app/share: fix order to ensure SharePath before any of its subdirectories
shareTmpdirChild happened to request an ephemeral dir within SharePath, but it was called before shareRuntime, which is what ensured that path. This commit moves the SharePath initialisation into shareSystem and folds shareTmpdirChild into shareSystem as well. Further cleanup and tests are desperately needed for the app package, but for now this fix will have to do. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
parent
4ebb98649e
commit
65bd7d18db
@ -31,15 +31,6 @@ func (seal *appSeal) shareRuntime() {
|
|||||||
// ensure runtime directory ACL (e.g. `/run/user/%d`)
|
// ensure runtime directory ACL (e.g. `/run/user/%d`)
|
||||||
seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
|
seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
|
||||||
|
|
||||||
// ensure Share (e.g. `/tmp/fortify.%d`)
|
|
||||||
// acl is unnecessary as this directory is world executable
|
|
||||||
seal.sys.Ensure(seal.SharePath, 0701)
|
|
||||||
|
|
||||||
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
|
||||||
// acl is unnecessary as this directory is world executable
|
|
||||||
seal.share = path.Join(seal.SharePath, seal.id.String())
|
|
||||||
seal.sys.Ephemeral(system.Process, seal.share, 0701)
|
|
||||||
|
|
||||||
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
|
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
|
||||||
seal.shareLocal = path.Join(seal.RunDirPath, seal.id.String())
|
seal.shareLocal = path.Join(seal.RunDirPath, seal.id.String())
|
||||||
seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
|
seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
|
||||||
|
@ -14,6 +14,31 @@ const (
|
|||||||
|
|
||||||
// shareSystem queues various system-related actions
|
// shareSystem queues various system-related actions
|
||||||
func (seal *appSeal) shareSystem() {
|
func (seal *appSeal) shareSystem() {
|
||||||
|
// ensure Share (e.g. `/tmp/fortify.%d`)
|
||||||
|
// acl is unnecessary as this directory is world executable
|
||||||
|
seal.sys.Ensure(seal.SharePath, 0701)
|
||||||
|
|
||||||
|
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
||||||
|
// acl is unnecessary as this directory is world executable
|
||||||
|
seal.share = path.Join(seal.SharePath, seal.id.String())
|
||||||
|
seal.sys.Ephemeral(system.Process, seal.share, 0701)
|
||||||
|
|
||||||
|
// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
|
||||||
|
targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
|
||||||
|
seal.sys.Ensure(targetTmpdirParent, 0700)
|
||||||
|
seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
|
||||||
|
|
||||||
|
// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
|
||||||
|
targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)
|
||||||
|
seal.sys.Ensure(targetTmpdir, 01700)
|
||||||
|
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
||||||
|
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
||||||
|
|
||||||
|
// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
|
||||||
|
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (seal *appSeal) sharePasswd() {
|
||||||
// look up shell
|
// look up shell
|
||||||
sh := "/bin/sh"
|
sh := "/bin/sh"
|
||||||
if s, ok := os.LookupEnv(shell); ok {
|
if s, ok := os.LookupEnv(shell); ok {
|
||||||
@ -44,21 +69,3 @@ func (seal *appSeal) shareSystem() {
|
|||||||
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
||||||
seal.sys.bwrap.Bind(groupPath, "/etc/group")
|
seal.sys.bwrap.Bind(groupPath, "/etc/group")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (seal *appSeal) shareTmpdirChild() string {
|
|
||||||
// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
|
|
||||||
targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
|
|
||||||
seal.sys.Ensure(targetTmpdirParent, 0700)
|
|
||||||
seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
|
|
||||||
|
|
||||||
// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
|
|
||||||
targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)
|
|
||||||
seal.sys.Ensure(targetTmpdir, 01700)
|
|
||||||
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
|
||||||
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
|
||||||
|
|
||||||
// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
|
|
||||||
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
|
||||||
|
|
||||||
return targetTmpdir
|
|
||||||
}
|
|
||||||
|
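Review bot: `seal.sys.Ensure(seal.SharePath, 0701)` in the new shareSystem creates a directory with a predictable name under a world-writable sticky directory (`/tmp/fortify.%d` per the comment), which is the classic pre-creation/symlink hazard: if Ensure merely mkdirs when the path is missing, another local user can create that path (or a symlink) first, and everything queued after it — the per-process share, `tmpdir/<uid>` with its rwx ACL for the target user, and the `Bind(targetTmpdir, "/tmp")` into the sandbox — ends up inside storage that user controls. Ensure's implementation is not visible in this hunk, so if it already refuses a pre-existing path that is a symlink or not owned by the calling uid this is covered; if it does not, it should lstat after the mkdir and reject anything that is not a directory owned by the current uid. Either way a comment at that line stating the assumption would help, e.g. `// /tmp is world-writable: Ensure must refuse a pre-existing SharePath not owned by us`. The same consideration applies to `targetTmpdir`, which is Ensure'd with 01700 rather than created ephemerally and therefore persists between runs.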
@ -8,7 +8,6 @@ import (
|
|||||||
"git.ophivana.moe/cat/fortify/internal"
|
"git.ophivana.moe/cat/fortify/internal"
|
||||||
"git.ophivana.moe/cat/fortify/internal/state"
|
"git.ophivana.moe/cat/fortify/internal/state"
|
||||||
"git.ophivana.moe/cat/fortify/internal/system"
|
"git.ophivana.moe/cat/fortify/internal/system"
|
||||||
"git.ophivana.moe/cat/fortify/internal/verbose"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// appSeal seals the application with child-related information
|
// appSeal seals the application with child-related information
|
||||||
@ -76,10 +75,9 @@ func (seal *appSeal) shareAll(bus [2]*dbus.Config) error {
|
|||||||
}
|
}
|
||||||
seal.shared = true
|
seal.shared = true
|
||||||
|
|
||||||
targetTmpdir := seal.shareTmpdirChild()
|
|
||||||
verbose.Printf("child tmpdir %q configured\n", targetTmpdir)
|
|
||||||
seal.shareRuntime()
|
|
||||||
seal.shareSystem()
|
seal.shareSystem()
|
||||||
|
seal.shareRuntime()
|
||||||
|
seal.sharePasswd()
|
||||||
if err := seal.shareDisplay(); err != nil {
|
if err := seal.shareDisplay(); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
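Review bot: The new call order in shareAll (`seal.shareSystem()` before `seal.shareRuntime()` and `seal.sharePasswd()`) is the whole point of this commit, yet nothing in the code records that it is load-bearing, so the next cleanup can silently reintroduce the bug by reordering the calls. Assuming seal.sys executes queued actions in enqueue order, as the commit message implies, a comment above the first call such as `// shareSystem must come first: it ensures SharePath, which later share* steps create entries under` would pin the invariant. Note also that the removed `verbose.Printf("child tmpdir %q configured\n", targetTmpdir)` was the only diagnostic for the tmpdir path; if that output was useful when debugging sandboxes, shareSystem could log it instead now that it owns that path. The shareAll body continues past the end of this hunk.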