security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity

app/seal: embed enablements
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Run NixOS test (push) Successful in 3m28s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-02-19 00:41:51 +09:00
parent d1f83f40d6
commit 9a10eeab90
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
internal/app/seal.go
View File

@ -48,8 +48,6 @@ type appSeal struct {
// process-specific share directory path local to XDG_RUNTIME_DIR // process-specific share directory path local to XDG_RUNTIME_DIR
shareLocal string shareLocal string
// pass-through enablement tracking from config
et system.Enablements
// initial config gob encoding buffer // initial config gob encoding buffer
ct io.WriterTo ct io.WriterTo
// wayland socket direct access // wayland socket direct access
@ -62,6 +60,7 @@ type appSeal struct {
// seal system-level component // seal system-level component
sys *appSealSys sys *appSealSys
system.Enablements
fst.Paths fst.Paths
// protected by upstream mutex // protected by upstream mutex
@ -258,7 +257,7 @@ func (a *app) Seal(config *fst.Config) error {
seal.sys.I.WrapErr = fmsg.WrapError seal.sys.I.WrapErr = fmsg.WrapError
// pass through enablements // pass through enablements
seal.et = config.Confinement.Enablements seal.Enablements = config.Confinement.Enablements
// this method calls all share methods in sequence // this method calls all share methods in sequence
if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil { if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {

8
internal/app/share.go
View File

@ -140,7 +140,7 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os sys.State) error {
} }
// set up wayland // set up wayland
if seal.et.Has(system.EWayland) { if seal.Has(system.EWayland) {
var socketPath string var socketPath string
if name, ok := os.LookupEnv(wl.WaylandDisplay); !ok { if name, ok := os.LookupEnv(wl.WaylandDisplay); !ok {
fmsg.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName) fmsg.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName)
@ -175,7 +175,7 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os sys.State) error {
} }
// set up X11 // set up X11
if seal.et.Has(system.EX11) { if seal.Has(system.EX11) {
// discover X11 and grant user permission via the `ChangeHosts` command // discover X11 and grant user permission via the `ChangeHosts` command
if d, ok := os.LookupEnv(display); !ok { if d, ok := os.LookupEnv(display); !ok {
return fmsg.WrapError(ErrXDisplay, return fmsg.WrapError(ErrXDisplay,
@ -191,7 +191,7 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os sys.State) error {
PulseAudio server and authentication PulseAudio server and authentication
*/ */
if seal.et.Has(system.EPulse) { if seal.Has(system.EPulse) {
// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`) // check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
pd := path.Join(seal.RuntimePath, "pulse") pd := path.Join(seal.RuntimePath, "pulse")
ps := path.Join(pd, "native") ps := path.Join(pd, "native")
@ -243,7 +243,7 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os sys.State) error {
D-Bus proxy D-Bus proxy
*/ */
if seal.et.Has(system.EDBus) { if seal.Has(system.EDBus) {
// ensure dbus session bus defaults // ensure dbus session bus defaults
if bus[0] == nil { if bus[0] == nil {
bus[0] = dbus.NewConfig(seal.fid, true, true) bus[0] = dbus.NewConfig(seal.fid, true, true)