internal/app/seal.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"io/fs"
 	"path"
-	"regexp"
 	"strconv"
 
 	shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
@@ -20,11 +19,8 @@ var (
 	ErrConfig = errors.New("no configuration to seal")
 	ErrUser   = errors.New("invalid aid")
 	ErrHome   = errors.New("invalid home directory")
-	ErrName   = errors.New("invalid username")
 )
 
-var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")
-
 // appSeal seals the application with child-related information
 type appSeal struct {
 	// app unique ID string representation
@@ -110,9 +106,6 @@ func (a *app) Seal(config *Config) error {
 		}
 		if seal.sys.user.username == "" {
 			seal.sys.user.username = "chronos"
-		} else if !posixUsername.MatchString(seal.sys.user.username) {
-			return fmsg.WrapError(ErrName,
-				fmt.Sprintf("invalid user name %q", seal.sys.user.username))
 		}
 		if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
 			return fmsg.WrapError(ErrHome,

main.go

@@ -8,7 +8,6 @@ import (
 	"os/user"
 	"strconv"
 	"strings"
-	"sync"
 	"text/tabwriter"
 
 	"git.ophivana.moe/security/fortify/dbus"
@@ -189,41 +188,20 @@ func main() {
 			panic("unreachable")
 		}
 
-		// resolve home/username from os when flag is unset
+		// resolve home directory from os when flag is unset
-		var (
-			passwd     *user.User
-			passwdOnce sync.Once
-			passwdFunc = func() {
-				var us string
-				if uid, err := os.Uid(aid); err != nil {
-					fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
-				} else {
-					us = strconv.Itoa(uid)
-				}
-
-				if u, err := user.LookupId(us); err != nil {
-					fmsg.VPrintf("cannot look up uid %s", us)
-					passwd = &user.User{
-						Uid:      us,
-						Gid:      us,
-						Username: "chronos",
-						Name:     "Fortify",
-						HomeDir:  "/var/empty",
-					}
-				} else {
-					passwd = u
-				}
-			}
-		)
-
 		if homeDir == "os" {
-			passwdOnce.Do(passwdFunc)
+			var us string
-			homeDir = passwd.HomeDir
+			if uid, err := os.Uid(aid); err != nil {
-		}
+				fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
-
+			} else {
-		if userName == "chronos" {
+				us = strconv.Itoa(uid)
-			passwdOnce.Do(passwdFunc)
+			}
-			userName = passwd.Username
+			if u, err := user.LookupId(us); err != nil {
+				fmsg.VPrintf("cannot look up uid %s", us)
+				homeDir = "/var/empty"
+			} else {
+				homeDir = u.HomeDir
+			}
 		}
 
 		config.Confinement.AppID = aid

package.nix

@@ -10,7 +10,7 @@
 
 buildGoModule rec {
   pname = "fortify";
-  version = "0.2.1";
+  version = "0.2.0";
 
   src = ./.;
   vendorHash = null;