cmd/fshim: ensure data directory

Ensuring home directory in shim causes the directory to be owned by the target user.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/fshim/ipc/payload.go

@@ -13,6 +13,8 @@ type Payload struct {
 	Exec [2]string
 	// bwrap config
 	Bwrap *bwrap.Config
+	// path to outer home directory
+	Home string
 	// sync fd
 	Sync *uintptr
 

cmd/fshim/main.go

@@ -9,6 +9,7 @@ import (
 
 	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
+	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
@@ -80,6 +81,21 @@ func main() {
 		// not fatal
 	}
 
+	// ensure home directory as target user
+	if s, err := os.Stat(payload.Home); err != nil {
+		if os.IsNotExist(err) {
+			if err = os.Mkdir(payload.Home, 0700); err != nil {
+				fmsg.Fatalf("cannot create home directory: %v", err)
+			}
+		} else {
+			fmsg.Fatalf("cannot access home directory: %v", err)
+		}
+
+		// home directory is created, proceed
+	} else if !s.IsDir() {
+		fmsg.Fatalf("data path %q is not a directory", payload.Home)
+	}
+
 	var ic init0.Payload
 
 	// resolve argv0
@@ -117,8 +133,12 @@ func main() {
 		}()
 	}
 
+	// bind finit inside sandbox
+	finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
+	conf.Bind(finitPath, finitInnerPath)
+
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, finitPath,
+	if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
 		func(int, int) []string { return make([]string, 0) }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {

dbus/dbus_test.go

@@ -124,6 +124,8 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 
 		t.Run("proxy for "+id, func(t *testing.T) {
 			helper.InternalReplaceExecCommand(t)
+			overridePath(t)
+
 			p := dbus.New(tc[0].bus, tc[1].bus)
 			output := new(strings.Builder)
 
@@ -174,7 +176,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 
 				t.Run("sealed start of "+id, func(t *testing.T) {
 					if err := p.Start(nil, output, sandbox); err != nil {
-						t.Errorf("Start(nil, nil) error = %v",
+						t.Fatalf("Start(nil, nil) error = %v",
 							err)
 					}
 
@@ -213,3 +215,11 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 		})
 	}
 }
+
+func overridePath(t *testing.T) {
+	proxyName := dbus.ProxyName
+	dbus.ProxyName = "/nonexistent-xdg-dbus-proxy"
+	t.Cleanup(func() {
+		dbus.ProxyName = proxyName
+	})
+}

dbus/run.go

@@ -46,14 +46,16 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
 		// look up absolute path if name is just a file name
 		toolPath := p.name
 		if filepath.Base(p.name) == p.name {
-			if s, err := exec.LookPath(p.name); err == nil {
+			if s, err := exec.LookPath(p.name); err != nil {
+				return err
+			} else {
 				toolPath = s
 			}
 		}
 
 		// resolve libraries by parsing ldd output
 		var proxyDeps []*ldd.Entry
-		if path.IsAbs(toolPath) {
+		if toolPath != "/nonexistent-xdg-dbus-proxy" {
 			if l, err := ldd.Exec(toolPath); err != nil {
 				return err
 			} else {
@@ -91,6 +93,9 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
 			if path.IsAbs(ent.Path) {
 				roBindTarget[path.Dir(ent.Path)] = struct{}{}
 			}
+			if path.IsAbs(ent.Name) {
+				roBindTarget[path.Dir(ent.Name)] = struct{}{}
+			}
 		}
 
 		// resolve upstream bus directories

dist/install.sh

@@ -7,4 +7,8 @@ install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fini
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 
 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
-install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
+if [ ! -f "${FORTIFY_INSTALL_PREFIX}/etc/fsurc" ]; then
+    install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
+fi
+
+install -vDm0644 "comp/_fortify" "${FORTIFY_INSTALL_PREFIX}/usr/share/zsh/site-functions/_fortify"

dist/release.sh

@@ -5,9 +5,10 @@ pname="fortify-${VERSION}"
 out="dist/${pname}"
 
 mkdir -p "${out}"
-cp "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
+cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
+cp -rv "comp" "${out}"
 
-go build -v -o "${out}/bin/" -ldflags "-s -w
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
   -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
   -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
   -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
@@ -16,4 +17,4 @@ go build -v -o "${out}/bin/" -ldflags "-s -w
 
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
 rm -rf "./${out}"
-sha512sum "${out}.tar.gz" > "${out}.tar.gz.sha512"
+(cd dist && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")

fst/config.go

@@ -13,12 +13,11 @@ const Tmp = "/.fortify"
 
 // Config is used to seal an *App
 type Config struct {
-	// D-Bus application ID
+	// application ID
 	ID string `json:"id"`
 	// value passed through to the child process as its argv
 	Command []string `json:"command"`
 
-	// child confinement configuration
 	Confinement ConfinementConfig `json:"confinement"`
 }
 
