cmd/fpkg/app.go

@@ -73,7 +73,6 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 			Username: "fortify",
 			Inner:    path.Join("/data/data", app.ID),
 			Outer:    pathSet.homeDir,
-			Shell:    shellPath,
 			Sandbox: &fst.SandboxConfig{
 				Hostname:      formatHostname(app.Name),
 				Devel:         app.Devel,

cmd/fpkg/with.go

@@ -34,7 +34,6 @@ func withNixDaemon(
 			Username: "fortify",
 			Inner:    path.Join("/data/data", app.ID),
 			Outer:    pathSet.homeDir,
-			Shell:    shellPath,
 			Sandbox: &fst.SandboxConfig{
 				Hostname: formatHostname(app.Name) + "-" + action,
 				Userns:   true, // nix sandbox requires userns
@@ -73,7 +72,6 @@ func withCacheDir(
 			Username: "nixos",
 			Inner:    path.Join("/data/data", app.ID, "cache"),
 			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
-			Shell:    shellPath,
 			Sandbox: &fst.SandboxConfig{
 				Hostname: formatHostname(app.Name) + "-" + action,
 				Seccomp:  seccomp.FlagMultiarch,

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742655702,
+        "lastModified": 1742234739,
-        "narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=",
+        "narHash": "sha256-zFL6zsf/5OztR1NSNQF33dvS1fL/BzVUjabZq4qrtY4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0948aeedc296f964140d9429223c7e4a0702a1ff",
+        "rev": "f6af7280a3390e65c2ad8fd059cdc303426cbd59",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1743231893,
+        "lastModified": 1742512142,
-        "narHash": "sha256-tpJsHMUPEhEnzySoQxx7+kA+KUtgWqvlcUBqROYNNt0=",
+        "narHash": "sha256-8XfURTDxOm6+33swQJu/hx6xw1Tznl8vJJN5HwVqckg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c570c1f5304493cafe133b8d843c7c1c4a10d3a6",
+        "rev": "7105ae3957700a9646cc4b766f5815b23ed0c682",
         "type": "github"
       },
       "original": {

fst/config.go

@@ -35,8 +35,6 @@ type ConfinementConfig struct {
 	Inner string `json:"home_inner"`
 	// home directory in init namespace
 	Outer string `json:"home"`
-	// absolute path to shell, empty for host shell
-	Shell string `json:"shell,omitempty"`
 	// abstract sandbox configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
 	// extra acl ops, runs after everything else
@@ -99,7 +97,6 @@ func Template() *Config {
 			Username: "chronos",
 			Outer:    "/var/lib/persist/home/org.chromium.Chromium",
 			Inner:    "/var/lib/fortify",
-			Shell:    "/run/current-system/sw/bin/zsh",
 			Sandbox: &SandboxConfig{
 				Hostname:      "localhost",
 				Devel:         true,

internal/app/app_nixos_test.go

@@ -56,15 +56,15 @@ var testCasesNixos = []sealTestCase{
 		},
 		system.New(1000001).
 			Ensure("/tmp/fortify.1971", 0711).
-			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
+			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
+			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
 			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
-			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			MustProxyDBus("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",

internal/app/app_pd_test.go

@@ -28,6 +28,10 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000000).
 			Ensure("/tmp/fortify.1971", 0711).
+			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
+			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			Ephemeral(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac", 0711).
+			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
 		&sandbox.Params{
@@ -203,13 +207,14 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000009).
 			Ensure("/tmp/fortify.1971", 0711).
-			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
-			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
-			Wayland(new(*os.File), "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
 			Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
+			Ensure("/tmp/fortify.1971/wayland", 0711).
+			Wayland(new(*os.File), "/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
 			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
@@ -368,7 +373,7 @@ var testCasesPd = []sealTestCase{
 				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("fortify:x:65534:\n")).
-				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
+				Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0", 0).
 				Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
 				Place(fst.Tmp+"/pulse-cookie", nil).
 				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).

