fortify/cmd/fpkg/start.go

package main

import (
	"flag"
	"path"

	"git.gensokyo.uk/security/fortify/fst"
	"git.gensokyo.uk/security/fortify/internal/fmsg"
)

func actionStart(args []string) {
	set := flag.NewFlagSet("start", flag.ExitOnError)
	var dropShell bool
	set.BoolVar(&dropShell, "s", false, "Drop to a shell")

	// Ignore errors; set is set for ExitOnError.
	_ = set.Parse(args)

	args = set.Args()

	if len(args) < 1 {
		fmsg.Fatal("invalid argument")
	}
	id := args[0]
	pathSet := pathSetByApp(id)
	app := loadBundleInfo(pathSet.metaPath, func() {})

	if app.ID != id {
		fmsg.Fatalf("app %q claims to have identifier %q", id, app.ID)
	}

	command := make([]string, 1, len(args))
	if !dropShell {
		command[0] = app.Launcher
	} else {
		command[0] = shell
	}
	command = append(command, args[1:]...)

	config := &fst.Config{
		ID:      app.ID,
		Command: command,
		Confinement: fst.ConfinementConfig{
			AppID:    app.AppID,
			Groups:   app.Groups,
			Username: "fortify",
			Inner:    path.Join("/data/data", app.ID),
			Outer:    pathSet.homeDir,
			Sandbox: &fst.SandboxConfig{
				Hostname:      formatHostname(app.Name),
				UserNS:        app.UserNS,
				Net:           app.Net,
				Dev:           app.Dev,
				NoNewSession:  app.NoNewSession || dropShell,
				MapRealUID:    app.MapRealUID,
				DirectWayland: app.DirectWayland,
				Filesystem: []*fst.FilesystemConfig{
					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
					{Src: "/etc/resolv.conf"},
					{Src: "/sys/block"},
					{Src: "/sys/bus"},
					{Src: "/sys/class"},
					{Src: "/sys/dev"},
					{Src: "/sys/devices"},
				},
				Link: [][2]string{
					{app.CurrentSystem, "/run/current-system"},
					{"/run/current-system/sw/bin", "/bin"},
					{"/run/current-system/sw/bin", "/usr/bin"},
				},
				Etc:     path.Join(pathSet.cacheDir, "etc"),
				AutoEtc: true,
			},
			ExtraPerms: []*fst.ExtraPermConfig{
				{Path: dataHome, Execute: true},
				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
			},
			SystemBus:   app.SystemBus,
			SessionBus:  app.SessionBus,
			Enablements: app.Enablements,
		},
	}

	if app.GPU {
		config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
			// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
			&fst.FilesystemConfig{Src: "/dev/dri", Device: true},
			// mali
			&fst.FilesystemConfig{Src: "/dev/mali", Device: true},
			&fst.FilesystemConfig{Src: "/dev/mali0", Device: true},
			&fst.FilesystemConfig{Src: "/dev/umplock", Device: true},
			// nvidia
			&fst.FilesystemConfig{Src: "/dev/nvidiactl", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia-modeset", Device: true},
			// nvidia OpenCL/CUDA
			&fst.FilesystemConfig{Src: "/dev/nvidia-uvm", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia-uvm-tools", Device: true},

			// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
			&fst.FilesystemConfig{Src: "/dev/nvidia0", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia1", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia2", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia3", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia4", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia5", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia6", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia7", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia8", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia9", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia10", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia11", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia12", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia13", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia14", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia15", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia16", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia17", Device: true},
			&fst.FilesystemConfig{Src: "/dev/nvidia18", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia19", Device: true},
		)
	}

	fortifyApp(config, func() {})
	fmsg.Exit(0)
}
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`package main`

			`import (`
			`"flag"`
			`"path"`

			`"git.gensokyo.uk/security/fortify/fst"`
			`"git.gensokyo.uk/security/fortify/internal/fmsg"`
			`)`