@@ -28,7 +27,7 @@ type ConfinementConfig struct {
 	AppID int `json:"app_id"`
 	// list of supplementary groups to inherit
 	Groups []string `json:"groups"`
-	// passwd username in the sandbox, defaults to chronos
+	// passwd username in the sandbox, defaults to passwd name of target uid or chronos
 	Username string `json:"username,omitempty"`
 	// home directory in sandbox, empty for outer
 	Inner string `json:"home_inner"`
@@ -36,6 +35,8 @@ type ConfinementConfig struct {
 	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
+	// extra acl entries to append
+	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 
 	// reference to a system D-Bus proxy configuration,
 	// nil value disables system bus proxy
@@ -44,7 +45,7 @@ type ConfinementConfig struct {
 	// nil value makes session bus proxy assume built-in defaults
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
 
-	// child capability enablements
+	// system resources to expose to the sandbox
 	Enablements system.Enablements `json:"enablements"`
 }
 
@@ -52,7 +53,7 @@ type ConfinementConfig struct {
 type SandboxConfig struct {
 	// unix hostname within sandbox
 	Hostname string `json:"hostname,omitempty"`
-	// userns availability within sandbox
+	// allow userns within sandbox
 	UserNS bool `json:"userns,omitempty"`
 	// share net namespace
 	Net bool `json:"net,omitempty"`
@@ -71,12 +72,42 @@ type SandboxConfig struct {
 	Filesystem []*FilesystemConfig `json:"filesystem"`
 	// symlinks created inside the sandbox
 	Link [][2]string `json:"symlink"`
+	// read-only /etc directory
+	Etc string `json:"etc,omitempty"`
 	// automatically set up /etc symlinks
 	AutoEtc bool `json:"auto_etc"`
 	// paths to override by mounting tmpfs over them
 	Override []string `json:"override"`
 }
 
+type ExtraPermConfig struct {
+	Ensure  bool   `json:"ensure,omitempty"`
+	Path    string `json:"path"`
+	Read    bool   `json:"r,omitempty"`
+	Write   bool   `json:"w,omitempty"`
+	Execute bool   `json:"x,omitempty"`
+}
+
+func (e *ExtraPermConfig) String() string {
+	buf := make([]byte, 0, 5+len(e.Path))
+	buf = append(buf, '-', '-', '-')
+	if e.Ensure {
+		buf = append(buf, '+')
+	}
+	buf = append(buf, ':')
+	buf = append(buf, []byte(e.Path)...)
+	if e.Read {
+		buf[0] = 'r'
+	}
+	if e.Write {
+		buf[1] = 'w'
+	}
+	if e.Execute {
+		buf[2] = 'x'
+	}
+	return string(buf)
+}
+
 type FilesystemConfig struct {
 	// mount point in sandbox, same as src if empty
 	Dst string `json:"dst,omitempty"`
@@ -86,7 +117,7 @@ type FilesystemConfig struct {
 	Write bool `json:"write,omitempty"`
 	// device access
 	Device bool `json:"dev,omitempty"`
-	// exit if unable to share
+	// fail if mount fails
 	Must bool `json:"require,omitempty"`
 }
 
@@ -128,7 +159,11 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 	}
 
 	if !s.AutoEtc {
-		conf.Dir("/etc")
+		if s.Etc == "" {
+			conf.Dir("/etc")
+		} else {
+			conf.Bind(s.Etc, "/etc")
+		}
 	}
 
 	for _, c := range s.Filesystem {
@@ -148,10 +183,14 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 	}
 
 	if s.AutoEtc {
-		conf.Bind("/etc", Tmp+"/etc")
+		etc := s.Etc
+		if etc == "" {
+			etc = "/etc"
+		}
+		conf.Bind(etc, Tmp+"/etc")
 
 		// link host /etc contents to prevent passwd/group from being overwritten
-		if d, err := os.ReadDir("/etc"); err != nil {
+		if d, err := os.ReadDir(etc); err != nil {
 			return nil, err
 		} else {
 			for _, ent := range d {
@@ -213,6 +252,7 @@ func Template() *Config {
 					{Src: "/dev/dri", Device: true},
 				},
 				Link:     [][2]string{{"/run/user/65534", "/run/user/150"}},
+				Etc:      "/etc",
 				AutoEtc:  true,
 				Override: []string{"/var/run/nscd"},
 			},

helper/bwrap/config.set.go

@@ -106,7 +106,7 @@ func (c *Config) Mqueue(dest string) *Config {
 // Dir create dir in sandbox
 // (--dir DEST)
 func (c *Config) Dir(dest string) *Config {
-	c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Dir], dest})
+	c.Filesystem = append(c.Filesystem, &stringF{awkwardArgs[Dir], dest})
 	return c
 }
 

internal/app/seal.go

@@ -8,6 +8,7 @@ import (
 	"regexp"
 	"strconv"
 