internal/app/seal.go

@@ -85,53 +85,6 @@ type outcome struct {
 	f atomic.Bool
 }
 
-// shareHost holds optional share directory state that must not be accessed directly
-type shareHost struct {
-	// whether XDG_RUNTIME_DIR is used post fsu
-	useRuntimeDir bool
-	// process-specific directory in tmpdir, empty if unused
-	sharePath string
-	// process-specific directory in XDG_RUNTIME_DIR, empty if unused
-	runtimeSharePath string
-
-	seal *outcome
-	sc   fst.Paths
-}
-
-// ensureRuntimeDir must be called if direct access to paths within XDG_RUNTIME_DIR is required
-func (share *shareHost) ensureRuntimeDir() {
-	if share.useRuntimeDir {
-		return
-	}
-	share.useRuntimeDir = true
-	share.seal.sys.Ensure(share.sc.RunDirPath, 0700)
-	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath, acl.Execute)
-	share.seal.sys.Ensure(share.sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
-	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath, acl.Execute)
-}
-
-// instance returns a process-specific share path within tmpdir
-func (share *shareHost) instance() string {
-	if share.sharePath != "" {
-		return share.sharePath
-	}
-	share.sharePath = path.Join(share.sc.SharePath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.sharePath, 0711)
-	return share.sharePath
-}
-
-// runtime returns a process-specific share path within XDG_RUNTIME_DIR
-func (share *shareHost) runtime() string {
-	if share.runtimeSharePath != "" {
-		return share.runtimeSharePath
-	}
-	share.ensureRuntimeDir()
-	share.runtimeSharePath = path.Join(share.sc.RunDirPath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath, 0700)
-	share.seal.sys.UpdatePerm(share.runtimeSharePath, acl.Execute)
-	return share.runtimeSharePath
-}
-
 // fsuUser stores post-fsu credentials and metadata
 type fsuUser struct {
 	// application id
@@ -156,6 +109,11 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 	}
 	seal.ctx = ctx
 
+	shellPath := "/bin/sh"
+	if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
+		shellPath = s
+	}
+
 	{
 		// encode initial configuration for state tracking
 		ct := new(bytes.Buffer)
@@ -172,6 +130,10 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 			fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
 	}
 
+	/*
+		Resolve post-fsu user state
+	*/
+
 	seal.user = fsuUser{
 		aid:      newInt(config.Confinement.AppID),
 		data:     config.Confinement.Outer,
@@ -207,14 +169,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}
 
-	// this also falls back to host path if encountering an invalid path
+	/*
-	if !path.IsAbs(config.Confinement.Shell) {
+		Resolve initial container state
-		config.Confinement.Shell = "/bin/sh"
+	*/
-		if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
-			config.Confinement.Shell = s
-		}
-	}
-	// do not use the value of shell before this point
 
 	// permissive defaults
 	if config.Confinement.Sandbox == nil {
@@ -229,7 +186,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 					config.Path = p
 				}
 			} else {
-				config.Path = config.Confinement.Shell
+				config.Path = shellPath
 			}
 		}
 
@@ -299,9 +256,39 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		if seal.env == nil {
 			seal.env = make(map[string]string, 1<<6)
 		}
+		seal.env[shell] = shellPath
 	}
 
-	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
+	/*
+		Initialise externals
+	*/
+
+	sc := sys.Paths()
+	seal.runDirPath = sc.RunDirPath
+	seal.sys = system.New(seal.user.uid.unwrap())
+
+	/*
+		Work directories
+	*/
+
+	// base fortify share path
+	seal.sys.Ensure(sc.SharePath, 0711)
+
+	// outer paths used by the main process
+	seal.sys.Ensure(sc.RunDirPath, 0700)
+	seal.sys.UpdatePermType(system.User, sc.RunDirPath, acl.Execute)
+	seal.sys.Ensure(sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
+	seal.sys.UpdatePermType(system.User, sc.RuntimePath, acl.Execute)
+
+	// outer process-specific share directory
+	sharePath := path.Join(sc.SharePath, seal.id.String())
+	seal.sys.Ephemeral(system.Process, sharePath, 0711)
+	// similar to share but within XDG_RUNTIME_DIR
+	sharePathLocal := path.Join(sc.RunDirPath, seal.id.String())
+	seal.sys.Ephemeral(system.Process, sharePathLocal, 0700)
+	seal.sys.UpdatePerm(sharePathLocal, acl.Execute)
+
+	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as post-fsu user
 	innerRuntimeDir := path.Join("/run/user", mapuid.String())
 	seal.container.Tmpfs("/run/user", 1<<12, 0755)
 	seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0700)
@@ -309,44 +296,44 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 	seal.env[xdgSessionClass] = "user"
 	seal.env[xdgSessionType] = "tty"
 
