Fortify needs to internally resolve helper program sandbox config. They are considered trusted and run under the privileged UID, so ldd output is used to determine the libraries they need inside the sandbox environment.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Bubblewrap apparently requires --unshare-user even when --unshare-all is set to apply --disable-userns. This behaviour is not clearly documented.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Tests internal to the helper package set crash-test-dummy as the command whenever a launch is expected to go through, and the hardcoded args are only valid for internal tests, so this characteristic is used here to exclude external tests that pass real program names and custom bwrap configurations.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Upcoming bwrap helper implementation requires two sets of pipes to be managed; the fd will also no longer be constant.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
The stub child process simulates reading from the argument fd and copies the entire payload unmodified to stdout. If the status pipe is enabled, it will simulate sync fd behaviour as well.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
The previous code was poorly documented and made little sense in some parts. This is a generalised and cleaned up implementation in the helper package making use of the Args interface.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This method of passing arguments is used in bubblewrap as well as other tools; this commit separates the argument builder/writer into the helper package and generalises it as an interface.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
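As an added example (not fortify's helper package and not bubblewrap's code), a Go sketch of the NUL-separated argument payload that bwrap's --args FD option reads, combined with the --unshare-all/--unshare-user/--disable-userns set noted in the earlier bubblewrap commit. ArgsPayload, Command and SandboxArgs are hypothetical names; the bind-mount options are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// ArgsPayload encodes sandbox options the way bwrap's --args FD reads them:
// each argument followed by a NUL byte. Hypothetical type, not fortify's code.
type ArgsPayload struct{ buf bytes.Buffer }

// Append adds arguments; one containing NUL would silently split in two, so it is rejected.
func (a *ArgsPayload) Append(args ...string) error {
	for _, s := range args {
		if strings.IndexByte(s, 0) >= 0 {
			return fmt.Errorf("argument %q contains NUL", s)
		}
		a.buf.WriteString(s)
		a.buf.WriteByte(0)
	}
	return nil
}

func (a *ArgsPayload) Bytes() []byte { return a.buf.Bytes() }

// Command prepares bwrap to read its options from a pipe. The read end is the first
// ExtraFiles entry, hence fd 3 in the child; the write end is closed after writing so bwrap sees EOF.
func Command(p *ArgsPayload, prog string, progArgs ...string) (*exec.Cmd, error) {
	r, w, err := os.Pipe()
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("bwrap", append([]string{"--args", "3", prog}, progArgs...)...)
	cmd.ExtraFiles = []*os.File{r}
	go func() { _, _ = w.Write(p.Bytes()); w.Close() }()
	return cmd, nil
}

// SandboxArgs builds the constructed option set for this example. --unshare-user is
// kept next to --unshare-all because --disable-userns has no effect without it.
func SandboxArgs() (*ArgsPayload, error) {
	p := new(ArgsPayload)
	err := p.Append("--unshare-all", "--unshare-user", "--disable-userns",
		"--ro-bind", "/usr", "/usr", "--proc", "/proc", "--dev", "/dev")
	return p, err
}
```

To launch, call `Command(p, "/usr/bin/id")`, set Stdout/Stderr on the returned cmd and run it on a host with bwrap installed.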
There was an earlier attempt at cleaning up the app package; however, it ended up creating even more of a mess, and the code structure largely still looked like Ego, with state setup scattered everywhere and a bunch of ugly hacks that had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread-safe value.
In anticipation of the client/server split, the following changes were also made:
- Console messages are cleaned up to be consistent
- State tracking is fully rewritten to be cleaner and usable for multiple processes and client/server
- Encapsulate errors to more easily identify the type of action causing the error as well as additional info
- System-level setup operations are grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation
- Resource sharing is made more fine-grained with PID-scoped resources whenever possible; a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available
- Application setup takes a JSON-friendly config struct and deterministically generates system setup operations
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Define exported type alias for C.acl_perm_t and accept that for UpdatePerm. This makes representing its function signature significantly less cumbersome.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Exit cleanup state information is now stored in a dedicated struct and built up using methods of that struct.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This project started as a Go implementation of https://github.com/intgr/ego. That is clearly no longer what it is anymore and the tagged releases no longer made sense, so we're going back to v0.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>