


Ophestra Umiker ea2cea36ba
app/config: rename map_real_uid from use_real_uid
This option only changes the mapped uid in the user namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 11:57:36 +09:00
Ophestra Umiker 45fead18c3
cmd/fshim: set no_new_privs flag
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 11:50:56 +09:00
3 changed files with 10 additions and 5 deletions


@ -15,6 +15,8 @@ const (
fsuConfFile = "/etc/fsurc"
envShim = "FORTIFY_SHIM"
envAID = "FORTIFY_APP_ID"
PR_SET_NO_NEW_PRIVS = 0x26
)
var Fmain = compPoison
@ -86,6 +88,9 @@ func main() {
if err := syscall.Setresuid(uid, uid, uid); err != nil {
log.Fatalf("cannot set uid: %v", err)
}
if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
}
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
log.Fatalf("cannot start shim: %v", err)
}


@ -55,7 +55,7 @@ type SandboxConfig struct {
// do not run in new session
NoNewSession bool `json:"no_new_session,omitempty"`
// map target user uid to privileged user uid in the user namespace
UseRealUID bool `json:"use_real_uid"`
MapRealUID bool `json:"map_real_uid"`
// mediated access to wayland socket
Wayland bool `json:"wayland,omitempty"`
@ -92,7 +92,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
}
var uid int
if !s.UseRealUID {
if !s.MapRealUID {
uid = 65534
} else {
uid = os.Geteuid()
@ -185,7 +185,7 @@ func Template() *Config {
UserNS: true,
Net: true,
NoNewSession: true,
UseRealUID: true,
MapRealUID: true,
Dev: true,
Wayland: false,
// example API credentials pulled from Google Chrome
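Review bot: The JSON key change from `use_real_uid` to `map_real_uid` on the `MapRealUID bool` line is a config-format break that encoding/json does not report: if the config is decoded with default decoder settings (the loader is not in this diff), an existing file that still says `use_real_uid` is accepted, the field decodes as false, and Bwrap silently falls through to `uid = 65534` instead of the real uid. Consider having the loader reject unknown keys with `dec.DisallowUnknownFields()` or accept the old key for one release, and mention the rename wherever the config format is documented. The rename itself is consistent across the three hunks, and Template() still sets `MapRealUID: true`.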


@ -130,7 +130,7 @@ in
Whether to allow userns within sandbox.
'';
useRealUid = mkEnableOption ''
mapRealUid = mkEnableOption ''
Whether to map to fortify's real UID within the sandbox.
'';
@ -330,7 +330,7 @@ in
dev
env
;
use_real_uid = launcher.useRealUid;
map_real_uid = launcher.mapRealUid;
filesystem =
[
{ src = "/bin"; }