-	share := &shareHost{seal: seal, sc: sys.Paths()}
+	// outer path for inner /tmp
-	seal.runDirPath = share.sc.RunDirPath
-	seal.sys = system.New(seal.user.uid.unwrap())
-
 	{
-		seal.sys.Ensure(share.sc.SharePath, 0711)
+		tmpdir := path.Join(sc.SharePath, "tmpdir")
-		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
 		seal.sys.Ensure(tmpdir, 0700)
 		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
 		tmpdirInst := path.Join(tmpdir, seal.user.aid.String())
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
-		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
 		seal.container.Bind(tmpdirInst, "/tmp", sandbox.BindWritable)
 	}
 
-	{
+	/*
-		homeDir := "/var/empty"
+		Passwd database
-		if seal.user.home != "" {
+	*/
-			homeDir = seal.user.home
-		}
-		username := "chronos"
-		if seal.user.username != "" {
-			username = seal.user.username
-		}
-		seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
-		seal.container.Dir = homeDir
-		seal.env["HOME"] = homeDir
-		seal.env["USER"] = username
-		seal.env[shell] = config.Confinement.Shell
 
-		seal.container.Place("/etc/passwd",
+	homeDir := "/var/empty"
-			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Fortify:"+homeDir+":"+config.Confinement.Shell+"\n"))
+	if seal.user.home != "" {
-		seal.container.Place("/etc/group",
+		homeDir = seal.user.home
-			[]byte("fortify:x:"+mapgid.String()+":\n"))
 	}
+	username := "chronos"
+	if seal.user.username != "" {
+		username = seal.user.username
+	}
+	seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
+	seal.container.Dir = homeDir
+	seal.env["HOME"] = homeDir
+	seal.env["USER"] = username
 
-	// pass TERM for proper terminal I/O in initial process
+	seal.container.Place("/etc/passwd",
+		[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Fortify:"+homeDir+":"+shellPath+"\n"))
+	seal.container.Place("/etc/group",
+		[]byte("fortify:x:"+mapgid.String()+":\n"))
+
+	/*
+		Display servers
+	*/
+
+	// pass $TERM for proper terminal I/O in shell
 	if t, ok := sys.LookupEnv(term); ok {
 		seal.env[term] = t
 	}
@@ -356,9 +343,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		var socketPath string
 		if name, ok := sys.LookupEnv(wl.WaylandDisplay); !ok {
 			fmsg.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName)
-			socketPath = path.Join(share.sc.RuntimePath, wl.FallbackName)
+			socketPath = path.Join(sc.RuntimePath, wl.FallbackName)
 		} else if !path.IsAbs(name) {
-			socketPath = path.Join(share.sc.RuntimePath, name)
+			socketPath = path.Join(sc.RuntimePath, name)
 		} else {
 			socketPath = name
 		}
@@ -367,18 +354,18 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		seal.env[wl.WaylandDisplay] = wl.FallbackName
 
 		if !config.Confinement.Sandbox.DirectWayland { // set up security-context-v1
+			socketDir := path.Join(sc.SharePath, "wayland")
+			outerPath := path.Join(socketDir, seal.id.String())
+			seal.sys.Ensure(socketDir, 0711)
 			appID := config.ID
 			if appID == "" {
 				// use instance ID in case app id is not set
 				appID = "uk.gensokyo.fortify." + seal.id.String()
 			}
-			// downstream socket paths
-			outerPath := path.Join(share.instance(), "wayland")
 			seal.sys.Wayland(&seal.sync, outerPath, socketPath, appID, seal.id.String())
 			seal.container.Bind(outerPath, innerPath, 0)
 		} else { // bind mount wayland socket (insecure)
 			fmsg.Verbose("direct wayland access, PROCEED WITH CAUTION")
-			share.ensureRuntimeDir()
 			seal.container.Bind(socketPath, innerPath, 0)
 			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
 		}
@@ -395,9 +382,13 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}
 
