app: extra acl entries from configuration
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
c70f0612ad
commit
847b667489
SSH Key Fingerprint:
SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
@ -35,6 +35,8 @@ type ConfinementConfig struct {
|
||||
Outer string `json:"home"`
|
||||
// bwrap sandbox confinement configuration
|
||||
Sandbox *SandboxConfig `json:"sandbox"`
|
||||
// extra acl entries to append
|
||||
ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
|
||||
|
||||
// reference to a system D-Bus proxy configuration,
|
||||
// nil value disables system bus proxy
|
||||
@ -78,6 +80,29 @@ type SandboxConfig struct {
|
||||
Override []string `json:"override"`
|
||||
}
|
||||
|
||||
type ExtraPermConfig struct {
|
||||
Path string `json:"path"`
|
||||
Read bool `json:"r,omitempty"`
|
||||
Write bool `json:"w,omitempty"`
|
||||
Execute bool `json:"x,omitempty"`
|
||||
}
|
||||
|
||||
func (e *ExtraPermConfig) String() string {
|
||||
buf := make([]byte, 0, 4+len(e.Path))
|
||||
buf = append(buf, '-', '-', '-', ':')
|
||||
buf = append(buf, []byte(e.Path)...)
|
||||
if e.Read {
|
||||
buf[0] = 'r'
|
||||
}
|
||||
if e.Write {
|
||||
buf[1] = 'w'
|
||||
}
|
||||
if e.Execute {
|
||||
buf[2] = 'x'
|
||||
}
|
||||
return string(buf)
|
||||
}
|
||||
|
||||
type FilesystemConfig struct {
|
||||
// mount point in sandbox, same as src if empty
|
||||
Dst string `json:"dst,omitempty"`
|
||||
|
||||
@ -8,6 +8,7 @@ import (
|
||||
"regexp"
|
||||
"strconv"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/acl"
|
||||
"git.gensokyo.uk/security/fortify/dbus"
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
@ -48,6 +49,8 @@ type appSeal struct {
|
||||
et system.Enablements
|
||||
// wayland socket direct access
|
||||
directWayland bool
|
||||
// extra UpdatePerm ops
|
||||
extraPerms []*sealedExtraPerm
|
||||
|
||||
// prevents sharing from happening twice
|
||||
shared bool
|
||||
@ -59,6 +62,11 @@ type appSeal struct {
|
||||
// protected by upstream mutex
|
||||
}
|
||||
|
||||
type sealedExtraPerm struct {
|
||||
name string
|
||||
perms acl.Perms
|
||||
}
|
||||
|
||||
// Seal seals the app launch context
|
||||
func (a *app) Seal(config *fst.Config) error {
|
||||
a.lock.Lock()
|
||||
@ -100,7 +108,7 @@ func (a *app) Seal(config *fst.Config) error {
|
||||
if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
|
||||
return fmsg.WrapError(ErrUser,
|
||||
fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
|
||||
} else {
|
||||
}
|
||||
seal.sys.user = appUser{
|
||||
aid: config.Confinement.AppID,
|
||||
as: strconv.Itoa(config.Confinement.AppID),
|
||||
@ -141,6 +149,26 @@ func (a *app) Seal(config *fst.Config) error {
|
||||
seal.sys.user.supp[i] = g.Gid
|
||||
}
|
||||
}
|
||||
|
||||
// build extra perms
|
||||
seal.extraPerms = make([]*sealedExtraPerm, len(config.Confinement.ExtraPerms))
|
||||
for i, p := range config.Confinement.ExtraPerms {
|
||||
if p == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
seal.extraPerms[i] = new(sealedExtraPerm)
|
||||
seal.extraPerms[i].name = p.Path
|
||||
seal.extraPerms[i].perms = make(acl.Perms, 0, 3)
|
||||
if p.Read {
|
||||
seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Read)
|
||||
}
|
||||
if p.Write {
|
||||
seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Write)
|
||||
}
|
||||
if p.Execute {
|
||||
seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
|
||||
}
|
||||
}
|
||||
|
||||
// map sandbox config to bwrap
|
||||
|
||||
@ -292,6 +292,14 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
|
||||
seal.sys.bwrap.Tmpfs(dest, 8*1024)
|
||||
}
|
||||
|
||||
// append extra perms
|
||||
for _, p := range seal.extraPerms {
|
||||
if p == nil {
|
||||
continue
|
||||
}
|
||||
seal.sys.UpdatePermType(system.User, p.name, p.perms...)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
18
print.go
18
print.go
@ -90,14 +90,17 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
|
||||
fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
|
||||
fmt.Fprintf(w, "\n")
|
||||
|
||||
if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
|
||||
fmt.Fprintf(w, "Filesystem:\n")
|
||||
if !short {
|
||||
if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
|
||||
fmt.Fprintf(w, "Filesystem\n")
|
||||
for _, f := range config.Confinement.Sandbox.Filesystem {
|
||||
if f == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
expr := new(strings.Builder)
|
||||
expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
|
||||
|
||||
if f.Device {
|
||||
expr.WriteString(" d")
|
||||
} else if f.Write {
|
||||
@ -118,6 +121,17 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
|
||||
}
|
||||
fmt.Fprintf(w, "\n")
|
||||
}
|
||||
if len(config.Confinement.ExtraPerms) > 0 {
|
||||
fmt.Fprintf(w, "Extra ACL\n")
|
||||
for _, p := range config.Confinement.ExtraPerms {
|
||||
if p == nil {
|
||||
continue
|
||||
}
|
||||
fmt.Fprintf(w, " %s\n", p.String())
|
||||
}
|
||||
fmt.Fprintf(w, "\n")
|
||||
}
|
||||
}
|
||||
|
||||
printDBus := func(c *dbus.Config) {
|
||||
fmt.Fprintf(w, " Filter:\t%v\n", c.Filter)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user