283 lines
7.2 KiB
Go
283 lines
7.2 KiB
Go
package app
|
|
|
|
import (
|
|
"errors"
|
|
"io/fs"
|
|
"os/user"
|
|
"path"
|
|
"strconv"
|
|
|
|
shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
|
|
"git.ophivana.moe/security/fortify/dbus"
|
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
|
"git.ophivana.moe/security/fortify/internal/linux"
|
|
"git.ophivana.moe/security/fortify/internal/state"
|
|
"git.ophivana.moe/security/fortify/internal/system"
|
|
)
|
|
|
|
const (
|
|
LaunchMethodSudo uint8 = iota
|
|
LaunchMethodMachineCtl
|
|
)
|
|
|
|
var method = [...]string{
|
|
LaunchMethodSudo: "sudo",
|
|
LaunchMethodMachineCtl: "systemd",
|
|
}
|
|
|
|
var (
|
|
ErrConfig = errors.New("no configuration to seal")
|
|
ErrUser = errors.New("unknown user")
|
|
ErrLaunch = errors.New("invalid launch method")
|
|
|
|
ErrSudo = errors.New("sudo not available")
|
|
ErrSystemd = errors.New("systemd not available")
|
|
ErrMachineCtl = errors.New("machinectl not available")
|
|
)
|
|
|
|
// appSeal seals the application with child-related information
|
|
type appSeal struct {
|
|
// app unique ID string representation
|
|
id string
|
|
// wayland mediation, disabled if nil
|
|
wl *shim.Wayland
|
|
// dbus proxy message buffer retriever
|
|
dbusMsg func(f func(msgbuf []string))
|
|
|
|
// freedesktop application ID
|
|
fid string
|
|
// argv to start process with in the final confined environment
|
|
command []string
|
|
// persistent process state store
|
|
store state.Store
|
|
|
|
// uint8 representation of launch method sealed from config
|
|
launchOption uint8
|
|
// process-specific share directory path
|
|
share string
|
|
// process-specific share directory path local to XDG_RUNTIME_DIR
|
|
shareLocal string
|
|
|
|
// path to launcher program
|
|
toolPath string
|
|
// pass-through enablement tracking from config
|
|
et system.Enablements
|
|
|
|
// prevents sharing from happening twice
|
|
shared bool
|
|
// seal system-level component
|
|
sys *appSealSys
|
|
|
|
linux.Paths
|
|
|
|
// protected by upstream mutex
|
|
}
|
|
|
|
// Seal seals the app launch context
|
|
func (a *app) Seal(config *Config) error {
|
|
a.lock.Lock()
|
|
defer a.lock.Unlock()
|
|
|
|
if a.seal != nil {
|
|
panic("app sealed twice")
|
|
}
|
|
|
|
if config == nil {
|
|
return fmsg.WrapError(ErrConfig,
|
|
"attempted to seal app with nil config")
|
|
}
|
|
|
|
// create seal
|
|
seal := new(appSeal)
|
|
|
|
// fetch system constants
|
|
seal.Paths = a.os.Paths()
|
|
|
|
// pass through config values
|
|
seal.id = a.id.String()
|
|
seal.fid = config.ID
|
|
seal.command = config.Command
|
|
|
|
// parses launch method text and looks up tool path
|
|
switch config.Method {
|
|
case method[LaunchMethodSudo]:
|
|
seal.launchOption = LaunchMethodSudo
|
|
if sudoPath, err := a.os.LookPath("sudo"); err != nil {
|
|
return fmsg.WrapError(ErrSudo,
|
|
"sudo not found")
|
|
} else {
|
|
seal.toolPath = sudoPath
|
|
}
|
|
case method[LaunchMethodMachineCtl]:
|
|
seal.launchOption = LaunchMethodMachineCtl
|
|
if !a.os.SdBooted() {
|
|
return fmsg.WrapError(ErrSystemd,
|
|
"system has not been booted with systemd as init system")
|
|
}
|
|
|
|
if machineCtlPath, err := a.os.LookPath("machinectl"); err != nil {
|
|
return fmsg.WrapError(ErrMachineCtl,
|
|
"machinectl not found")
|
|
} else {
|
|
seal.toolPath = machineCtlPath
|
|
}
|
|
default:
|
|
return fmsg.WrapError(ErrLaunch,
|
|
"invalid launch method")
|
|
}
|
|
|
|
// create seal system component
|
|
seal.sys = new(appSealSys)
|
|
|
|
// mapped uid
|
|
if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.UseRealUID {
|
|
seal.sys.mappedID = a.os.Geteuid()
|
|
} else {
|
|
seal.sys.mappedID = 65534
|
|
}
|
|
seal.sys.mappedIDString = strconv.Itoa(seal.sys.mappedID)
|
|
seal.sys.runtime = path.Join("/run/user", seal.sys.mappedIDString)
|
|
|
|
// look up user from system
|
|
if u, err := a.os.Lookup(config.User); err != nil {
|
|
if errors.As(err, new(user.UnknownUserError)) {
|
|
return fmsg.WrapError(ErrUser, "unknown user", config.User)
|
|
} else {
|
|
// unreachable
|
|
panic(err)
|
|
}
|
|
} else {
|
|
seal.sys.user = u
|
|
}
|
|
|
|
// map sandbox config to bwrap
|
|
if config.Confinement.Sandbox == nil {
|
|
fmsg.VPrintln("sandbox configuration not supplied, PROCEED WITH CAUTION")
|
|
|
|
// permissive defaults
|
|
conf := &SandboxConfig{
|
|
UserNS: true,
|
|
Net: true,
|
|
NoNewSession: true,
|
|
}
|
|
// bind entries in /
|
|
if d, err := a.os.ReadDir("/"); err != nil {
|
|
return err
|
|
} else {
|
|
b := make([]*FilesystemConfig, 0, len(d))
|
|
for _, ent := range d {
|
|
p := "/" + ent.Name()
|
|
switch p {
|
|
case "/proc":
|
|
case "/dev":
|
|
case "/run":
|
|
case "/tmp":
|
|
case "/mnt":
|
|
|
|
case "/etc":
|
|
b = append(b, &FilesystemConfig{Src: p, Dst: "/dev/fortify/etc", Write: false, Must: true})
|
|
default:
|
|
b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
|
|
}
|
|
}
|
|
conf.Filesystem = append(conf.Filesystem, b...)