+	/*
+		PulseAudio server and authentication
+	*/
+
 	if config.Confinement.Enablements&system.EPulse != 0 {
 		// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
-		pulseRuntimeDir := path.Join(share.sc.RuntimePath, "pulse")
+		pulseRuntimeDir := path.Join(sc.RuntimePath, "pulse")
 		// PulseAudio socket (usually `/run/user/%d/pulse/native`)
 		pulseSocket := path.Join(pulseRuntimeDir, "native")
 
@@ -425,7 +416,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 
 		// hard link pulse socket into target-executable share
-		innerPulseRuntimeDir := path.Join(share.runtime(), "pulse")
+		innerPulseRuntimeDir := path.Join(sharePathLocal, "pulse")
 		innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
 		seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
 		seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket, 0)
@@ -444,6 +435,10 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}
 
+	/*
+		D-Bus proxy
+	*/
+
 	if config.Confinement.Enablements&system.EDBus != 0 {
 		// ensure dbus session bus defaults
 		if config.Confinement.SessionBus == nil {
@@ -451,7 +446,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 
 		// downstream socket paths
-		sharePath := share.instance()
 		sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")
 
 		// configure dbus proxy
@@ -477,6 +471,10 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}
 
+	/*
+		Miscellaneous
+	*/
+
 	for _, dest := range config.Confinement.Sandbox.Cover {
 		seal.container.Tmpfs(dest, 1<<13, 0755)
 	}

options.md

@@ -35,7 +35,7 @@ package
 
 
 *Default:*
-` <derivation fortify-static-x86_64-unknown-linux-musl-0.3.3> `
+` <derivation fortify-static-x86_64-unknown-linux-musl-0.3.2> `
 
 
 
@@ -644,7 +644,7 @@ package
 
 
 *Default:*
-` <derivation fortify-fsu-0.3.3> `
+` <derivation fortify-fsu-0.3.2> `
 
 
 

package.nix

@@ -31,7 +31,7 @@
 
 buildGoModule rec {
   pname = "fortify";
-  version = "0.3.3";
+  version = "0.3.2";
 
   src = builtins.path {
     name = "${pname}-src";

print.go

@@ -77,9 +77,7 @@ func printShowInstance(
 	if len(config.Confinement.Groups) > 0 {
 		t.Printf(" Groups:\t%q\n", config.Confinement.Groups)
 	}
-	if config.Confinement.Outer != "" {
+	t.Printf(" Directory:\t%s\n", config.Confinement.Outer)
-		t.Printf(" Directory:\t%s\n", config.Confinement.Outer)
-	}
 	if config.Confinement.Sandbox != nil {
 		sandbox := config.Confinement.Sandbox
 		if sandbox.Hostname != "" {
@@ -116,12 +114,7 @@ func printShowInstance(
 		// Env           map[string]string   `json:"env"`
 		// Link          [][2]string         `json:"symlink"`
 	}
-	if config.Confinement.Sandbox != nil {
+	t.Printf(" Command:\t%s\n", strings.Join(config.Args, " "))
-		t.Printf(" Path:\t%s\n", config.Path)
-	}
-	if len(config.Args) > 0 {
-		t.Printf(" Arguments:\t%s\n", strings.Join(config.Args, " "))
-	}
 	t.Printf("\n")
 
