fortify: permissive defaults resolve home directory from os
All checks were successful
test / test (push) Successful in 21s
All checks were successful
test / test (push) Successful in 21s
When starting with the permissive defaults "run" command, attempt to resolve home directory from os by default and fall back to /var/empty. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
parent
748a0ae2c8
commit
c026a4b5dc
20
main.go
20
main.go
@ -5,6 +5,8 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"flag"
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"os/user"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"text/tabwriter"
|
"text/tabwriter"
|
||||||
|
|
||||||
@ -165,7 +167,7 @@ func main() {
|
|||||||
|
|
||||||
set.IntVar(&aid, "a", 0, "Fortify application ID")
|
set.IntVar(&aid, "a", 0, "Fortify application ID")
|
||||||
set.Var(&groups, "g", "Groups inherited by the app process")
|
set.Var(&groups, "g", "Groups inherited by the app process")
|
||||||
set.StringVar(&homeDir, "d", "/var/empty", "Application home directory")
|
set.StringVar(&homeDir, "d", "os", "Application home directory")
|
||||||
set.StringVar(&userName, "u", "chronos", "Passwd name within sandbox")
|
set.StringVar(&userName, "u", "chronos", "Passwd name within sandbox")
|
||||||
set.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
|
set.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
|
||||||
set.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
|
set.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
|
||||||
@ -186,6 +188,22 @@ func main() {
|
|||||||
panic("unreachable")
|
panic("unreachable")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// resolve home directory from os when flag is unset
|
||||||
|
if homeDir == "os" {
|
||||||
|
var us string
|
||||||
|
if uid, err := os.Uid(aid); err != nil {
|
||||||
|
fmsg.Fatalf("cannot obtain uid from fsu: %v", err)
|
||||||
|
} else {
|
||||||
|
us = strconv.Itoa(uid)
|
||||||
|
}
|
||||||
|
if u, err := user.LookupId(us); err != nil {
|
||||||
|
fmsg.VPrintf("cannot look up uid %s", us)
|
||||||
|
homeDir = "/var/empty"
|
||||||
|
} else {
|
||||||
|
homeDir = u.HomeDir
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
config.Confinement.AppID = aid
|
config.Confinement.AppID = aid
|
||||||
config.Confinement.Groups = groups
|
config.Confinement.Groups = groups
|
||||||
config.Confinement.Outer = homeDir
|
config.Confinement.Outer = homeDir
|
||||||
|
Loading…
Reference in New Issue
Block a user