diff --git a/internal/app/app_nixos_test.go b/internal/app/app_nixos_test.go
index e6e232b..b27dccf 100644
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@@ -62,8 +62,6 @@ var testCasesNixos = []sealTestCase{
 Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
- WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n").
- WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "fortify:x:1971:\n").
 Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland").
 UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
 Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
@@ -212,8 +210,8 @@ var testCasesNixos = []sealTestCase{
 Tmpfs("/run/user", 1048576).
 Tmpfs("/run/user/1971", 8388608).
 Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
- Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "/etc/passwd").
- Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "/etc/group").
+ CopyBind("/etc/passwd", []byte("u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
+ CopyBind("/etc/group", []byte("fortify:x:1971:\n")).
 Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland", "/run/user/1971/wayland-0").
 Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
 Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
diff --git a/internal/app/app_pd_test.go b/internal/app/app_pd_test.go
index e124e87..2d042a2 100644
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@@ -32,9 +32,7 @@ var testCasesPd = []sealTestCase{
 Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute).
 Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
- Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
- WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
- WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "fortify:x:65534:\n"),
+ Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute),
 (&bwrap.Config{
 Net: true,
 UserNS: true,
@@ -154,8 +152,8 @@ var testCasesPd = []sealTestCase{
 Tmpfs("/run/user", 1048576).
 Tmpfs("/run/user/65534", 8388608).
 Bind("/home/chronos", "/home/chronos", false, true).
- Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
- Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
+ CopyBind("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+ CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
 Tmpfs("/var/run/nscd", 8192).
 Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
 Symlink("fortify", "/.fortify/sbin/init"),
@@ -218,8 +216,6 @@ var testCasesPd = []sealTestCase{
 Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
- WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
- WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "fortify:x:65534:\n").
 Ensure("/tmp/fortify.1971/wayland", 0711).
 Wayland("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
@@ -382,8 +378,8 @@ var testCasesPd = []sealTestCase{
 Tmpfs("/run/user", 1048576).
 Tmpfs("/run/user/65534", 8388608).
 Bind("/home/chronos", "/home/chronos", false, true).
- Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
- Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
+ CopyBind("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+ CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
 Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
 Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
 Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie").
diff --git a/internal/app/share.go b/internal/app/share.go index 528cd09..fbeb099 100644 --- a/internal/app/share.go +++ b/internal/app/share.go @@ -113,34 +113,25 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error { sh = s } - // generate /etc/passwd - passwdPath := path.Join(seal.share, "passwd") - username := "chronos" - if seal.sys.user.username != "" { - username = seal.sys.user.username - } + // bind home directory homeDir := "/var/empty" if seal.sys.user.home != "" { homeDir = seal.sys.user.home } - - // bind home directory + username := "chronos" + if seal.sys.user.username != "" { + username = seal.sys.user.username + } seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true) seal.sys.bwrap.Chdir = homeDir - - seal.sys.bwrap.SetEnv["USER"] = username seal.sys.bwrap.SetEnv["HOME"] = homeDir + seal.sys.bwrap.SetEnv["USER"] = username - passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n" - seal.sys.Write(passwdPath, passwd) - - // write /etc/group - groupPath := path.Join(seal.share, "group") - seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n") - - // bind /etc/passwd and /etc/group - seal.sys.bwrap.Bind(passwdPath, "/etc/passwd") - seal.sys.bwrap.Bind(groupPath, "/etc/group") + // generate /etc/passwd and /etc/group + seal.sys.bwrap.CopyBind("/etc/passwd", + []byte(username+":x:"+seal.sys.mappedIDString+":"+seal.sys.mappedIDString+":Fortify:"+homeDir+":"+sh+"\n")) + seal.sys.bwrap.CopyBind("/etc/group", + []byte("fortify:x:"+seal.sys.mappedIDString+":\n")) /* Display servers
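Review bot: The two `CopyBind` calls build the `/etc/passwd` and `/etc/group` content by plain concatenation of `username`, `homeDir` and `sh`, and nothing in this hunk rejects a `:` or a newline in those values. A newline in any of them would add a second entry to the passwd file seen inside the sandbox, and a colon would shift the fields of the intended entry. Whether `seal.sys.user.username`, `seal.sys.user.home` and the shell are validated before `setupShares` runs is not visible here, since the function starts and ends outside the hunk. If they are not, a guard before the first `CopyBind` would close it, for example `if strings.ContainsAny(username+homeDir+sh, ":\n") { return errors.New("invalid character in passwd field") }`. A `sealTestCase` entry with such a value would pin the behaviour.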