fortify: permissive defaults resolve home directory from os

When starting with the permissive defaults "run" command, attempt to resolve home directory from os by default and fall back to /var/empty.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Ophestra 2024-11-18 13:01:07 +09:00
parent 748a0ae2c8
commit c026a4b5dc
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q

20
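--- a/main.go
+++ b/main.go
@@ -5,6 +5,8 @@ import (
 "encoding/json"
 "flag"
 "fmt"
+"os/user"
+"strconv"
 "strings"
 "text/tabwriter"
@@ -165,7 +167,7 @@ func main() {
 set.IntVar(&aid, "a", 0, "Fortify application ID")
 set.Var(&groups, "g", "Groups inherited by the app process")
-set.StringVar(&homeDir, "d", "/var/empty", "Application home directory")
+set.StringVar(&homeDir, "d", "os", "Application home directory")
 set.StringVar(&userName, "u", "chronos", "Passwd name within sandbox")
 set.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
 set.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
@@ -186,6 +188,22 @@ func main() {
 panic("unreachable")
 }
+// resolve home directory from os when flag is unset
+if homeDir == "os" {
+var us string
+if uid, err := os.Uid(aid); err != nil {
+fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
+} else {
+us = strconv.Itoa(uid)
+}
+if u, err := user.LookupId(us); err != nil {
+fmsg.VPrintf("cannot look up uid %s", us)
+homeDir = "/var/empty"
+} else {
+homeDir = u.HomeDir
+}
+}
 config.Confinement.AppID = aid
 config.Confinement.Groups = groups
 config.Confinement.Outer = homeDir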
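Review bot: The `/var/empty` fallback in the new `homeDir == "os"` block only fires when `user.LookupId` returns an error, so a passwd entry with an empty or relative home field sends `u.HomeDir` unchecked into `config.Confinement.Outer`. What `Outer` is used for is not visible in this hunk, but if it is the host path exposed to the app, the success branch should fall back the same way, e.g. `if u.HomeDir == "" || !filepath.IsAbs(u.HomeDir) { homeDir = "/var/empty" }` (this needs the `path/filepath` import). The `VPrintf` call also drops `err`, so the reason for a silent fallback is lost; `fmsg.VPrintf("cannot look up uid %s: %v", us, err)` would keep it. Because the check is on the sentinel value rather than on whether `-d` was given, an explicit `-d os` takes this path too, so the comment would be more accurate as `// resolve home directory from os when -d is left at its "os" default`. main() starts and ends outside the hunk.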