fst: optional configured shell path

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-31 19:31:37 +09:00
parent 986105958c
commit 4d55794361
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
5 changed files with 20 additions and 15 deletions


@ -73,6 +73,7 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
Username: "fortify", Username: "fortify",
Inner: path.Join("/data/data", app.ID), Inner: path.Join("/data/data", app.ID),
Outer: pathSet.homeDir, Outer: pathSet.homeDir,
Shell: shellPath,
Sandbox: &fst.SandboxConfig{ Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(app.Name), Hostname: formatHostname(app.Name),
Devel: app.Devel, Devel: app.Devel,


@ -34,6 +34,7 @@ func withNixDaemon(
Username: "fortify", Username: "fortify",
Inner: path.Join("/data/data", app.ID), Inner: path.Join("/data/data", app.ID),
Outer: pathSet.homeDir, Outer: pathSet.homeDir,
Shell: shellPath,
Sandbox: &fst.SandboxConfig{ Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(app.Name) + "-" + action, Hostname: formatHostname(app.Name) + "-" + action,
Userns: true, // nix sandbox requires userns Userns: true, // nix sandbox requires userns
@ -72,6 +73,7 @@ func withCacheDir(
Username: "nixos", Username: "nixos",
Inner: path.Join("/data/data", app.ID, "cache"), Inner: path.Join("/data/data", app.ID, "cache"),
Outer: pathSet.cacheDir, // this also ensures cacheDir via shim Outer: pathSet.cacheDir, // this also ensures cacheDir via shim
Shell: shellPath,
Sandbox: &fst.SandboxConfig{ Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(app.Name) + "-" + action, Hostname: formatHostname(app.Name) + "-" + action,
Seccomp: seccomp.FlagMultiarch, Seccomp: seccomp.FlagMultiarch,


@ -35,6 +35,8 @@ type ConfinementConfig struct {
Inner string `json:"home_inner"` Inner string `json:"home_inner"`
// home directory in init namespace // home directory in init namespace
Outer string `json:"home"` Outer string `json:"home"`
// absolute path to shell, empty for host shell
Shell string `json:"shell,omitempty"`
// abstract sandbox configuration // abstract sandbox configuration
Sandbox *SandboxConfig `json:"sandbox"` Sandbox *SandboxConfig `json:"sandbox"`
// extra acl ops, runs after everything else // extra acl ops, runs after everything else
@ -97,6 +99,7 @@ func Template() *Config {
Username: "chronos", Username: "chronos",
Outer: "/var/lib/persist/home/org.chromium.Chromium", Outer: "/var/lib/persist/home/org.chromium.Chromium",
Inner: "/var/lib/fortify", Inner: "/var/lib/fortify",
Shell: "/run/current-system/sw/bin/zsh",
Sandbox: &SandboxConfig{ Sandbox: &SandboxConfig{
Hostname: "localhost", Hostname: "localhost",
Devel: true, Devel: true,
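Review bot: The new field comment `// absolute path to shell, empty for host shell` does not match how finalise treats the value in this same commit: any non-absolute value, not only an empty one, is replaced with /bin/sh, and an absolute host $SHELL then takes precedence even over a configured absolute path. Since this comment is the contract a config author reads, state it as implemented: `// absolute path to shell inside the container; non-absolute values fall back to /bin/sh, and an absolute host $SHELL overrides it at seal time`. If the override order in finalise is changed later, this comment should follow it. ConfinementConfig and Template both start outside their hunks.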


@ -109,11 +109,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
} }
seal.ctx = ctx seal.ctx = ctx
shellPath := "/bin/sh"
if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
shellPath = s
}
{ {
// encode initial configuration for state tracking // encode initial configuration for state tracking
ct := new(bytes.Buffer) ct := new(bytes.Buffer)
@ -130,10 +125,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
fmt.Sprintf("aid %d out of range", config.Confinement.AppID)) fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
} }
/*
Resolve post-fsu user state
*/
seal.user = fsuUser{ seal.user = fsuUser{
aid: newInt(config.Confinement.AppID), aid: newInt(config.Confinement.AppID),
data: config.Confinement.Outer, data: config.Confinement.Outer,
@ -169,9 +160,14 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
} }
} }
/* // this also falls back to host path if encountering an invalid path
Resolve initial container state if !path.IsAbs(config.Confinement.Shell) {
*/ config.Confinement.Shell = "/bin/sh"
}
if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
config.Confinement.Shell = s
}
// do not use the value of shell before this point
// permissive defaults // permissive defaults
if config.Confinement.Sandbox == nil { if config.Confinement.Sandbox == nil {
@ -186,7 +182,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
config.Path = p config.Path = p
} }
} else { } else {
config.Path = shellPath config.Path = config.Confinement.Shell
} }
} }
@ -256,7 +252,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
if seal.env == nil { if seal.env == nil {
seal.env = make(map[string]string, 1<<6) seal.env = make(map[string]string, 1<<6)
} }
seal.env[shell] = shellPath
} }
/* /*
@ -323,9 +318,10 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
seal.container.Dir = homeDir seal.container.Dir = homeDir
seal.env["HOME"] = homeDir seal.env["HOME"] = homeDir
seal.env["USER"] = username seal.env["USER"] = username
seal.env[shell] = config.Confinement.Shell
seal.container.Place("/etc/passwd", seal.container.Place("/etc/passwd",
[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Fortify:"+homeDir+":"+shellPath+"\n")) []byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Fortify:"+homeDir+":"+config.Confinement.Shell+"\n"))
seal.container.Place("/etc/group", seal.container.Place("/etc/group",
[]byte("fortify:x:"+mapgid.String()+":\n")) []byte("fortify:x:"+mapgid.String()+":\n"))
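Review bot: In the hunk at `@ -169,9 +160,14 @@`, the host $SHELL lookup runs after the configured value has been normalised and overwrites it whenever the host value is absolute, so an explicitly configured `Confinement.Shell` (including the Template's zsh path) only takes effect when the host has no absolute SHELL set. If the configured value is meant to win, consult the environment only when the field is empty and normalise afterwards, as below. The same value is then concatenated into the container's /etc/passwd record in the hunk at `@ -323,9 +318,10 @@` and assigned to config.Path, and path.IsAbs only checks for a leading slash, so a configured value containing `:` or a newline would leave that record malformed; treating such values as invalid in the same fallback condition keeps the passwd line well-formed. finalise starts and ends outside these hunks, and whether strings is already imported in this file is not visible here.
```go
// … unchanged: earlier finalise body …
// configured value wins; host $SHELL is only consulted when the config leaves it empty
if config.Confinement.Shell == "" {
	if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
		config.Confinement.Shell = s
	}
}
// this also falls back to host path if encountering an invalid path;
// ':' and newline are rejected because the value is written into /etc/passwd
if !path.IsAbs(config.Confinement.Shell) || strings.ContainsAny(config.Confinement.Shell, ":\n") {
	config.Confinement.Shell = "/bin/sh"
}
// do not use the value of shell before this point
// … unchanged: permissive defaults …
```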


@ -202,6 +202,7 @@ App
"username": "chronos", "username": "chronos",
"home_inner": "/var/lib/fortify", "home_inner": "/var/lib/fortify",
"home": "/var/lib/persist/home/org.chromium.Chromium", "home": "/var/lib/persist/home/org.chromium.Chromium",
"shell": "/run/current-system/sw/bin/zsh",
"sandbox": { "sandbox": {
"hostname": "localhost", "hostname": "localhost",
"seccomp": 32, "seccomp": 32,
@ -326,6 +327,7 @@ App
"username": "chronos", "username": "chronos",
"home_inner": "/var/lib/fortify", "home_inner": "/var/lib/fortify",
"home": "/var/lib/persist/home/org.chromium.Chromium", "home": "/var/lib/persist/home/org.chromium.Chromium",
"shell": "/run/current-system/sw/bin/zsh",
"sandbox": { "sandbox": {
"hostname": "localhost", "hostname": "localhost",
"seccomp": 32, "seccomp": 32,
@ -504,6 +506,7 @@ func Test_printPs(t *testing.T) {
"username": "chronos", "username": "chronos",
"home_inner": "/var/lib/fortify", "home_inner": "/var/lib/fortify",
"home": "/var/lib/persist/home/org.chromium.Chromium", "home": "/var/lib/persist/home/org.chromium.Chromium",
"shell": "/run/current-system/sw/bin/zsh",
"sandbox": { "sandbox": {
"hostname": "localhost", "hostname": "localhost",
"seccomp": 32, "seccomp": 32,