package app_test
import (
"git.gensokyo.uk/security/fortify/acl"
"git.gensokyo.uk/security/fortify/dbus"
"git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/internal/system"
)
// testCasesNixos pins the seal output expected on a NixOS-style host
// (stubNixOS): for the chromium fst.Config below, sealing must yield the
// instance ID, the system.Op chain and the bwrap.Config that follow, in
// exactly this form. Any change to the privileged setup sequence, the ACL
// grants or the mount layout surfaces here as a test failure.
//
// The system.Op chain is order-sensitive (see the note on /run/user/1971),
// so the builder calls must be kept in the order written.
var testCasesNixos = []sealTestCase{
	{
		"nixos chromium direct wayland", new(stubNixOS),
		&fst.Config{
			ID:      "org.chromium.Chromium",
			Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
			Confinement: fst.ConfinementConfig{
				AppID:    1,
				Groups:   []string{},
				Username: "u0_a1",
				Outer:    "/var/lib/persist/module/fortify/0/1",
				Sandbox: &fst.SandboxConfig{
					UserNS:        true,
					Net:           true,
					MapRealUID:    true,
					DirectWayland: true,
					Env:           nil,
					// Host paths requested inside the sandbox; Must marks the
					// ones whose absence is an error rather than a skip (as
					// the name suggests — confirm against fst).
					Filesystem: []*fst.FilesystemConfig{
						{Src: "/bin", Must: true},
						{Src: "/usr/bin", Must: true},
						{Src: "/nix/store", Must: true},
						{Src: "/run/current-system", Must: true},
						{Src: "/sys/block"},
						{Src: "/sys/bus"},
						{Src: "/sys/class"},
						{Src: "/sys/dev"},
						{Src: "/sys/devices"},
						{Src: "/run/opengl-driver", Must: true},
						{Src: "/dev/dri", Device: true},
					},
					AutoEtc:  true,
					Override: []string{"/var/run/nscd"},
				},
				// System bus: talk-only, filtered.
				SystemBus: &dbus.Config{
					Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
					Filter: true,
				},
				// Session bus: filtered, with a small talk list and
				// ownership restricted to the app's own name prefixes.
				SessionBus: &dbus.Config{
					Talk: []string{
						"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
						"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
						"org.kde.kwalletd5", "org.kde.kwalletd6",
					},
					Own: []string{
						"org.chromium.Chromium.*",
						"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
						"org.mpris.MediaPlayer2.chromium.*",
					},
					Call:      map[string]string{},
					Broadcast: map[string]string{},
					Filter:    true,
				},
				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
			},
		},
		// Expected instance ID; its hex form (8e2c76b0…b5c1) names the
		// per-instance directories in the op chain below.
		fst.ID{
			0x8e, 0x2c, 0x76, 0xb0,
			0x66, 0xda, 0xbe, 0x57,
			0x4c, 0xf0, 0x73, 0xbd,
			0xb4, 0x6e, 0xb5, 0xc1,
		},
		// Expected privileged setup, as a system.Op chain for uid 1000001.
		system.New(1000001).
			Ensure("/tmp/fortify.1971", 0711).
			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
			// Deliberately after the /run/user/1971/fortify op: that Ensure
			// only mkdirs when XDG_RUNTIME_DIR is unset, so this one is
			// expected second even though it is the parent directory.
			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute).
			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
			// Synthetic passwd/group entries for the sandbox identity.
			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n").
			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "fortify:x:1971:\n").
			// Wayland: link the socket into the instance dir and grant
			// rwx on the host socket for the EWayland type.
			Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland").
			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
			// PulseAudio: socket link plus a copy of the auth cookie.
			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
			CopyFile("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
			// D-Bus proxies; the proxied configs repeat the ones given in
			// fst.Config above and the sockets get only read/write ACLs.
			MustProxyDBus("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
				Talk: []string{
					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
					"org.kde.kwalletd5", "org.kde.kwalletd6",
				},
				Own: []string{
					"org.chromium.Chromium.*",
					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
					"org.mpris.MediaPlayer2.chromium.*",
				},
				Call:      map[string]string{},
				Broadcast: map[string]string{},
				Filter:    true,
			}, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", &dbus.Config{
				Talk: []string{
					"org.bluez",
					"org.freedesktop.Avahi",
					"org.freedesktop.UPower",
				},
				Filter: true,
			}).