+	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
@@ -48,6 +49,8 @@ type appSeal struct {
 	et system.Enablements
 	// wayland socket direct access
 	directWayland bool
+	// extra UpdatePerm ops
+	extraPerms []*sealedExtraPerm
 
 	// prevents sharing from happening twice
 	shared bool
@@ -59,6 +62,12 @@ type appSeal struct {
 	// protected by upstream mutex
 }
 
+type sealedExtraPerm struct {
+	name   string
+	perms  acl.Perms
+	ensure bool
+}
+
 // Seal seals the app launch context
 func (a *app) Seal(config *fst.Config) error {
 	a.lock.Lock()
@@ -100,47 +109,68 @@ func (a *app) Seal(config *fst.Config) error {
 	if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
 		return fmsg.WrapError(ErrUser,
 			fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
+	}
+	seal.sys.user = appUser{
+		aid:      config.Confinement.AppID,
+		as:       strconv.Itoa(config.Confinement.AppID),
+		data:     config.Confinement.Outer,
+		home:     config.Confinement.Inner,
+		username: config.Confinement.Username,
+	}
+	if seal.sys.user.username == "" {
+		seal.sys.user.username = "chronos"
+	} else if !posixUsername.MatchString(seal.sys.user.username) {
+		return fmsg.WrapError(ErrName,
+			fmt.Sprintf("invalid user name %q", seal.sys.user.username))
+	}
+	if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
+		return fmsg.WrapError(ErrHome,
+			fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
+	}
+	if seal.sys.user.home == "" {
+		seal.sys.user.home = seal.sys.user.data
+	}
+
+	// invoke fsu for full uid
+	if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			"cannot obtain uid from fsu:")
 	} else {
-		seal.sys.user = appUser{
+		seal.sys.user.uid = u
-			aid:      config.Confinement.AppID,
+		seal.sys.user.us = strconv.Itoa(u)
-			as:       strconv.Itoa(config.Confinement.AppID),
+	}
-			data:     config.Confinement.Outer,
-			home:     config.Confinement.Inner,
-			username: config.Confinement.Username,
-		}
-		if seal.sys.user.username == "" {
-			seal.sys.user.username = "chronos"
-		} else if !posixUsername.MatchString(seal.sys.user.username) {
-			return fmsg.WrapError(ErrName,
-				fmt.Sprintf("invalid user name %q", seal.sys.user.username))
-		}
-		if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
-			return fmsg.WrapError(ErrHome,
-				fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
-		}
-		if seal.sys.user.home == "" {
-			seal.sys.user.home = seal.sys.user.data
-		}
 
-		// invoke fsu for full uid
+	// resolve supplementary group ids from names
-		if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
+	seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
-			return fmsg.WrapErrorSuffix(err,
+	for i, name := range config.Confinement.Groups {
-				"cannot obtain uid from fsu:")
+		if g, err := a.os.LookupGroup(name); err != nil {
+			return fmsg.WrapError(err,
+				fmt.Sprintf("unknown group %q", name))
 		} else {
-			seal.sys.user.uid = u
+			seal.sys.user.supp[i] = g.Gid
-			seal.sys.user.us = strconv.Itoa(u)
+		}
+	}
+
+	// build extra perms
+	seal.extraPerms = make([]*sealedExtraPerm, len(config.Confinement.ExtraPerms))
+	for i, p := range config.Confinement.ExtraPerms {
+		if p == nil {
+			continue
 		}
 
-		// resolve supplementary group ids from names
+		seal.extraPerms[i] = new(sealedExtraPerm)
-		seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
+		seal.extraPerms[i].name = p.Path
-		for i, name := range config.Confinement.Groups {
+		seal.extraPerms[i].perms = make(acl.Perms, 0, 3)
-			if g, err := a.os.LookupGroup(name); err != nil {
+		if p.Read {
-				return fmsg.WrapError(err,
+			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Read)
-					fmt.Sprintf("unknown group %q", name))
-			} else {
-				seal.sys.user.supp[i] = g.Gid
-			}
 		}
+		if p.Write {
+			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Write)
+		}
+		if p.Execute {
+			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
+		}
+		seal.extraPerms[i].ensure = p.Ensure
 	}
 
 	// map sandbox config to bwrap
@@ -229,7 +259,7 @@ func (a *app) Seal(config *fst.Config) error {
 	seal.et = config.Confinement.Enablements
 
