From ea2cea36ba0a53a8ccc4ef1fdd7e17cbd048ccaf Mon Sep 17 00:00:00 2001 From: Ophestra Umiker Date: Sat, 9 Nov 2024 11:57:36 +0900 Subject: [PATCH] app/config: rename map_real_uid from use_real_uid This option only changes mapped uid in the user namespace. Signed-off-by: Ophestra Umiker --- internal/app/config.go | 6 +++--- nixos.nix | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/internal/app/config.go b/internal/app/config.go index 0c17317..96c51ce 100644 --- a/internal/app/config.go +++ b/internal/app/config.go @@ -55,7 +55,7 @@ type SandboxConfig struct { // do not run in new session NoNewSession bool `json:"no_new_session,omitempty"` // map target user uid to privileged user uid in the user namespace - UseRealUID bool `json:"use_real_uid"` + MapRealUID bool `json:"map_real_uid"` // mediated access to wayland socket Wayland bool `json:"wayland,omitempty"` @@ -92,7 +92,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) { } var uid int - if !s.UseRealUID { + if !s.MapRealUID { uid = 65534 } else { uid = os.Geteuid() @@ -185,7 +185,7 @@ func Template() *Config { UserNS: true, Net: true, NoNewSession: true, - UseRealUID: true, + MapRealUID: true, Dev: true, Wayland: false, // example API credentials pulled from Google Chrome diff --git a/nixos.nix b/nixos.nix index b6d72d7..4757dab 100644 --- a/nixos.nix +++ b/nixos.nix @@ -130,7 +130,7 @@ in Whether to allow userns within sandbox. ''; - useRealUid = mkEnableOption '' + mapRealUid = mkEnableOption '' Whether to map to fortify's real UID within the sandbox. ''; @@ -330,7 +330,7 @@ in dev env ; - use_real_uid = launcher.useRealUid; + map_real_uid = launcher.mapRealUid; filesystem = [ { src = "/bin"; }