package app
import (
"git.ophivana.moe/cat/fortify/dbus"
"git.ophivana.moe/cat/fortify/helper/bwrap"
"git.ophivana.moe/cat/fortify/internal/state"
)
// Config is used to seal an *App.
//
// The json tags suggest the value is decoded from a JSON document; until it
// is sealed, every field should be treated as external input (the user to
// switch to, the argv handed to the child, and the confinement knobs below
// all come from the same document).
type Config struct {
	// D-Bus application ID
	ID string `json:"id"`
	// username of the target user to switch to
	User string `json:"user"`
	// value passed through to the child process as its argv
	// (a vector, so no shell interpretation is implied here — confirm at the
	// launch site)
	Command []string `json:"command"`
	// string representation of the child's launch method
	Method string `json:"method"`

	// child confinement configuration; see ConfinementConfig for what a nil
	// Sandbox or bus reference means
	Confinement ConfinementConfig `json:"confinement"`
}
// ConfinementConfig defines fortified child's confinement.
//
// Note the asymmetry between the two bus references: a nil SystemBus turns the
// system bus proxy off, while a nil SessionBus still proxies the session bus
// with built-in defaults.
type ConfinementConfig struct {
	// bwrap sandbox confinement configuration;
	// a nil value makes (*SandboxConfig).Bwrap return nil, what that means for
	// the child is decided by the caller — verify before relying on it
	Sandbox *SandboxConfig `json:"sandbox"`

	// reference to a system D-Bus proxy configuration,
	// nil value disables system bus proxy
	SystemBus *dbus.Config `json:"system_bus,omitempty"`
	// reference to a session D-Bus proxy configuration,
	// nil value makes session bus proxy assume built-in defaults
	SessionBus *dbus.Config `json:"session_bus,omitempty"`

	// child capability enablements
	Enablements state.Enablements `json:"enablements"`
}
// SandboxConfig describes resources made available to the sandbox.
//
// Most fields are translated one-to-one by Bwrap; the exceptions are noted on
// the field. Every boolean widens the sandbox when true (shared network,
// nested user namespaces, the caller's terminal session, the wayland socket),
// so the zero value is the most confined configuration.
type SandboxConfig struct {
	// unix hostname within sandbox
	Hostname string `json:"hostname,omitempty"`
	// userns availability within sandbox
	// (nested user namespaces expose more kernel surface to the child; keep
	// false unless the workload needs them)
	UserNS bool `json:"userns,omitempty"`
	// share net namespace
	Net bool `json:"net,omitempty"`
	// do not run in new session; Bwrap passes the inverse as NewSession.
	// Keeping the child in the caller's session leaves it attached to the
	// caller's controlling terminal, so only set this when the child really
	// needs the terminal.
	NoNewSession bool `json:"no_new_session,omitempty"`
	// mediated access to wayland socket
	// (not consumed by Bwrap; presumably wired up elsewhere — verify)
	Wayland bool `json:"wayland,omitempty"`

	// uid/gid presented inside the sandbox; Bwrap forwards them only when
	// strictly positive, so zero (an absent JSON field) or a negative value
	// leaves bwrap's default in place and uid/gid 0 cannot be requested here
	UID int `json:"uid,omitempty"`
	GID int `json:"gid,omitempty"`
	// final environment variables; Bwrap sets Clearenv, so this map is the
	// entire environment the child sees
	Env map[string]string `json:"env"`

	// paths made available within the sandbox
	// (each entry is a pair forwarded verbatim to bwrap.Config.Bind; assumed
	// to be [source, destination] — confirm against bwrap.Config)
	Bind [][2]string `json:"bind"`
	// paths made available read-only within the sandbox
	// (same pair layout as Bind, forwarded to bwrap.Config.ROBind)
	ROBind [][2]string `json:"ro-bind"`
}
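// Bwrap translates s into a bwrap sandbox configuration.
//
// A nil receiver yields nil, so an absent Sandbox can be passed through
// without a check. The environment is always cleared (Clearenv), making Env
// the child's complete environment; /proc, /dev and /dev/mqueue are always
// mounted; and the child is always configured to die with its parent.
//
// Env, Bind and ROBind are handed to bwrap by reference and must not be
// mutated by the caller after this returns. UID and GID are copied, so the
// returned config does not keep a pointer into s and is unaffected by later
// changes to s.
func (s *SandboxConfig) Bwrap() *bwrap.Config {
	if s == nil {
		return nil
	}

	conf := &bwrap.Config{
		Net:      s.Net,
		UserNS:   s.UserNS,
		Hostname: s.Hostname,
		// Clearenv together with SetEnv makes Env the whole child environment;
		// nothing from the launcher's own environment leaks in.
		Clearenv: true,
		SetEnv:   s.Env,
		Bind:     s.Bind,
		ROBind:   s.ROBind,
		Procfs:   []string{"/proc"},
		DevTmpfs: []string{"/dev"},
		Mqueue:   []string{"/dev/mqueue"},
		// NoNewSession is the inverse of bwrap's new-session setting
		// (presumably --new-session); the default therefore detaches the
		// child from the caller's controlling terminal.
		NewSession:    !s.NoNewSession,
		DieWithParent: true,
	}

	// Only strictly positive IDs are forwarded: zero is what an absent JSON
	// field decodes to and leaves bwrap's default in place, which also means
	// uid/gid 0 cannot be requested through this config. The values are
	// copied rather than aliased (&s.UID) so conf stays self-contained if s
	// is modified or discarded afterwards.
	if s.UID > 0 {
		uid := s.UID
		conf.UID = &uid
	}
	if s.GID > 0 {
		gid := s.GID
		conf.GID = &gid
	}

	return conf
}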