Invalid enablement is only caused by bad API usage; however, panicking on the spot leaves behind messy state that has to be manually cleaned up.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Wait for 5 seconds before printing a message and exiting after picking up the initial process's wait status. This also kills any lingering processes. This behaviour is helpful for applications launched without a terminal attached.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happen to be internal, which means no changes to main except renaming of the BaseError type.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
These values are useful during sandbox setup and exporting them makes more sense than storing them twice.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Bubblewrap as init is a bit awkward and doesn't support a few setup actions fortify will need, such as starting/supervising nscd.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
There is no good reason to run fortify as root and desktop environments typically do not like that either. This check prevents confusion for new users who might mistakenly run it as root or set the setuid bit.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Bwrap argument order determines the order in which their corresponding actions are performed. This allows generic arguments like tmpfs at the end of the stream to override bind mounts.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Error handling here is way too monstrous due to terrible design of the internal/app package. Since rewriting internal/app will take a while, error handling is moved out of main to improve readability.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This configuration is not saved anywhere, and does not need to be saved. Bwrap configuration information is already saved into p.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Both machinectl and sudo launch methods launch shim, as shim is now responsible for setting up the sandbox. Various app structures are adapted to accommodate bwrap configuration and mediated wayland access.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This implementation of shim accepts configuration as a gob stream over a unix socket, with support for mediating access to wayland via the WAYLAND_SOCKET fd. All configuration is now included in the payload, and the child is started inside bwrap configured with the supplied bwrap.Config.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>