			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
		// Expected bubblewrap configuration for the sandboxed process.
		(&bwrap.Config{
			Net:      true,
			UserNS:   true,
			Chdir:    "/var/lib/persist/module/fortify/0/1",
			Clearenv: true,
			// Environment is rebuilt from scratch (Clearenv) to exactly
			// this set; PULSE_COOKIE points into the fst.Tmp tmpfs.
			SetEnv: map[string]string{
				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/1971/bus",
				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
				"HOME":                     "/var/lib/persist/module/fortify/0/1",
				"PULSE_COOKIE":             fst.Tmp + "/pulse-cookie",
				"PULSE_SERVER":             "unix:/run/user/1971/pulse/native",
				"SHELL":                    "/run/current-system/sw/bin/zsh",
				"TERM":                     "xterm-256color",
				"USER":                     "u0_a1",
				"WAYLAND_DISPLAY":          "/run/user/1971/wayland-0",
				"XDG_RUNTIME_DIR":          "/run/user/1971",
				"XDG_SESSION_CLASS":        "user",
				"XDG_SESSION_TYPE":         "tty",
			},
			Chmod:         make(bwrap.ChmodConfig),
			NewSession:    true,
			DieWithParent: true,
			AsInit:        true,
		}).SetUID(1971).SetGID(1971).
			Procfs("/proc").
			Tmpfs(fst.Tmp, 4096).
			DevTmpfs("/dev").Mqueue("/dev/mqueue").
			// Binds from Filesystem above, in declaration order. The
			// trailing booleans on Bind are positional flags defined by
			// the bwrap package; their meaning is not visible from this
			// fixture, so do not reorder them — confirm against bwrap.
			Bind("/bin", "/bin").
			Bind("/usr/bin", "/usr/bin").
			Bind("/nix/store", "/nix/store").
			Bind("/run/current-system", "/run/current-system").
			Bind("/sys/block", "/sys/block", true).
			Bind("/sys/bus", "/sys/bus", true).
			Bind("/sys/class", "/sys/class", true).
			Bind("/sys/dev", "/sys/dev", true).
			Bind("/sys/devices", "/sys/devices", true).
			Bind("/run/opengl-driver", "/run/opengl-driver").
			Bind("/dev/dri", "/dev/dri", true, true, true).
			// AutoEtc: host /etc is bound under fst.Tmp and every entry is
			// exposed through a symlink at its usual /etc path, except
			// /etc/mtab which points at /proc/mounts. The entry list is
			// presumably what stubNixOS reports for /etc — verify there.
			// NOTE(review): the expected listing includes /etc/shadow,
			// /etc/sudoers, /etc/subuid and /etc/subgid; what the sandboxed
			// process can actually read through these links depends on the
			// host-side permissions of the bind source, which this fixture
			// does not constrain.
			Bind("/etc", fst.Tmp+"/etc").
			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
			Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
			Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
			Symlink(fst.Tmp+"/etc/default", "/etc/default").
			Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
			Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
			Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
			Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
			Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
			Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
			Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
			Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
			Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
			Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
			Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
			Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
			Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
			Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
			Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
			Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
			Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
			Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
			Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
			Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
			Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
			Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
			Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
			Symlink("/proc/mounts", "/etc/mtab").
			Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
			Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
			Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
			Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
			Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
			Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
			Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
			Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
			Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
			Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
			Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
			Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
			Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
			Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
			Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
			Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
			Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
			Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
			Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
			Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
			Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
			Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
			Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
			Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
			Symlink(fst.Tmp+"/etc/services", "/etc/services").
			Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
			Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
			Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
			Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
			Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
			Symlink(fst.Tmp+"/etc/static", "/etc/static").
			Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
			Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
			Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
			Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
			Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
			Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
			Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
			Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
			Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
			Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
			Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
			Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
			Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
			Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
			Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
			Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
			Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
			Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
			// Per-instance /tmp, user runtime tmpfs and the persisted home.
			Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", false, true).
			Tmpfs("/run/user", 1048576).
			Tmpfs("/run/user/1971", 8388608).
			Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
			// Files produced by the op chain above, mounted at their
			// in-sandbox locations.
			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "/etc/passwd").
			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "/etc/group").
			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland", "/run/user/1971/wayland-0").
			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
			// Override entry from the sandbox config: nscd's socket dir is
			// masked with an empty tmpfs.
			Tmpfs("/var/run/nscd", 8192),
	},
}