app: format mapped uid instead of real uid
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
parent
bfcce3ff75
commit
7962681f4a
|
@ -47,7 +47,7 @@ var testCasesNixos = []sealTestCase{
|
||||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||||
"TERM": "xterm-256color",
|
"TERM": "xterm-256color",
|
||||||
"USER": "chronos",
|
"USER": "chronos",
|
||||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
"XDG_RUNTIME_DIR": "/run/user/65534",
|
||||||
"XDG_SESSION_CLASS": "user",
|
"XDG_SESSION_CLASS": "user",
|
||||||
"XDG_SESSION_TYPE": "tty"},
|
"XDG_SESSION_TYPE": "tty"},
|
||||||
Chmod: make(bwrap.ChmodConfig),
|
Chmod: make(bwrap.ChmodConfig),
|
||||||
|
@ -183,7 +183,7 @@ var testCasesNixos = []sealTestCase{
|
||||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||||
Tmpfs("/run/user", 1048576).
|
Tmpfs("/run/user", 1048576).
|
||||||
Tmpfs("/run/user/150", 8388608).
|
Tmpfs("/run/user/65534", 8388608).
|
||||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
|
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
|
||||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
|
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
|
||||||
Tmpfs("/var/run/nscd", 8192),
|
Tmpfs("/var/run/nscd", 8192),
|
||||||
|
@ -287,16 +287,16 @@ var testCasesNixos = []sealTestCase{
|
||||||
UserNS: true,
|
UserNS: true,
|
||||||
Clearenv: true,
|
Clearenv: true,
|
||||||
SetEnv: map[string]string{
|
SetEnv: map[string]string{
|
||||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/150/bus",
|
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
|
||||||
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
||||||
"HOME": "/home/chronos",
|
"HOME": "/home/chronos",
|
||||||
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
||||||
"PULSE_SERVER": "unix:/run/user/150/pulse/native",
|
"PULSE_SERVER": "unix:/run/user/65534/pulse/native",
|
||||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||||
"TERM": "xterm-256color",
|
"TERM": "xterm-256color",
|
||||||
"USER": "chronos",
|
"USER": "chronos",
|
||||||
"WAYLAND_DISPLAY": "/run/user/150/wayland-0",
|
"WAYLAND_DISPLAY": "/run/user/65534/wayland-0",
|
||||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
"XDG_RUNTIME_DIR": "/run/user/65534",
|
||||||
"XDG_SESSION_CLASS": "user",
|
"XDG_SESSION_CLASS": "user",
|
||||||
"XDG_SESSION_TYPE": "tty",
|
"XDG_SESSION_TYPE": "tty",
|
||||||
},
|
},
|
||||||
|
@ -434,13 +434,13 @@ var testCasesNixos = []sealTestCase{
|
||||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||||
Tmpfs("/run/user", 1048576).
|
Tmpfs("/run/user", 1048576).
|
||||||
Tmpfs("/run/user/150", 8388608).
|
Tmpfs("/run/user/65534", 8388608).
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
||||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/150/wayland-0").
|
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0").
|
||||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/150/pulse/native").
|
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/150/bus").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
||||||
Tmpfs("/var/run/nscd", 8192),
|
Tmpfs("/var/run/nscd", 8192),
|
||||||
},
|
},
|
||||||
|
|
|
@ -8,6 +8,11 @@ import (
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
mappedID = 65534
|
||||||
|
mappedIDString = "65534"
|
||||||
|
)
|
||||||
|
|
||||||
// Config is used to seal an *App
|
// Config is used to seal an *App
|
||||||
type Config struct {
|
type Config struct {
|
||||||
// D-Bus application ID
|
// D-Bus application ID
|
||||||
|
@ -95,7 +100,7 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
|
||||||
// initialise map
|
// initialise map
|
||||||
Chmod: make(map[string]os.FileMode),
|
Chmod: make(map[string]os.FileMode),
|
||||||
}).
|
}).
|
||||||
SetUID(65534).SetGID(65534).
|
SetUID(mappedID).SetGID(mappedID).
|
||||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||||
Tmpfs("/dev/fortify", 4*1024)
|
Tmpfs("/dev/fortify", 4*1024)
|
||||||
|
|
||||||
|
|
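Review bot: `mappedID` and `mappedIDString` in the new const block hold the same value twice and carry no comment, so a later edit to one of them would leave the uid passed to `SetUID(mappedID).SetGID(mappedID)` out of step with the paths and passwd fields formatted from the string. Deriving one from the other removes that risk, for example `var mappedIDString = strconv.Itoa(mappedID)` (this needs `strconv` in the import block, which is only partly visible here). If both stay as constants, a comment such as `// mappedID is the uid and gid the sandboxed process runs as inside its user namespace; mappedIDString must stay equal to it` would record the invariant. The test expectations repeat the literal `65534`, so they would catch a change to the string but not a mismatch with the integer.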
|
@ -139,7 +139,7 @@ func (a *app) Seal(config *Config) error {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
seal.sys.user = u
|
seal.sys.user = u
|
||||||
seal.sys.runtime = path.Join("/run/user", u.Uid)
|
seal.sys.runtime = path.Join("/run/user", mappedIDString)
|
||||||
}
|
}
|
||||||
|
|
||||||
// map sandbox config to bwrap
|
// map sandbox config to bwrap
|
||||||
|
|
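Review bot: The line `seal.sys.runtime = path.Join("/run/user", mappedIDString)` needs a comment stating that this is the runtime directory as seen inside the sandbox, because `seal.sys.user = u` directly above still holds the real account and the two now disagree on the uid. Something like `// in-sandbox XDG_RUNTIME_DIR, keyed by the mapped uid rather than u.Uid` would make the split explicit. Judging from the updated test expectations, host-side sources keep the real uid while in-sandbox targets use the mapped one. Any other place that formats `seal.sys.user.Uid` into an in-sandbox path or environment variable would still expose the real uid, and that cannot be checked from this hunk. The body of `Seal` begins and ends outside the hunk.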
|
@ -58,12 +58,12 @@ func (seal *appSeal) sharePasswd(os linux.System) {
|
||||||
homeDir = seal.sys.user.HomeDir
|
homeDir = seal.sys.user.HomeDir
|
||||||
seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
|
seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
|
||||||
}
|
}
|
||||||
passwd := username + ":x:65534:65534:Fortify:" + homeDir + ":" + sh + "\n"
|
passwd := username + ":x:" + mappedIDString + ":" + mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
|
||||||
seal.sys.Write(passwdPath, passwd)
|
seal.sys.Write(passwdPath, passwd)
|
||||||
|
|
||||||
// write /etc/group
|
// write /etc/group
|
||||||
groupPath := path.Join(seal.share, "group")
|
groupPath := path.Join(seal.share, "group")
|
||||||
seal.sys.Write(groupPath, "fortify:x:65534:\n")
|
seal.sys.Write(groupPath, "fortify:x:"+mappedIDString+":\n")
|
||||||
|
|
||||||
// bind /etc/passwd and /etc/group
|
// bind /etc/passwd and /etc/group
|
||||||
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
||||||
|
|
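Review bot: The passwd entry is still assembled by plain concatenation of `username`, `homeDir` and `sh`, and nothing in the visible lines rejects a `:` or a newline in those values. A value containing either would shift the fields of the entry or add a second line to the file bound over `/etc/passwd` in the sandbox. `sharePasswd` returns nothing, so the check belongs where the values are accepted, presumably in `Seal`, which returns an error; a guard of the form `strings.ContainsAny(v, ":\n")` per field would be enough. Validation may already happen outside this hunk, since the function starts and ends beyond it.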