|
|
}
|
|
// bind entries in /run
|
|
if d, err := a.os.ReadDir("/run"); err != nil {
|
|
return err
|
|
} else {
|
|
b := make([]*FilesystemConfig, 0, len(d))
|
|
for _, ent := range d {
|
|
name := ent.Name()
|
|
switch name {
|
|
case "user":
|
|
case "dbus":
|
|
default:
|
|
p := "/run/" + name
|
|
b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
|
|
}
|
|
}
|
|
conf.Filesystem = append(conf.Filesystem, b...)
|
|
}
|
|
// hide nscd from sandbox if present
|
|
nscd := "/var/run/nscd"
|
|
if _, err := a.os.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
|
|
conf.Override = append(conf.Override, nscd)
|
|
}
|
|
// bind GPU stuff
|
|
if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
|
|
conf.Filesystem = append(conf.Filesystem, &FilesystemConfig{Src: "/dev/dri", Device: true})
|
|
}
|
|
// link host /etc to prevent passwd/group from being overwritten
|
|
if d, err := a.os.ReadDir("/etc"); err != nil {
|
|
return err
|
|
} else {
|
|
b := make([][2]string, 0, len(d))
|
|
for _, ent := range d {
|
|
name := ent.Name()
|
|
switch name {
|
|
case "passwd":
|
|
case "group":
|
|
|
|
case "mtab":
|
|
b = append(b, [2]string{
|
|
"/proc/mounts",
|
|
"/etc/" + name,
|
|
})
|
|
default:
|
|
b = append(b, [2]string{
|
|
"/dev/fortify/etc/" + name,
|
|
"/etc/" + name,
|
|
})
|
|
}
|
|
}
|
|
conf.Link = append(conf.Link, b...)
|
|
}
|
|
|
|
config.Confinement.Sandbox = conf
|
|
}
|
|
seal.sys.bwrap = config.Confinement.Sandbox.Bwrap(a.os.Geteuid())
|
|
seal.sys.override = config.Confinement.Sandbox.Override
|
|
if seal.sys.bwrap.SetEnv == nil {
|
|
seal.sys.bwrap.SetEnv = make(map[string]string)
|
|
}
|
|
|
|
// create wayland struct and client wait channel if mediated wayland is enabled
|
|
// this field being set enables mediated wayland setup later on
|
|
if config.Confinement.Sandbox.Wayland {
|
|
seal.wl = shim.NewWayland()
|
|
}
|
|
|
|
// open process state store
|
|
// the simple store only starts holding an open file after first action
|
|
// store activity begins after Start is called and must end before Wait
|
|
seal.store = state.NewSimple(seal.RunDirPath, seal.sys.user.Uid)
|
|
|
|
// parse string UID
|
|
if u, err := strconv.Atoi(seal.sys.user.Uid); err != nil {
|
|
// unreachable unless kernel bug
|
|
panic("uid parse")
|
|
} else {
|
|
seal.sys.I = system.New(u)
|
|
}
|
|
|
|
// pass through enablements
|
|
seal.et = config.Confinement.Enablements
|
|
|
|
// this method calls all share methods in sequence
|
|
if err := seal.shareAll([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
|
|
return err
|
|
}
|
|
|
|
// verbose log seal information
|
|
fmsg.VPrintln("created application seal as user",
|
|
seal.sys.user.Username, "("+seal.sys.user.Uid+"),",
|
|
"method:", config.Method+",",
|
|
"launcher:", seal.toolPath+",",
|
|
"command:", config.Command)
|
|
|
|
// seal app and release lock
|
|
a.seal = seal
|
|
return nil
|
|
}
|