cmd/fpkg: app bundle helper

This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once.

Signed-off-by: Ophestra <cat@gensokyo.uk>

fst/config.go

@@ -81,7 +81,6 @@ type SandboxConfig struct {
 }
 
 type ExtraPermConfig struct {
-	Ensure  bool   `json:"ensure,omitempty"`
 	Path    string `json:"path"`
 	Read    bool   `json:"r,omitempty"`
 	Write   bool   `json:"w,omitempty"`
@@ -89,12 +88,8 @@ type ExtraPermConfig struct {
 }
 
 func (e *ExtraPermConfig) String() string {
-	buf := make([]byte, 0, 5+len(e.Path))
-	buf = append(buf, '-', '-', '-')
-	if e.Ensure {
-		buf = append(buf, '+')
-	}
-	buf = append(buf, ':')
+	buf := make([]byte, 0, 4+len(e.Path))
+	buf = append(buf, '-', '-', '-', ':')
 	buf = append(buf, []byte(e.Path)...)
 	if e.Read {
 		buf[0] = 'r'

internal/app/seal.go

@@ -63,9 +63,8 @@ type appSeal struct {
 }
 
 type sealedExtraPerm struct {
-	name   string
-	perms  acl.Perms
-	ensure bool
+	name  string
+	perms acl.Perms
 }
 
 // Seal seals the app launch context
@@ -170,7 +169,6 @@ func (a *app) Seal(config *fst.Config) error {
 		if p.Execute {
 			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
 		}
-		seal.extraPerms[i].ensure = p.Ensure
 	}
 
 	// map sandbox config to bwrap

internal/app/share.go

@@ -297,9 +297,6 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 		if p == nil {
 			continue
 		}
-		if p.ensure {
-			seal.sys.Ensure(p.name, 0700)
-		}
 		seal.sys.UpdatePermType(system.User, p.name, p.perms...)
 	}