 	// this method calls all share methods in sequence
-	if err := seal.shareAll([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
+	if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
 		return err
 	}
 

internal/app/share.dbus.go

@@ -1,44 +0,0 @@
-package app
-
-import (
-	"path"
-
-	"git.gensokyo.uk/security/fortify/acl"
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/internal/system"
-)
-
-const (
-	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
-	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
-)
-
-func (seal *appSeal) shareDBus(config [2]*dbus.Config) error {
-	if !seal.et.Has(system.EDBus) {
-		return nil
-	}
-
-	// downstream socket paths
-	sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
-
-	// configure dbus proxy
-	if f, err := seal.sys.ProxyDBus(config[0], config[1], sessionPath, systemPath); err != nil {
-		return err
-	} else {
-		seal.dbusMsg = f
-	}
-
-	// share proxy sockets
-	sessionInner := path.Join(seal.sys.runtime, "bus")
-	seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
-	seal.sys.bwrap.Bind(sessionPath, sessionInner)
-	seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
-	if config[1] != nil {
-		systemInner := "/run/dbus/system_bus_socket"
-		seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
-		seal.sys.bwrap.Bind(systemPath, systemInner)
-		seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
-	}
-
-	return nil
-}

internal/app/share.display.go

@@ -1,81 +0,0 @@
-package app
-
-import (
-	"errors"
-	"path"
-
-	"git.gensokyo.uk/security/fortify/acl"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/linux"
-	"git.gensokyo.uk/security/fortify/internal/system"
-)
-
-const (
-	term    = "TERM"
-	display = "DISPLAY"
-
-	// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
-	waylandDisplay = "WAYLAND_DISPLAY"
-)
-
-var (
-	ErrWayland  = errors.New(waylandDisplay + " unset")
-	ErrXDisplay = errors.New(display + " unset")
-)
-
-func (seal *appSeal) shareDisplay(os linux.System) error {
-	// pass $TERM to launcher
-	if t, ok := os.LookupEnv(term); ok {
-		seal.sys.bwrap.SetEnv[term] = t
-	}
-
-	// set up wayland
-	if seal.et.Has(system.EWayland) {
-		var wp string
-		if wd, ok := os.LookupEnv(waylandDisplay); !ok {
-			return fmsg.WrapError(ErrWayland,
-				"WAYLAND_DISPLAY is not set")
-		} else {
-			wp = path.Join(seal.RuntimePath, wd)
-		}
-
-		w := path.Join(seal.sys.runtime, "wayland-0")
-		seal.sys.bwrap.SetEnv[waylandDisplay] = w
-
-		if seal.directWayland {
-			// hardlink wayland socket
-			wpi := path.Join(seal.shareLocal, "wayland")
-			seal.sys.Link(wp, wpi)
-			seal.sys.bwrap.Bind(wpi, w)
-
-			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
-			seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
-		} else {
-			wc := path.Join(seal.SharePath, "wayland")
-			wt := path.Join(wc, seal.id)
-			seal.sys.Ensure(wc, 0711)
-			appID := seal.fid
-			if appID == "" {
-				// use instance ID in case app id is not set
-				appID = "moe.ophivana.fortify." + seal.id
-			}
-			seal.sys.Wayland(wt, wp, appID, seal.id)
-			seal.sys.bwrap.Bind(wt, w)
-		}
-	}
-
-	// set up X11
-	if seal.et.Has(system.EX11) {
-		// discover X11 and grant user permission via the `ChangeHosts` command
-		if d, ok := os.LookupEnv(display); !ok {
-			return fmsg.WrapError(ErrXDisplay,
-				"DISPLAY is not set")
-		} else {
-			seal.sys.ChangeHosts("#" + seal.sys.user.us)
-			seal.sys.bwrap.SetEnv[display] = d
-			seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
-		}
-	}
-
-	return nil
-}