 	if !short {
@@ -254,18 +247,22 @@ func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON boo
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	t.Println("\tInstance\tPID\tApplication\tUptime")
+	t.Println("\tInstance\tPID\tApp\tUptime\tEnablements\tCommand")
 	for _, e := range exp {
-		as := "(No configuration information)"
+		var (
+			es = "(No confinement information)"
+			cs = "(No command information)"
+			as = "(No configuration information)"
+		)
 		if e.Config != nil {
+			es = e.Config.Confinement.Enablements.String()
+			cs = fmt.Sprintf("%q", e.Config.Args)
 			as = strconv.Itoa(e.Config.Confinement.AppID)
-			if e.Config.ID != "" {
-				as += " (" + e.Config.ID + ")"
-			}
 		}
-		t.Printf("\t%s\t%d\t%s\t%s\n",
+		t.Printf("\t%s\t%d\t%s\t%s\t%s\t%s\n",
-			e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String())
+			e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String(), strings.TrimPrefix(es, ", "), cs)
 	}
+	t.Println()
 }
 
 type expandedStateEntry struct {

print_test.go

@@ -44,8 +44,7 @@ func Test_printShowInstance(t *testing.T) {
  Flags:          userns net dev tty mapuid autoetc
  Etc:            /etc
  Cover:          /var/run/nscd
- Path:           /run/current-system/sw/bin/chromium
+ Command:        chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
- Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 
 Filesystem
  +/nix/store
@@ -76,22 +75,26 @@ System bus
 App
  ID:             0
  Enablements:    (no enablements)
+ Directory:      
+ Command:        
 
 `},
 		{"config flag none", nil, &fst.Config{Confinement: fst.ConfinementConfig{Sandbox: new(fst.SandboxConfig)}}, false, false, `App
  ID:             0
  Enablements:    (no enablements)
+ Directory:      
  Flags:          none
  Etc:            /etc
- Path:           
+ Command:        
 
 `},
 		{"config nil entries", nil, &fst.Config{Confinement: fst.ConfinementConfig{Sandbox: &fst.SandboxConfig{Filesystem: make([]*fst.FilesystemConfig, 1)}, ExtraPerms: make([]*fst.ExtraPermConfig, 1)}}, false, false, `App
  ID:             0
  Enablements:    (no enablements)
+ Directory:      
  Flags:          none
  Etc:            /etc
- Path:           
+ Command:        
 
 Filesystem
 
@@ -103,6 +106,8 @@ Extra ACL
 App
  ID:             0
  Enablements:    (no enablements)
+ Directory:      
+ Command:        
 
 Session bus
  Filter:    false
@@ -123,8 +128,7 @@ App
  Flags:          userns net dev tty mapuid autoetc
  Etc:            /etc
  Cover:          /var/run/nscd
- Path:           /run/current-system/sw/bin/chromium
+ Command:        chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
- Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 
 Filesystem
  +/nix/store
@@ -159,6 +163,8 @@ State
 App
  ID:             0
  Enablements:    (no enablements)
+ Directory:      
+ Command:        
 
 `},
 
@@ -202,7 +208,6 @@ App
       "username": "chronos",
       "home_inner": "/var/lib/fortify",
       "home": "/var/lib/persist/home/org.chromium.Chromium",
-      "shell": "/run/current-system/sw/bin/zsh",
       "sandbox": {
         "hostname": "localhost",
         "seccomp": 32,
@@ -327,7 +332,6 @@ App
     "username": "chronos",
     "home_inner": "/var/lib/fortify",
     "home": "/var/lib/persist/home/org.chromium.Chromium",
-    "shell": "/run/current-system/sw/bin/zsh",
     "sandbox": {
       "hostname": "localhost",
       "seccomp": 32,
@@ -454,16 +458,20 @@ func Test_printPs(t *testing.T) {
 		short, json bool
 		want        string
 	}{
-		{"no entries", make(state.Entries), false, false, `    Instance    PID    Application    Uptime
+		{"no entries", make(state.Entries), false, false, `    Instance    PID    App    Uptime    Enablements    Command
+
 `},
 		{"no entries short", make(state.Entries), true, false, ``},
-		{"nil instance", state.Entries{testID: nil}, false, false, `    Instance    PID    Application    Uptime
+		{"nil instance", state.Entries{testID: nil}, false, false, `    Instance    PID    App    Uptime    Enablements    Command
+
 `},
-		{"state corruption", state.Entries{fst.ID{}: testState}, false, false, `    Instance    PID    Application    Uptime
+		{"state corruption", state.Entries{fst.ID{}: testState}, false, false, `    Instance    PID    App    Uptime    Enablements    Command
+
 `},
 
