app: ensure extra paths
All checks were successful
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 3m37s

The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app).

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2024-12-28 14:07:49 +09:00
parent 66ec0d882f
commit b9e2003d5b
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
3 changed files with 14 additions and 4 deletions

View File

@ -81,6 +81,7 @@ type SandboxConfig struct {
}
type ExtraPermConfig struct {
Ensure bool `json:"ensure,omitempty"`
Path string `json:"path"`
Read bool `json:"r,omitempty"`
Write bool `json:"w,omitempty"`
@ -88,8 +89,12 @@ type ExtraPermConfig struct {
}
func (e *ExtraPermConfig) String() string {
buf := make([]byte, 0, 4+len(e.Path))
buf = append(buf, '-', '-', '-', ':')
buf := make([]byte, 0, 5+len(e.Path))
buf = append(buf, '-', '-', '-')
if e.Ensure {
buf = append(buf, '+')
}
buf = append(buf, ':')
buf = append(buf, []byte(e.Path)...)
if e.Read {
buf[0] = 'r'

View File

@ -65,6 +65,7 @@ type appSeal struct {
type sealedExtraPerm struct {
name string
perms acl.Perms
ensure bool
}
// Seal seals the app launch context
@ -169,6 +170,7 @@ func (a *app) Seal(config *fst.Config) error {
if p.Execute {
seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
}
seal.extraPerms[i].ensure = p.Ensure
}
// map sandbox config to bwrap

View File

@ -297,6 +297,9 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
if p == nil {
continue
}
if p.ensure {
seal.sys.Ensure(p.name, 0700)
}
seal.sys.UpdatePermType(system.User, p.name, p.perms...)
}