internal/app/share.go

@@ -0,0 +1,346 @@
+package app
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"path"
+
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
+)
+
+const (
+	home  = "HOME"
+	shell = "SHELL"
+
+	xdgConfigHome   = "XDG_CONFIG_HOME"
+	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
+	xdgSessionClass = "XDG_SESSION_CLASS"
+	xdgSessionType  = "XDG_SESSION_TYPE"
+
+	term    = "TERM"
+	display = "DISPLAY"
+
+	// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
+	waylandDisplay = "WAYLAND_DISPLAY"
+
+	pulseServer = "PULSE_SERVER"
+	pulseCookie = "PULSE_COOKIE"
+
+	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
+	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
+)
+
+var (
+	ErrWayland  = errors.New(waylandDisplay + " unset")
+	ErrXDisplay = errors.New(display + " unset")
+
+	ErrPulseCookie = errors.New("pulse cookie not present")
+	ErrPulseSocket = errors.New("pulse socket not present")
+	ErrPulseMode   = errors.New("unexpected pulse socket mode")
+)
+
+func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
+	if seal.shared {
+		panic("seal shared twice")
+	}
+	seal.shared = true
+
+	/*
+		Tmpdir-based share directory
+	*/
+
+	// ensure Share (e.g. `/tmp/fortify.%d`)
+	// acl is unnecessary as this directory is world executable
+	seal.sys.Ensure(seal.SharePath, 0711)
+
+	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
+	// acl is unnecessary as this directory is world executable
+	seal.share = path.Join(seal.SharePath, seal.id)
+	seal.sys.Ephemeral(system.Process, seal.share, 0711)
+
+	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
+	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
+	seal.sys.Ensure(targetTmpdirParent, 0700)
+	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
+
+	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
+	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.as)
+	seal.sys.Ensure(targetTmpdir, 01700)
+	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
+	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
+
+	/*
+		XDG runtime directory
+	*/
+
+	// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
+	seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
+	seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
+
+	// point to inner runtime path `/run/user/%d`
+	seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
+	seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
+	seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
+
+	// ensure RunDir (e.g. `/run/user/%d/fortify`)
+	seal.sys.Ensure(seal.RunDirPath, 0700)
+	seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
+
+	// ensure runtime directory ACL (e.g. `/run/user/%d`)
+	seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
+	seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
+
+	// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
+	seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
+	seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
+	seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
+
+	/*
+		Inner passwd database
+	*/
+
+	// look up shell
+	sh := "/bin/sh"
+	if s, ok := os.LookupEnv(shell); ok {
+		seal.sys.bwrap.SetEnv[shell] = s
+		sh = s
+	}
+
+	// generate /etc/passwd
+	passwdPath := path.Join(seal.share, "passwd")
+	username := "chronos"
+	if seal.sys.user.username != "" {
+		username = seal.sys.user.username
+	}
+	homeDir := "/var/empty"
+	if seal.sys.user.home != "" {
+		homeDir = seal.sys.user.home
+	}
+
+	// bind home directory
+	seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
+	seal.sys.bwrap.Chdir = homeDir
+
+	seal.sys.bwrap.SetEnv["USER"] = username
+	seal.sys.bwrap.SetEnv["HOME"] = homeDir
+
+	passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
+	seal.sys.Write(passwdPath, passwd)
+
+	// write /etc/group
+	groupPath := path.Join(seal.share, "group")
+	seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
+
+	// bind /etc/passwd and /etc/group
+	seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
+	seal.sys.bwrap.Bind(groupPath, "/etc/group")
+
+	/*
+		Display servers
+	*/
+
+	// pass $TERM to launcher
+	if t, ok := os.LookupEnv(term); ok {
+		seal.sys.bwrap.SetEnv[term] = t
+	}
+
+	// set up wayland
+	if seal.et.Has(system.EWayland) {
+		var wp string
+		if wd, ok := os.LookupEnv(waylandDisplay); !ok {
+			return fmsg.WrapError(ErrWayland,
+				"WAYLAND_DISPLAY is not set")
+		} else {
+			wp = path.Join(seal.RuntimePath, wd)
+		}
+
+		w := path.Join(seal.sys.runtime, "wayland-0")
+		seal.sys.bwrap.SetEnv[waylandDisplay] = w
+
+		if !seal.directWayland { // set up security-context-v1
+			wc := path.Join(seal.SharePath, "wayland")
+			wt := path.Join(wc, seal.id)
+			seal.sys.Ensure(wc, 0711)
+			appID := seal.fid
+			if appID == "" {
+				// use instance ID in case app id is not set
+				appID = "moe.ophivana.fortify." + seal.id
+			}
+			seal.sys.Wayland(wt, wp, appID, seal.id)
+			seal.sys.bwrap.Bind(wt, w)
