app/config: support creating symlinks within sandbox

This is already supported by the underlying bwrap helper. This change exposes access to it in Config.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>

internal/app/config.go

@@ -1,7 +1,6 @@
 package app
 
 import (
-	"encoding/gob"
 	"os"
 
 	"git.ophivana.moe/security/fortify/dbus"
@@ -9,10 +8,6 @@ import (
 	"git.ophivana.moe/security/fortify/internal/system"
 )
 
-func init() {
-	gob.Register(new(bwrap.PermConfig[*bwrap.TmpfsConfig]))
-}
-
 // Config is used to seal an *App
 type Config struct {
 	// D-Bus application ID
@@ -61,6 +56,8 @@ type SandboxConfig struct {
 	Env map[string]string `json:"env"`
 	// sandbox host filesystem access
 	Filesystem []*FilesystemConfig `json:"filesystem"`
+	// symlinks created inside the sandbox
+	Link [][2]string `json:"symlink"`
 	// paths to override by mounting tmpfs over them
 	Override []string `json:"override"`
 }
@@ -99,7 +96,8 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
 		Chmod: make(map[string]os.FileMode),
 	}).
 		SetUID(65534).SetGID(65534).
-		Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue")
+		Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
+		Tmpfs("/dev/fortify", 4*1024)
 
 	for _, c := range s.Filesystem {
 		if c == nil {
@@ -113,6 +111,10 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
 		conf.Bind(src, dest, !c.Must, c.Write, c.Device)
 	}
 
+	for _, l := range s.Link {
+		conf.Symlink(l[0], l[1])
+	}
+
 	return conf
 }
 
@@ -149,6 +151,7 @@ func Template() *Config {
 					{Src: "/data/user/0", Dst: "/data/data", Write: true, Must: true},
 					{Src: "/var/tmp", Write: true},
 				},
+				Link:     [][2]string{{"/dev/fortify/etc", "/etc"}},
 				Override: []string{"/var/run/nscd"},
 			},
 			SystemBus: &dbus.Config{