Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
parent
866270ff05
commit
05b7dbf066
@ -23,7 +23,7 @@ var testCasesNixos = []sealTestCase{
|
||||
Confinement: app.ConfinementConfig{
|
||||
AppID: 0,
|
||||
Username: "chronos",
|
||||
Home: "/home/chronos",
|
||||
Outer: "/home/chronos",
|
||||
},
|
||||
},
|
||||
app.ID{
|
||||
@ -204,7 +204,7 @@ var testCasesNixos = []sealTestCase{
|
||||
AppID: 9,
|
||||
Groups: []string{"video"},
|
||||
Username: "chronos",
|
||||
Home: "/home/chronos",
|
||||
Outer: "/home/chronos",
|
||||
SessionBus: &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.freedesktop.Notifications",
|
||||
|
@ -30,8 +30,10 @@ type ConfinementConfig struct {
|
||||
Groups []string `json:"groups"`
|
||||
// passwd username in the sandbox, defaults to chronos
|
||||
Username string `json:"username,omitempty"`
|
||||
// home directory in sandbox
|
||||
Home string `json:"home"`
|
||||
// home directory in sandbox, empty for outer
|
||||
Inner string `json:"home_inner"`
|
||||
// home directory in init namespace
|
||||
Outer string `json:"home"`
|
||||
// bwrap sandbox confinement configuration
|
||||
Sandbox *SandboxConfig `json:"sandbox"`
|
||||
|
||||
@ -185,7 +187,8 @@ func Template() *Config {
|
||||
AppID: 9,
|
||||
Groups: []string{"video"},
|
||||
Username: "chronos",
|
||||
Home: "/var/lib/persist/home/org.chromium.Chromium",
|
||||
Outer: "/var/lib/persist/home/org.chromium.Chromium",
|
||||
Inner: "/var/lib/fortify",
|
||||
Sandbox: &SandboxConfig{
|
||||
Hostname: "localhost",
|
||||
UserNS: true,
|
||||
|
@ -100,15 +100,19 @@ func (a *app) Seal(config *Config) error {
|
||||
seal.sys.user = appUser{
|
||||
aid: config.Confinement.AppID,
|
||||
as: strconv.Itoa(config.Confinement.AppID),
|
||||
home: config.Confinement.Home,
|
||||
data: config.Confinement.Outer,
|
||||
home: config.Confinement.Inner,
|
||||
username: config.Confinement.Username,
|
||||
}
|
||||
if seal.sys.user.username == "" {
|
||||
seal.sys.user.username = "chronos"
|
||||
}
|
||||
if seal.sys.user.home == "" || !path.IsAbs(seal.sys.user.home) {
|
||||
if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
|
||||
return fmsg.WrapError(ErrHome,
|
||||
fmt.Sprintf("invalid home directory %q", seal.sys.user.home))
|
||||
fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
|
||||
}
|
||||
if seal.sys.user.home == "" {
|
||||
seal.sys.user.home = seal.sys.user.data
|
||||
}
|
||||
|
||||
// invoke fsu for full uid
|
||||
|
@ -58,7 +58,7 @@ func (seal *appSeal) sharePasswd(os linux.System) {
|
||||
}
|
||||
|
||||
// bind home directory
|
||||
seal.sys.bwrap.Bind(homeDir, homeDir, false, true)
|
||||
seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
|
||||
seal.sys.bwrap.Chdir = homeDir
|
||||
|
||||
seal.sys.bwrap.SetEnv["USER"] = username
|
||||
|
@ -44,6 +44,8 @@ type appUser struct {
|
||||
// string representation of aid
|
||||
as string
|
||||
|
||||
// home directory host path
|
||||
data string
|
||||
// app user home directory
|
||||
home string
|
||||
// passwd database username
|
||||
|
Loading…
Reference in New Issue
Block a user