+		} else { // bind mount wayland socket (insecure)
+			// hardlink wayland socket
+			wpi := path.Join(seal.shareLocal, "wayland")
+			seal.sys.Link(wp, wpi)
+			seal.sys.bwrap.Bind(wpi, w)
+
+			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
+			seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
+		}
+	}
+
+	// set up X11
+	if seal.et.Has(system.EX11) {
+		// discover X11 and grant user permission via the `ChangeHosts` command
+		if d, ok := os.LookupEnv(display); !ok {
+			return fmsg.WrapError(ErrXDisplay,
+				"DISPLAY is not set")
+		} else {
+			seal.sys.ChangeHosts("#" + seal.sys.user.us)
+			seal.sys.bwrap.SetEnv[display] = d
+			seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
+		}
+	}
+
+	/*
+		PulseAudio server and authentication
+	*/
+
+	if seal.et.Has(system.EPulse) {
+		// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
+		pd := path.Join(seal.RuntimePath, "pulse")
+		ps := path.Join(pd, "native")
+		if _, err := os.Stat(pd); err != nil {
+			if !errors.Is(err, fs.ErrNotExist) {
+				return fmsg.WrapErrorSuffix(err,
+					fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
+			}
+			return fmsg.WrapError(ErrPulseSocket,
+				fmt.Sprintf("PulseAudio directory %q not found", pd))
+		}
+
+		// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
+		if s, err := os.Stat(ps); err != nil {
+			if !errors.Is(err, fs.ErrNotExist) {
+				return fmsg.WrapErrorSuffix(err,
+					fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
+			}
+			return fmsg.WrapError(ErrPulseSocket,
+				fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
+		} else {
+			if m := s.Mode(); m&0o006 != 0o006 {
+				return fmsg.WrapError(ErrPulseMode,
+					fmt.Sprintf("unexpected permissions on %q:", ps), m)
+			}
+		}
+
+		// hard link pulse socket into target-executable share
+		psi := path.Join(seal.shareLocal, "pulse")
+		p := path.Join(seal.sys.runtime, "pulse", "native")
+		seal.sys.Link(ps, psi)
+		seal.sys.bwrap.Bind(psi, p)
+		seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
+
+		// publish current user's pulse cookie for target user
+		if src, err := discoverPulseCookie(os); err != nil {
+			// not fatal
+			fmsg.VPrintln(err.(*fmsg.BaseError).Message())
+		} else {
+			dst := path.Join(seal.share, "pulse-cookie")
+			innerDst := fst.Tmp + "/pulse-cookie"
+			seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
+			seal.sys.CopyFile(dst, src)
+			seal.sys.bwrap.Bind(dst, innerDst)
+		}
+	}
+
+	/*
+		D-Bus proxy
+	*/
+
+	if seal.et.Has(system.EDBus) {
+		// ensure dbus session bus defaults
+		if bus[0] == nil {
+			bus[0] = dbus.NewConfig(seal.fid, true, true)
+		}
+
+		// downstream socket paths
+		sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
+
+		// configure dbus proxy
+		if f, err := seal.sys.ProxyDBus(bus[0], bus[1], sessionPath, systemPath); err != nil {
+			return err
+		} else {
+			seal.dbusMsg = f
+		}
+
+		// share proxy sockets
+		sessionInner := path.Join(seal.sys.runtime, "bus")
+		seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
+		seal.sys.bwrap.Bind(sessionPath, sessionInner)
+		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
+		if bus[1] != nil {
+			systemInner := "/run/dbus/system_bus_socket"
+			seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
+			seal.sys.bwrap.Bind(systemPath, systemInner)
+			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
+		}
+	}
+
+	/*
+		Miscellaneous
+	*/
+
+	// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
+	for _, dest := range seal.sys.override {
+		seal.sys.bwrap.Tmpfs(dest, 8*1024)
+	}
+
+	// append extra perms
+	for _, p := range seal.extraPerms {
+		if p == nil {
+			continue
+		}
+		if p.ensure {
+			seal.sys.Ensure(p.name, 0700)
+		}
+		seal.sys.UpdatePermType(system.User, p.name, p.perms...)
+	}
+
+	return nil
+}
+
+// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
+func discoverPulseCookie(os linux.System) (string, error) {
+	if p, ok := os.LookupEnv(pulseCookie); ok {
+		return p, nil
+	}
+
+	// dotfile $HOME/.pulse-cookie
+	if p, ok := os.LookupEnv(home); ok {
+		p = path.Join(p, ".pulse-cookie")
+		if s, err := os.Stat(p); err != nil {
+			if !errors.Is(err, fs.ErrNotExist) {
+				return p, fmsg.WrapErrorSuffix(err,
+					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
+			}
+			// not found, try next method
+		} else if !s.IsDir() {
+			return p, nil
+		}
+	}
+
+	// $XDG_CONFIG_HOME/pulse/cookie
+	if p, ok := os.LookupEnv(xdgConfigHome); ok {
+		p = path.Join(p, "pulse", "cookie")
+		if s, err := os.Stat(p); err != nil {
+			if !errors.Is(err, fs.ErrNotExist) {
+				return p, fmsg.WrapErrorSuffix(err,
+					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
+			}
+			// not found, try next method
+		} else if !s.IsDir() {
+			return p, nil
+		}
+	}
+
+	return "", fmsg.WrapError(ErrPulseCookie,
+		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
+			pulseCookie, xdgConfigHome, home))
+}

