From 7962681f4a9ea0614fe788ca2cda2c697cfff162 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Mon, 4 Nov 2024 00:49:32 +0900
Subject: [PATCH] app: format mapped uid instead of real uid
Signed-off-by: Ophestra Umiker
---
 internal/app/app_nixos_test.go | 20 ++++++++++----------
 internal/app/config.go | 7 ++++++-
 internal/app/seal.go | 2 +-
 internal/app/share.system.go | 4 ++--
 4 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/internal/app/app_nixos_test.go b/internal/app/app_nixos_test.go
index f7eb4c0..68cb5fc 100644
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@@ -47,7 +47,7 @@ var testCasesNixos = []sealTestCase{
 "SHELL": "/run/current-system/sw/bin/zsh",
 "TERM": "xterm-256color",
 "USER": "chronos",
- "XDG_RUNTIME_DIR": "/run/user/150",
+ "XDG_RUNTIME_DIR": "/run/user/65534",
 "XDG_SESSION_CLASS": "user",
 "XDG_SESSION_TYPE": "tty"},
 Chmod: make(bwrap.ChmodConfig),
@@ -183,7 +183,7 @@ var testCasesNixos = []sealTestCase{
 Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
 Tmpfs("/tmp/fortify.1971", 1048576).
 Tmpfs("/run/user", 1048576).
- Tmpfs("/run/user/150", 8388608).
+ Tmpfs("/run/user/65534", 8388608).
 Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
 Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
 Tmpfs("/var/run/nscd", 8192),
@@ -287,16 +287,16 @@ var testCasesNixos = []sealTestCase{
 UserNS: true,
 Clearenv: true,
 SetEnv: map[string]string{
- "DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/150/bus",
+ "DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
 "DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
 "HOME": "/home/chronos",
 "PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
- "PULSE_SERVER": "unix:/run/user/150/pulse/native",
+ "PULSE_SERVER": "unix:/run/user/65534/pulse/native",
 "SHELL": "/run/current-system/sw/bin/zsh",
 "TERM": "xterm-256color",
 "USER": "chronos",
- "WAYLAND_DISPLAY": "/run/user/150/wayland-0",
- "XDG_RUNTIME_DIR": "/run/user/150",
+ "WAYLAND_DISPLAY": "/run/user/65534/wayland-0",
+ "XDG_RUNTIME_DIR": "/run/user/65534",
 "XDG_SESSION_CLASS": "user",
 "XDG_SESSION_TYPE": "tty",
 },
@@ -434,13 +434,13 @@ var testCasesNixos = []sealTestCase{
 Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
 Tmpfs("/tmp/fortify.1971", 1048576).
 Tmpfs("/run/user", 1048576).
- Tmpfs("/run/user/150", 8388608).
+ Tmpfs("/run/user/65534", 8388608).
 Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
 Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
- Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/150/wayland-0").
- Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/150/pulse/native").
+ Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0").
+ Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
 Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
- Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/150/bus").
+ Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
 Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
 Tmpfs("/var/run/nscd", 8192),
 },
diff --git a/internal/app/config.go b/internal/app/config.go
index 4946525..eccb592 100644
--- a/internal/app/config.go
+++ b/internal/app/config.go
@@ -8,6 +8,11 @@ import (
 "git.ophivana.moe/security/fortify/internal/system"
 )
+const (
+ mappedID = 65534
+ mappedIDString = "65534"
+)
+
 // Config is used to seal an *App
 type Config struct {
 // D-Bus application ID
@@ -95,7 +100,7 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
 // initialise map
 Chmod: make(map[string]os.FileMode),
 }).
- SetUID(65534).SetGID(65534).
+ SetUID(mappedID).SetGID(mappedID).
 Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
 Tmpfs("/dev/fortify", 4*1024)
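Review bot: The new const block in config.go defines `mappedID` and `mappedIDString` as two separate literals, with no comment and nothing that keeps them equal. A later edit to one would silently leave the uid passed to `SetUID`/`SetGID` out of step with the uid written into the passwd and group entries and the runtime path elsewhere in this commit. A doc comment such as `// mappedID is the uid and gid the sandboxed process is given via SetUID/SetGID; mappedIDString must be its decimal form` would state the invariant, and a one-line test comparing `strconv.Itoa(mappedID)` with `mappedIDString` would enforce it. 65534 is also the usual Linux overflow ("nobody") id, so the comment should say whether the value was chosen for that reason.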
diff --git a/internal/app/seal.go b/internal/app/seal.go
index ca7048b..6852ddc 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -139,7 +139,7 @@ func (a *app) Seal(config *Config) error {
 }
 } else {
 seal.sys.user = u
- seal.sys.runtime = path.Join("/run/user", u.Uid)
+ seal.sys.runtime = path.Join("/run/user", mappedIDString)
 }
 // map sandbox config to bwrap
diff --git a/internal/app/share.system.go b/internal/app/share.system.go
index cf2df94..26e9b56 100644
--- a/internal/app/share.system.go
+++ b/internal/app/share.system.go
@@ -58,12 +58,12 @@ func (seal *appSeal) sharePasswd(os linux.System) {
 homeDir = seal.sys.user.HomeDir
 seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
 }
- passwd := username + ":x:65534:65534:Fortify:" + homeDir + ":" + sh + "\n"
+ passwd := username + ":x:" + mappedIDString + ":" + mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
 seal.sys.Write(passwdPath, passwd)
 // write /etc/group
 groupPath := path.Join(seal.share, "group")
- seal.sys.Write(groupPath, "fortify:x:65534:\n")
+ seal.sys.Write(groupPath, "fortify:x:"+mappedIDString+":\n")
 // bind /etc/passwd and /etc/group
 seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
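Review bot: In the `else` branch of `Seal`, `seal.sys.runtime` is now a fixed path that no longer depends on `u`, but the assignment has no comment saying it is the runtime directory as seen inside the sandbox rather than a host path. I would add `// runtime dir inside the sandbox, keyed by the mapped uid rather than u.Uid` above it. The `if` branch of this statement begins outside the hunk; if it also derives `seal.sys.runtime` from a uid, it should presumably use `mappedIDString` too so both branches give the same in-sandbox path.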
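Review bot: The rewritten `passwd` line in `sharePasswd` still joins `username`, `homeDir` and `sh` into a colon-separated record without checking them. A value containing `:` or a newline would shift fields or add an extra entry to the `/etc/passwd` that is bound into the sandbox. Where these values come from is outside the hunk (only `homeDir = seal.sys.user.HomeDir` is visible), so they may already be validated upstream. If not, a guard on `strings.ContainsAny(username+homeDir+sh, ":\n")` before the write would reject them. The function body starts and ends outside the hunk.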