-		{"valid", state.Entries{testID: testState}, false, false, `    Instance    PID           Application                  Uptime
+		{"valid", state.Entries{testID: testState}, false, false, `    Instance    PID           App    Uptime     Enablements                  Command
-    8e2c76b0    3735928559    9 (org.chromium.Chromium)    1h2m32s
+    8e2c76b0    3735928559    9      1h2m32s    wayland, dbus, pulseaudio    ["chromium" "--ignore-gpu-blocklist" "--disable-smooth-scrolling" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland"]
+
 `},
 		{"valid short", state.Entries{testID: testState}, true, false, `8e2c76b0
 `},
@@ -506,7 +514,6 @@ func Test_printPs(t *testing.T) {
         "username": "chronos",
         "home_inner": "/var/lib/fortify",
         "home": "/var/lib/persist/home/org.chromium.Chromium",
-        "shell": "/run/current-system/sw/bin/zsh",
         "sandbox": {
           "hostname": "localhost",
           "seccomp": 32,

sandbox/container.go

@@ -104,6 +104,16 @@ type (
 
 		Flags HardeningFlags
 	}
+
+	Ops []Op
+	Op  interface {
+		early(params *Params) error
+		apply(params *Params) error
+		prefix() string
+
+		Is(op Op) bool
+		fmt.Stringer
+	}
 )
 
 func (p *Container) Start() error {

sandbox/init.go

@@ -45,6 +45,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		log.Fatal("this process must run as pid 1")
 	}
 
+	/*
+		receive setup payload
+	*/
+
 	var (
 		params      initParams
 		closeSetup  func() error
@@ -107,6 +111,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	// cache sysctl before pivot_root
 	LastCap()
 
+	/*
+		set up mount points from intermediate root
+	*/
+
 	if err := syscall.Mount("", "/", "",
 		syscall.MS_SILENT|syscall.MS_SLAVE|syscall.MS_REC,
 		""); err != nil {
@@ -147,7 +155,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if err := os.Mkdir(hostDir, 0755); err != nil {
 		log.Fatalf("%v", err)
 	}
-	// pivot_root uncovers basePath in hostDir
 	if err := syscall.PivotRoot(basePath, hostDir); err != nil {
 		log.Fatalf("cannot pivot into intermediate root: %v", err)
 	}
@@ -166,7 +173,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		}
 	}
 
-	// setup requiring host root complete at this point
+	/*
+		pivot to sysroot
+	*/
+
 	if err := syscall.Mount(hostDir, hostDir, "",
 		syscall.MS_SILENT|syscall.MS_REC|syscall.MS_PRIVATE,
 		""); err != nil {
@@ -206,6 +216,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		}
 	}
 
+	/*
+		caps/securebits and seccomp filter
+	*/
+
 	if _, _, errno := syscall.Syscall(PR_SET_NO_NEW_PRIVS, 1, 0, 0); errno != 0 {
 		log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
 	}
@@ -241,13 +255,20 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 
+	/*
+		pass through extra files
+	*/
+
 	extraFiles := make([]*os.File, params.Count)
 	for i := range extraFiles {
-		// setup fd is placed before all extra files
 		extraFiles[i] = os.NewFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
 	}
 	syscall.Umask(oldmask)
 
+	/*
+		prepare initial process
+	*/
+
 	cmd := exec.Command(params.Path)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = params.Args
@@ -260,11 +281,22 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	}
 	msg.Suspend()
 
+	/*
+		close setup pipe
+	*/
+
 	if err := closeSetup(); err != nil {
 		log.Println("cannot close setup pipe:", err)
 		// not fatal
 	}
 
