Compare commits
2 Commits
431aa32291
...
9a13b311ac
| Author | SHA1 | Date |
|---|---|---|
 Ophestra Umiker
|
9a13b311ac
|
|
|
Ophestra Umiker
|
45fead18c3
|
|
|
@ -15,6 +15,8 @@ const (
|
||||||
fsuConfFile = "/etc/fsurc"
|
fsuConfFile = "/etc/fsurc"
|
||||||
envShim = "FORTIFY_SHIM"
|
envShim = "FORTIFY_SHIM"
|
||||||
envAID = "FORTIFY_APP_ID"
|
envAID = "FORTIFY_APP_ID"
|
||||||
|
|
||||||
|
PR_SET_NO_NEW_PRIVS = 0x26
|
||||||
)
|
)
|
||||||
|
|
||||||
var Fmain = compPoison
|
var Fmain = compPoison
|
||||||
|
|
@ -86,6 +88,9 @@ func main() {
|
||||||
if err := syscall.Setresuid(uid, uid, uid); err != nil {
|
if err := syscall.Setresuid(uid, uid, uid); err != nil {
|
||||||
log.Fatalf("cannot set uid: %v", err)
|
log.Fatalf("cannot set uid: %v", err)
|
||||||
}
|
}
|
||||||
|
if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
|
||||||
|
log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
|
||||||
|
}
|
||||||
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
|
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
|
||||||
log.Fatalf("cannot start shim: %v", err)
|
log.Fatalf("cannot start shim: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -55,7 +55,7 @@ type SandboxConfig struct {
|
||||||
// do not run in new session
|
// do not run in new session
|
||||||
NoNewSession bool `json:"no_new_session,omitempty"`
|
NoNewSession bool `json:"no_new_session,omitempty"`
|
||||||
// map target user uid to privileged user uid in the user namespace
|
// map target user uid to privileged user uid in the user namespace
|
||||||
UseRealUID bool `json:"use_real_uid"`
|
MapRealUID bool `json:"map_real_uid"`
|
||||||
// mediated access to wayland socket
|
// mediated access to wayland socket
|
||||||
Wayland bool `json:"wayland,omitempty"`
|
Wayland bool `json:"wayland,omitempty"`
|
||||||
|
|
||||||
|
|
@ -92,7 +92,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
var uid int
|
var uid int
|
||||||
if !s.UseRealUID {
|
if !s.MapRealUID {
|
||||||
uid = 65534
|
uid = 65534
|
||||||
} else {
|
} else {
|
||||||
uid = os.Geteuid()
|
uid = os.Geteuid()
|
||||||
|
|
@ -185,7 +185,7 @@ func Template() *Config {
|
||||||
UserNS: true,
|
UserNS: true,
|
||||||
Net: true,
|
Net: true,
|
||||||
NoNewSession: true,
|
NoNewSession: true,
|
||||||
UseRealUID: true,
|
MapRealUID: true,
|
||||||
Dev: true,
|
Dev: true,
|
||||||
Wayland: false,
|
Wayland: false,
|
||||||
// example API credentials pulled from Google Chrome
|
// example API credentials pulled from Google Chrome
|
||||||
|
|
|
||||||
|
|
@ -130,7 +130,7 @@ func (a *app) Seal(config *Config) error {
|
||||||
seal.sys = new(appSealSys)
|
seal.sys = new(appSealSys)
|
||||||
|
|
||||||
// mapped uid
|
// mapped uid
|
||||||
if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.UseRealUID {
|
if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.MapRealUID {
|
||||||
seal.sys.mappedID = a.os.Geteuid()
|
seal.sys.mappedID = a.os.Geteuid()
|
||||||
} else {
|
} else {
|
||||||
seal.sys.mappedID = 65534
|
seal.sys.mappedID = 65534
|
||||||
|
|
|
||||||
|
|
@ -130,7 +130,7 @@ in
|
||||||
Whether to allow userns within sandbox.
|
Whether to allow userns within sandbox.
|
||||||
'';
|
'';
|
||||||
|
|
||||||
useRealUid = mkEnableOption ''
|
mapRealUid = mkEnableOption ''
|
||||||
Whether to map to fortify's real UID within the sandbox.
|
Whether to map to fortify's real UID within the sandbox.
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|
@ -330,7 +330,7 @@ in
|
||||||
dev
|
dev
|
||||||
env
|
env
|
||||||
;
|
;
|
||||||
use_real_uid = launcher.useRealUid;
|
map_real_uid = launcher.mapRealUid;
|
||||||
filesystem =
|
filesystem =
|
||||||
[
|
[
|
||||||
{ src = "/bin"; }
|
{ src = "/bin"; }
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue