app: ensure extra paths

The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:07:49 +09:00 · 2024-12-28 14:07:49 +09:00 · b9e2003d5b
commit b9e2003d5b
parent 66ec0d882f
3 changed files with 14 additions and 4 deletions
--- a/fst/config.go
+++ b/fst/config.go
@ -81,6 +81,7 @@ type SandboxConfig struct {
 }

 type ExtraPermConfig struct {
+	Ensure  bool   `json:"ensure,omitempty"`
 	Path    string `json:"path"`
 	Read    bool   `json:"r,omitempty"`
 	Write   bool   `json:"w,omitempty"`
@ -88,8 +89,12 @@ type ExtraPermConfig struct {
 }

 func (e *ExtraPermConfig) String() string {
-	buf := make([]byte, 0, 4+len(e.Path))
-	buf = append(buf, '-', '-', '-', ':')
+	buf := make([]byte, 0, 5+len(e.Path))
+	buf = append(buf, '-', '-', '-')
+	if e.Ensure {
+		buf = append(buf, '+')
+	}
+	buf = append(buf, ':')
 	buf = append(buf, []byte(e.Path)...)
 	if e.Read {
 		buf[0] = 'r'
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -63,8 +63,9 @@ type appSeal struct {
 }

 type sealedExtraPerm struct {
-	name  string
-	perms acl.Perms
+	name   string
+	perms  acl.Perms
+	ensure bool
 }

 // Seal seals the app launch context
@ -169,6 +170,7 @@ func (a *app) Seal(config *fst.Config) error {
 		if p.Execute {
 			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
 		}
+		seal.extraPerms[i].ensure = p.Ensure
 	}

 	// map sandbox config to bwrap
--- a/internal/app/share.go
+++ b/internal/app/share.go
@ -297,6 +297,9 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 		if p == nil {
 			continue
 		}
+		if p.ensure {
+			seal.sys.Ensure(p.name, 0700)
+		}
 		seal.sys.UpdatePermType(system.User, p.name, p.perms...)
 	}