Compare commits


No commits in common. "9a13b311ac9b180a9a24e0d99a0487fb1997de32" and "431aa32291996b59a5c02e293fa8d1351a7111e8" have entirely different histories.

4 changed files with 6 additions and 11 deletions


@ -15,8 +15,6 @@ const (
fsuConfFile = "/etc/fsurc" fsuConfFile = "/etc/fsurc"
envShim = "FORTIFY_SHIM" envShim = "FORTIFY_SHIM"
envAID = "FORTIFY_APP_ID" envAID = "FORTIFY_APP_ID"
PR_SET_NO_NEW_PRIVS = 0x26
) )
var Fmain = compPoison var Fmain = compPoison
@ -88,9 +86,6 @@ func main() {
if err := syscall.Setresuid(uid, uid, uid); err != nil { if err := syscall.Setresuid(uid, uid, uid); err != nil {
log.Fatalf("cannot set uid: %v", err) log.Fatalf("cannot set uid: %v", err)
} }
if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
}
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil { if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
log.Fatalf("cannot start shim: %v", err) log.Fatalf("cannot start shim: %v", err)
} }
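Review bot: After `syscall.Setresuid(uid, uid, uid)` the new side goes straight to `syscall.Exec` on the last lines of the hunk with no no_new_privs flag in effect, so the shim and everything it launches can regain privilege through setuid or file-capability executables; the second hunk drops exactly that guard and the first hunk drops the `PR_SET_NO_NEW_PRIVS = 0x26` constant it relies on. Unless the flag is set somewhere outside these hunks, keep the constant in the const block and the `syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)` check between the uid switch and the exec, failing with log.Fatalf on a non-zero errno as the removed lines did. AllThreadsSyscall rather than a plain Syscall is the right call there because the flag is a per-thread attribute and the Go runtime may already have started other threads. The body of main continues outside the hunk, and since the page reports no commits in common it is hard to tell from here which side is actually the newer code.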


@ -55,7 +55,7 @@ type SandboxConfig struct {
// do not run in new session // do not run in new session
NoNewSession bool `json:"no_new_session,omitempty"` NoNewSession bool `json:"no_new_session,omitempty"`
// map target user uid to privileged user uid in the user namespace // map target user uid to privileged user uid in the user namespace
MapRealUID bool `json:"map_real_uid"` UseRealUID bool `json:"use_real_uid"`
// mediated access to wayland socket // mediated access to wayland socket
Wayland bool `json:"wayland,omitempty"` Wayland bool `json:"wayland,omitempty"`
@ -92,7 +92,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
} }
var uid int var uid int
if !s.MapRealUID { if !s.UseRealUID {
uid = 65534 uid = 65534
} else { } else {
uid = os.Geteuid() uid = os.Geteuid()
@ -185,7 +185,7 @@ func Template() *Config {
UserNS: true, UserNS: true,
Net: true, Net: true,
NoNewSession: true, NoNewSession: true,
MapRealUID: true, UseRealUID: true,
Dev: true, Dev: true,
Wayland: false, Wayland: false,
// example API credentials pulled from Google Chrome // example API credentials pulled from Google Chrome
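Review bot: Changing the struct tag from `json:"map_real_uid"` to `json:"use_real_uid"` means a configuration file written with the other spelling is silently ignored by encoding/json, and the Bwrap hunk then takes the `uid = 65534` branch instead of mapping the real uid, with no error surfaced to the user. If both spellings have to be accepted, keep a deprecated field carrying the old tag and fold it in at the start of Bwrap (`if s.MapRealUID { s.UseRealUID = true }`) or in a custom UnmarshalJSON, and document which wins when both are set; the same concern applies to the `map_real_uid`/`use_real_uid` key emitted by the Nix module in the last section, where the option rename could be bridged with mkRenamedOptionModule. The field comment still reads "map target user uid to privileged user uid in the user namespace", which sits oddly beside a field now called UseRealUID; `// use the privileged user's real uid inside the user namespace instead of 65534` would match the new name. Bwrap also names its parameter `os`, shadowing the os package for the whole method body; a name such as `sys` would avoid that. The Bwrap and Template bodies extend beyond these hunks.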


@ -130,7 +130,7 @@ func (a *app) Seal(config *Config) error {
seal.sys = new(appSealSys) seal.sys = new(appSealSys)
// mapped uid // mapped uid
if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.MapRealUID { if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.UseRealUID {
seal.sys.mappedID = a.os.Geteuid() seal.sys.mappedID = a.os.Geteuid()
} else { } else {
seal.sys.mappedID = 65534 seal.sys.mappedID = 65534


@ -130,7 +130,7 @@ in
Whether to allow userns within sandbox. Whether to allow userns within sandbox.
''; '';
mapRealUid = mkEnableOption '' useRealUid = mkEnableOption ''
Whether to map to fortify's real UID within the sandbox. Whether to map to fortify's real UID within the sandbox.
''; '';
@ -330,7 +330,7 @@ in
dev dev
env env
; ;
map_real_uid = launcher.mapRealUid; use_real_uid = launcher.useRealUid;
filesystem = filesystem =
[ [
{ src = "/bin"; } { src = "/bin"; }