security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 25 Wiki Activity

cmd/fpkg: remove workDir acl from activation
All checks were successful
Tests / Go tests (push) Successful in 33s
Details
Nix / NixOS tests (push) Successful in 3m56s
Details

Browse Source 
Activation does not require access to workDir, and by this point all information is available in dataHome.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2024-12-29 23:48:45 +09:00
parent f8d0786509
commit 66ba4cea5c
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
cmd/fpkg/install.go
View File

@ -155,7 +155,7 @@ func actionInstall(args []string) {
"rm -rf .local/state/{nix,home-manager}",
// run activation script
bundle.ActivationPackage + "/activate",
}, false, workDir, bundle, pathSet, dropShellActivate, cleanup)
}, false, bundle, pathSet, dropShellActivate, cleanup)
/*
Installation complete. Write metadata to block re-installs or downgrades.
@ -184,7 +184,7 @@ func actionInstall(args []string) {
cleanup()
}
func withNixDaemon(action string, command []string, net bool, workDir string, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
func withNixDaemon(action string, command []string, net bool, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
fortifyAppDropShell(&fst.Config{
ID: bundle.ID,
Command: []string{shell, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
@ -221,7 +221,6 @@ func withNixDaemon(action string, command []string, net bool, workDir string, bu
ExtraPerms: []*fst.ExtraPermConfig{
{Path: dataHome, Execute: true},
{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
{Path: workDir, Execute: true},
},
},
}, dropShell, beforeFail)