Compare commits

..

No commits in common. "master" and "v0.2.0" have entirely different histories.

3 changed files with 14 additions and 43 deletions

View File

@ -5,7 +5,6 @@ import (
"fmt" "fmt"
"io/fs" "io/fs"
"path" "path"
"regexp"
"strconv" "strconv"
shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc" shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
@ -20,11 +19,8 @@ var (
ErrConfig = errors.New("no configuration to seal") ErrConfig = errors.New("no configuration to seal")
ErrUser = errors.New("invalid aid") ErrUser = errors.New("invalid aid")
ErrHome = errors.New("invalid home directory") ErrHome = errors.New("invalid home directory")
ErrName = errors.New("invalid username")
) )
var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")
// appSeal seals the application with child-related information // appSeal seals the application with child-related information
type appSeal struct { type appSeal struct {
// app unique ID string representation // app unique ID string representation
@ -110,9 +106,6 @@ func (a *app) Seal(config *Config) error {
} }
if seal.sys.user.username == "" { if seal.sys.user.username == "" {
seal.sys.user.username = "chronos" seal.sys.user.username = "chronos"
} else if !posixUsername.MatchString(seal.sys.user.username) {
return fmsg.WrapError(ErrName,
fmt.Sprintf("invalid user name %q", seal.sys.user.username))
} }
if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) { if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
return fmsg.WrapError(ErrHome, return fmsg.WrapError(ErrHome,

30
main.go
View File

@ -8,7 +8,6 @@ import (
"os/user" "os/user"
"strconv" "strconv"
"strings" "strings"
"sync"
"text/tabwriter" "text/tabwriter"
"git.ophivana.moe/security/fortify/dbus" "git.ophivana.moe/security/fortify/dbus"
@ -189,42 +188,21 @@ func main() {
panic("unreachable") panic("unreachable")
} }
// resolve home/username from os when flag is unset // resolve home directory from os when flag is unset
var ( if homeDir == "os" {
passwd *user.User
passwdOnce sync.Once
passwdFunc = func() {
var us string var us string
if uid, err := os.Uid(aid); err != nil { if uid, err := os.Uid(aid); err != nil {
fmsg.Fatalf("cannot obtain uid from fsu: %v", err) fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
} else { } else {
us = strconv.Itoa(uid) us = strconv.Itoa(uid)
} }
if u, err := user.LookupId(us); err != nil { if u, err := user.LookupId(us); err != nil {
fmsg.VPrintf("cannot look up uid %s", us) fmsg.VPrintf("cannot look up uid %s", us)
passwd = &user.User{ homeDir = "/var/empty"
Uid: us,
Gid: us,
Username: "chronos",
Name: "Fortify",
HomeDir: "/var/empty",
}
} else { } else {
passwd = u homeDir = u.HomeDir
} }
} }
)
if homeDir == "os" {
passwdOnce.Do(passwdFunc)
homeDir = passwd.HomeDir
}
if userName == "chronos" {
passwdOnce.Do(passwdFunc)
userName = passwd.Username
}
config.Confinement.AppID = aid config.Confinement.AppID = aid
config.Confinement.Groups = groups config.Confinement.Groups = groups

View File

@ -10,7 +10,7 @@
buildGoModule rec { buildGoModule rec {
pname = "fortify"; pname = "fortify";
version = "0.2.1"; version = "0.2.0";
src = ./.; src = ./.;
vendorHash = null; vendorHash = null;