

No commits in common. "371dd5b938e70fa077d1452456fdd203b7a61cb9" and "b39f3aeb59095aef123920d891fecf890ce0b088" have entirely different histories.

14 changed files with 71 additions and 110 deletions


@ -245,7 +245,9 @@ func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Par
if etcPath == "" { if etcPath == "" {
etcPath = "/etc" etcPath = "/etc"
} }
container.Bind(etcPath, Tmp+"/etc", 0) container.
Bind(etcPath, Tmp+"/etc", 0).
Mkdir("/etc", 0700)
// link host /etc contents to prevent dropping passwd/group bind mounts // link host /etc contents to prevent dropping passwd/group bind mounts
if d, err := sys.ReadDir(etcPath); err != nil { if d, err := sys.ReadDir(etcPath); err != nil {
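Review bot: The `Mkdir("/etc", 0700)` added to the chain in ToContainer uses a mode that differs from the 0755 this same change hardcodes for every other auto-created parent (`ensureFile(target, 0444, 0755)`, `os.MkdirAll(target, 0755)` in the mount ops), and nothing at the call site says why. The fixture files in this compare confirm the effect (`etc = fs "800001c0"`, i.e. 0700), so the value is deliberate; a one-line why-comment would keep the next maintainer from "fixing" it, e.g. `// create /etc explicitly so its mode is 0700 (matching bind-created targets) rather than the 0755 parent default used by the Link ops below`. The bwrap-emulation rationale is only hinted at by the comment in BindMount.apply later in this compare, so confirm that is the actual reason before wording it. ToContainer starts and ends outside this hunk.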


@ -124,6 +124,7 @@ var testCasesNixos = []sealTestCase{
Bind("/run/opengl-driver", "/run/opengl-driver", 0). Bind("/run/opengl-driver", "/run/opengl-driver", 0).
Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional). Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
Bind("/etc", fst.Tmp+"/etc", 0). Bind("/etc", fst.Tmp+"/etc", 0).
Mkdir("/etc", 0700).
Link(fst.Tmp+"/etc/alsa", "/etc/alsa"). Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d"). Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").


@ -67,6 +67,7 @@ var testCasesPd = []sealTestCase{
Tmpfs("/run/user/1971", 8192, 0755). Tmpfs("/run/user/1971", 8192, 0755).
Tmpfs("/run/dbus", 8192, 0755). Tmpfs("/run/dbus", 8192, 0755).
Bind("/etc", fst.Tmp+"/etc", 0). Bind("/etc", fst.Tmp+"/etc", 0).
Mkdir("/etc", 0700).
Link(fst.Tmp+"/etc/alsa", "/etc/alsa"). Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d"). Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
@ -287,6 +288,7 @@ var testCasesPd = []sealTestCase{
Tmpfs("/run/user/1971", 8192, 0755). Tmpfs("/run/user/1971", 8192, 0755).
Tmpfs("/run/dbus", 8192, 0755). Tmpfs("/run/dbus", 8192, 0755).
Bind("/etc", fst.Tmp+"/etc", 0). Bind("/etc", fst.Tmp+"/etc", 0).
Mkdir("/etc", 0700).
Link(fst.Tmp+"/etc/alsa", "/etc/alsa"). Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d"). Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").


@ -84,8 +84,6 @@ in
command = if app.command == null then app.name else app.command; command = if app.command == null then app.name else app.command;
script = if app.script == null then ("exec " + command + " $@") else app.script; script = if app.script == null then ("exec " + command + " $@") else app.script;
enablements = with app.capability; (if wayland then 1 else 0) + (if x11 then 2 else 0) + (if dbus then 4 else 0) + (if pulse then 8 else 0); enablements = with app.capability; (if wayland then 1 else 0) + (if x11 then 2 else 0) + (if dbus then 4 else 0) + (if pulse then 8 else 0);
isGraphical = if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11;
conf = { conf = {
inherit (app) id; inherit (app) id;
path = pkgs.writeScript "${app.name}-start" '' path = pkgs.writeScript "${app.name}-start" ''
@ -93,7 +91,6 @@ in
${script} ${script}
''; '';
args = [ "${app.name}-start" ]; args = [ "${app.name}-start" ];
confinement = { confinement = {
app_id = aid; app_id = aid;
inherit (app) groups; inherit (app) groups;
@ -111,7 +108,6 @@ in
; ;
map_real_uid = app.mapRealUid; map_real_uid = app.mapRealUid;
direct_wayland = app.insecureWayland; direct_wayland = app.insecureWayland;
filesystem = filesystem =
let let
bind = src: { inherit src; }; bind = src: { inherit src; };
@ -128,6 +124,7 @@ in
(mustBind "/bin") (mustBind "/bin")
(mustBind "/usr/bin") (mustBind "/usr/bin")
(mustBind "/nix/store") (mustBind "/nix/store")
(mustBind "/run/current-system")
(bind "/sys/block") (bind "/sys/block")
(bind "/sys/bus") (bind "/sys/bus")
(bind "/sys/class") (bind "/sys/class")
@ -138,7 +135,8 @@ in
(mustBind "/nix/var") (mustBind "/nix/var")
(bind "/var/db/nix-channels") (bind "/var/db/nix-channels")
] ]
++ optionals isGraphical [ ++ optionals (if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11) [
(bind "/run/opengl-driver")
(devBind "/dev/dri") (devBind "/dev/dri")
(devBind "/dev/nvidiactl") (devBind "/dev/nvidiactl")
(devBind "/dev/nvidia-modeset") (devBind "/dev/nvidia-modeset")
@ -149,30 +147,7 @@ in
++ app.extraPaths; ++ app.extraPaths;
auto_etc = true; auto_etc = true;
cover = [ "/var/run/nscd" ]; cover = [ "/var/run/nscd" ];
symlink =
[
[
"*/run/current-system"
"/run/current-system"
]
]
++ optionals (isGraphical && config.hardware.graphics.enable) (
[
[
config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument
"/run/opengl-driver"
]
]
++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [
[
config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument
/run/opengl-driver-32
]
]
);
}; };
inherit enablements; inherit enablements;
inherit (dbusConfig) session_bus system_bus; inherit (dbusConfig) session_bus system_bus;
}; };
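Review bot: The new side drops the `/run/opengl-driver-32` mapping entirely: the removed `symlink` block provided it for `app.multiarch && config.hardware.graphics.enable32Bit`, while the replacement `(bind "/run/opengl-driver")` in the graphics branch covers only the 64-bit driver path, so multiarch apps that previously resolved the 32-bit driver will no longer find it. If that is intended, the `multiarch` option should say so; otherwise add a sibling entry such as `++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [ (bind "/run/opengl-driver-32") ]` next to the graphics conditional. The graphics condition is also now an inline `if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11` inside the `optionals` call, which reads better as a named `let` binding (e.g. `isGraphical`) so it can be reused by that multiarch clause. Whether `bind` tolerates a missing host path is not visible here, so verify it before relying on it for hosts without `hardware.graphics.enable`.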


@ -96,9 +96,6 @@ type (
*Ops *Ops
// Extra seccomp options. // Extra seccomp options.
Seccomp seccomp.SyscallOpts Seccomp seccomp.SyscallOpts
// Permission bits of newly created parent directories.
// The zero value is interpreted as 0755.
ParentPerm os.FileMode
Flags HardeningFlags Flags HardeningFlags
} }


@ -68,9 +68,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
if params.Ops == nil { if params.Ops == nil {
log.Fatal("invalid setup parameters") log.Fatal("invalid setup parameters")
} }
if params.ParentPerm == 0 {
params.ParentPerm = 0755
}
setVerbose(params.Verbose) setVerbose(params.Verbose)
msg.Verbose("received setup parameters") msg.Verbose("received setup parameters")


@ -25,7 +25,7 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
var targetFinal string var targetFinal string
if v, err := filepath.EvalSymlinks(target); err != nil { if v, err := filepath.EvalSymlinks(target); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} else { } else {
targetFinal = v targetFinal = v
if targetFinal != target { if targetFinal != target {
@ -45,7 +45,7 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
fmt.Sprintf("cannot open %q:", targetFinal)) fmt.Sprintf("cannot open %q:", targetFinal))
} }
if v, err := os.Readlink(p.fd(destFd)); err != nil { if v, err := os.Readlink(p.fd(destFd)); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} else if err = syscall.Close(destFd); err != nil { } else if err = syscall.Close(destFd); err != nil {
return wrapErrSuffix(err, return wrapErrSuffix(err,
fmt.Sprintf("cannot close %q:", targetFinal)) fmt.Sprintf("cannot close %q:", targetFinal))
@ -102,7 +102,7 @@ func remountWithFlags(n *vfs.MountInfoNode, mf uintptr) error {
func mountTmpfs(fsname, name string, size int, perm os.FileMode) error { func mountTmpfs(fsname, name string, size int, perm os.FileMode) error {
target := toSysroot(name) target := toSysroot(name)
if err := os.MkdirAll(target, parentPerm(perm)); err != nil { if err := os.MkdirAll(target, parentPerm(perm)); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
opt := fmt.Sprintf("mode=%#o", perm) opt := fmt.Sprintf("mode=%#o", perm)
if size > 0 { if size > 0 {
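Review bot: The new side spells out `return msg.WrapErr(err, err.Error())` at every error site in bindMount and mountTmpfs, and the same literal recurs in the createFile/mountinfo section and throughout the mount-op section that follow in this compare (well over a dozen copies), which is a point of style rather than behaviour. A two-line package-local helper, e.g. `func wrapErrSelf(err error) error { return msg.WrapErr(err, err.Error()) }`, keeps the message convention in one place so a later change to how these errors are rendered does not have to touch every call site. If the helper is kept minimal it should not carry a nil guard, since every caller here already sits inside an `err != nil` branch. bindMount's body starts before and continues past this hunk.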


@ -17,10 +17,3 @@ func wrapErrSuffix(err error, a ...any) error {
} }
return msg.WrapErr(err, append(a, err)...) return msg.WrapErr(err, append(a, err)...)
} }
func wrapErrSelf(err error) error {
if err == nil {
return nil
}
return msg.WrapErr(err, err.Error())
}


@ -32,16 +32,16 @@ func toHost(name string) string {
func createFile(name string, perm, pperm os.FileMode, content []byte) error { func createFile(name string, perm, pperm os.FileMode, content []byte) error {
if err := os.MkdirAll(path.Dir(name), pperm); err != nil { if err := os.MkdirAll(path.Dir(name), pperm); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
f, err := os.OpenFile(name, syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY, perm) f, err := os.OpenFile(name, syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY, perm)
if err != nil { if err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
if content != nil { if content != nil {
_, err = f.Write(content) _, err = f.Write(content)
if err != nil { if err != nil {
err = wrapErrSelf(err) err = msg.WrapErr(err, err.Error())
} }
} }
return errors.Join(f.Close(), err) return errors.Join(f.Close(), err)
@ -78,7 +78,7 @@ func (p *procPaths) stdout() string { return p.self + "/fd/1" }
func (p *procPaths) fd(fd int) string { return p.self + "/fd/" + strconv.Itoa(fd) } func (p *procPaths) fd(fd int) string { return p.self + "/fd/" + strconv.Itoa(fd) }
func (p *procPaths) mountinfo(f func(d *vfs.MountInfoDecoder) error) error { func (p *procPaths) mountinfo(f func(d *vfs.MountInfoDecoder) error) error {
if r, err := os.Open(p.self + "/mountinfo"); err != nil { if r, err := os.Open(p.self + "/mountinfo"); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} else { } else {
d := vfs.NewMountInfoDecoder(r) d := vfs.NewMountInfoDecoder(r)
err0 := f(d) err0 := f(d)


@ -8,7 +8,6 @@ import (
"path" "path"
"path/filepath" "path/filepath"
"slices" "slices"
"strings"
"syscall" "syscall"
"unsafe" "unsafe"
) )
@ -39,7 +38,7 @@ func (b *BindMount) early(*Params) error {
b.SourceFinal = "\x00" b.SourceFinal = "\x00"
return nil return nil
} }
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} else { } else {
b.SourceFinal = v b.SourceFinal = v
return nil return nil
@ -66,10 +65,10 @@ func (b *BindMount) apply(*Params) error {
// this perm value emulates bwrap behaviour as it clears bits from 0755 based on // this perm value emulates bwrap behaviour as it clears bits from 0755 based on
// op->perms which is never set for any bind setup op so always results in 0700 // op->perms which is never set for any bind setup op so always results in 0700
if fi, err := os.Stat(source); err != nil { if fi, err := os.Stat(source); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} else if fi.IsDir() { } else if fi.IsDir() {
if err = os.MkdirAll(target, 0700); err != nil { if err = os.MkdirAll(target, 0700); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
} else if err = ensureFile(target, 0444, 0700); err != nil { } else if err = ensureFile(target, 0444, 0700); err != nil {
return err return err
@ -105,7 +104,7 @@ func init() { gob.Register(new(MountProc)) }
type MountProc string type MountProc string
func (p MountProc) early(*Params) error { return nil } func (p MountProc) early(*Params) error { return nil }
func (p MountProc) apply(params *Params) error { func (p MountProc) apply(*Params) error {
v := string(p) v := string(p)
if !path.IsAbs(v) { if !path.IsAbs(v) {
@ -114,8 +113,8 @@ func (p MountProc) apply(params *Params) error {
} }
target := toSysroot(v) target := toSysroot(v)
if err := os.MkdirAll(target, params.ParentPerm); err != nil { if err := os.MkdirAll(target, 0755); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
return wrapErrSuffix(syscall.Mount("proc", target, "proc", return wrapErrSuffix(syscall.Mount("proc", target, "proc",
syscall.MS_NOSUID|syscall.MS_NOEXEC|syscall.MS_NODEV, ""), syscall.MS_NOSUID|syscall.MS_NOEXEC|syscall.MS_NODEV, ""),
@ -145,13 +144,13 @@ func (d MountDev) apply(params *Params) error {
} }
target := toSysroot(v) target := toSysroot(v)
if err := mountTmpfs("devtmpfs", v, 0, params.ParentPerm); err != nil { if err := mountTmpfs("devtmpfs", v, 0, 0755); err != nil {
return err return err
} }
for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} { for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
targetPath := toSysroot(path.Join(v, name)) targetPath := toSysroot(path.Join(v, name))
if err := ensureFile(targetPath, 0444, params.ParentPerm); err != nil { if err := ensureFile(targetPath, 0444, 0755); err != nil {
return err return err
} }
if err := hostProc.bindMount( if err := hostProc.bindMount(
@ -168,7 +167,7 @@ func (d MountDev) apply(params *Params) error {
"/proc/self/fd/"+string(rune(i+'0')), "/proc/self/fd/"+string(rune(i+'0')),
path.Join(target, name), path.Join(target, name),
); err != nil { ); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
} }
for _, pair := range [][2]string{ for _, pair := range [][2]string{
@ -177,14 +176,14 @@ func (d MountDev) apply(params *Params) error {
{"pts/ptmx", "ptmx"}, {"pts/ptmx", "ptmx"},
} { } {
if err := os.Symlink(pair[0], path.Join(target, pair[1])); err != nil { if err := os.Symlink(pair[0], path.Join(target, pair[1])); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
} }
devPtsPath := path.Join(target, "pts") devPtsPath := path.Join(target, "pts")
for _, name := range []string{path.Join(target, "shm"), devPtsPath} { for _, name := range []string{path.Join(target, "shm"), devPtsPath} {
if err := os.Mkdir(name, params.ParentPerm); err != nil { if err := os.Mkdir(name, 0755); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
} }
@ -202,11 +201,11 @@ func (d MountDev) apply(params *Params) error {
uintptr(unsafe.Pointer(&buf[0])), uintptr(unsafe.Pointer(&buf[0])),
); errno == 0 { ); errno == 0 {
consolePath := toSysroot(path.Join(v, "console")) consolePath := toSysroot(path.Join(v, "console"))
if err := ensureFile(consolePath, 0444, params.ParentPerm); err != nil { if err := ensureFile(consolePath, 0444, 0755); err != nil {
return err return err
} }
if name, err := os.Readlink(hostProc.stdout()); err != nil { if name, err := os.Readlink(hostProc.stdout()); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} else if err = hostProc.bindMount( } else if err = hostProc.bindMount(
toHost(name), toHost(name),
consolePath, consolePath,
@ -235,7 +234,7 @@ func init() { gob.Register(new(MountMqueue)) }
type MountMqueue string type MountMqueue string
func (m MountMqueue) early(*Params) error { return nil } func (m MountMqueue) early(*Params) error { return nil }
func (m MountMqueue) apply(params *Params) error { func (m MountMqueue) apply(*Params) error {
v := string(m) v := string(m)
if !path.IsAbs(v) { if !path.IsAbs(v) {
@ -244,8 +243,8 @@ func (m MountMqueue) apply(params *Params) error {
} }
target := toSysroot(v) target := toSysroot(v)
if err := os.MkdirAll(target, params.ParentPerm); err != nil { if err := os.MkdirAll(target, 0755); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
return wrapErrSuffix(syscall.Mount("mqueue", target, "mqueue", return wrapErrSuffix(syscall.Mount("mqueue", target, "mqueue",
syscall.MS_NOSUID|syscall.MS_NOEXEC|syscall.MS_NODEV, ""), syscall.MS_NOSUID|syscall.MS_NOEXEC|syscall.MS_NODEV, ""),
@ -295,22 +294,8 @@ func init() { gob.Register(new(Symlink)) }
// Symlink creates a symlink in the container filesystem. // Symlink creates a symlink in the container filesystem.
type Symlink [2]string type Symlink [2]string
func (l *Symlink) early(*Params) error { func (l *Symlink) early(*Params) error { return nil }
if strings.HasPrefix(l[0], "*") { func (l *Symlink) apply(*Params) error {
l[0] = l[0][1:]
if !path.IsAbs(l[0]) {
return msg.WrapErr(syscall.EBADE,
fmt.Sprintf("path %q is not absolute", l[0]))
}
if name, err := os.Readlink(l[0]); err != nil {
return wrapErrSelf(err)
} else {
l[0] = name
}
}
return nil
}
func (l *Symlink) apply(params *Params) error {
// symlink target is an arbitrary path value, so only validate link name here // symlink target is an arbitrary path value, so only validate link name here
if !path.IsAbs(l[1]) { if !path.IsAbs(l[1]) {
return msg.WrapErr(syscall.EBADE, return msg.WrapErr(syscall.EBADE,
@ -318,11 +303,14 @@ func (l *Symlink) apply(params *Params) error {
} }
target := toSysroot(l[1]) target := toSysroot(l[1])
if err := os.MkdirAll(path.Dir(target), params.ParentPerm); err != nil { if err := ensureFile(target, 0444, 0755); err != nil {
return wrapErrSelf(err) return err
}
if err := os.Remove(target); err != nil {
return msg.WrapErr(err, err.Error())
} }
if err := os.Symlink(l[0], target); err != nil { if err := os.Symlink(l[0], target); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
return nil return nil
} }
@ -351,7 +339,7 @@ func (m *Mkdir) apply(*Params) error {
} }
if err := os.MkdirAll(toSysroot(m.Path), m.Perm); err != nil { if err := os.MkdirAll(toSysroot(m.Path), m.Perm); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
return nil return nil
} }
@ -373,7 +361,7 @@ type Tmpfile struct {
} }
func (t *Tmpfile) early(*Params) error { return nil } func (t *Tmpfile) early(*Params) error { return nil }
func (t *Tmpfile) apply(params *Params) error { func (t *Tmpfile) apply(*Params) error {
if !path.IsAbs(t.Path) { if !path.IsAbs(t.Path) {
return msg.WrapErr(syscall.EBADE, return msg.WrapErr(syscall.EBADE,
fmt.Sprintf("path %q is not absolute", t.Path)) fmt.Sprintf("path %q is not absolute", t.Path))
@ -381,7 +369,7 @@ func (t *Tmpfile) apply(params *Params) error {
var tmpPath string var tmpPath string
if f, err := os.CreateTemp("/", "tmp.*"); err != nil { if f, err := os.CreateTemp("/", "tmp.*"); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} else if _, err = f.Write(t.Data); err != nil { } else if _, err = f.Write(t.Data); err != nil {
return wrapErrSuffix(err, return wrapErrSuffix(err,
"cannot write to intermediate file:") "cannot write to intermediate file:")
@ -393,7 +381,7 @@ func (t *Tmpfile) apply(params *Params) error {
} }
target := toSysroot(t.Path) target := toSysroot(t.Path)
if err := ensureFile(target, 0444, params.ParentPerm); err != nil { if err := ensureFile(target, 0444, 0755); err != nil {
return err return err
} else if err = hostProc.bindMount( } else if err = hostProc.bindMount(
tmpPath, tmpPath,
@ -403,7 +391,7 @@ func (t *Tmpfile) apply(params *Params) error {
); err != nil { ); err != nil {
return err return err
} else if err = os.Remove(tmpPath); err != nil { } else if err = os.Remove(tmpPath); err != nil {
return wrapErrSelf(err) return msg.WrapErr(err, err.Error())
} }
return nil return nil
} }
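Review bot: In the Symlink.apply hunk the new side creates a regular file with `ensureFile(target, 0444, 0755)` and immediately deletes it with `os.Remove(target)` purely to get the parent directory created, which is both non-obvious and a behaviour change: the unconditional `os.Remove` silently replaces whatever already exists at the link name, where the previous `MkdirAll` + `os.Symlink` sequence would surface a conflicting setup op as an EEXIST from `os.Symlink`. Creating the parent directly is clearer and preserves that check: replace the two blocks with `if err := os.MkdirAll(path.Dir(target), 0755); err != nil { return msg.WrapErr(err, err.Error()) }` before the `os.Symlink` call. ensureFile is not in this compare, so its behaviour when `target` already exists as a directory (and whether `os.Remove` would then fail on a non-empty one) should be confirmed. The same 0755 literal now appears in MountProc, MountDev, MountMqueue, Symlink and Tmpfile after the removal of `Params.ParentPerm`; a single named constant in this package would keep those in step.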


@ -39,7 +39,7 @@
urandom = fs "42001b6" null null; urandom = fs "42001b6" null null;
zero = fs "42001b6" null null; zero = fs "42001b6" null null;
} null; } null;
etc = fs "800001ed" { etc = fs "800001c0" {
".clean" = fs "80001ff" null null; ".clean" = fs "80001ff" null null;
".updated" = fs "80001ff" null null; ".updated" = fs "80001ff" null null;
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
@ -111,9 +111,9 @@
} null; } null;
nix = fs "800001c0" { store = fs "801001fd" null null; } null; nix = fs "800001c0" { store = fs "801001fd" null null; } null;
proc = fs "8000016d" null null; proc = fs "8000016d" null null;
run = fs "800001ed" { run = fs "800001c0" {
current-system = fs "80001ff" null null; current-system = fs "8000016d" null null;
opengl-driver = fs "80001ff" null null; opengl-driver = fs "8000016d" null null;
user = fs "800001ed" { user = fs "800001ed" {
"1000" = fs "800001ed" { "1000" = fs "800001ed" {
bus = fs "10001fd" null null; bus = fs "10001fd" null null;
@ -195,11 +195,13 @@
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on") (ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent ignore "/run/current-system" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")


@ -39,7 +39,7 @@
urandom = fs "42001b6" null null; urandom = fs "42001b6" null null;
zero = fs "42001b6" null null; zero = fs "42001b6" null null;
} null; } null;
etc = fs "800001ed" { etc = fs "800001c0" {
".clean" = fs "80001ff" null null; ".clean" = fs "80001ff" null null;
".updated" = fs "80001ff" null null; ".updated" = fs "80001ff" null null;
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
@ -111,9 +111,9 @@
} null; } null;
nix = fs "800001c0" { store = fs "801001fd" null null; } null; nix = fs "800001c0" { store = fs "801001fd" null null; } null;
proc = fs "8000016d" null null; proc = fs "8000016d" null null;
run = fs "800001ed" { run = fs "800001c0" {
current-system = fs "80001ff" null null; current-system = fs "8000016d" null null;
opengl-driver = fs "80001ff" null null; opengl-driver = fs "8000016d" null null;
user = fs "800001ed" { user = fs "800001ed" {
"65534" = fs "800001ed" { "65534" = fs "800001ed" {
bus = fs "10001fd" null null; bus = fs "10001fd" null null;
@ -195,11 +195,13 @@
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on") (ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent ignore "/run/current-system" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")


@ -40,7 +40,7 @@
urandom = fs "42001b6" null null; urandom = fs "42001b6" null null;
zero = fs "42001b6" null null; zero = fs "42001b6" null null;
} null; } null;
etc = fs "800001ed" { etc = fs "800001c0" {
".clean" = fs "80001ff" null null; ".clean" = fs "80001ff" null null;
".updated" = fs "80001ff" null null; ".updated" = fs "80001ff" null null;
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
@ -112,9 +112,9 @@
} null; } null;
nix = fs "800001c0" { store = fs "801001fd" null null; } null; nix = fs "800001c0" { store = fs "801001fd" null null; } null;
proc = fs "8000016d" null null; proc = fs "8000016d" null null;
run = fs "800001ed" { run = fs "800001c0" {
current-system = fs "80001ff" null null; current-system = fs "8000016d" null null;
opengl-driver = fs "80001ff" null null; opengl-driver = fs "8000016d" null null;
user = fs "800001ed" { user = fs "800001ed" {
"65534" = fs "800001ed" { "65534" = fs "800001ed" {
bus = fs "10001fd" null null; bus = fs "10001fd" null null;
@ -197,11 +197,13 @@
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on") (ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent ignore "/run/current-system" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")


@ -141,7 +141,7 @@ def silent_output_interrupt(flags):
wait_for_window("alice@machine") wait_for_window("alice@machine")
# aid 0 does not have home-manager # aid 0 does not have home-manager
machine.send_chars(f"exec fortify run {flags}-a 0 sh -c 'export PATH=/run/current-system/sw/bin:$PATH && touch /tmp/pd-silent-ready && sleep infinity' &>/tmp/pd-silent\n") machine.send_chars(f"exec fortify run {flags}-a 0 sh -c 'export PATH=/run/current-system/sw/bin:$PATH && touch /tmp/pd-silent-ready && sleep infinity' &>/tmp/pd-silent\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/pd-silent-ready", timeout=15) machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/pd-silent-ready", timeout=10)
machine.succeed("rm /tmp/fortify.1000/tmpdir/0/pd-silent-ready") machine.succeed("rm /tmp/fortify.1000/tmpdir/0/pd-silent-ready")
machine.send_key("ctrl-c") machine.send_key("ctrl-c")
machine.wait_until_fails("pgrep foot", timeout=5) machine.wait_until_fails("pgrep foot", timeout=5)
@ -172,18 +172,18 @@ fortify("-v run --wayland -X --dbus --pulse -u p1 foot && touch /tmp/p1-exit-ok"
wait_for_window("p1@machine") wait_for_window("p1@machine")
print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")) print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000"))
machine.send_chars("exit\n") machine.send_chars("exit\n")
machine.wait_for_file("/tmp/p1-exit-ok", timeout=15) machine.wait_for_file("/tmp/p1-exit-ok", timeout=10)
# Verify acl is kept alive: # Verify acl is kept alive:
print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")) print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000"))
machine.send_chars("exit\n") machine.send_chars("exit\n")
machine.wait_for_file("/tmp/p0-exit-ok", timeout=15) machine.wait_for_file("/tmp/p0-exit-ok", timeout=10)
machine.fail("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000") machine.fail("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
# Start app (foot) with Wayland enablement: # Start app (foot) with Wayland enablement:
swaymsg("exec ne-foot") swaymsg("exec ne-foot")
wait_for_window(f"u0_a{aid(0)}@machine") wait_for_window(f"u0_a{aid(0)}@machine")
machine.send_chars("clear; wayland-info && touch /tmp/client-ok\n") machine.send_chars("clear; wayland-info && touch /tmp/client-ok\n")
machine.wait_for_file(tmpdir_path(0, "client-ok"), timeout=15) machine.wait_for_file(tmpdir_path(0, "client-ok"), timeout=10)
collect_state_ui("foot_wayland") collect_state_ui("foot_wayland")
check_state("ne-foot", 1) check_state("ne-foot", 1)
# Verify acl on XDG_RUNTIME_DIR: # Verify acl on XDG_RUNTIME_DIR:
@ -197,7 +197,7 @@ machine.wait_until_fails(f"getfacl --absolute-names --omit-header --numeric /run
swaymsg("exec foot $SHELL -c '(ne-foot) & sleep 1 && fortify show $(fortify ps --short) && touch /tmp/ps-show-ok && cat'") swaymsg("exec foot $SHELL -c '(ne-foot) & sleep 1 && fortify show $(fortify ps --short) && touch /tmp/ps-show-ok && cat'")
wait_for_window(f"u0_a{aid(0)}@machine") wait_for_window(f"u0_a{aid(0)}@machine")
machine.send_chars("clear; wayland-info && touch /tmp/term-ok\n") machine.send_chars("clear; wayland-info && touch /tmp/term-ok\n")
machine.wait_for_file(tmpdir_path(0, "term-ok"), timeout=15) machine.wait_for_file(tmpdir_path(0, "term-ok"), timeout=10)
machine.wait_for_file("/tmp/ps-show-ok", timeout=5) machine.wait_for_file("/tmp/ps-show-ok", timeout=5)
collect_state_ui("foot_wayland_term") collect_state_ui("foot_wayland_term")
check_state("ne-foot", 1) check_state("ne-foot", 1)
@ -220,7 +220,7 @@ machine.wait_until_fails("pgrep foot", timeout=5)
swaymsg("exec x11-alacritty") swaymsg("exec x11-alacritty")
wait_for_window(f"u0_a{aid(2)}@machine") wait_for_window(f"u0_a{aid(2)}@machine")
machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n") machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n")
machine.wait_for_file(tmpdir_path(2, "x11-ok"), timeout=15) machine.wait_for_file(tmpdir_path(2, "x11-ok"), timeout=10)
collect_state_ui("alacritty_x11") collect_state_ui("alacritty_x11")
check_state("x11-alacritty", 2) check_state("x11-alacritty", 2)
machine.send_chars("exit\n") machine.send_chars("exit\n")
@ -231,7 +231,7 @@ swaymsg("exec da-foot")
wait_for_window(f"u0_a{aid(3)}@machine") wait_for_window(f"u0_a{aid(3)}@machine")
machine.send_chars("clear; wayland-info && touch /tmp/direct-ok\n") machine.send_chars("clear; wayland-info && touch /tmp/direct-ok\n")
collect_state_ui("foot_direct") collect_state_ui("foot_direct")
machine.wait_for_file(tmpdir_path(3, "direct-ok"), timeout=15) machine.wait_for_file(tmpdir_path(3, "direct-ok"), timeout=10)
check_state("da-foot", 1) check_state("da-foot", 1)
# Verify acl on XDG_RUNTIME_DIR: # Verify acl on XDG_RUNTIME_DIR:
print(machine.succeed(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(3) + 1000000}")) print(machine.succeed(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(3) + 1000000}"))
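Review bot: Every `machine.wait_for_file(..., timeout=15)` in this test script is lowered to `timeout=10` with no accompanying reason, which on a VM-based test mostly trades a few seconds per step for a higher chance of spurious failures on slower CI runners. If the shorter bound is meant to catch a regression in startup time, say so in a comment next to the first occurrence; otherwise keep the larger value or hoist it into one module-level name, e.g. `READY_TIMEOUT = 15`, so it is tuned in one place. The `pgrep foot` and `ps-show-ok` waits keep their 5-second limits, so the two classes of wait are now unevenly budgeted for reasons the script does not state.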