app: set up acl on X11 socket

The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-18 02:24:56 +09:00
parent 0ac6e99818
commit 83a1c75f1a
8 changed files with 111 additions and 3 deletions
--- a/test/sandbox/case/default.nix
+++ b/test/sandbox/case/default.nix
@@ -50,6 +50,9 @@ let
        useCommonPaths
        userns
        ;
+      enablements = {
+        inherit (tc) x11;
+      };
      share = testProgram;
      packages = [ ];
      path = "${testProgram}/bin/hakurei-test";
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@@ -25,6 +25,7 @@ in
  mapRealUid = false;
  useCommonPaths = true;
  userns = false;
+  x11 = true;

  # 0, PresetStrict
  expectedFilter = {
@@ -35,6 +36,7 @@ in
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
+      "DISPLAY=unix:/tmp/.X11-unix/X0"
      "HOME=/var/lib/hakurei/u0/a4"
      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
@@ -161,7 +163,9 @@ in
        } null;
        devices = fs "800001ed" null null;
      } null;
-      tmp = fs "800001f8" { } null;
+      tmp = fs "800001f8" {
+        ".X11-unix" = fs "801001ff" { X0 = fs "10001fd" null null; } null;
+      } null;
      usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
      var = fs "800001c0" {
        lib = fs "800001c0" {
@@ -231,10 +235,15 @@ in
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = true;
  };
 }
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -34,6 +34,7 @@ in
  mapRealUid = true;
  useCommonPaths = true;
  userns = false;
+  x11 = false;

  # 0, PresetStrict
  expectedFilter = {
@@ -266,5 +267,9 @@ in
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@@ -34,6 +34,7 @@ in
  mapRealUid = false;
  useCommonPaths = false;
  userns = true;
+  x11 = false;

  # 0, PresetExt | PresetDenyDevel
  expectedFilter = {
@@ -261,5 +262,9 @@ in
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -34,6 +34,7 @@ in
  mapRealUid = false;
  useCommonPaths = false;
  userns = false;
+  x11 = false;

  # 0, PresetStrict
  expectedFilter = {
@@ -259,5 +260,9 @@ in
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -34,6 +34,7 @@ in
  mapRealUid = false;
  useCommonPaths = true;
  userns = false;
+  x11 = true;

  # 0, PresetExt | PresetDenyNS | PresetDenyDevel
  expectedFilter = {
@@ -44,6 +45,7 @@ in
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
+      "DISPLAY=unix:/tmp/.X11-unix/X0"
      "HOME=/var/lib/hakurei/u0/a2"
      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
@@ -188,7 +190,9 @@ in
        } null;
        devices = fs "800001ed" null null;
      } null;
-      tmp = fs "800001f8" { } null;
+      tmp = fs "800001f8" {
+        ".X11-unix" = fs "801001ff" { X0 = fs "10001fd" null null; } null;
+      } null;
      usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
      var = fs "800001c0" {
        lib = fs "800001c0" {
@@ -263,10 +267,15 @@ in
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = true;
  };
 }