Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Pointing xdg-dbus-proxy to stdout/stderr makes a huge mess. This change enables app to neatly print out prefixed xdg-dbus-proxy messages after output is resumed.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This implements lazy loading of the systemd marker (they are not accessed in init and shim) and ensures consistent behaviour when running with a stub.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Fortify overrides /etc/passwd and /etc/group in the sandbox. Bind mounting /etc results in them being replaced when the passwd database is updated on host.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This change helps tests stub out and simulate OS behaviour during the sealing process. This also removes dependency on XDG_RUNTIME_DIR as the internal.System implementation provided to App provides a compat directory inside the tmpdir-based share when XDG_RUNTIME_DIR is unavailable.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
The behaviour of print functions from package fmt is not thread safe. Functions provided by fmsg wrap around Logger methods. This makes prefix much cleaner and makes it easy to deal with future changes to logging.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Values used in the Wayland mediation implementation is stored in various struct fields strewn across multiple app structs and checks are messy and confusing. This commit unifies them into a single struct and access it using much better looking methods.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Both machinectl and sudo launch methods launch shim as shim is now responsible for setting up the sandbox. Various app structures are adapted to accommodate bwrap configuration and mediated wayland access.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Launch methods serve the primary purpose of setting UID in the init namespace, which bubblewrap does not do. Furthermore, all applications will start within a bubblewrap sandbox once it has been implemented.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value.
In anticipation of the client/server split also made changes:
- Console messages are cleaned up to be consistent
- State tracking is fully rewritten to be cleaner and usable for multiple process and client/server
- Encapsulate errors to easier identify type of action causing the error as well as additional info
- System-level setup operations is grouped in a way that can be collectively committed/reverted
and gracefully handles errors returned by each operation
- Resource sharing is made more fine-grained with PID-scoped resources whenever possible,
a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available
- Application setup takes a JSON-friendly config struct and deterministically generates system setup operations
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>