fortify/cmd/fpkg/start.go

package main

import (
	"flag"
	"path"

	"git.gensokyo.uk/security/fortify/fst"
	"git.gensokyo.uk/security/fortify/helper/bwrap"
	"git.gensokyo.uk/security/fortify/internal/fmsg"
)

func actionStart(args []string) {
	set := flag.NewFlagSet("start", flag.ExitOnError)
	var (
		dropShell      bool
		dropShellNixGL bool
		autoDrivers    bool
	)
	set.BoolVar(&dropShell, "s", false, "Drop to a shell")
	set.BoolVar(&dropShellNixGL, "sg", false, "Drop to a shell on nixGL build")
	set.BoolVar(&autoDrivers, "autodrivers", false, "Attempt automatic opengl driver detection")

	// Ignore errors; set is set for ExitOnError.
	_ = set.Parse(args)

	args = set.Args()

	if len(args) < 1 {
		fmsg.Fatal("invalid argument")
	}

	/*
		Parse app metadata.
	*/

	id := args[0]
	pathSet := pathSetByApp(id)
	app := loadBundleInfo(pathSet.metaPath, func() {})
	if app.ID != id {
		fmsg.Fatalf("app %q claims to have identifier %q", id, app.ID)
	}

	/*
		Prepare nixGL.
	*/

	if app.GPU && autoDrivers {
		withNixDaemon("nix-gl", []string{
			"mkdir -p /nix/.nixGL/auto",
			"rm -rf /nix/.nixGL/auto",
			"export NIXPKGS_ALLOW_UNFREE=1",
			"nix build --impure " +
				"--out-link /nix/.nixGL/auto/opengl " +
				"--override-input nixpkgs path:/etc/nixpkgs " +
				"path:" + app.NixGL,
			"nix build --impure " +
				"--out-link /nix/.nixGL/auto/vulkan " +
				"--override-input nixpkgs path:/etc/nixpkgs " +
				"path:" + app.NixGL + "#nixVulkanNvidia",
		}, true, func(config *fst.Config) *fst.Config {
			config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
				{Src: "/etc/resolv.conf"},
				{Src: "/sys/block"},
				{Src: "/sys/bus"},
				{Src: "/sys/class"},
				{Src: "/sys/dev"},
				{Src: "/sys/devices"},
			}...)
			appendGPUFilesystem(config)
			return config
		}, app, pathSet, dropShellNixGL, func() {})
	}

	/*
		Create app configuration.
	*/

	command := make([]string, 1, len(args))
	if !dropShell {
		command[0] = app.Launcher
	} else {
		command[0] = shell
	}
	command = append(command, args[1:]...)

	config := &fst.Config{
		ID:      app.ID,
		Command: command,
		Confinement: fst.ConfinementConfig{
			AppID:    app.AppID,
			Groups:   app.Groups,
			Username: "fortify",
			Inner:    path.Join("/data/data", app.ID),
			Outer:    pathSet.homeDir,
			Sandbox: &fst.SandboxConfig{
				Hostname:      formatHostname(app.Name),
				UserNS:        app.UserNS,
				Net:           app.Net,
				Dev:           app.Dev,
				Syscall:       &bwrap.SyscallPolicy{DenyDevel: !app.Devel, Multiarch: app.Multiarch, Bluetooth: app.Bluetooth},
				NoNewSession:  app.NoNewSession || dropShell,
				MapRealUID:    app.MapRealUID,
				DirectWayland: app.DirectWayland,
				Filesystem: []*fst.FilesystemConfig{
					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
					{Src: "/etc/resolv.conf"},
					{Src: "/sys/block"},
					{Src: "/sys/bus"},
					{Src: "/sys/class"},
					{Src: "/sys/dev"},
					{Src: "/sys/devices"},
				},
				Link: [][2]string{
					{app.CurrentSystem, "/run/current-system"},
					{"/run/current-system/sw/bin", "/bin"},
					{"/run/current-system/sw/bin", "/usr/bin"},
				},
				Etc:     path.Join(pathSet.cacheDir, "etc"),
				AutoEtc: true,
			},
			ExtraPerms: []*fst.ExtraPermConfig{
				{Path: dataHome, Execute: true},
				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
			},
			SystemBus:   app.SystemBus,
			SessionBus:  app.SessionBus,
			Enablements: app.Enablements,
		},
	}

