system: move enablements from state package

This removes the unnecessary import of the state package.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Ophestra Umiker 2024-10-16 14:38:57 +09:00
parent 084cd84f36
commit c21168a741
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
17 changed files with 63 additions and 67 deletions


@ -9,7 +9,7 @@ import (
"git.ophivana.moe/cat/fortify/dbus" "git.ophivana.moe/cat/fortify/dbus"
"git.ophivana.moe/cat/fortify/internal" "git.ophivana.moe/cat/fortify/internal"
"git.ophivana.moe/cat/fortify/internal/app" "git.ophivana.moe/cat/fortify/internal/app"
"git.ophivana.moe/cat/fortify/internal/state" "git.ophivana.moe/cat/fortify/internal/system"
) )
var ( var (
@ -24,7 +24,7 @@ var (
dbusVerbose bool dbusVerbose bool
userName string userName string
enablements [state.EnableLength]bool enablements [system.ELen]bool
launchMethodText string launchMethodText string
) )
@ -42,10 +42,10 @@ func init() {
flag.BoolVar(&dbusVerbose, "dbus-log", false, "Force logging in the D-Bus proxy") flag.BoolVar(&dbusVerbose, "dbus-log", false, "Force logging in the D-Bus proxy")
flag.StringVar(&userName, "u", "chronos", "Passwd name of user to run as") flag.StringVar(&userName, "u", "chronos", "Passwd name of user to run as")
flag.BoolVar(&enablements[state.EnableWayland], "wayland", false, "Share Wayland socket") flag.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
flag.BoolVar(&enablements[state.EnableX], "X", false, "Share X11 socket and allow connection") flag.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
flag.BoolVar(&enablements[state.EnableDBus], "dbus", false, "Proxy D-Bus connection") flag.BoolVar(&enablements[system.EDBus], "dbus", false, "Proxy D-Bus connection")
flag.BoolVar(&enablements[state.EnablePulse], "pulse", false, "Share PulseAudio socket and cookie") flag.BoolVar(&enablements[system.EPulse], "pulse", false, "Share PulseAudio socket and cookie")
} }
func init() { func init() {
@ -98,14 +98,14 @@ func configFromFlags() (config *app.Config) {
} }
// enablements from flags // enablements from flags
for i := state.Enablement(0); i < state.EnableLength; i++ { for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
if enablements[i] { if enablements[i] {
config.Confinement.Enablements.Set(i) config.Confinement.Enablements.Set(i)
} }
} }
// parse D-Bus config file from flags if applicable // parse D-Bus config file from flags if applicable
if enablements[state.EnableDBus] { if enablements[system.EDBus] {
if dbusConfigSession == "builtin" { if dbusConfigSession == "builtin" {
config.Confinement.SessionBus = dbus.NewConfig(dbusID, true, mpris) config.Confinement.SessionBus = dbus.NewConfig(dbusID, true, mpris)
} else { } else {


@ -6,7 +6,7 @@ import (
"git.ophivana.moe/cat/fortify/dbus" "git.ophivana.moe/cat/fortify/dbus"
"git.ophivana.moe/cat/fortify/helper/bwrap" "git.ophivana.moe/cat/fortify/helper/bwrap"
"git.ophivana.moe/cat/fortify/internal/state" "git.ophivana.moe/cat/fortify/internal/system"
) )
func init() { func init() {
@ -41,7 +41,7 @@ type ConfinementConfig struct {
SessionBus *dbus.Config `json:"session_bus,omitempty"` SessionBus *dbus.Config `json:"session_bus,omitempty"`
// child capability enablements // child capability enablements
Enablements state.Enablements `json:"enablements"` Enablements system.Enablements `json:"enablements"`
} }
// SandboxConfig describes resources made available to the sandbox. // SandboxConfig describes resources made available to the sandbox.
@ -171,7 +171,7 @@ func Template() *Config {
Log: false, Log: false,
Filter: true, Filter: true,
}, },
Enablements: state.EnableWayland.Mask() | state.EnableDBus.Mask() | state.EnablePulse.Mask(), Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
}, },
} }
} }


@ -167,7 +167,7 @@ func (a *app) Seal(config *Config) error {
conf.Override = append(conf.Override, nscd) conf.Override = append(conf.Override, nscd)
} }
// bind GPU stuff // bind GPU stuff
if config.Confinement.Enablements.Has(state.EnableX) || config.Confinement.Enablements.Has(state.EnableWayland) { if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
conf.Filesystem = append(conf.Filesystem, &FilesystemConfig{Src: "/dev/dri", Device: true}) conf.Filesystem = append(conf.Filesystem, &FilesystemConfig{Src: "/dev/dri", Device: true})
} }
config.Confinement.Sandbox = conf config.Confinement.Sandbox = conf


@ -5,7 +5,7 @@ import (
"git.ophivana.moe/cat/fortify/acl" "git.ophivana.moe/cat/fortify/acl"
"git.ophivana.moe/cat/fortify/dbus" "git.ophivana.moe/cat/fortify/dbus"
"git.ophivana.moe/cat/fortify/internal/state" "git.ophivana.moe/cat/fortify/internal/system"
) )
const ( const (
@ -14,7 +14,7 @@ const (
) )
func (seal *appSeal) shareDBus(config [2]*dbus.Config) error { func (seal *appSeal) shareDBus(config [2]*dbus.Config) error {
if !seal.et.Has(state.EnableDBus) { if !seal.et.Has(system.EDBus) {
return nil return nil
} }


@ -7,7 +7,7 @@ import (
"git.ophivana.moe/cat/fortify/acl" "git.ophivana.moe/cat/fortify/acl"
"git.ophivana.moe/cat/fortify/internal/fmsg" "git.ophivana.moe/cat/fortify/internal/fmsg"
"git.ophivana.moe/cat/fortify/internal/state" "git.ophivana.moe/cat/fortify/internal/system"
) )
const ( const (
@ -30,7 +30,7 @@ func (seal *appSeal) shareDisplay() error {
} }
// set up wayland // set up wayland
if seal.et.Has(state.EnableWayland) { if seal.et.Has(system.EWayland) {
if wd, ok := os.LookupEnv(waylandDisplay); !ok { if wd, ok := os.LookupEnv(waylandDisplay); !ok {
return fmsg.WrapError(ErrWayland, return fmsg.WrapError(ErrWayland,
"WAYLAND_DISPLAY is not set") "WAYLAND_DISPLAY is not set")
@ -44,7 +44,7 @@ func (seal *appSeal) shareDisplay() error {
seal.sys.bwrap.Bind(wpi, w) seal.sys.bwrap.Bind(wpi, w)
// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`) // ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
seal.sys.UpdatePermType(state.EnableWayland, wp, acl.Read, acl.Write, acl.Execute) seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
} else { } else {
// set wayland socket path (e.g. `/run/user/%d/wayland-%d`) // set wayland socket path (e.g. `/run/user/%d/wayland-%d`)
seal.wl = path.Join(seal.RuntimePath, wd) seal.wl = path.Join(seal.RuntimePath, wd)
@ -52,7 +52,7 @@ func (seal *appSeal) shareDisplay() error {
} }
// set up X11 // set up X11
if seal.et.Has(state.EnableX) { if seal.et.Has(system.EX11) {
// discover X11 and grant user permission via the `ChangeHosts` command // discover X11 and grant user permission via the `ChangeHosts` command
if d, ok := os.LookupEnv(display); !ok { if d, ok := os.LookupEnv(display); !ok {
return fmsg.WrapError(ErrXDisplay, return fmsg.WrapError(ErrXDisplay,


@ -8,7 +8,7 @@ import (
"path" "path"
"git.ophivana.moe/cat/fortify/internal/fmsg" "git.ophivana.moe/cat/fortify/internal/fmsg"
"git.ophivana.moe/cat/fortify/internal/state" "git.ophivana.moe/cat/fortify/internal/system"
) )
const ( const (
@ -26,7 +26,7 @@ var (
) )
func (seal *appSeal) sharePulse() error { func (seal *appSeal) sharePulse() error {
if !seal.et.Has(state.EnablePulse) { if !seal.et.Has(system.EPulse) {
return nil return nil
} }


@ -202,8 +202,8 @@ func (a *app) Wait() (int, error) {
} }
// enablements of remaining launchers // enablements of remaining launchers
rt, ec := new(state.Enablements), new(system.Criteria) rt, ec := new(system.Enablements), new(system.Criteria)
ec.Enablements = new(state.Enablements) ec.Enablements = new(system.Enablements)
ec.Set(system.Process) ec.Set(system.Process)
if states, err := b.Load(); err != nil { if states, err := b.Load(); err != nil {
return err return err
@ -222,14 +222,14 @@ func (a *app) Wait() (int, error) {
} }
} }
// invert accumulated enablements for cleanup // invert accumulated enablements for cleanup
for i := state.Enablement(0); i < state.EnableLength; i++ { for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
if !rt.Has(i) { if !rt.Has(i) {
ec.Set(i) ec.Set(i)
} }
} }
if verbose.Get() { if verbose.Get() {
labels := make([]string, 0, state.EnableLength+1) labels := make([]string, 0, system.ELen+1)
for i := state.Enablement(0); i < state.EnableLength+2; i++ { for i := system.Enablement(0); i < system.Enablement(system.ELen+2); i++ {
if ec.Has(i) { if ec.Has(i) {
labels = append(labels, system.TypeString(i)) labels = append(labels, system.TypeString(i))
} }
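Review bot: The label loop's bound `system.Enablement(system.ELen+2)` hard-codes how many pseudo-types follow the real enablements, and the slice is sized for `system.ELen+1` entries although the loop can append up to `system.ELen+2`. Since `Process` is defined as `Enablement(ELen + 1)` in the system package, the bound could be written `for i := system.Enablement(0); i <= system.Process; i++ {` with `make([]string, 0, system.Process+1)`, which stays correct as long as `Process` remains the highest type. The under-sized capacity is only a missed preallocation, not a correctness problem. Wait's body starts and ends outside this hunk.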


@ -38,7 +38,7 @@ type appSeal struct {
// path to launcher program // path to launcher program
toolPath string toolPath string
// pass-through enablement tracking from config // pass-through enablement tracking from config
et state.Enablements et system.Enablements
// prevents sharing from happening twice // prevents sharing from happening twice
shared bool shared bool


@ -10,6 +10,7 @@ import (
"text/tabwriter" "text/tabwriter"
"time" "time"
"git.ophivana.moe/cat/fortify/internal/system"
"git.ophivana.moe/cat/fortify/internal/verbose" "git.ophivana.moe/cat/fortify/internal/verbose"
) )
@ -85,7 +86,7 @@ func (s *simpleStore) mustPrintLauncherState(w **tabwriter.Writer, now time.Time
// build enablements string // build enablements string
ets := strings.Builder{} ets := strings.Builder{}
// append enablement strings in order // append enablement strings in order
for i := Enablement(0); i < EnableLength; i++ { for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
if state.Capability.Has(i) { if state.Capability.Has(i) {
ets.WriteString(", " + i.String()) ets.WriteString(", " + i.String())
} }


@ -2,6 +2,8 @@ package state
import ( import (
"time" "time"
"git.ophivana.moe/cat/fortify/internal/system"
) )
type Store interface { type Store interface {
@ -29,7 +31,7 @@ type State struct {
// command used to seal the app // command used to seal the app
Command []string Command []string
// capability enablements applied to child // capability enablements applied to child
Capability Enablements Capability system.Enablements
// resolved launcher path // resolved launcher path
Launcher string Launcher string


@ -6,7 +6,6 @@ import (
"git.ophivana.moe/cat/fortify/acl" "git.ophivana.moe/cat/fortify/acl"
"git.ophivana.moe/cat/fortify/internal/fmsg" "git.ophivana.moe/cat/fortify/internal/fmsg"
"git.ophivana.moe/cat/fortify/internal/state"
"git.ophivana.moe/cat/fortify/internal/verbose" "git.ophivana.moe/cat/fortify/internal/verbose"
) )
@ -16,7 +15,7 @@ func (sys *I) UpdatePerm(path string, perms ...acl.Perm) {
} }
// UpdatePermType appends an acl update Op. // UpdatePermType appends an acl update Op.
func (sys *I) UpdatePermType(et state.Enablement, path string, perms ...acl.Perm) { func (sys *I) UpdatePermType(et Enablement, path string, perms ...acl.Perm) {
sys.lock.Lock() sys.lock.Lock()
defer sys.lock.Unlock() defer sys.lock.Unlock()
@ -24,12 +23,12 @@ func (sys *I) UpdatePermType(et state.Enablement, path string, perms ...acl.Perm
} }
type ACL struct { type ACL struct {
et state.Enablement et Enablement
path string path string
perms []acl.Perm perms []acl.Perm
} }
func (a *ACL) Type() state.Enablement { func (a *ACL) Type() Enablement {
return a.et return a.et
} }


@ -7,7 +7,6 @@ import (
"git.ophivana.moe/cat/fortify/dbus" "git.ophivana.moe/cat/fortify/dbus"
"git.ophivana.moe/cat/fortify/internal/fmsg" "git.ophivana.moe/cat/fortify/internal/fmsg"
"git.ophivana.moe/cat/fortify/internal/state"
"git.ophivana.moe/cat/fortify/internal/verbose" "git.ophivana.moe/cat/fortify/internal/verbose"
) )
@ -69,7 +68,7 @@ type DBus struct {
done chan struct{} done chan struct{}
} }
func (d *DBus) Type() state.Enablement { func (d *DBus) Type() Enablement {
return Process return Process
} }


@ -1,4 +1,4 @@
package state package system
type ( type (
// Enablement represents an optional system resource // Enablement represents an optional system resource
@ -8,21 +8,21 @@ type (
) )
const ( const (
EnableWayland Enablement = iota EWayland Enablement = iota
EnableX EX11
EnableDBus EDBus
EnablePulse EPulse
EnableLength
) )
var enablementString = [EnableLength]string{ var enablementString = [...]string{
"Wayland", EWayland: "Wayland",
"X11", EX11: "X11",
"D-Bus", EDBus: "D-Bus",
"PulseAudio", EPulse: "PulseAudio",
} }
const ELen = len(enablementString)
func (e Enablement) String() string { func (e Enablement) String() string {
return enablementString[e] return enablementString[e]
} }
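Review bot: `ELen` is now derived from `len(enablementString)` instead of a sentinel in the `iota` block, so a constant appended after `EPulse` without a table entry leaves `ELen` unchanged, and `User`, defined as `Enablement(ELen)` elsewhere in this commit, would share its value. Ops tagged with the new constant would then presumably be handled as `User` ops at revert time, which matters because these types decide when ACL changes and files are cleaned up. Documenting the invariant on the constant would help: `// ELen is the number of Enablement constants; each one needs an enablementString entry.` `String` also indexes the table unchecked, while `Type()` can return `Process` (see `DBus.Type`), so a caller that formats such a value through `String` rather than `TypeString` indexes past the table; a guard such as `if int(e) >= len(enablementString) { return "invalid enablement" }` would make that safe.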


@ -6,7 +6,6 @@ import (
"os" "os"
"git.ophivana.moe/cat/fortify/internal/fmsg" "git.ophivana.moe/cat/fortify/internal/fmsg"
"git.ophivana.moe/cat/fortify/internal/state"
"git.ophivana.moe/cat/fortify/internal/verbose" "git.ophivana.moe/cat/fortify/internal/verbose"
) )
@ -19,7 +18,7 @@ func (sys *I) Ensure(name string, perm os.FileMode) {
} }
// Ephemeral ensures the temporary existence and mode of a directory through the life of et. // Ephemeral ensures the temporary existence and mode of a directory through the life of et.
func (sys *I) Ephemeral(et state.Enablement, name string, perm os.FileMode) { func (sys *I) Ephemeral(et Enablement, name string, perm os.FileMode) {
sys.lock.Lock() sys.lock.Lock()
defer sys.lock.Unlock() defer sys.lock.Unlock()
@ -27,13 +26,13 @@ func (sys *I) Ephemeral(et state.Enablement, name string, perm os.FileMode) {
} }
type Mkdir struct { type Mkdir struct {
et state.Enablement et Enablement
path string path string
perm os.FileMode perm os.FileMode
ephemeral bool ephemeral bool
} }
func (m *Mkdir) Type() state.Enablement { func (m *Mkdir) Type() Enablement {
return m.et return m.et
} }


@ -4,19 +4,17 @@ import (
"errors" "errors"
"fmt" "fmt"
"sync" "sync"
"git.ophivana.moe/cat/fortify/internal/state"
) )
const ( const (
// Process type is unconditionally reverted on exit.
Process = state.EnableLength + 1
// User type is reverted at final launcher exit. // User type is reverted at final launcher exit.
User = state.EnableLength User = Enablement(ELen)
// Process type is unconditionally reverted on exit.
Process = Enablement(ELen + 1)
) )
type Criteria struct { type Criteria struct {
*state.Enablements *Enablements
} }
func (ec *Criteria) hasType(o Op) bool { func (ec *Criteria) hasType(o Op) bool {
@ -31,7 +29,7 @@ func (ec *Criteria) hasType(o Op) bool {
// Op is a reversible system operation. // Op is a reversible system operation.
type Op interface { type Op interface {
// Type returns Op's enablement type. // Type returns Op's enablement type.
Type() state.Enablement Type() Enablement
// apply the Op // apply the Op
apply(sys *I) error apply(sys *I) error
@ -43,7 +41,7 @@ type Op interface {
String() string String() string
} }
func TypeString(e state.Enablement) string { func TypeString(e Enablement) string {
switch e { switch e {
case User: case User:
return "User" return "User"


@ -9,7 +9,6 @@ import (
"git.ophivana.moe/cat/fortify/acl" "git.ophivana.moe/cat/fortify/acl"
"git.ophivana.moe/cat/fortify/internal/fmsg" "git.ophivana.moe/cat/fortify/internal/fmsg"
"git.ophivana.moe/cat/fortify/internal/state"
"git.ophivana.moe/cat/fortify/internal/verbose" "git.ophivana.moe/cat/fortify/internal/verbose"
) )
@ -19,7 +18,7 @@ func (sys *I) CopyFile(dst, src string) {
} }
// CopyFileType registers a file copying Op labelled with type et. // CopyFileType registers a file copying Op labelled with type et.
func (sys *I) CopyFileType(et state.Enablement, dst, src string) { func (sys *I) CopyFileType(et Enablement, dst, src string) {
sys.lock.Lock() sys.lock.Lock()
sys.ops = append(sys.ops, &Tmpfile{et, tmpfileCopy, dst, src}) sys.ops = append(sys.ops, &Tmpfile{et, tmpfileCopy, dst, src})
sys.lock.Unlock() sys.lock.Unlock()
@ -33,7 +32,7 @@ func (sys *I) Link(oldname, newname string) {
} }
// LinkFileType registers a file linking Op labelled with type et. // LinkFileType registers a file linking Op labelled with type et.
func (sys *I) LinkFileType(et state.Enablement, oldname, newname string) { func (sys *I) LinkFileType(et Enablement, oldname, newname string) {
sys.lock.Lock() sys.lock.Lock()
defer sys.lock.Unlock() defer sys.lock.Unlock()
@ -46,7 +45,7 @@ func (sys *I) Write(dst, src string) {
} }
// WriteType registers a file writing Op labelled with type et. // WriteType registers a file writing Op labelled with type et.
func (sys *I) WriteType(et state.Enablement, dst, src string) { func (sys *I) WriteType(et Enablement, dst, src string) {
sys.lock.Lock() sys.lock.Lock()
sys.ops = append(sys.ops, &Tmpfile{et, tmpfileWrite, dst, src}) sys.ops = append(sys.ops, &Tmpfile{et, tmpfileWrite, dst, src})
sys.lock.Unlock() sys.lock.Unlock()
@ -61,12 +60,12 @@ const (
) )
type Tmpfile struct { type Tmpfile struct {
et state.Enablement et Enablement
method uint8 method uint8
dst, src string dst, src string
} }
func (t *Tmpfile) Type() state.Enablement { func (t *Tmpfile) Type() Enablement {
return t.et return t.et
} }


@ -4,7 +4,6 @@ import (
"fmt" "fmt"
"git.ophivana.moe/cat/fortify/internal/fmsg" "git.ophivana.moe/cat/fortify/internal/fmsg"
"git.ophivana.moe/cat/fortify/internal/state"
"git.ophivana.moe/cat/fortify/internal/verbose" "git.ophivana.moe/cat/fortify/internal/verbose"
"git.ophivana.moe/cat/fortify/xcb" "git.ophivana.moe/cat/fortify/xcb"
) )
@ -19,8 +18,8 @@ func (sys *I) ChangeHosts(username string) {
type XHost string type XHost string
func (x XHost) Type() state.Enablement { func (x XHost) Type() Enablement {
return state.EnableX return EX11
} }
func (x XHost) apply(_ *I) error { func (x XHost) apply(_ *I) error {