internal/app/share.pulse.go

@@ -1,119 +0,0 @@
-package app
-
-import (
-	"errors"
-	"fmt"
-	"io/fs"
-	"path"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/linux"
-	"git.gensokyo.uk/security/fortify/internal/system"
-)
-
-const (
-	pulseServer = "PULSE_SERVER"
-	pulseCookie = "PULSE_COOKIE"
-
-	home          = "HOME"
-	xdgConfigHome = "XDG_CONFIG_HOME"
-)
-
-var (
-	ErrPulseCookie = errors.New("pulse cookie not present")
-	ErrPulseSocket = errors.New("pulse socket not present")
-	ErrPulseMode   = errors.New("unexpected pulse socket mode")
-)
-
-func (seal *appSeal) sharePulse(os linux.System) error {
-	if !seal.et.Has(system.EPulse) {
-		return nil
-	}
-
-	// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
-	pd := path.Join(seal.RuntimePath, "pulse")
-	ps := path.Join(pd, "native")
-	if _, err := os.Stat(pd); err != nil {
-		if !errors.Is(err, fs.ErrNotExist) {
-			return fmsg.WrapErrorSuffix(err,
-				fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
-		}
-		return fmsg.WrapError(ErrPulseSocket,
-			fmt.Sprintf("PulseAudio directory %q not found", pd))
-	}
-
-	// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
-	if s, err := os.Stat(ps); err != nil {
-		if !errors.Is(err, fs.ErrNotExist) {
-			return fmsg.WrapErrorSuffix(err,
-				fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
-		}
-		return fmsg.WrapError(ErrPulseSocket,
-			fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
-	} else {
-		if m := s.Mode(); m&0o006 != 0o006 {
-			return fmsg.WrapError(ErrPulseMode,
-				fmt.Sprintf("unexpected permissions on %q:", ps), m)
-		}
-	}
-
-	// hard link pulse socket into target-executable share
-	psi := path.Join(seal.shareLocal, "pulse")
-	p := path.Join(seal.sys.runtime, "pulse", "native")
-	seal.sys.Link(ps, psi)
-	seal.sys.bwrap.Bind(psi, p)
-	seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
-
-	// publish current user's pulse cookie for target user
-	if src, err := discoverPulseCookie(os); err != nil {
-		fmsg.VPrintln(err.(*fmsg.BaseError).Message())
-	} else {
-		dst := path.Join(seal.share, "pulse-cookie")
-		innerDst := fst.Tmp + "/pulse-cookie"
-		seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
-		seal.sys.CopyFile(dst, src)
-		seal.sys.bwrap.Bind(dst, innerDst)
-	}
-
-	return nil
-}
-
-// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
-func discoverPulseCookie(os linux.System) (string, error) {
-	if p, ok := os.LookupEnv(pulseCookie); ok {
-		return p, nil
-	}
-
-	// dotfile $HOME/.pulse-cookie
-	if p, ok := os.LookupEnv(home); ok {
-		p = path.Join(p, ".pulse-cookie")
-		if s, err := os.Stat(p); err != nil {
-			if !errors.Is(err, fs.ErrNotExist) {
-				return p, fmsg.WrapErrorSuffix(err,
-					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
-			}
-			// not found, try next method
-		} else if !s.IsDir() {
-			return p, nil
-		}
-	}
-
-	// $XDG_CONFIG_HOME/pulse/cookie
-	if p, ok := os.LookupEnv(xdgConfigHome); ok {
-		p = path.Join(p, "pulse", "cookie")
-		if s, err := os.Stat(p); err != nil {
-			if !errors.Is(err, fs.ErrNotExist) {
-				return p, fmsg.WrapErrorSuffix(err,
-					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
-			}
-			// not found, try next method
-		} else if !s.IsDir() {
-			return p, nil
-		}
-	}
-
-	return "", fmsg.WrapError(ErrPulseCookie,
-		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
-			pulseCookie, xdgConfigHome, home))
-}

internal/app/share.runtime.go

@@ -1,39 +0,0 @@
-package app
-
-import (
-	"path"
-
-	"git.gensokyo.uk/security/fortify/acl"
-	"git.gensokyo.uk/security/fortify/internal/system"
-)
-
-const (
-	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
-	xdgSessionClass = "XDG_SESSION_CLASS"
-	xdgSessionType  = "XDG_SESSION_TYPE"
-)
-
-// shareRuntime queues actions for sharing/ensuring the runtime and share directories
-func (seal *appSeal) shareRuntime() {
-	// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
-	seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
-	seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
-
-	// point to inner runtime path `/run/user/%d`
-	seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
-	seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
-	seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
-
-	// ensure RunDir (e.g. `/run/user/%d/fortify`)
-	seal.sys.Ensure(seal.RunDirPath, 0700)
-	seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
-
-	// ensure runtime directory ACL (e.g. `/run/user/%d`)
-	seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
-	seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
-
-	// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
-	seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
-	seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
-	seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
-}

internal/app/share.system.go

@@ -1,74 +0,0 @@
-package app
-
-import (
-	"path"
-
-	"git.gensokyo.uk/security/fortify/acl"
-	"git.gensokyo.uk/security/fortify/internal/linux"
-	"git.gensokyo.uk/security/fortify/internal/system"
-)
-
-const (
-	shell = "SHELL"
-)
-
-// shareSystem queues various system-related actions
-func (seal *appSeal) shareSystem() {
-	// ensure Share (e.g. `/tmp/fortify.%d`)
-	// acl is unnecessary as this directory is world executable
-	seal.sys.Ensure(seal.SharePath, 0711)
-
-	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
-	// acl is unnecessary as this directory is world executable
-	seal.share = path.Join(seal.SharePath, seal.id)
-	seal.sys.Ephemeral(system.Process, seal.share, 0711)
-
-	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
-	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
-	seal.sys.Ensure(targetTmpdirParent, 0700)
-	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
-
-	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
-	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.as)
-	seal.sys.Ensure(targetTmpdir, 01700)
-	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
-	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
-}
-
-func (seal *appSeal) sharePasswd(os linux.System) {
-	// look up shell
-	sh := "/bin/sh"
-	if s, ok := os.LookupEnv(shell); ok {
-		seal.sys.bwrap.SetEnv[shell] = s
-		sh = s
-	}
-
-	// generate /etc/passwd
-	passwdPath := path.Join(seal.share, "passwd")
-	username := "chronos"
-	if seal.sys.user.username != "" {
-		username = seal.sys.user.username
-	}
-	homeDir := "/var/empty"
-	if seal.sys.user.home != "" {
-		homeDir = seal.sys.user.home
-	}
-
-	// bind home directory
-	seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
-	seal.sys.bwrap.Chdir = homeDir
-
-	seal.sys.bwrap.SetEnv["USER"] = username
-	seal.sys.bwrap.SetEnv["HOME"] = homeDir
-
-	passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
-	seal.sys.Write(passwdPath, passwd)
-
-	// write /etc/group
-	groupPath := path.Join(seal.share, "group")
-	seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
-
-	// bind /etc/passwd and /etc/group
-	seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
-	seal.sys.bwrap.Bind(groupPath, "/etc/group")
-}

