: nil, See: nil,