fortify/internal/app/system.go

package app

import (
	"os"

	"git.gensokyo.uk/security/fortify/helper/bwrap"
	"git.gensokyo.uk/security/fortify/system"
)

// appSealSys encapsulates app seal behaviour with OS interactions
type appSealSys struct {
	bwrap *bwrap.Config
	// bwrap sync fd
	sp *os.File
	// paths to override by mounting tmpfs over them
	override []string

	// default formatted XDG_RUNTIME_DIR of User
	runtime string
	// target user sealed from config
	user appUser

	// mapped uid and gid in user namespace
	mapuid *stringPair[int]

	needRevert bool
	saveState  bool
	*system.I

	// protected by upstream mutex
}

type appUser struct {
	// application id
	aid *stringPair[int]
	// target uid resolved by fid:aid
	uid *stringPair[int]

	// supplementary group ids
	supp []string

	// home directory host path
	data string
	// app user home directory
	home string
	// passwd database username
	username string
}
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`package app`

			`import (`
system/wayland: sync file at caller specified address Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 13:24:17 +09:00			`"os"`

migrate to git.gensokyo.uk/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-12-20 00:20:02 +09:00			`"git.gensokyo.uk/security/fortify/helper/bwrap"`
system: move out of internal Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 19:00:43 +09:00			`"git.gensokyo.uk/security/fortify/system"`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`)`

app: port app to use the system package This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:38:59 +09:00			`// appSealSys encapsulates app seal behaviour with OS interactions`
			`type appSealSys struct {`
app: integrate bwrap into environment setup Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 04:18:15 +09:00			`bwrap *bwrap.Config`
system/wayland: sync file at caller specified address Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 13:24:17 +09:00			`// bwrap sync fd`
			`sp *os.File`
app: port app to use the system package This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:38:59 +09:00			`// paths to override by mounting tmpfs over them`
			`override []string`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00
app: integrate bwrap into environment setup Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 04:18:15 +09:00			`// default formatted XDG_RUNTIME_DIR of User`
			`runtime string`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`// target user sealed from config`
app: integrate fsu This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-16 21:19:45 +09:00			`user appUser`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00
app: support mapping target uid as privileged uid in sandbox Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-04 03:15:39 +09:00			`// mapped uid and gid in user namespace`
app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-19 00:25:00 +09:00			`mapuid *stringPair[int]`
app: support mapping target uid as privileged uid in sandbox Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-04 03:15:39 +09:00
shim: user switcher process management struct This change moves all user switcher and shim management to the shim package and withholds output while shim is alive. This also eliminated all exit scenarios where revert is skipped. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-27 00:46:15 +09:00			`needRevert bool`
			`saveState bool`
app: port app to use the system package This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:38:59 +09:00			`*system.I`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00
			`// protected by upstream mutex`
			`}`

app: integrate fsu This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-16 21:19:45 +09:00			`type appUser struct {`
app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-19 00:25:00 +09:00			`// application id`
			`aid *stringPair[int]`
			`// target uid resolved by fid:aid`
			`uid *stringPair[int]`
app: integrate fsu This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-16 21:19:45 +09:00
			`// supplementary group ids`
			`supp []string`

app: alternative inner home path Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-18 00:18:21 +09:00			`// home directory host path`
			`data string`
app: integrate fsu This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-11-16 21:19:45 +09:00			`// app user home directory`
			`home string`
			`// passwd database username`
			`username string`
			`}`