fortify: permissive defaults resolve home directory from os
test / test (push) Successful in 21s Details

When starting with the permissive defaults "run" command, attempt to resolve home directory from os by default and fall back to /var/empty.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
Ophestra Umiker 2024-11-18 13:01:07 +09:00
parent 748a0ae2c8
commit c026a4b5dc
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 19 additions and 1 deletions

20
main.go
View File

@ -5,6 +5,8 @@ import (
"encoding/json"
"flag"
"fmt"
"os/user"
"strconv"
"strings"
"text/tabwriter"
@ -165,7 +167,7 @@ func main() {
set.IntVar(&aid, "a", 0, "Fortify application ID")
set.Var(&groups, "g", "Groups inherited by the app process")
set.StringVar(&homeDir, "d", "/var/empty", "Application home directory")
set.StringVar(&homeDir, "d", "os", "Application home directory")
set.StringVar(&userName, "u", "chronos", "Passwd name within sandbox")
set.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
set.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
@ -186,6 +188,22 @@ func main() {
panic("unreachable")
}
// resolve home directory from os when flag is unset
if homeDir == "os" {
var us string
if uid, err := os.Uid(aid); err != nil {
fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
} else {
us = strconv.Itoa(uid)
}
if u, err := user.LookupId(us); err != nil {
fmsg.VPrintf("cannot look up uid %s", us)
homeDir = "/var/empty"
} else {
homeDir = u.HomeDir
}
}
config.Confinement.AppID = aid
config.Confinement.Groups = groups
config.Confinement.Outer = homeDir