app: rename /fortify to /.fortify
Also removed the inner share tmpfs mount. Signed-off-by: Ophestra <cat@gensokyo.uk>
parent
8bf12bbe68
commit
7a8b625a57
@ -9,7 +9,7 @@ import (
|
|||||||
"git.gensokyo.uk/security/fortify/internal/system"
|
"git.gensokyo.uk/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
const fTmp = "/fortify"
|
const Tmp = "/.fortify"
|
||||||
|
|
||||||
// Config is used to seal an *App
|
// Config is used to seal an *App
|
||||||
type Config struct {
|
type Config struct {
|
||||||
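Review bot: `Tmp` becomes an exported constant in this hunk but gets no doc comment, so a reader meeting `fst.Tmp` in the test files cannot tell what the directory is for. The later hunks bind host /etc to `Tmp+"/etc"` and, per the updated test expectations, the PulseAudio cookie to `Tmp+"/pulse-cookie"`, so it is the root of the sandbox-private mount tree rather than a scratch dir. I'd put `// Tmp is the tmpfs root inside the sandbox under which fortify mounts its view of host /etc and per-app shared files such as the pulse cookie.` above it. The leading dot only hides the directory from a casual listing and is no access control; the comment should not suggest otherwise.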
@ -119,7 +119,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
|
|||||||
}).
|
}).
|
||||||
SetUID(uid).SetGID(uid).
|
SetUID(uid).SetGID(uid).
|
||||||
Procfs("/proc").
|
Procfs("/proc").
|
||||||
Tmpfs(fTmp, 4*1024)
|
Tmpfs(Tmp, 4*1024)
|
||||||
|
|
||||||
if !s.Dev {
|
if !s.Dev {
|
||||||
conf.DevTmpfs("/dev").Mqueue("/dev/mqueue")
|
conf.DevTmpfs("/dev").Mqueue("/dev/mqueue")
|
||||||
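Review bot: The size literal `4*1024` for the `Tmp` tmpfs is repeated as a bare `4096` in three test expectations (`Tmpfs(fst.Tmp, 4096)`), so the tests pin a number rather than the intent; since `Tmp` itself was just hoisted into an exported constant, the size belongs beside it, `const TmpSize = 4 * 1024`, with `Tmpfs(Tmp, TmpSize)` here and `Tmpfs(fst.Tmp, fst.TmpSize)` in the tests. A why-comment on the mount would also help, e.g. `// private root for the /etc view and shared files; bind mounts do not count against the 4 KiB cap`, because judging from the expectations this tmpfs now carries the pulse-cookie bind as well. `Bwrap` starts before this hunk and continues after it.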
@ -148,7 +148,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if s.AutoEtc {
|
if s.AutoEtc {
|
||||||
conf.Bind("/etc", fTmp+"/etc")
|
conf.Bind("/etc", Tmp+"/etc")
|
||||||
|
|
||||||
// link host /etc contents to prevent passwd/group from being overwritten
|
// link host /etc contents to prevent passwd/group from being overwritten
|
||||||
if d, err := os.ReadDir("/etc"); err != nil {
|
if d, err := os.ReadDir("/etc"); err != nil {
|
||||||
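Review bot: `conf.Bind("/etc", Tmp+"/etc")` passes no option flags, and the test expectations elsewhere (`Bind("/bin", "/bin", false, true)`, `Bind("/dev/dri", "/dev/dri", true, true, true)`) suggest the optional bools are try/write/dev, which would make this a read-only, must-exist bind — presumably what is wanted for host /etc, but nothing on the line says so. I'd make the intent checkable with `conf.Bind("/etc", Tmp+"/etc") // read-only: host /etc must never be writable from inside the sandbox` and confirm against the Bind signature that the no-flag default really is read-only. Note also that `os.ReadDir("/etc")` runs on the host at seal time, so entries created later are not symlinked; that is pre-existing and probably acceptable but worth a one-line comment. The `if s.AutoEtc` block and `Bwrap` continue past this hunk.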
@ -163,7 +163,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
|
|||||||
case "mtab":
|
case "mtab":
|
||||||
conf.Symlink("/proc/mounts", "/etc/"+name)
|
conf.Symlink("/proc/mounts", "/etc/"+name)
|
||||||
default:
|
default:
|
||||||
conf.Symlink(fTmp+"/etc/"+name, "/etc/"+name)
|
conf.Symlink(Tmp+"/etc/"+name, "/etc/"+name)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
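Review bot: The `default` arm symlinks every host /etc entry that is not special-cased, and the updated expectations confirm that includes `shadow`, `sudoers`, `ssh`, `subuid` and `subgid`. Host mode bits on the bound files presumably still apply and the sandbox runs as a non-root uid, so `/etc/shadow` should remain unreadable, but an explicit skip for credential files costs two lines and documents the intent: `case "shadow", "gshadow", "sudoers": // never expose credential files, even behind host permissions` followed by whatever the loop's skip form is, since the `switch` and its `for` header sit outside the hunk. Enclosing `Bwrap` continues past this hunk as well.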
@ -100,7 +100,7 @@ var testCasesNixos = []sealTestCase{
|
|||||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/1971/bus",
|
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/1971/bus",
|
||||||
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
||||||
"HOME": "/var/lib/persist/module/fortify/0/1",
|
"HOME": "/var/lib/persist/module/fortify/0/1",
|
||||||
"PULSE_COOKIE": "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie",
|
"PULSE_COOKIE": fst.Tmp + "/pulse-cookie",
|
||||||
"PULSE_SERVER": "unix:/run/user/1971/pulse/native",
|
"PULSE_SERVER": "unix:/run/user/1971/pulse/native",
|
||||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||||
"TERM": "xterm-256color",
|
"TERM": "xterm-256color",
|
||||||
@ -116,7 +116,7 @@ var testCasesNixos = []sealTestCase{
|
|||||||
AsInit: true,
|
AsInit: true,
|
||||||
}).SetUID(1971).SetGID(1971).
|
}).SetUID(1971).SetGID(1971).
|
||||||
Procfs("/proc").
|
Procfs("/proc").
|
||||||
Tmpfs("/fortify", 4096).
|
Tmpfs(fst.Tmp, 4096).
|
||||||
DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||||
Bind("/bin", "/bin").
|
Bind("/bin", "/bin").
|
||||||
Bind("/usr/bin", "/usr/bin").
|
Bind("/usr/bin", "/usr/bin").
|
||||||
@ -129,87 +129,86 @@ var testCasesNixos = []sealTestCase{
|
|||||||
Bind("/sys/devices", "/sys/devices", true).
|
Bind("/sys/devices", "/sys/devices", true).
|
||||||
Bind("/run/opengl-driver", "/run/opengl-driver").
|
Bind("/run/opengl-driver", "/run/opengl-driver").
|
||||||
Bind("/dev/dri", "/dev/dri", true, true, true).
|
Bind("/dev/dri", "/dev/dri", true, true, true).
|
||||||
Bind("/etc", "/fortify/etc").
|
Bind("/etc", fst.Tmp+"/etc").
|
||||||
Symlink("/fortify/etc/alsa", "/etc/alsa").
|
Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
|
||||||
Symlink("/fortify/etc/bashrc", "/etc/bashrc").
|
Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
|
||||||
Symlink("/fortify/etc/binfmt.d", "/etc/binfmt.d").
|
Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
|
||||||
Symlink("/fortify/etc/dbus-1", "/etc/dbus-1").
|
Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
|
||||||
Symlink("/fortify/etc/default", "/etc/default").
|
Symlink(fst.Tmp+"/etc/default", "/etc/default").
|
||||||
Symlink("/fortify/etc/ethertypes", "/etc/ethertypes").
|
Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
|
||||||
Symlink("/fortify/etc/fonts", "/etc/fonts").
|
Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
|
||||||
Symlink("/fortify/etc/fstab", "/etc/fstab").
|
Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
|
||||||
Symlink("/fortify/etc/fuse.conf", "/etc/fuse.conf").
|
Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
|
||||||
Symlink("/fortify/etc/host.conf", "/etc/host.conf").
|
Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
|
||||||
Symlink("/fortify/etc/hostid", "/etc/hostid").
|
Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
|
||||||
Symlink("/fortify/etc/hostname", "/etc/hostname").
|
Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
|
||||||
Symlink("/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
||||||
Symlink("/fortify/etc/hosts", "/etc/hosts").
|
Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
|
||||||
Symlink("/fortify/etc/inputrc", "/etc/inputrc").
|
Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
|
||||||
Symlink("/fortify/etc/ipsec.d", "/etc/ipsec.d").
|
Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
|
||||||
Symlink("/fortify/etc/issue", "/etc/issue").
|
Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
|
||||||
Symlink("/fortify/etc/kbd", "/etc/kbd").
|
Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
|
||||||
Symlink("/fortify/etc/libblockdev", "/etc/libblockdev").
|
Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
|
||||||
Symlink("/fortify/etc/locale.conf", "/etc/locale.conf").
|
Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
|
||||||
Symlink("/fortify/etc/localtime", "/etc/localtime").
|
Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
|
||||||
Symlink("/fortify/etc/login.defs", "/etc/login.defs").
|
Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
|
||||||
Symlink("/fortify/etc/lsb-release", "/etc/lsb-release").
|
Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
|
||||||
Symlink("/fortify/etc/lvm", "/etc/lvm").
|
Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
|
||||||
Symlink("/fortify/etc/machine-id", "/etc/machine-id").
|
Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
|
||||||
Symlink("/fortify/etc/man_db.conf", "/etc/man_db.conf").
|
Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
|
||||||
Symlink("/fortify/etc/modprobe.d", "/etc/modprobe.d").
|
Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
|
||||||
Symlink("/fortify/etc/modules-load.d", "/etc/modules-load.d").
|
Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
|
||||||
Symlink("/proc/mounts", "/etc/mtab").
|
Symlink("/proc/mounts", "/etc/mtab").
|
||||||
Symlink("/fortify/etc/nanorc", "/etc/nanorc").
|
Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
|
||||||
Symlink("/fortify/etc/netgroup", "/etc/netgroup").
|
Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
|
||||||
Symlink("/fortify/etc/NetworkManager", "/etc/NetworkManager").
|
Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
|
||||||
Symlink("/fortify/etc/nix", "/etc/nix").
|
Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
|
||||||
Symlink("/fortify/etc/nixos", "/etc/nixos").
|
Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
|
||||||
Symlink("/fortify/etc/NIXOS", "/etc/NIXOS").
|
Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
|
||||||
Symlink("/fortify/etc/nscd.conf", "/etc/nscd.conf").
|
Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
|
||||||
Symlink("/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
||||||
Symlink("/fortify/etc/opensnitchd", "/etc/opensnitchd").
|
Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
|
||||||
Symlink("/fortify/etc/os-release", "/etc/os-release").
|
Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
|
||||||
Symlink("/fortify/etc/pam", "/etc/pam").
|
Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
|
||||||
Symlink("/fortify/etc/pam.d", "/etc/pam.d").
|
Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
|
||||||
Symlink("/fortify/etc/pipewire", "/etc/pipewire").
|
Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
|
||||||
Symlink("/fortify/etc/pki", "/etc/pki").
|
Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
|
||||||
Symlink("/fortify/etc/polkit-1", "/etc/polkit-1").
|
Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
|
||||||
Symlink("/fortify/etc/profile", "/etc/profile").
|
Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
|
||||||
Symlink("/fortify/etc/protocols", "/etc/protocols").
|
Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
|
||||||
Symlink("/fortify/etc/qemu", "/etc/qemu").
|
Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
|
||||||
Symlink("/fortify/etc/resolv.conf", "/etc/resolv.conf").
|
Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
|
||||||
Symlink("/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
||||||
Symlink("/fortify/etc/rpc", "/etc/rpc").
|
Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
|
||||||
Symlink("/fortify/etc/samba", "/etc/samba").
|
Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
|
||||||
Symlink("/fortify/etc/sddm.conf", "/etc/sddm.conf").
|
Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
|
||||||
Symlink("/fortify/etc/secureboot", "/etc/secureboot").
|
Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
|
||||||
Symlink("/fortify/etc/services", "/etc/services").
|
Symlink(fst.Tmp+"/etc/services", "/etc/services").
|
||||||
Symlink("/fortify/etc/set-environment", "/etc/set-environment").
|
Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
|
||||||
Symlink("/fortify/etc/shadow", "/etc/shadow").
|
Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
|
||||||
Symlink("/fortify/etc/shells", "/etc/shells").
|
Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
|
||||||
Symlink("/fortify/etc/ssh", "/etc/ssh").
|
Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
|
||||||
Symlink("/fortify/etc/ssl", "/etc/ssl").
|
Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
|
||||||
Symlink("/fortify/etc/static", "/etc/static").
|
Symlink(fst.Tmp+"/etc/static", "/etc/static").
|
||||||
Symlink("/fortify/etc/subgid", "/etc/subgid").
|
Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
|
||||||
Symlink("/fortify/etc/subuid", "/etc/subuid").
|
Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
|
||||||
Symlink("/fortify/etc/sudoers", "/etc/sudoers").
|
Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
|
||||||
Symlink("/fortify/etc/sysctl.d", "/etc/sysctl.d").
|
Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
|
||||||
Symlink("/fortify/etc/systemd", "/etc/systemd").
|
Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
|
||||||
Symlink("/fortify/etc/terminfo", "/etc/terminfo").
|
Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
|
||||||
Symlink("/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
||||||
Symlink("/fortify/etc/udev", "/etc/udev").
|
Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
|
||||||
Symlink("/fortify/etc/udisks2", "/etc/udisks2").
|
Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
|
||||||
Symlink("/fortify/etc/UPower", "/etc/UPower").
|
Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
|
||||||
Symlink("/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
|
Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
|
||||||
Symlink("/fortify/etc/X11", "/etc/X11").
|
Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
|
||||||
Symlink("/fortify/etc/zfs", "/etc/zfs").
|
Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
|
||||||
Symlink("/fortify/etc/zinputrc", "/etc/zinputrc").
|
Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
|
||||||
Symlink("/fortify/etc/zoneinfo", "/etc/zoneinfo").
|
Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
|
||||||
Symlink("/fortify/etc/zprofile", "/etc/zprofile").
|
Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
|
||||||
Symlink("/fortify/etc/zshenv", "/etc/zshenv").
|
Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
|
||||||
Symlink("/fortify/etc/zshrc", "/etc/zshrc").
|
Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
|
||||||
Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", false, true).
|
Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", false, true).
|
||||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
|
||||||
Tmpfs("/run/user", 1048576).
|
Tmpfs("/run/user", 1048576).
|
||||||
Tmpfs("/run/user/1971", 8388608).
|
Tmpfs("/run/user/1971", 8388608).
|
||||||
Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
|
Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
|
||||||
@ -217,7 +216,7 @@ var testCasesNixos = []sealTestCase{
|
|||||||
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "/etc/group").
|
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "/etc/group").
|
||||||
Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland", "/run/user/1971/wayland-0").
|
Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland", "/run/user/1971/wayland-0").
|
||||||
Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
|
Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
|
||||||
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie").
|
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
|
||||||
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
|
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
|
||||||
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
|
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
|
||||||
Tmpfs("/var/run/nscd", 8192),
|
Tmpfs("/var/run/nscd", 8192),
|
||||||
|
@ -53,7 +53,7 @@ var testCasesPd = []sealTestCase{
|
|||||||
AsInit: true,
|
AsInit: true,
|
||||||
}).SetUID(65534).SetGID(65534).
|
}).SetUID(65534).SetGID(65534).
|
||||||
Procfs("/proc").
|
Procfs("/proc").
|
||||||
Tmpfs("/fortify", 4096).
|
Tmpfs(fst.Tmp, 4096).
|
||||||
DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||||
Bind("/bin", "/bin", false, true).
|
Bind("/bin", "/bin", false, true).
|
||||||
Bind("/boot", "/boot", false, true).
|
Bind("/boot", "/boot", false, true).
|
||||||
@ -100,87 +100,86 @@ var testCasesPd = []sealTestCase{
|
|||||||
Bind("/run/wrappers", "/run/wrappers", false, true).
|
Bind("/run/wrappers", "/run/wrappers", false, true).
|
||||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||||
Bind("/etc", "/fortify/etc").
|
Bind("/etc", fst.Tmp+"/etc").
|
||||||
Symlink("/fortify/etc/alsa", "/etc/alsa").
|
Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
|
||||||
Symlink("/fortify/etc/bashrc", "/etc/bashrc").
|
Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
|
||||||
Symlink("/fortify/etc/binfmt.d", "/etc/binfmt.d").
|
Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
|
||||||
Symlink("/fortify/etc/dbus-1", "/etc/dbus-1").
|
Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
|
||||||
Symlink("/fortify/etc/default", "/etc/default").
|
Symlink(fst.Tmp+"/etc/default", "/etc/default").
|
||||||
Symlink("/fortify/etc/ethertypes", "/etc/ethertypes").
|
Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
|
||||||
Symlink("/fortify/etc/fonts", "/etc/fonts").
|
Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
|
||||||
Symlink("/fortify/etc/fstab", "/etc/fstab").
|
Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
|
||||||
Symlink("/fortify/etc/fuse.conf", "/etc/fuse.conf").
|
Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
|
||||||
Symlink("/fortify/etc/host.conf", "/etc/host.conf").
|
Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
|
||||||
Symlink("/fortify/etc/hostid", "/etc/hostid").
|
Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
|
||||||
Symlink("/fortify/etc/hostname", "/etc/hostname").
|
Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
|
||||||
Symlink("/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
||||||
Symlink("/fortify/etc/hosts", "/etc/hosts").
|
Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
|
||||||
Symlink("/fortify/etc/inputrc", "/etc/inputrc").
|
Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
|
||||||
Symlink("/fortify/etc/ipsec.d", "/etc/ipsec.d").
|
Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
|
||||||
Symlink("/fortify/etc/issue", "/etc/issue").
|
Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
|
||||||
Symlink("/fortify/etc/kbd", "/etc/kbd").
|
Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
|
||||||
Symlink("/fortify/etc/libblockdev", "/etc/libblockdev").
|
Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
|
||||||
Symlink("/fortify/etc/locale.conf", "/etc/locale.conf").
|
Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
|
||||||
Symlink("/fortify/etc/localtime", "/etc/localtime").
|
Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
|
||||||
Symlink("/fortify/etc/login.defs", "/etc/login.defs").
|
Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
|
||||||
Symlink("/fortify/etc/lsb-release", "/etc/lsb-release").
|
Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
|
||||||
Symlink("/fortify/etc/lvm", "/etc/lvm").
|
Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
|
||||||
Symlink("/fortify/etc/machine-id", "/etc/machine-id").
|
Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
|
||||||
Symlink("/fortify/etc/man_db.conf", "/etc/man_db.conf").
|
Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
|
||||||
Symlink("/fortify/etc/modprobe.d", "/etc/modprobe.d").
|
Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
|
||||||
Symlink("/fortify/etc/modules-load.d", "/etc/modules-load.d").
|
Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
|
||||||
Symlink("/proc/mounts", "/etc/mtab").
|
Symlink("/proc/mounts", "/etc/mtab").
|
||||||
Symlink("/fortify/etc/nanorc", "/etc/nanorc").
|
Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
|
||||||
Symlink("/fortify/etc/netgroup", "/etc/netgroup").
|
Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
|
||||||
Symlink("/fortify/etc/NetworkManager", "/etc/NetworkManager").
|
Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
|
||||||
Symlink("/fortify/etc/nix", "/etc/nix").
|
Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
|
||||||
Symlink("/fortify/etc/nixos", "/etc/nixos").
|
Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
|
||||||
Symlink("/fortify/etc/NIXOS", "/etc/NIXOS").
|
Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
|
||||||
Symlink("/fortify/etc/nscd.conf", "/etc/nscd.conf").
|
Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
|
||||||
Symlink("/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
||||||
Symlink("/fortify/etc/opensnitchd", "/etc/opensnitchd").
|
Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
|
||||||
Symlink("/fortify/etc/os-release", "/etc/os-release").
|
Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
|
||||||
Symlink("/fortify/etc/pam", "/etc/pam").
|
Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
|
||||||
Symlink("/fortify/etc/pam.d", "/etc/pam.d").
|
Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
|
||||||
Symlink("/fortify/etc/pipewire", "/etc/pipewire").
|
Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
|
||||||
Symlink("/fortify/etc/pki", "/etc/pki").
|
Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
|
||||||
Symlink("/fortify/etc/polkit-1", "/etc/polkit-1").
|
Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
|
||||||
Symlink("/fortify/etc/profile", "/etc/profile").
|
Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
|
||||||
Symlink("/fortify/etc/protocols", "/etc/protocols").
|
Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
|
||||||
Symlink("/fortify/etc/qemu", "/etc/qemu").
|
Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
|
||||||
Symlink("/fortify/etc/resolv.conf", "/etc/resolv.conf").
|
Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
|
||||||
Symlink("/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
||||||
Symlink("/fortify/etc/rpc", "/etc/rpc").
|
Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
|
||||||
Symlink("/fortify/etc/samba", "/etc/samba").
|
Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
|
||||||
Symlink("/fortify/etc/sddm.conf", "/etc/sddm.conf").
|
Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
|
||||||
Symlink("/fortify/etc/secureboot", "/etc/secureboot").
|
Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
|
||||||
Symlink("/fortify/etc/services", "/etc/services").
|
Symlink(fst.Tmp+"/etc/services", "/etc/services").
|
||||||
Symlink("/fortify/etc/set-environment", "/etc/set-environment").
|
Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
|
||||||
Symlink("/fortify/etc/shadow", "/etc/shadow").
|
Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
|
||||||
Symlink("/fortify/etc/shells", "/etc/shells").
|
Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
|
||||||
Symlink("/fortify/etc/ssh", "/etc/ssh").
|
Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
|
||||||
Symlink("/fortify/etc/ssl", "/etc/ssl").
|
Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
|
||||||
Symlink("/fortify/etc/static", "/etc/static").
|
Symlink(fst.Tmp+"/etc/static", "/etc/static").
|
||||||
Symlink("/fortify/etc/subgid", "/etc/subgid").
|
Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
|
||||||
Symlink("/fortify/etc/subuid", "/etc/subuid").
|
Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
|
||||||
Symlink("/fortify/etc/sudoers", "/etc/sudoers").
|
Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
|
||||||
Symlink("/fortify/etc/sysctl.d", "/etc/sysctl.d").
|
Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
|
||||||
Symlink("/fortify/etc/systemd", "/etc/systemd").
|
Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
|
||||||
Symlink("/fortify/etc/terminfo", "/etc/terminfo").
|
Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
|
||||||
Symlink("/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
||||||
Symlink("/fortify/etc/udev", "/etc/udev").
|
Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
|
||||||
Symlink("/fortify/etc/udisks2", "/etc/udisks2").
|
Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
|
||||||
Symlink("/fortify/etc/UPower", "/etc/UPower").
|
Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
|
||||||
Symlink("/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
|
Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
|
||||||
Symlink("/fortify/etc/X11", "/etc/X11").
|
Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
|
||||||
Symlink("/fortify/etc/zfs", "/etc/zfs").
|
Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
|
||||||
Symlink("/fortify/etc/zinputrc", "/etc/zinputrc").
|
Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
|
||||||
Symlink("/fortify/etc/zoneinfo", "/etc/zoneinfo").
|
Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
|
||||||
Symlink("/fortify/etc/zprofile", "/etc/zprofile").
|
Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
|
||||||
Symlink("/fortify/etc/zshenv", "/etc/zshenv").
|
Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
|
||||||
Symlink("/fortify/etc/zshrc", "/etc/zshrc").
|
Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
|
||||||
Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", false, true).
|
Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", false, true).
|
||||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
|
||||||
Tmpfs("/run/user", 1048576).
|
Tmpfs("/run/user", 1048576).
|
||||||
Tmpfs("/run/user/65534", 8388608).
|
Tmpfs("/run/user/65534", 8388608).
|
||||||
Bind("/home/chronos", "/home/chronos", false, true).
|
Bind("/home/chronos", "/home/chronos", false, true).
|
||||||
@ -293,7 +292,7 @@ var testCasesPd = []sealTestCase{
|
|||||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
|
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
|
||||||
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
||||||
"HOME": "/home/chronos",
|
"HOME": "/home/chronos",
|
||||||
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
"PULSE_COOKIE": fst.Tmp + "/pulse-cookie",
|
||||||
"PULSE_SERVER": "unix:/run/user/65534/pulse/native",
|
"PULSE_SERVER": "unix:/run/user/65534/pulse/native",
|
||||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||||
"TERM": "xterm-256color",
|
"TERM": "xterm-256color",
|
||||||
@ -308,7 +307,7 @@ var testCasesPd = []sealTestCase{
|
|||||||
AsInit: true,
|
AsInit: true,
|
||||||
}).SetUID(65534).SetGID(65534).
|
}).SetUID(65534).SetGID(65534).
|
||||||
Procfs("/proc").
|
Procfs("/proc").
|
||||||
Tmpfs("/fortify", 4096).
|
Tmpfs(fst.Tmp, 4096).
|
||||||
DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||||
Bind("/bin", "/bin", false, true).
|
Bind("/bin", "/bin", false, true).
|
||||||
Bind("/boot", "/boot", false, true).
|
Bind("/boot", "/boot", false, true).
|
||||||
@ -356,87 +355,86 @@ var testCasesPd = []sealTestCase{
|
|||||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||||
Bind("/dev/dri", "/dev/dri", true, true, true).
|
Bind("/dev/dri", "/dev/dri", true, true, true).
|
||||||
Bind("/etc", "/fortify/etc").
|
Bind("/etc", fst.Tmp+"/etc").
|
||||||
Symlink("/fortify/etc/alsa", "/etc/alsa").
|
Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
|
||||||
Symlink("/fortify/etc/bashrc", "/etc/bashrc").
|
Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
|
||||||
Symlink("/fortify/etc/binfmt.d", "/etc/binfmt.d").
|
Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
|
||||||
Symlink("/fortify/etc/dbus-1", "/etc/dbus-1").
|
Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
|
||||||
Symlink("/fortify/etc/default", "/etc/default").
|
Symlink(fst.Tmp+"/etc/default", "/etc/default").
|
||||||
Symlink("/fortify/etc/ethertypes", "/etc/ethertypes").
|
Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
|
||||||
Symlink("/fortify/etc/fonts", "/etc/fonts").
|
Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
|
||||||
Symlink("/fortify/etc/fstab", "/etc/fstab").
|
Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
|
||||||
Symlink("/fortify/etc/fuse.conf", "/etc/fuse.conf").
|
Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
|
||||||
Symlink("/fortify/etc/host.conf", "/etc/host.conf").
|
Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
|
||||||
Symlink("/fortify/etc/hostid", "/etc/hostid").
|
Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
|
||||||
Symlink("/fortify/etc/hostname", "/etc/hostname").
|
Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
|
||||||
Symlink("/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
||||||
Symlink("/fortify/etc/hosts", "/etc/hosts").
|
Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
|
||||||
Symlink("/fortify/etc/inputrc", "/etc/inputrc").
|
Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
|
||||||
Symlink("/fortify/etc/ipsec.d", "/etc/ipsec.d").
|
Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
|
||||||
Symlink("/fortify/etc/issue", "/etc/issue").
|
Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
|
||||||
Symlink("/fortify/etc/kbd", "/etc/kbd").
|
Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
|
||||||
Symlink("/fortify/etc/libblockdev", "/etc/libblockdev").
|
Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
|
||||||
Symlink("/fortify/etc/locale.conf", "/etc/locale.conf").
|
Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
|
||||||
Symlink("/fortify/etc/localtime", "/etc/localtime").
|
Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
|
||||||
Symlink("/fortify/etc/login.defs", "/etc/login.defs").
|
Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
|
||||||
Symlink("/fortify/etc/lsb-release", "/etc/lsb-release").
|
Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
|
||||||
Symlink("/fortify/etc/lvm", "/etc/lvm").
|
Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
|
||||||
Symlink("/fortify/etc/machine-id", "/etc/machine-id").
|
Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
|
||||||
Symlink("/fortify/etc/man_db.conf", "/etc/man_db.conf").
|
Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
|
||||||
Symlink("/fortify/etc/modprobe.d", "/etc/modprobe.d").
|
Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
|
||||||
Symlink("/fortify/etc/modules-load.d", "/etc/modules-load.d").
|
Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
|
||||||
Symlink("/proc/mounts", "/etc/mtab").
|
Symlink("/proc/mounts", "/etc/mtab").
|
||||||
Symlink("/fortify/etc/nanorc", "/etc/nanorc").
|
Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
|
||||||
Symlink("/fortify/etc/netgroup", "/etc/netgroup").
|
Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
|
||||||
Symlink("/fortify/etc/NetworkManager", "/etc/NetworkManager").
|
Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
|
||||||
Symlink("/fortify/etc/nix", "/etc/nix").
|
Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
|
||||||
Symlink("/fortify/etc/nixos", "/etc/nixos").
|
Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
|
||||||
Symlink("/fortify/etc/NIXOS", "/etc/NIXOS").
|
Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
|
||||||
Symlink("/fortify/etc/nscd.conf", "/etc/nscd.conf").
|
Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
|
||||||
Symlink("/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
||||||
Symlink("/fortify/etc/opensnitchd", "/etc/opensnitchd").
|
Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
|
||||||
Symlink("/fortify/etc/os-release", "/etc/os-release").
|
Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
|
||||||
Symlink("/fortify/etc/pam", "/etc/pam").
|
Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
|
||||||
Symlink("/fortify/etc/pam.d", "/etc/pam.d").
|
Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
|
||||||
Symlink("/fortify/etc/pipewire", "/etc/pipewire").
|
Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
|
||||||
Symlink("/fortify/etc/pki", "/etc/pki").
|
Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
|
||||||
Symlink("/fortify/etc/polkit-1", "/etc/polkit-1").
|
Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
|
||||||
Symlink("/fortify/etc/profile", "/etc/profile").
|
Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
|
||||||
Symlink("/fortify/etc/protocols", "/etc/protocols").
|
Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
|
||||||
Symlink("/fortify/etc/qemu", "/etc/qemu").
|
Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
|
||||||
Symlink("/fortify/etc/resolv.conf", "/etc/resolv.conf").
|
Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
|
||||||
Symlink("/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
||||||
Symlink("/fortify/etc/rpc", "/etc/rpc").
|
Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
|
||||||
Symlink("/fortify/etc/samba", "/etc/samba").
|
Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
|
||||||
Symlink("/fortify/etc/sddm.conf", "/etc/sddm.conf").
|
Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
|
||||||
Symlink("/fortify/etc/secureboot", "/etc/secureboot").
|
Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
|
||||||
Symlink("/fortify/etc/services", "/etc/services").
|
Symlink(fst.Tmp+"/etc/services", "/etc/services").
|
||||||
Symlink("/fortify/etc/set-environment", "/etc/set-environment").
|
Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
|
||||||
Symlink("/fortify/etc/shadow", "/etc/shadow").
|
Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
|
||||||
Symlink("/fortify/etc/shells", "/etc/shells").
|
Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
|
||||||
Symlink("/fortify/etc/ssh", "/etc/ssh").
|
Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
|
||||||
Symlink("/fortify/etc/ssl", "/etc/ssl").
|
Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
|
||||||
Symlink("/fortify/etc/static", "/etc/static").
|
Symlink(fst.Tmp+"/etc/static", "/etc/static").
|
||||||
Symlink("/fortify/etc/subgid", "/etc/subgid").
|
Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
|
||||||
Symlink("/fortify/etc/subuid", "/etc/subuid").
|
Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
|
||||||
Symlink("/fortify/etc/sudoers", "/etc/sudoers").
|
Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
|
||||||
Symlink("/fortify/etc/sysctl.d", "/etc/sysctl.d").
|
Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
|
||||||
Symlink("/fortify/etc/systemd", "/etc/systemd").
|
Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
|
||||||
Symlink("/fortify/etc/terminfo", "/etc/terminfo").
|
Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
|
||||||
Symlink("/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
||||||
Symlink("/fortify/etc/udev", "/etc/udev").
|
Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
|
||||||
Symlink("/fortify/etc/udisks2", "/etc/udisks2").
|
Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
|
||||||
Symlink("/fortify/etc/UPower", "/etc/UPower").
|
Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
|
||||||
Symlink("/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
|
Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
|
||||||
Symlink("/fortify/etc/X11", "/etc/X11").
|
Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
|
||||||
Symlink("/fortify/etc/zfs", "/etc/zfs").
|
Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
|
||||||
Symlink("/fortify/etc/zinputrc", "/etc/zinputrc").
|
Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
|
||||||
Symlink("/fortify/etc/zoneinfo", "/etc/zoneinfo").
|
Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
|
||||||
Symlink("/fortify/etc/zprofile", "/etc/zprofile").
|
Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
|
||||||
Symlink("/fortify/etc/zshenv", "/etc/zshenv").
|
Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
|
||||||
Symlink("/fortify/etc/zshrc", "/etc/zshrc").
|
Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
|
||||||
Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", false, true).
|
Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", false, true).
|
||||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
|
||||||
Tmpfs("/run/user", 1048576).
|
Tmpfs("/run/user", 1048576).
|
||||||
Tmpfs("/run/user/65534", 8388608).
|
Tmpfs("/run/user/65534", 8388608).
|
||||||
Bind("/home/chronos", "/home/chronos", false, true).
|
Bind("/home/chronos", "/home/chronos", false, true).
|
||||||
@ -444,7 +442,7 @@ var testCasesPd = []sealTestCase{
|
|||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
||||||
Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
|
Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
|
||||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
|
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
||||||
Tmpfs("/var/run/nscd", 8192),
|
Tmpfs("/var/run/nscd", 8192),
|
||||||
|
@ -6,6 +6,7 @@ import (
|
|||||||
"io/fs"
|
"io/fs"
|
||||||
"path"
|
"path"
|
||||||
|
|
||||||
|
"git.gensokyo.uk/security/fortify/fst"
|
||||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||||
"git.gensokyo.uk/security/fortify/internal/linux"
|
"git.gensokyo.uk/security/fortify/internal/linux"
|
||||||
"git.gensokyo.uk/security/fortify/internal/system"
|
"git.gensokyo.uk/security/fortify/internal/system"
|
||||||
@ -69,9 +70,10 @@ func (seal *appSeal) sharePulse(os linux.System) error {
|
|||||||
fmsg.VPrintln(err.(*fmsg.BaseError).Message())
|
fmsg.VPrintln(err.(*fmsg.BaseError).Message())
|
||||||
} else {
|
} else {
|
||||||
dst := path.Join(seal.share, "pulse-cookie")
|
dst := path.Join(seal.share, "pulse-cookie")
|
||||||
seal.sys.bwrap.SetEnv[pulseCookie] = dst
|
innerDst := fst.Tmp + "/pulse-cookie"
|
||||||
|
seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
|
||||||
seal.sys.CopyFile(dst, src)
|
seal.sys.CopyFile(dst, src)
|
||||||
seal.sys.bwrap.Bind(dst, dst)
|
seal.sys.bwrap.Bind(dst, innerDst)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
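Review bot: `innerDst := fst.Tmp + "/pulse-cookie"` builds the in-sandbox path by string concatenation while `dst` on the line directly above uses `path.Join`, and `path` is already imported in this file; `innerDst := path.Join(fst.Tmp, "pulse-cookie")` keeps the two forms consistent and yields the same string for the current value of `fst.Tmp`. The bind also appears to depend on the `fst.Tmp` tmpfs from `SandboxConfig.Bwrap` being added to the bwrap config before this entry; if that ordering is not guaranteed elsewhere, a one-line comment such as `// innerDst sits on the fst.Tmp tmpfs mounted by SandboxConfig.Bwrap` would make the assumption visible to the next reader. sharePulse begins outside the hunk.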
|
@ -33,9 +33,6 @@ func (seal *appSeal) shareSystem() {
|
|||||||
seal.sys.Ensure(targetTmpdir, 01700)
|
seal.sys.Ensure(targetTmpdir, 01700)
|
||||||
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
||||||
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
||||||
|
|
||||||
// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
|
|
||||||
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (seal *appSeal) sharePasswd(os linux.System) {
|
func (seal *appSeal) sharePasswd(os linux.System) {
|
||||||
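Review bot: Removing the tmpfs over `seal.SharePath` leaves nothing in shareSystem stating that the host share directory is no longer shadowed inside the sandbox, so a future share* helper that binds to a destination under `seal.SharePath` would presumably land inside the app's `/tmp` bind of `targetTmpdir` instead of on a private mount; the pulse cookie was the only such consumer and this commit moves it to `fst.Tmp`, but that invariant is now implicit. Suggest a comment on the `/tmp` bind line: `// the share directory is not mounted inside the sandbox; in-sandbox paths must live under fst.Tmp`. shareSystem begins outside the hunk.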
|