When starting with the permissive defaults "run" command, attempt to resolve home directory from os by default and fall back to /var/empty.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This implements lazy loading of the systemd marker (they are not accessed in init and shim) and ensures consistent behaviour when running with a stub.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This change moves all user switcher and shim management to the shim package and withholds output while shim is alive. This also eliminated all exit scenarios where revert is skipped.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This change helps tests stub out and simulate OS behaviour during the sealing process. This also removes dependency on XDG_RUNTIME_DIR as the internal.System implementation provided to App provides a compat directory inside the tmpdir-based share when XDG_RUNTIME_DIR is unavailable.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
The behaviour of print functions from package fmt is not thread safe. Functions provided by fmsg wrap around Logger methods. This makes prefix much cleaner and makes it easy to deal with future changes to logging.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Bubblewrap as init is a bit awkward and don't support a few setup actions fortify will need, such as starting/supervising nscd.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
There is no good reason to run fortify as root and desktop environments typically do not like that either. This check prevents confusion for new users who might mistakenly run it as root or set the setuid bit.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Error handling here is way too monstrous due to terrible design of the internal/app package. Since rewriting internal/app will take a while, error handling is moved out of main to improve readability.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Both machinectl and sudo launch methods launch shim as shim is now responsible for setting up the sandbox. Various app structures are adapted to accommodate bwrap configuration and mediated wayland access.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value.
In anticipation of the client/server split also made changes:
- Console messages are cleaned up to be consistent
- State tracking is fully rewritten to be cleaner and usable for multiple process and client/server
- Encapsulate errors to easier identify type of action causing the error as well as additional info
- System-level setup operations is grouped in a way that can be collectively committed/reverted
and gracefully handles errors returned by each operation
- Resource sharing is made more fine-grained with PID-scoped resources whenever possible,
a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available
- Application setup takes a JSON-friendly config struct and deterministically generates system setup operations
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Exit cleanup state information is now stored in a dedicated struct and built up using methods of that struct.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
State query command has been moved to main where it belongs, "system" information are now fetched in app.New and stored in *App with accessors for relevant values. Exit (cleanup-related) functions are separated into its dedicated "final" package.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit adds code that starts and registers the D-Bus proxy, as well as cleanup code that tracks and closes the daemon once our child exits. A few more flags were added to pass D-Bus config to xdg-dbus-proxy.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
In the past Wayland, X and PulseAudio are shared unconditionally. This can unnecessarily increase attack surface as some of these resources might not be needed at all. This commit moves all environment preparation code to the internal app package and selectively call them based on flags.
An "enablements" bitfield is introduced tracking all enabled shares. This value is registered after successful child process launch and stored in launcher states.
Code responsible for running the child process is isolated to its own app/run file and cleaned up. Launch method selection is also extensively cleaned up.
The internal state/track readLaunchers function now takes uid as an argument. Launcher state is now printed using text/tabwriter and argv is only emitted when verbose.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
X11 hosts and ACL rules are no longer necessary after all launcher processes exit. This reverts all changes to the system made during setup when no launchers remain. State information is also saved in runDir which can be tracked externally.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Copy all flags from upstream. The machinectl flag is dropped as it does nothing. the flag package is used to reduce complexity since we do not care about compatibility with upstream.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>