app/config: rename map_real_uid from use_real_uid

This option only changes mapped uid in the user namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
cmd/fshim: set no_new_privs flag
2024-11-09 12:01:34 +09:00 · 2024-11-09 11:50:56 +09:00
4 changed files with 11 additions and 6 deletions
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@ -15,6 +15,8 @@ const (
 	fsuConfFile = "/etc/fsurc"
 	envShim     = "FORTIFY_SHIM"
 	envAID      = "FORTIFY_APP_ID"
+
+	PR_SET_NO_NEW_PRIVS = 0x26
 )

 var Fmain = compPoison
@ -86,6 +88,9 @@ func main() {
 	if err := syscall.Setresuid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set uid: %v", err)
 	}
+	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
+		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
+	}
 	if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}
--- a/internal/app/config.go
+++ b/internal/app/config.go
@ -55,7 +55,7 @@ type SandboxConfig struct {
 	// do not run in new session
 	NoNewSession bool `json:"no_new_session,omitempty"`
 	// map target user uid to privileged user uid in the user namespace
-	UseRealUID bool `json:"use_real_uid"`
+	MapRealUID bool `json:"map_real_uid"`
 	// mediated access to wayland socket
 	Wayland bool `json:"wayland,omitempty"`

@ -92,7 +92,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 	}

 	var uid int
-	if !s.UseRealUID {
+	if !s.MapRealUID {
 		uid = 65534
 	} else {
 		uid = os.Geteuid()
@ -185,7 +185,7 @@ func Template() *Config {
 				UserNS:       true,
 				Net:          true,
 				NoNewSession: true,
-				UseRealUID:   true,
+				MapRealUID:   true,
 				Dev:          true,
 				Wayland:      false,
 				// example API credentials pulled from Google Chrome
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -130,7 +130,7 @@ func (a *app) Seal(config *Config) error {
 	seal.sys = new(appSealSys)

 	// mapped uid
-	if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.UseRealUID {
+	if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.MapRealUID {
 		seal.sys.mappedID = a.os.Geteuid()
 	} else {
 		seal.sys.mappedID = 65534
--- a/nixos.nix
+++ b/nixos.nix
@ -130,7 +130,7 @@ in
                      Whether to allow userns within sandbox.
                    '';

-                    useRealUid = mkEnableOption ''
+                    mapRealUid = mkEnableOption ''
                      Whether to map to fortify's real UID within the sandbox.
                    '';

@ -330,7 +330,7 @@ in
                          dev
                          env
                          ;
-                        use_real_uid = launcher.useRealUid;
+                        map_real_uid = launcher.mapRealUid;
                        filesystem =
                          [
                            { src = "/bin"; }
Author	SHA1	Message	Date
Ophestra Umiker	9a13b311ac	app/config: rename map_real_uid from use_real_uid test / test (push) Successful in 19s Details This option only changes mapped uid in the user namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-09 12:01:34 +09:00
Ophestra Umiker	45fead18c3	cmd/fshim: set no_new_privs flag Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-09 11:50:56 +09:00