diff --git a/internal/app/config.go b/internal/app/config.go
index 0c17317..96c51ce 100644
--- a/internal/app/config.go
+++ b/internal/app/config.go
@@ -55,7 +55,7 @@ type SandboxConfig struct {
 // do not run in new session
 NoNewSession bool `json:"no_new_session,omitempty"`
 // map target user uid to privileged user uid in the user namespace
- UseRealUID bool `json:"use_real_uid"`
+ MapRealUID bool `json:"map_real_uid"`
 // mediated access to wayland socket
 Wayland bool `json:"wayland,omitempty"`
@@ -92,7 +92,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 }
 var uid int
- if !s.UseRealUID {
+ if !s.MapRealUID {
 uid = 65534
 } else {
 uid = os.Geteuid()
@@ -185,7 +185,7 @@ func Template() *Config {
 UserNS: true,
 Net: true,
 NoNewSession: true,
- UseRealUID: true,
+ MapRealUID: true,
 Dev: true,
 Wayland: false,
 // example API credentials pulled from Google Chrome
diff --git a/internal/app/seal.go b/internal/app/seal.go
index 0b60920..0846a7f 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -130,7 +130,7 @@ func (a *app) Seal(config *Config) error {
 seal.sys = new(appSealSys)
 // mapped uid
- if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.UseRealUID {
+ if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.MapRealUID {
 seal.sys.mappedID = a.os.Geteuid()
 } else {
 seal.sys.mappedID = 65534
diff --git a/nixos.nix b/nixos.nix
index b6d72d7..4757dab 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -130,7 +130,7 @@ in
 Whether to allow userns within sandbox.
 '';
- useRealUid = mkEnableOption ''
+ mapRealUid = mkEnableOption ''
 Whether to map to fortify's real UID within the sandbox.
 '';
@@ -330,7 +330,7 @@ in
 dev
 env
 ;
- use_real_uid = launcher.useRealUid;
+ map_real_uid = launcher.mapRealUid;
 filesystem = [
 { src = "/bin"; }
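Review bot: The struct tag in the first hunk of internal/app/config.go changes the serialized key from `use_real_uid` to `map_real_uid`, so a stored config that still carries the old key will no longer populate `MapRealUID`. If the loader ignores unknown JSON keys (the decoding code is outside this diff), `Bwrap` and `Seal` would then quietly select uid 65534 instead of the configured mapping, with no error shown to the operator. Consider rejecting unknown keys at load time or accepting the old key for a transition period. The field comment could also record the rename, e.g. `// map target user uid to privileged user uid in the user namespace; JSON key was use_real_uid before this change`. The same applies to the `useRealUid` option renamed in nixos.nix, and the `SandboxConfig` struct body continues outside the hunk.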