maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

app/share: fix order to ensure SharePath before any of its subdirectories

Browse Source 
shareTmpdirChild happened to request an ephemeral dir within SharePath and was called before shareRuntime which ensures that path. This commit moves SharePath initialisation to shareSystem and moves shareTmpdirChild into ShareSystem. Further cleanup and tests are desperately needed for the app package but for now this fix will have to do.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
Ophestra
2024-10-18 01:21:58 +09:00
parent 4ebb98649e
commit 65bd7d18db
3 changed files with 27 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
internal/app/share.runtime.go
View File

@@ -31,15 +31,6 @@ func (seal *appSeal) shareRuntime() {
// ensure runtime directory ACL (e.g. `/run/user/%d`)
seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
// ensure Share (e.g. `/tmp/fortify.%d`)
// acl is unnecessary as this directory is world executable
seal.sys.Ensure(seal.SharePath, 0701)
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
// acl is unnecessary as this directory is world executable
seal.share = path.Join(seal.SharePath, seal.id.String())
seal.sys.Ephemeral(system.Process, seal.share, 0701)
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
seal.shareLocal = path.Join(seal.RunDirPath, seal.id.String())
seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)