fipc: export config struct

Also store full config as part of state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 13:45:55 +09:00
parent 5d00805a7c
commit b752ec4468
11 changed files with 100 additions and 49 deletions


@@ -9,6 +9,7 @@ import (
"strconv"
"git.ophivana.moe/security/fortify/dbus"
"git.ophivana.moe/security/fortify/fipc"
"git.ophivana.moe/security/fortify/internal/fmsg"
"git.ophivana.moe/security/fortify/internal/linux"
"git.ophivana.moe/security/fortify/internal/state"
@@ -59,7 +60,7 @@ type appSeal struct {
}
// Seal seals the app launch context
func (a *app) Seal(config *Config) error {
func (a *app) Seal(config *fipc.Config) error {
a.lock.Lock()
defer a.lock.Unlock()
@@ -147,7 +148,7 @@ func (a *app) Seal(config *Config) error {
fmsg.VPrintln("sandbox configuration not supplied, PROCEED WITH CAUTION")
// permissive defaults
conf := &SandboxConfig{
conf := &fipc.SandboxConfig{
UserNS: true,
Net: true,
NoNewSession: true,
@@ -157,7 +158,7 @@ func (a *app) Seal(config *Config) error {
if d, err := a.os.ReadDir("/"); err != nil {
return err
} else {
b := make([]*FilesystemConfig, 0, len(d))
b := make([]*fipc.FilesystemConfig, 0, len(d))
for _, ent := range d {
p := "/" + ent.Name()
switch p {
@@ -169,7 +170,7 @@ func (a *app) Seal(config *Config) error {
case "/etc":
default:
b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
b = append(b, &fipc.FilesystemConfig{Src: p, Write: true, Must: true})
}
}
conf.Filesystem = append(conf.Filesystem, b...)
@@ -178,7 +179,7 @@ func (a *app) Seal(config *Config) error {
if d, err := a.os.ReadDir("/run"); err != nil {
return err
} else {
b := make([]*FilesystemConfig, 0, len(d))
b := make([]*fipc.FilesystemConfig, 0, len(d))
for _, ent := range d {
name := ent.Name()
switch name {
@@ -186,7 +187,7 @@ func (a *app) Seal(config *Config) error {
case "dbus":
default:
p := "/run/" + name
b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
b = append(b, &fipc.FilesystemConfig{Src: p, Write: true, Must: true})
}
}
conf.Filesystem = append(conf.Filesystem, b...)
@@ -198,7 +199,7 @@ func (a *app) Seal(config *Config) error {
}
// bind GPU stuff
if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
conf.Filesystem = append(conf.Filesystem, &FilesystemConfig{Src: "/dev/dri", Device: true})
conf.Filesystem = append(conf.Filesystem, &fipc.FilesystemConfig{Src: "/dev/dri", Device: true})
}
config.Confinement.Sandbox = conf
@@ -236,5 +237,6 @@ func (a *app) Seal(config *Config) error {
// seal app and release lock
a.seal = seal
a.ct = newAppCt(config)
return nil
}
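Review bot: The new `a.ct = newAppCt(config)` line in the last hunk stores the caller-supplied `*fipc.Config` as sealed app state, yet the caller still holds that same pointer after Seal returns, and Seal has already written into it earlier in the function (`config.Confinement.Sandbox = conf`), so the sealed state aliases memory the caller can keep mutating. If newAppCt retains the pointer rather than copying (its body is not in this diff), the doc comment on Seal should state the contract: `// Seal seals the app launch context. It fills in config.Confinement.Sandbox when absent and retains config as part of the app state; callers must not modify config after Seal returns.` A deep copy before storing would remove the aliasing outright, but whether that is practical depends on the shape of fipc.Config, which is not visible here. Seal's body begins outside this hunk.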