From c460892cbdfa66a2cf1f0ebcec59cf550e67962e Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sat, 12 Apr 2025 18:00:25 +0900
Subject: [PATCH] fst: check template

Signed-off-by: Ophestra
---
 fst/config.go | 81 ------------------------
 fst/template.go | 87 +++++++++++++++++++++++++++
 fst/template_test.go | 140 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 81 deletions(-)
 create mode 100644 fst/template.go
 create mode 100644 fst/template_test.go

diff --git a/fst/config.go b/fst/config.go
index 5c25979..a56927f 100644
--- a/fst/config.go
+++ b/fst/config.go
@@ -3,7 +3,6 @@ package fst
 import (
 "git.gensokyo.uk/security/fortify/dbus"
- "git.gensokyo.uk/security/fortify/sandbox/seccomp"
 "git.gensokyo.uk/security/fortify/system"
 )
@@ -81,83 +80,3 @@ func (e *ExtraPermConfig) String() string {
 }
 return string(buf)
 }
-
-// Template returns a fully populated instance of Config.
-func Template() *Config {
- return &Config{
- ID: "org.chromium.Chromium",
- Path: "/run/current-system/sw/bin/chromium",
- Args: []string{
- "chromium",
- "--ignore-gpu-blocklist",
- "--disable-smooth-scrolling",
- "--enable-features=UseOzonePlatform",
- "--ozone-platform=wayland",
- },
- Confinement: ConfinementConfig{
- AppID: 9,
- Groups: []string{"video"},
- Username: "chronos",
- Outer: "/var/lib/persist/home/org.chromium.Chromium",
- Inner: "/var/lib/fortify",
- Shell: "/run/current-system/sw/bin/zsh",
- Sandbox: &SandboxConfig{
- Hostname: "localhost",
- Devel: true,
- Userns: true,
- Net: true,
- Device: true,
- Seccomp: seccomp.FilterMultiarch,
- Tty: true,
- Multiarch: true,
- MapRealUID: true,
- DirectWayland: false,
- // example API credentials pulled from Google Chrome
- // DO NOT USE THESE IN A REAL BROWSER
- Env: map[string]string{
- "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
- "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
- "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
- },
- Filesystem: []*FilesystemConfig{
- {Src: "/nix/store"},
- {Src: "/run/current-system"},
- {Src: "/run/opengl-driver"},
- {Src: "/var/db/nix-channels"},
- {Src: "/var/lib/fortify/u0/org.chromium.Chromium",
- Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
- {Src: "/dev/dri", Device: true},
- },
- Link: [][2]string{{"/run/user/65534", "/run/user/150"}},
- Etc: "/etc",
- AutoEtc: true,
- Cover: []string{"/var/run/nscd"},
- },
- ExtraPerms: []*ExtraPermConfig{
- {Path: "/var/lib/fortify/u0", Ensure: true, Execute: true},
- {Path: "/var/lib/fortify/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
- },
- SystemBus: &dbus.Config{
- See: nil,
- Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
- Own: nil,
- Call: nil,
- Broadcast: nil,
- Log: false,
- Filter: true,
- },
- SessionBus: &dbus.Config{
- See: nil,
- Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
- "org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
- Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
- "org.mpris.MediaPlayer2.chromium.*"},
- Call: map[string]string{"org.freedesktop.portal.*": "*"},
- Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
- Log: false,
- Filter: true,
- },
- Enablements: system.EWayland | system.EDBus | system.EPulse,
- },
- }
-}
diff --git a/fst/template.go b/fst/template.go
new file mode 100644
index 0000000..0777c9d
--- /dev/null
+++ b/fst/template.go
@@ -0,0 +1,87 @@
+package fst
+
+import (
+ "git.gensokyo.uk/security/fortify/dbus"
+ "git.gensokyo.uk/security/fortify/sandbox/seccomp"
+ "git.gensokyo.uk/security/fortify/system"
+)
+
+// Template returns a fully populated instance of Config.
+func Template() *Config {
+ return &Config{
+ ID: "org.chromium.Chromium",
+ Path: "/run/current-system/sw/bin/chromium",
+ Args: []string{
+ "chromium",
+ "--ignore-gpu-blocklist",
+ "--disable-smooth-scrolling",
+ "--enable-features=UseOzonePlatform",
+ "--ozone-platform=wayland",
+ },
+ Confinement: ConfinementConfig{
+ AppID: 9,
+ Groups: []string{"video"},
+ Username: "chronos",
+ Outer: "/var/lib/persist/home/org.chromium.Chromium",
+ Inner: "/var/lib/fortify",
+ Shell: "/run/current-system/sw/bin/zsh",
+ Sandbox: &SandboxConfig{
+ Hostname: "localhost",
+ Devel: true,
+ Userns: true,
+ Net: true,
+ Device: true,
+ Seccomp: seccomp.FilterMultiarch,
+ Tty: true,
+ Multiarch: true,
+ MapRealUID: true,
+ DirectWayland: false,
+ // example API credentials pulled from Google Chrome
+ // DO NOT USE THESE IN A REAL BROWSER
+ Env: map[string]string{
+ "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+ "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+ "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
+ },
+ Filesystem: []*FilesystemConfig{
+ {Src: "/nix/store"},
+ {Src: "/run/current-system"},
+ {Src: "/run/opengl-driver"},
+ {Src: "/var/db/nix-channels"},
+ {Src: "/var/lib/fortify/u0/org.chromium.Chromium",
+ Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
+ {Src: "/dev/dri", Device: true},
+ },
+ Link: [][2]string{{"/run/user/65534", "/run/user/150"}},
+ Etc: "/etc",
+ AutoEtc: true,
+ Cover: []string{"/var/run/nscd"},
+ },
+ ExtraPerms: []*ExtraPermConfig{
+ {Path: "/var/lib/fortify/u0", Ensure: true, Execute: true},
+ {Path: "/var/lib/fortify/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
+ },
+ SystemBus: &dbus.Config{
+ See: nil,
+ Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
+ Own: nil,
+ Call: nil,
+ Broadcast: nil,
+ Log: false,
+ Filter: true,
+ },
+ SessionBus: &dbus.Config{
+ See: nil,
+ Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
+ "org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
+ Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+ "org.mpris.MediaPlayer2.chromium.*"},
+ Call: map[string]string{"org.freedesktop.portal.*": "*"},
+ Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
+ Log: false,
+ Filter: true,
+ },
+ Enablements: system.EWayland | system.EDBus | system.EPulse,
+ },
+ }
+}
diff --git a/fst/template_test.go b/fst/template_test.go
new file mode 100644
index 0000000..0ec2dae
--- /dev/null
+++ b/fst/template_test.go
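Review bot: The doc comment on `Template` says only "fully populated", while the Sandbox block in this hunk switches on Devel, Userns, Net, Device, Tty and MapRealUID at once and the Env map ships example Google credentials, so a caller who renders this as a starting configuration gets a very permissive sandbox and copied-in credentials with no warning at the API level. The `// DO NOT USE THESE IN A REAL BROWSER` comment sits inside the literal and is not visible to godoc or to any tool that only prints the returned Config. Suggest widening the comment to `// Template returns a fully populated instance of Config. It is an example for documentation and tests, not a hardened default: it enables Devel, Userns, Net, Device and MapRealUID, and its Env holds example credentials copied from Google Chrome that must be replaced before use.` The function is otherwise a verbatim move from config.go, so the wording is the only change I would make here.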
@@ -0,0 +1,140 @@
+package fst_test
+
+import (
+ "encoding/json"
+ "testing"
+
+ "git.gensokyo.uk/security/fortify/fst"
+)
+
+func TestTemplate(t *testing.T) {
+ const want = `{
+ "id": "org.chromium.Chromium",
+ "path": "/run/current-system/sw/bin/chromium",
+ "args": [
+ "chromium",
+ "--ignore-gpu-blocklist",
+ "--disable-smooth-scrolling",
+ "--enable-features=UseOzonePlatform",
+ "--ozone-platform=wayland"
+ ],
+ "confinement": {
+ "app_id": 9,
+ "groups": [
+ "video"
+ ],
+ "username": "chronos",
+ "home_inner": "/var/lib/fortify",
+ "home": "/var/lib/persist/home/org.chromium.Chromium",
+ "shell": "/run/current-system/sw/bin/zsh",
+ "sandbox": {
+ "hostname": "localhost",
+ "seccomp": 32,
+ "devel": true,
+ "userns": true,
+ "net": true,
+ "tty": true,
+ "multiarch": true,
+ "env": {
+ "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+ "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+ "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
+ },
+ "map_real_uid": true,
+ "device": true,
+ "filesystem": [
+ {
+ "src": "/nix/store"
+ },
+ {
+ "src": "/run/current-system"
+ },
+ {
+ "src": "/run/opengl-driver"
+ },
+ {
+ "src": "/var/db/nix-channels"
+ },
+ {
+ "dst": "/data/data/org.chromium.Chromium",
+ "src": "/var/lib/fortify/u0/org.chromium.Chromium",
+ "write": true,
+ "require": true
+ },
+ {
+ "src": "/dev/dri",
+ "dev": true
+ }
+ ],
+ "symlink": [
+ [
+ "/run/user/65534",
+ "/run/user/150"
+ ]
+ ],
+ "etc": "/etc",
+ "auto_etc": true,
+ "cover": [
+ "/var/run/nscd"
+ ]
+ },
+ "extra_perms": [
+ {
+ "ensure": true,
+ "path": "/var/lib/fortify/u0",
+ "x": true
+ },
+ {
+ "path": "/var/lib/fortify/u0/org.chromium.Chromium",
+ "r": true,
+ "w": true,
+ "x": true
+ }
+ ],
+ "system_bus": {
+ "see": null,
+ "talk": [
+ "org.bluez",
+ "org.freedesktop.Avahi",
+ "org.freedesktop.UPower"
+ ],
+ "own": null,
+ "call": null,
+ "broadcast": null,
+ "filter": true
+ },
+ "session_bus": {
+ "see": null,
+ "talk": [
+ "org.freedesktop.Notifications",
+ "org.freedesktop.FileManager1",
+ "org.freedesktop.ScreenSaver",
+ "org.freedesktop.secrets",
+ "org.kde.kwalletd5",
+ "org.kde.kwalletd6",
+ "org.gnome.SessionManager"
+ ],
+ "own": [
+ "org.chromium.Chromium.*",
+ "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+ "org.mpris.MediaPlayer2.chromium.*"
+ ],
+ "call": {
+ "org.freedesktop.portal.*": "*"
+ },
+ "broadcast": {
+ "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+ },
+ "filter": true
+ },
+ "enablements": 13
+ }
+}`
+
+ if p, err := json.MarshalIndent(fst.Template(), "", "\t"); err != nil {
+ t.Fatalf("cannot marshal: %v", err)
+ } else if s := string(p); s != want {
+ t.Fatalf("Template:\n%s\nwant:\n%s",
+ s, want)
+ }
+}