security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity
a9986aab6a
fortify/internal/app/app.go

80 lines
1.4 KiB
Go
Raw Normal View History

app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
package app
import (
app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 00:25:00 +09:00
"fmt"
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
"log"
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
"sync"
internal: wrap calls to os standard library functions This change helps tests stub out and simulate OS behaviour during the sealing process. This also removes dependency on XDG_RUNTIME_DIR as the internal.System implementation provided to App provides a compat directory inside the tmpdir-based share when XDG_RUNTIME_DIR is unavailable. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-23 21:46:21 +09:00
migrate to git.gensokyo.uk/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00
"git.gensokyo.uk/security/fortify/fst"
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
"git.gensokyo.uk/security/fortify/internal/fmsg"
sys: rename from linux Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-18 18:47:48 +09:00
"git.gensokyo.uk/security/fortify/internal/sys"
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
)
app: separate interface from implementation Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-18 23:05:37 +09:00
func New(os sys.State) (fst.App, error) {
a := new(app)
app: embed appSeal in app struct Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 01:10:37 +09:00
a.sys = os
app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 00:25:00 +09:00
id := new(fst.ID)
err := fst.NewAppID(id)
a.id = newID(id)
return a, err
app: expose single run method App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 23:39:51 +09:00
}
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
func MustNew(os sys.State) fst.App {
a, err := New(os)
if err != nil {
log.Fatalf("cannot create app: %v", err)
}
return a
}
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
type app struct {
app: defer system.I revert Just returning an error after a successful call of commit will leave garbage behind with no way for the caller to clean them. This change ensures revert is always called after successful commit with at least per-process state enabled. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 21:05:48 +09:00
id *stringPair[fst.ID]
app: embed appSeal in app struct Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 01:10:37 +09:00
sys sys.State
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
*outcome
app: defer system.I revert Just returning an error after a successful call of commit will leave garbage behind with no way for the caller to clean them. This change ensures revert is always called after successful commit with at least per-process state enabled. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 21:05:48 +09:00
mu sync.RWMutex
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
}
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
func (a *app) ID() fst.ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
app: move app ID to app struct App ID is inherent to App, and it makes no sense to generate it as part of the app sealing process. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 00:07:48 +09:00
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
func (a *app) String() string {
if a == nil {
app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 00:25:00 +09:00
return "(invalid app)"
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
}
app: embed appSeal in app struct Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 01:10:37 +09:00
a.mu.RLock()
defer a.mu.RUnlock()
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
if a.outcome != nil {
if a.outcome.user.uid == nil {
app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 00:25:00 +09:00
return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
}
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
}
app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 00:25:00 +09:00
return fmt.Sprintf("(unsealed app %s)", a.id)
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 00:29:36 +09:00
}
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
func (a *app) Seal(config *fst.Config) (fst.SealedApp, error) {
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
a.mu.Lock()
defer a.mu.Unlock()
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
if a.outcome != nil {
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
panic("app sealed twice")
}
if config == nil {
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
return nil, fmsg.WrapError(ErrConfig,
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
"attempted to seal app with nil config")
}
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
seal := new(outcome)
seal.id = a.id
err := seal.finalise(a.sys, config)
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
if err == nil {
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
a.outcome = seal
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
}
app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 16:00:31 +09:00
return seal, err
app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 12:33:51 +09:00
}
Reference in New Issue Copy Permalink