			`func actionStart(args []string) {`
			`set := flag.NewFlagSet("start", flag.ExitOnError)`
			`var dropShell bool`
cmd/fpkg/start: correct drop to shell wording Activation no longer happens during application startup. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-29 00:56:14 +09:00			`set.BoolVar(&dropShell, "s", false, "Drop to a shell")`
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00
			`// Ignore errors; set is set for ExitOnError.`
			`_ = set.Parse(args)`

			`args = set.Args()`

			`if len(args) < 1 {`
			`fmsg.Fatal("invalid argument")`
			`}`
			`id := args[0]`
			`pathSet := pathSetByApp(id)`
			`app := loadBundleInfo(pathSet.metaPath, func() {})`

			`if app.ID != id {`
			`fmsg.Fatalf("app %q claims to have identifier %q", id, app.ID)`
			`}`

			`command := make([]string, 1, len(args))`
			`if !dropShell {`
			`command[0] = app.Launcher`
			`} else {`
			`command[0] = shell`
			`}`
			`command = append(command, args[1:]...)`

			`config := &fst.Config{`
			`ID: app.ID,`
			`Command: command,`
			`Confinement: fst.ConfinementConfig{`
			`AppID: app.AppID,`
			`Groups: app.Groups,`
			`Username: "fortify",`
			`Inner: path.Join("/data/data", app.ID),`
			`Outer: pathSet.homeDir,`
			`Sandbox: &fst.SandboxConfig{`
			`Hostname: formatHostname(app.Name),`
			`UserNS: app.UserNS,`
			`Net: app.Net,`
			`Dev: app.Dev,`
			`NoNewSession: app.NoNewSession \|\| dropShell,`
			`MapRealUID: app.MapRealUID,`
			`DirectWayland: app.DirectWayland,`
			`Filesystem: []*fst.FilesystemConfig{`
			`{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},`
			`{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},`
			`{Src: "/etc/resolv.conf"},`
			`{Src: "/sys/block"},`
			`{Src: "/sys/bus"},`
			`{Src: "/sys/class"},`
			`{Src: "/sys/dev"},`
			`{Src: "/sys/devices"},`
			`},`
			`Link: [][2]string{`
			`{app.CurrentSystem, "/run/current-system"},`
			`{"/run/current-system/sw/bin", "/bin"},`
			`{"/run/current-system/sw/bin", "/usr/bin"},`
			`},`
			`Etc: path.Join(pathSet.cacheDir, "etc"),`
			`AutoEtc: true,`
			`},`
			`ExtraPerms: []*fst.ExtraPermConfig{`
			`{Path: dataHome, Execute: true},`
			`{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},`
			`},`
			`SystemBus: app.SystemBus,`
			`SessionBus: app.SessionBus,`
			`Enablements: app.Enablements,`
			`},`
			`}`

			`if app.GPU {`
			`config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,`
cmd/fpkg: bind and document more gpu devices Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-29 18:25:26 +09:00			`// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79`
			`&fst.FilesystemConfig{Src: "/dev/dri", Device: true},`
			`// mali`
			`&fst.FilesystemConfig{Src: "/dev/mali", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/mali0", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/umplock", Device: true},`
			`// nvidia`
			`&fst.FilesystemConfig{Src: "/dev/nvidiactl", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia-modeset", Device: true},`
			`// nvidia OpenCL/CUDA`
			`&fst.FilesystemConfig{Src: "/dev/nvidia-uvm", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia-uvm-tools", Device: true},`

			`// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff`
			`&fst.FilesystemConfig{Src: "/dev/nvidia0", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia1", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia2", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia3", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia4", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia5", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia6", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia7", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia8", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia9", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia10", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia11", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia12", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia13", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia14", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia15", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia16", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia17", Device: true},`
			`&fst.FilesystemConfig{Src: "/dev/nvidia18", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia19", Device: true},`
			`)`
cmd/fpkg: app bundle helper This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk> 2024-12-26 13:21:49 +09:00			`}`

			`fortifyApp(config, func() {})`
			`fmsg.Exit(0)`
			`}`