Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
parent
866270ff05
commit
05b7dbf066
@ -23,7 +23,7 @@ var testCasesNixos = []sealTestCase{
|
|||||||
Confinement: app.ConfinementConfig{
|
Confinement: app.ConfinementConfig{
|
||||||
AppID: 0,
|
AppID: 0,
|
||||||
Username: "chronos",
|
Username: "chronos",
|
||||||
Home: "/home/chronos",
|
Outer: "/home/chronos",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
app.ID{
|
app.ID{
|
||||||
@ -204,7 +204,7 @@ var testCasesNixos = []sealTestCase{
|
|||||||
AppID: 9,
|
AppID: 9,
|
||||||
Groups: []string{"video"},
|
Groups: []string{"video"},
|
||||||
Username: "chronos",
|
Username: "chronos",
|
||||||
Home: "/home/chronos",
|
Outer: "/home/chronos",
|
||||||
SessionBus: &dbus.Config{
|
SessionBus: &dbus.Config{
|
||||||
Talk: []string{
|
Talk: []string{
|
||||||
"org.freedesktop.Notifications",
|
"org.freedesktop.Notifications",
|
||||||
|
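Review bot: Neither updated case in testCasesNixos sets Inner, so the behaviour this commit introduces — binding the outer home to a different path inside the sandbox — is not exercised here or in the hunk at -23,7; both hunks only rename `Home` to `Outer`. A case with `Outer: "/home/chronos"` and `Inner: "/var/lib/fortify"` that checks the resulting bind source and destination, plus one with Inner left empty that checks the home falls back to Outer, would pin both paths of the new fallback in Seal. The testCasesNixos literal continues outside both hunks.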
@ -30,8 +30,10 @@ type ConfinementConfig struct {
|
|||||||
Groups []string `json:"groups"`
|
Groups []string `json:"groups"`
|
||||||
// passwd username in the sandbox, defaults to chronos
|
// passwd username in the sandbox, defaults to chronos
|
||||||
Username string `json:"username,omitempty"`
|
Username string `json:"username,omitempty"`
|
||||||
// home directory in sandbox
|
// home directory in sandbox, empty for outer
|
||||||
Home string `json:"home"`
|
Inner string `json:"home_inner"`
|
||||||
|
// home directory in init namespace
|
||||||
|
Outer string `json:"home"`
|
||||||
// bwrap sandbox confinement configuration
|
// bwrap sandbox confinement configuration
|
||||||
Sandbox *SandboxConfig `json:"sandbox"`
|
Sandbox *SandboxConfig `json:"sandbox"`
|
||||||
|
|
||||||
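Review bot: The comment on Inner, `// home directory in sandbox, empty for outer`, leaves the relationship between the two fields implicit, and the mismatch between the field names (Inner/Outer) and the JSON keys (`home_inner`/`home`) is unexplained, as is why `home_inner` lacks the `omitempty` that `username` has. Suggest `// home directory as seen inside the sandbox; when empty, Outer is used` on Inner and `// home directory on the host (init namespace); must be absolute, bind-mounted to Inner` on Outer, with a sentence noting that the `home` JSON key is presumably kept on Outer so existing configuration files keep their meaning. The ConfinementConfig struct continues outside the hunk.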
@ -185,7 +187,8 @@ func Template() *Config {
|
|||||||
AppID: 9,
|
AppID: 9,
|
||||||
Groups: []string{"video"},
|
Groups: []string{"video"},
|
||||||
Username: "chronos",
|
Username: "chronos",
|
||||||
Home: "/var/lib/persist/home/org.chromium.Chromium",
|
Outer: "/var/lib/persist/home/org.chromium.Chromium",
|
||||||
|
Inner: "/var/lib/fortify",
|
||||||
Sandbox: &SandboxConfig{
|
Sandbox: &SandboxConfig{
|
||||||
Hostname: "localhost",
|
Hostname: "localhost",
|
||||||
UserNS: true,
|
UserNS: true,
|
||||||
|
@ -100,15 +100,19 @@ func (a *app) Seal(config *Config) error {
|
|||||||
seal.sys.user = appUser{
|
seal.sys.user = appUser{
|
||||||
aid: config.Confinement.AppID,
|
aid: config.Confinement.AppID,
|
||||||
as: strconv.Itoa(config.Confinement.AppID),
|
as: strconv.Itoa(config.Confinement.AppID),
|
||||||
home: config.Confinement.Home,
|
data: config.Confinement.Outer,
|
||||||
|
home: config.Confinement.Inner,
|
||||||
username: config.Confinement.Username,
|
username: config.Confinement.Username,
|
||||||
}
|
}
|
||||||
if seal.sys.user.username == "" {
|
if seal.sys.user.username == "" {
|
||||||
seal.sys.user.username = "chronos"
|
seal.sys.user.username = "chronos"
|
||||||
}
|
}
|
||||||
if seal.sys.user.home == "" || !path.IsAbs(seal.sys.user.home) {
|
if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
|
||||||
return fmsg.WrapError(ErrHome,
|
return fmsg.WrapError(ErrHome,
|
||||||
fmt.Sprintf("invalid home directory %q", seal.sys.user.home))
|
fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
|
||||||
|
}
|
||||||
|
if seal.sys.user.home == "" {
|
||||||
|
seal.sys.user.home = seal.sys.user.data
|
||||||
}
|
}
|
||||||
|
|
||||||
// invoke fsu for full uid
|
// invoke fsu for full uid
|
||||||
|
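Review bot: The absolute-path check in this hunk validates only the host path (`seal.sys.user.data`); the sandbox path taken from `config.Confinement.Inner` is defaulted when empty and otherwise passed through unchecked, so a relative or `..`-containing `home_inner` from the configuration file reaches the bind destination and Chdir unvalidated. Adding, before the fallback, `if seal.sys.user.home != "" && !path.IsAbs(seal.sys.user.home) {` / `return fmsg.WrapError(ErrHome, fmt.Sprintf("invalid inner home directory %q", seal.sys.user.home))` / `}` keeps the same error type for both paths. The error message for the outer path could also say "outer" now that two home paths exist. Seal's body continues outside the hunk.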
@ -58,7 +58,7 @@ func (seal *appSeal) sharePasswd(os linux.System) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// bind home directory
|
// bind home directory
|
||||||
seal.sys.bwrap.Bind(homeDir, homeDir, false, true)
|
seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
|
||||||
seal.sys.bwrap.Chdir = homeDir
|
seal.sys.bwrap.Chdir = homeDir
|
||||||
|
|
||||||
seal.sys.bwrap.SetEnv["USER"] = username
|
seal.sys.bwrap.SetEnv["USER"] = username
|
||||||
|
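Review bot: The `// bind home directory` comment no longer conveys that the source and destination of the bind can differ, which is the point of the change on the next line. Suggest `// bind outer home directory (host path) onto the inner home path` so a reader does not assume an identity bind as before. `homeDir` is defined outside the hunk; it is presumably the inner path (`seal.sys.user.home`), which is worth stating in the same comment once confirmed.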
@ -44,6 +44,8 @@ type appUser struct {
|
|||||||
// string representation of aid
|
// string representation of aid
|
||||||
as string
|
as string
|
||||||
|
|
||||||
|
// home directory host path
|
||||||
|
data string
|
||||||
// app user home directory
|
// app user home directory
|
||||||
home string
|
home string
|
||||||
// passwd database username
|
// passwd database username
|
||||||
|
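Review bot: The new `data` field and the existing `home` field use different vocabulary from the config fields they are populated from (`Outer` and `Inner` in Seal), and the comment `// home directory host path` does not say which of the two is the bind source. Suggest `// home directory host path (Confinement.Outer); bind source for the sandbox home` on data and `// app user home directory inside the sandbox (Confinement.Inner, falls back to data when empty)` on home, matching the fallback in Seal. The appUser struct continues outside the hunk.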
2
main.go
2
main.go
@ -188,7 +188,7 @@ func main() {
|
|||||||
|
|
||||||
config.Confinement.AppID = aid
|
config.Confinement.AppID = aid
|
||||||
config.Confinement.Groups = groups
|
config.Confinement.Groups = groups
|
||||||
config.Confinement.Home = homeDir
|
config.Confinement.Outer = homeDir
|
||||||
config.Confinement.Username = userName
|
config.Confinement.Username = userName
|
||||||
|
|
||||||
// enablements from flags
|
// enablements from flags
|
||||||
|