app: port passwd and group files to copy

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 03:19:06 +09:00 · 2025-02-15 03:19:06 +09:00 · 0340c67995
commit 0340c67995
parent 72b0160aad
3 changed files with 18 additions and 33 deletions
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -62,8 +62,6 @@ var testCasesNixos = []sealTestCase{
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
 			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n").
 			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "fortify:x:1971:\n").
 			Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland").
 			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
@ -212,8 +210,8 @@ var testCasesNixos = []sealTestCase{
 			Tmpfs("/run/user", 1048576).
 			Tmpfs("/run/user/1971", 8388608).
 			Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "/etc/passwd").
+			CopyBind("/etc/passwd", []byte("u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "/etc/group").
+			CopyBind("/etc/group", []byte("fortify:x:1971:\n")).
 			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland", "/run/user/1971/wayland-0").
 			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -32,9 +32,7 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute).
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
+			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute),
 			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
 			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "fortify:x:65534:\n"),
 		(&bwrap.Config{
 			Net:      true,
 			UserNS:   true,
@ -154,8 +152,8 @@ var testCasesPd = []sealTestCase{
 			Tmpfs("/run/user", 1048576).
 			Tmpfs("/run/user/65534", 8388608).
 			Bind("/home/chronos", "/home/chronos", false, true).
-			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
+			CopyBind("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
+			CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
 			Tmpfs("/var/run/nscd", 8192).
 			Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
 			Symlink("fortify", "/.fortify/sbin/init"),
@ -218,8 +216,6 @@ var testCasesPd = []sealTestCase{
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
 			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
 			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "fortify:x:65534:\n").
 			Ensure("/tmp/fortify.1971/wayland", 0711).
 			Wayland("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
@ -382,8 +378,8 @@ var testCasesPd = []sealTestCase{
 			Tmpfs("/run/user", 1048576).
 			Tmpfs("/run/user/65534", 8388608).
 			Bind("/home/chronos", "/home/chronos", false, true).
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
+			CopyBind("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
+			CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
 			Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
 			Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
 			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie").
--- a/internal/app/share.go
+++ b/internal/app/share.go
@ -113,34 +113,25 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 		sh = s
 	}
-	// generate /etc/passwd
+	// bind home directory
 	passwdPath := path.Join(seal.share, "passwd")
 	username := "chronos"
 	if seal.sys.user.username != "" {
 		username = seal.sys.user.username
 	}
 	homeDir := "/var/empty"
 	if seal.sys.user.home != "" {
 		homeDir = seal.sys.user.home
 	}
-
+	username := "chronos"
-	// bind home directory
+	if seal.sys.user.username != "" {
 		username = seal.sys.user.username
 	}
 	seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
 	seal.sys.bwrap.Chdir = homeDir
 	seal.sys.bwrap.SetEnv["USER"] = username
 	seal.sys.bwrap.SetEnv["HOME"] = homeDir
 	seal.sys.bwrap.SetEnv["USER"] = username
-	passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
+	// generate /etc/passwd and /etc/group
-	seal.sys.Write(passwdPath, passwd)
+	seal.sys.bwrap.CopyBind("/etc/passwd",
-
+		[]byte(username+":x:"+seal.sys.mappedIDString+":"+seal.sys.mappedIDString+":Fortify:"+homeDir+":"+sh+"\n"))
-	// write /etc/group
+	seal.sys.bwrap.CopyBind("/etc/group",
-	groupPath := path.Join(seal.share, "group")
+		[]byte("fortify:x:"+seal.sys.mappedIDString+":\n"))
 	seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
 	// bind /etc/passwd and /etc/group
 	seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
 	seal.sys.bwrap.Bind(groupPath, "/etc/group")
 	/*
 		Display servers