+	/*
+		perform init duties
+	*/
+
+	sig := make(chan os.Signal, 2)
+	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
+
 	type winfo struct {
 		wpid    int
 		wstatus syscall.WaitStatus
@@ -301,10 +333,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		close(done)
 	}()
 
-	// handle signals to dump withheld messages
-	sig := make(chan os.Signal, 2)
-	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
-
 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
 
@@ -317,6 +345,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 			} else {
 				msg.Verbosef("terminating on %s", s.String())
 			}
+			msg.BeforeExit()
 			os.Exit(0)
 		case w := <-info:
 			if w.wpid == cmd.Process.Pid {

sandbox/sequential.go

@@ -13,22 +13,6 @@ import (
 	"unsafe"
 )
 
-type (
-	Ops []Op
-	Op  interface {
-		// early is called in host root.
-		early(params *Params) error
-		// apply is called in intermediate root.
-		apply(params *Params) error
-
-		prefix() string
-		Is(op Op) bool
-		fmt.Stringer
-	}
-)
-
-func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
-
 func init() { gob.Register(new(BindMount)) }
 
 // BindMount bind mounts host path Source on container path Target.

test/test.py

@@ -176,11 +176,25 @@ machine.send_chars("clear; wayland-info && touch /tmp/client-ok\n")
 machine.wait_for_file(tmpdir_path(0, "client-ok"), timeout=15)
 collect_state_ui("foot_wayland")
 check_state("ne-foot", 1)
-# Verify lack of acl on XDG_RUNTIME_DIR:
+# Verify acl on XDG_RUNTIME_DIR:
-machine.fail(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(0) + 1000000}")
+print(machine.succeed(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(0) + 1000000}"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot", timeout=5)
-machine.fail(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(0) + 1000000}", timeout=5)
+# Verify acl cleanup on XDG_RUNTIME_DIR:
+machine.wait_until_fails(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(0) + 1000000}", timeout=5)
+
+# Start app (foot) with Wayland enablement from a terminal:
+swaymsg("exec foot $SHELL -c '(ne-foot) & sleep 1 && fortify show $(fortify ps --short) && touch /tmp/ps-show-ok && cat'")
+wait_for_window(f"u0_a{aid(0)}@machine")
+machine.send_chars("clear; wayland-info && touch /tmp/term-ok\n")
+machine.wait_for_file(tmpdir_path(0, "term-ok"), timeout=15)
+machine.wait_for_file("/tmp/ps-show-ok", timeout=5)
+collect_state_ui("foot_wayland_term")
+check_state("ne-foot", 1)
+machine.send_chars("exit\n")
+wait_for_window("foot")
+machine.send_key("ctrl-c")
+machine.wait_until_fails("pgrep foot", timeout=5)
 
 # Test PulseAudio (fortify does not support PipeWire yet):
 swaymsg("exec pa-foot")
@@ -219,22 +233,6 @@ machine.wait_until_fails(f"getfacl --absolute-names --omit-header --numeric /run
 # Test syscall filter:
 print(machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 strace-failure"))
 
-# Start app (foot) with Wayland enablement from a terminal:
-swaymsg("exec foot $SHELL -c '(ne-foot) & disown && exec $SHELL'")
-wait_for_window(f"u0_a{aid(0)}@machine")
-machine.send_chars("clear; wayland-info && touch /tmp/term-ok\n")
-machine.wait_for_file(tmpdir_path(0, "term-ok"), timeout=15)
-machine.send_key("alt-h")
-machine.send_chars("clear; fortify show $(fortify ps --short) && touch /tmp/ps-show-ok && exec cat\n")
-machine.wait_for_file("/tmp/ps-show-ok", timeout=5)
-collect_state_ui("foot_wayland_term")
-check_state("ne-foot", 1)
-machine.send_key("alt-l")
-machine.send_chars("exit\n")
-wait_for_window("alice@machine")
-machine.send_key("ctrl-c")
-machine.wait_until_fails("pgrep foot", timeout=5)
-
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")