	/*
		Expose GPU devices.
	*/

	if app.GPU {
		config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
			&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
		appendGPUFilesystem(config)
	}

	/*
		Spawn app.
	*/

	fortifyApp(config, func() {})
	fmsg.Exit(0)
}

func appendGPUFilesystem(config *fst.Config) {
	config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
		{Src: "/dev/dri", Device: true},
		// mali
		{Src: "/dev/mali", Device: true},
		{Src: "/dev/mali0", Device: true},
		{Src: "/dev/umplock", Device: true},
		// nvidia
		{Src: "/dev/nvidiactl", Device: true},
		{Src: "/dev/nvidia-modeset", Device: true},
		// nvidia OpenCL/CUDA
		{Src: "/dev/nvidia-uvm", Device: true},
		{Src: "/dev/nvidia-uvm-tools", Device: true},

		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
	}...)
}
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`package main`

			`import (`
			`"flag"`
			`"path"`

			`"git.gensokyo.uk/security/fortify/fst"`
cmd/fpkg: expose syscall policy options Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-01-22 12:01:30 +09:00			`"git.gensokyo.uk/security/fortify/helper/bwrap"`
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`"git.gensokyo.uk/security/fortify/internal/fmsg"`
			`)`

			`func actionStart(args []string) {`
			`set := flag.NewFlagSet("start", flag.ExitOnError)`
cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00			`var (`
			`dropShell bool`
			`dropShellNixGL bool`
			`autoDrivers bool`
			`)`
cmd/fpkg/start: correct drop to shell wording Activation no longer happens during application startup. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-29 00:56:14 +09:00			`set.BoolVar(&dropShell, "s", false, "Drop to a shell")`
cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00			`set.BoolVar(&dropShellNixGL, "sg", false, "Drop to a shell on nixGL build")`
			`set.BoolVar(&autoDrivers, "autodrivers", false, "Attempt automatic opengl driver detection")`
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00
			`// Ignore errors; set is set for ExitOnError.`
			`_ = set.Parse(args)`

			`args = set.Args()`

			`if len(args) < 1 {`
			`fmsg.Fatal("invalid argument")`
			`}`
cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00
			`/*`
			`Parse app metadata.`
			`*/`

cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`id := args[0]`
			`pathSet := pathSetByApp(id)`
			`app := loadBundleInfo(pathSet.metaPath, func() {})`
			`if app.ID != id {`
			`fmsg.Fatalf("app %q claims to have identifier %q", id, app.ID)`
			`}`

cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00			`/*`
			`Prepare nixGL.`
			`*/`

			`if app.GPU && autoDrivers {`
			`withNixDaemon("nix-gl", []string{`
			`"mkdir -p /nix/.nixGL/auto",`
			`"rm -rf /nix/.nixGL/auto",`
			`"export NIXPKGS_ALLOW_UNFREE=1",`
			`"nix build --impure " +`
			`"--out-link /nix/.nixGL/auto/opengl " +`
			`"--override-input nixpkgs path:/etc/nixpkgs " +`
			`"path:" + app.NixGL,`
			`"nix build --impure " +`
			`"--out-link /nix/.nixGL/auto/vulkan " +`
			`"--override-input nixpkgs path:/etc/nixpkgs " +`
			`"path:" + app.NixGL + "#nixVulkanNvidia",`
			`}, true, func(config fst.Config) fst.Config {`
			`config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{`
			`{Src: "/etc/resolv.conf"},`
			`{Src: "/sys/block"},`
			`{Src: "/sys/bus"},`
			`{Src: "/sys/class"},`
			`{Src: "/sys/dev"},`
			`{Src: "/sys/devices"},`
			`}...)`
			`appendGPUFilesystem(config)`
			`return config`
			`}, app, pathSet, dropShellNixGL, func() {})`
			`}`

