fortify: permissive defaults resolve home directory from os
test / test (push) Successful in 21s
Details
test / test (push) Successful in 21s
Details
When starting with the permissive defaults "run" command, attempt to resolve home directory from os by default and fall back to /var/empty. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
parent
748a0ae2c8
commit
c026a4b5dc
20
main.go
20
main.go
|
@ -5,6 +5,8 @@ import (
|
|||
"encoding/json"
|
||||
"flag"
|
||||
"fmt"
|
||||
"os/user"
|
||||
"strconv"
|
||||
"strings"
|
||||
"text/tabwriter"
|
||||
|
||||
|
@ -165,7 +167,7 @@ func main() {
|
|||
|
||||
set.IntVar(&aid, "a", 0, "Fortify application ID")
|
||||
set.Var(&groups, "g", "Groups inherited by the app process")
|
||||
set.StringVar(&homeDir, "d", "/var/empty", "Application home directory")
|
||||
set.StringVar(&homeDir, "d", "os", "Application home directory")
|
||||
set.StringVar(&userName, "u", "chronos", "Passwd name within sandbox")
|
||||
set.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
|
||||
set.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
|
||||
|
@ -186,6 +188,22 @@ func main() {
|
|||
panic("unreachable")
|
||||
}
|
||||
|
||||
// resolve home directory from os when flag is unset
|
||||
if homeDir == "os" {
|
||||
var us string
|
||||
if uid, err := os.Uid(aid); err != nil {
|
||||
fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
|
||||
} else {
|
||||
us = strconv.Itoa(uid)
|
||||
}
|
||||
if u, err := user.LookupId(us); err != nil {
|
||||
fmsg.VPrintf("cannot look up uid %s", us)
|
||||
homeDir = "/var/empty"
|
||||
} else {
|
||||
homeDir = u.HomeDir
|
||||
}
|
||||
}
|
||||
|
||||
config.Confinement.AppID = aid
|
||||
config.Confinement.Groups = groups
|
||||
config.Confinement.Outer = homeDir
|
||||
|
|
Loading…
Reference in New Issue