app: format mapped uid instead of real uid
test / test (push) Successful in 19s
Details
test / test (push) Successful in 19s
Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
parent
bfcce3ff75
commit
7962681f4a
|
@ -47,7 +47,7 @@ var testCasesNixos = []sealTestCase{
|
|||
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||
"TERM": "xterm-256color",
|
||||
"USER": "chronos",
|
||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||
"XDG_RUNTIME_DIR": "/run/user/65534",
|
||||
"XDG_SESSION_CLASS": "user",
|
||||
"XDG_SESSION_TYPE": "tty"},
|
||||
Chmod: make(bwrap.ChmodConfig),
|
||||
|
@ -183,7 +183,7 @@ var testCasesNixos = []sealTestCase{
|
|||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||
Tmpfs("/run/user", 1048576).
|
||||
Tmpfs("/run/user/150", 8388608).
|
||||
Tmpfs("/run/user/65534", 8388608).
|
||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
|
||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
|
||||
Tmpfs("/var/run/nscd", 8192),
|
||||
|
@ -287,16 +287,16 @@ var testCasesNixos = []sealTestCase{
|
|||
UserNS: true,
|
||||
Clearenv: true,
|
||||
SetEnv: map[string]string{
|
||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/150/bus",
|
||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
|
||||
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
||||
"HOME": "/home/chronos",
|
||||
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
||||
"PULSE_SERVER": "unix:/run/user/150/pulse/native",
|
||||
"PULSE_SERVER": "unix:/run/user/65534/pulse/native",
|
||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||
"TERM": "xterm-256color",
|
||||
"USER": "chronos",
|
||||
"WAYLAND_DISPLAY": "/run/user/150/wayland-0",
|
||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||
"WAYLAND_DISPLAY": "/run/user/65534/wayland-0",
|
||||
"XDG_RUNTIME_DIR": "/run/user/65534",
|
||||
"XDG_SESSION_CLASS": "user",
|
||||
"XDG_SESSION_TYPE": "tty",
|
||||
},
|
||||
|
@ -434,13 +434,13 @@ var testCasesNixos = []sealTestCase{
|
|||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||
Tmpfs("/run/user", 1048576).
|
||||
Tmpfs("/run/user/150", 8388608).
|
||||
Tmpfs("/run/user/65534", 8388608).
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/150/wayland-0").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/150/pulse/native").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/150/bus").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
||||
Tmpfs("/var/run/nscd", 8192),
|
||||
},
|
||||
|
|
|
@ -8,6 +8,11 @@ import (
|
|||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
mappedID = 65534
|
||||
mappedIDString = "65534"
|
||||
)
|
||||
|
||||
// Config is used to seal an *App
|
||||
type Config struct {
|
||||
// D-Bus application ID
|
||||
|
@ -95,7 +100,7 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
|
|||
// initialise map
|
||||
Chmod: make(map[string]os.FileMode),
|
||||
}).
|
||||
SetUID(65534).SetGID(65534).
|
||||
SetUID(mappedID).SetGID(mappedID).
|
||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||
Tmpfs("/dev/fortify", 4*1024)
|
||||
|
||||
|
|
|
@ -139,7 +139,7 @@ func (a *app) Seal(config *Config) error {
|
|||
}
|
||||
} else {
|
||||
seal.sys.user = u
|
||||
seal.sys.runtime = path.Join("/run/user", u.Uid)
|
||||
seal.sys.runtime = path.Join("/run/user", mappedIDString)
|
||||
}
|
||||
|
||||
// map sandbox config to bwrap
|
||||
|
|
|
@ -58,12 +58,12 @@ func (seal *appSeal) sharePasswd(os linux.System) {
|
|||
homeDir = seal.sys.user.HomeDir
|
||||
seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
|
||||
}
|
||||
passwd := username + ":x:65534:65534:Fortify:" + homeDir + ":" + sh + "\n"
|
||||
passwd := username + ":x:" + mappedIDString + ":" + mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
|
||||
seal.sys.Write(passwdPath, passwd)
|
||||
|
||||
// write /etc/group
|
||||
groupPath := path.Join(seal.share, "group")
|
||||
seal.sys.Write(groupPath, "fortify:x:65534:\n")
|
||||
seal.sys.Write(groupPath, "fortify:x:"+mappedIDString+":\n")
|
||||
|
||||
// bind /etc/passwd and /etc/group
|
||||
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
||||
|
|
Loading…
Reference in New Issue