			`/*`
			`Create app configuration.`
			`*/`

cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`command := make([]string, 1, len(args))`
			`if !dropShell {`
			`command[0] = app.Launcher`
			`} else {`
			`command[0] = shell`
			`}`
			`command = append(command, args[1:]...)`

			`config := &fst.Config{`
			`ID: app.ID,`
			`Command: command,`
			`Confinement: fst.ConfinementConfig{`
			`AppID: app.AppID,`
			`Groups: app.Groups,`
			`Username: "fortify",`
			`Inner: path.Join("/data/data", app.ID),`
			`Outer: pathSet.homeDir,`
			`Sandbox: &fst.SandboxConfig{`
			`Hostname: formatHostname(app.Name),`
			`UserNS: app.UserNS,`
			`Net: app.Net,`
			`Dev: app.Dev,`
cmd/fpkg: expose syscall policy options Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-01-22 12:01:30 +09:00			`Syscall: &bwrap.SyscallPolicy{DenyDevel: !app.Devel, Multiarch: app.Multiarch, Bluetooth: app.Bluetooth},`
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`NoNewSession: app.NoNewSession \|\| dropShell,`
			`MapRealUID: app.MapRealUID,`
			`DirectWayland: app.DirectWayland,`
			`Filesystem: []*fst.FilesystemConfig{`
			`{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},`
			`{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},`
			`{Src: "/etc/resolv.conf"},`
			`{Src: "/sys/block"},`
			`{Src: "/sys/bus"},`
			`{Src: "/sys/class"},`
			`{Src: "/sys/dev"},`
			`{Src: "/sys/devices"},`
			`},`
			`Link: [][2]string{`
			`{app.CurrentSystem, "/run/current-system"},`
			`{"/run/current-system/sw/bin", "/bin"},`
			`{"/run/current-system/sw/bin", "/usr/bin"},`
			`},`
			`Etc: path.Join(pathSet.cacheDir, "etc"),`
			`AutoEtc: true,`
			`},`
			`ExtraPerms: []*fst.ExtraPermConfig{`
			`{Path: dataHome, Execute: true},`
			`{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},`
			`},`
			`SystemBus: app.SystemBus,`
			`SessionBus: app.SessionBus,`
			`Enablements: app.Enablements,`
			`},`
			`}`

cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00			`/*`
			`Expose GPU devices.`
			`*/`

cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`if app.GPU {`
			`config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,`
cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00			`&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})`
			`appendGPUFilesystem(config)`
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`}`

cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00			`/*`
			`Spawn app.`
			`*/`

cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`fortifyApp(config, func() {})`
			`fmsg.Exit(0)`
			`}`
cmd/fpkg: expose nixGL wrappers Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-30 02:02:20 +09:00
			`func appendGPUFilesystem(config *fst.Config) {`
			`config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{`
			`// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79`
			`{Src: "/dev/dri", Device: true},`
			`// mali`
			`{Src: "/dev/mali", Device: true},`
			`{Src: "/dev/mali0", Device: true},`
			`{Src: "/dev/umplock", Device: true},`
			`// nvidia`
			`{Src: "/dev/nvidiactl", Device: true},`
			`{Src: "/dev/nvidia-modeset", Device: true},`
			`// nvidia OpenCL/CUDA`
			`{Src: "/dev/nvidia-uvm", Device: true},`
			`{Src: "/dev/nvidia-uvm-tools", Device: true},`

			`// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff`
			`{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},`
			`{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},`
			`{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},`
			`{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},`
			`{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},`
			`{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},`
			`{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},`
			`{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},`
			`{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},`
			`{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},`
			`}...)`
			`}`