diff --git a/internal/app/share.runtime.go b/internal/app/share.runtime.go
index 0c7149e..79570e6 100644
--- a/internal/app/share.runtime.go
+++ b/internal/app/share.runtime.go
@@ -31,15 +31,6 @@ func (seal *appSeal) shareRuntime() {
 	// ensure runtime directory ACL (e.g. `/run/user/%d`)
 	seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
-	// ensure Share (e.g. `/tmp/fortify.%d`)
-	// acl is unnecessary as this directory is world executable
-	seal.sys.Ensure(seal.SharePath, 0701)
-
-	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
-	// acl is unnecessary as this directory is world executable
-	seal.share = path.Join(seal.SharePath, seal.id.String())
-	seal.sys.Ephemeral(system.Process, seal.share, 0701)
-
 	// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
 	seal.shareLocal = path.Join(seal.RunDirPath, seal.id.String())
 	seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
diff --git a/internal/app/share.system.go b/internal/app/share.system.go
index e4c848b..9b2565a 100644
--- a/internal/app/share.system.go
+++ b/internal/app/share.system.go
@@ -14,6 +14,31 @@ const (
 // shareSystem queues various system-related actions
 func (seal *appSeal) shareSystem() {
+	// ensure Share (e.g. `/tmp/fortify.%d`)
+	// acl is unnecessary as this directory is world executable
+	seal.sys.Ensure(seal.SharePath, 0701)
+
+	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
+	// acl is unnecessary as this directory is world executable
+	seal.share = path.Join(seal.SharePath, seal.id.String())
+	seal.sys.Ephemeral(system.Process, seal.share, 0701)
+
+	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
+	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
+	seal.sys.Ensure(targetTmpdirParent, 0700)
+	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
+
+	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
+	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)
+	seal.sys.Ensure(targetTmpdir, 01700)
+	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
+	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
+
+	// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
+	seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
+}
+
+func (seal *appSeal) sharePasswd() {
 	// look up shell
 	sh := "/bin/sh"
 	if s, ok := os.LookupEnv(shell); ok {
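Review bot: `sharePasswd` is introduced without a doc comment, and the retained `// shareSystem queues various system-related actions` now heads a body that only creates the shared `/tmp/fortify.%d` hierarchy, the per-user child tmpdir and the tmpfs; suggest `// sharePasswd queues the passwd and group bind mounts for the child` and `// shareSystem queues creation of the shared directories, the child tmpdir and its tmpfs`. The `Tmpfs(seal.SharePath, 1*1024*1024)` queued after `Bind(targetTmpdir, "/tmp", false, true)` is carried over from shareTmpdirChild unchanged, but why a tmpfs is layered at the share root after `/tmp` is bound is not stated anywhere; a one-line why-comment on the Tmpfs call would keep a later reorder of these two queued mounts from going unnoticed, assuming bwrap applies them in queue order. `Ensure(seal.SharePath, 0701)` and `Ensure(targetTmpdirParent, 0700)` operate under the sticky `/tmp`; if Ensure accepts a pre-existing path without checking its owner and mode, that assumption deserves a comment here now that this is the single place the share root is created. The body of sharePasswd continues past the end of the hunk.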
@@ -44,21 +69,3 @@ func (seal *appSeal) shareSystem() {
 	seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
 	seal.sys.bwrap.Bind(groupPath, "/etc/group")
 }
-
-func (seal *appSeal) shareTmpdirChild() string {
-	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
-	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
-	seal.sys.Ensure(targetTmpdirParent, 0700)
-	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
-
-	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
-	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)
-	seal.sys.Ensure(targetTmpdir, 01700)
-	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
-	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
-
-	// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
-	seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
-
-	return targetTmpdir
-}
diff --git a/internal/app/system.go b/internal/app/system.go
index 4aeaec2..240b38b 100644
--- a/internal/app/system.go
+++ b/internal/app/system.go
@@ -8,7 +8,6 @@ import (
 	"git.ophivana.moe/cat/fortify/internal"
 	"git.ophivana.moe/cat/fortify/internal/state"
 	"git.ophivana.moe/cat/fortify/internal/system"
-	"git.ophivana.moe/cat/fortify/internal/verbose"
 )
 // appSeal seals the application with child-related information
@@ -76,10 +75,9 @@ func (seal *appSeal) shareAll(bus [2]*dbus.Config) error {
 	}
 	seal.shared = true
-	targetTmpdir := seal.shareTmpdirChild()
-	verbose.Printf("child tmpdir %q configured\n", targetTmpdir)
-	seal.shareRuntime()
 	seal.shareSystem()
+	seal.shareRuntime()
+	seal.sharePasswd()
 	if err := seal.shareDisplay(); err != nil {
 		return err
 	}
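Review bot: The reorder to `seal.shareSystem()` before `seal.shareRuntime()` in shareAll encodes an ordering dependency that is not stated: shareSystem now performs the `Ensure(seal.SharePath, 0701)` that shareRuntime used to, so any later step that touches the share root relies on this call order without a hint in the code; suggest `// shareSystem first: it creates SharePath, which later steps may depend on` above the three calls. Dropping `verbose.Printf("child tmpdir %q configured\n", targetTmpdir)` also removes the only runtime record of which host directory is bound as the child's `/tmp`; if that remains useful when diagnosing a sandbox, it can be emitted from inside shareSystem, where targetTmpdir is now a local. shareAll starts before and continues past this hunk.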