From c026a4b5dc6367caa3e09c0320fa602f6e433ed6 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Mon, 18 Nov 2024 13:01:07 +0900
Subject: [PATCH] fortify: permissive defaults resolve home directory from os

When starting with the permissive defaults "run" command, attempt to resolve home directory from os by default and fall back to /var/empty.

Signed-off-by: Ophestra Umiker
---
 main.go | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/main.go b/main.go
index 249fd15..a4b8265 100644
--- a/main.go
+++ b/main.go
@@ -5,6 +5,8 @@ import (
 "encoding/json"
 "flag"
 "fmt"
+ "os/user"
+ "strconv"
 "strings"
 "text/tabwriter"
@@ -165,7 +167,7 @@ func main() {
 set.IntVar(&aid, "a", 0, "Fortify application ID")
 set.Var(&groups, "g", "Groups inherited by the app process")
- set.StringVar(&homeDir, "d", "/var/empty", "Application home directory")
+ set.StringVar(&homeDir, "d", "os", "Application home directory")
 set.StringVar(&userName, "u", "chronos", "Passwd name within sandbox")
 set.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
 set.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
@@ -186,6 +188,22 @@ func main() {
 panic("unreachable")
 }
+ // resolve home directory from os when flag is unset
+ if homeDir == "os" {
+ var us string
+ if uid, err := os.Uid(aid); err != nil {
+ fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
+ } else {
+ us = strconv.Itoa(uid)
+ }
+ if u, err := user.LookupId(us); err != nil {
+ fmsg.VPrintf("cannot look up uid %s", us)
+ homeDir = "/var/empty"
+ } else {
+ homeDir = u.HomeDir
+ }
+ }
+ config.Confinement.AppID = aid
 config.Confinement.Groups = groups
 config.Confinement.Outer = homeDir
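Review bot: The new default `"os"` for `-d` is an in-band sentinel that the usage string does not explain, so the help output now shows a default that reads like a literal path. An explicit `-d os` is indistinguishable from the flag being left unset, which the later comment "when flag is unset" glosses over. The help text should say what the value means, for example `set.StringVar(&homeDir, "d", "os", "Application home directory, \"os\" resolves it via os/user for the target uid")`. Since this switches the permissive default from an empty directory to a real home, stating that in the usage line also helps an operator who relied on the old `/var/empty` behaviour. main() begins and ends outside this hunk.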
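Review bot: The successful-lookup branch assigns `u.HomeDir` to `homeDir` unchecked, so an empty or relative home field for the target uid would flow straight into `config.Confinement.Outer`. Treating a non-absolute value like a failed lookup keeps the old `/var/empty` default in that case, for example `} else if !strings.HasPrefix(u.HomeDir, "/") {` followed by `homeDir = "/var/empty"`. The failure branch also drops `err`, so the verbose message cannot tell a missing entry from a lookup error; `fmsg.VPrintf("cannot look up uid %s: %v", us, err)` would keep it. How `Outer` is consumed is not visible here, so the impact of a non-absolute path is inferred. main() begins and ends outside this hunk.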