internal/app/start.go

@@ -49,6 +49,7 @@ func (a *app) Start() error {
 			Argv:  a.seal.command,
 			Exec:  shimExec,
 			Bwrap: a.seal.sys.bwrap,
+			Home:  a.seal.sys.user.data,
 
 			Verbose: fmsg.Verbose(),
 		},

internal/app/system.go

@@ -1,9 +1,7 @@
 package app
 
 import (
-	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 
@@ -51,37 +49,3 @@ type appUser struct {
 	// passwd database username
 	username string
 }
-
-// shareAll calls all share methods in sequence
-func (seal *appSeal) shareAll(bus [2]*dbus.Config, os linux.System) error {
-	if seal.shared {
-		panic("seal shared twice")
-	}
-	seal.shared = true
-
-	seal.shareSystem()
-	seal.shareRuntime()
-	seal.sharePasswd(os)
-	if err := seal.shareDisplay(os); err != nil {
-		return err
-	}
-	if err := seal.sharePulse(os); err != nil {
-		return err
-	}
-
-	// ensure dbus session bus defaults
-	if bus[0] == nil {
-		bus[0] = dbus.NewConfig(seal.fid, true, true)
-	}
-
-	if err := seal.shareDBus(bus); err != nil {
-		return err
-	}
-
-	// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
-	for _, dest := range seal.sys.override {
-		seal.sys.bwrap.Tmpfs(dest, 8*1024)
-	}
-
-	return nil
-}

internal/system/dbus.go

@@ -36,7 +36,7 @@ func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath st
 	}
 
 	// system bus is optional
-	d.system = system == nil
+	d.system = system != nil
 
 	// upstream address, downstream socket path
 	var sessionBus, systemBus [2]string

ldd/ldd.go

@@ -32,7 +32,7 @@ func Parse(stdout fmt.Stringer) ([]*Entry, error) {
 		switch len(segment) {
 		case 2: // /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
 			iL = 1
-			result[i] = &Entry{Name: segment[0]}
+			result[i] = &Entry{Name: strings.TrimSpace(segment[0])}
 		case 4: // libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
 			iL = 3
 			if segment[1] != "=>" {
@@ -42,7 +42,7 @@ func Parse(stdout fmt.Stringer) ([]*Entry, error) {
 				return nil, ErrPathNotAbsolute
 			}
 			result[i] = &Entry{
-				Name: segment[0],
+				Name: strings.TrimSpace(segment[0]),
 				Path: segment[2],
 			}
 		default:

ldd/ldd_test.go

@@ -65,12 +65,12 @@ libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7ff71c0a4000)`,
 				{"libc.musl-x86_64.so.1", "/lib/ld-musl-x86_64.so.1", 0x7ff71c0a4000},
 			}},
 		{"glibc /nix/store/rc3n2r3nffpib2gqpxlkjx36frw6n34z-kmod-31/bin/kmod", `
-linux-vdso.so.1 (0x00007ffed65be000)
+	linux-vdso.so.1 (0x00007ffed65be000)
-libzstd.so.1 => /nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1 (0x00007f3199cd1000)
+	libzstd.so.1 => /nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1 (0x00007f3199cd1000)
-liblzma.so.5 => /nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5 (0x00007f3199ca2000)
+	liblzma.so.5 => /nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5 (0x00007f3199ca2000)
-libc.so.6 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6 (0x00007f3199ab5000)
+	libc.so.6 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6 (0x00007f3199ab5000)
-libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0 (0x00007f3199ab0000)
+	libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0 (0x00007f3199ab0000)
-/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2 (0x00007f3199da5000)`,
+	/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2 (0x00007f3199da5000)`,
 			[]*ldd.Entry{
 				{"linux-vdso.so.1", "", 0x00007ffed65be000},
 				{"libzstd.so.1", "/nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1", 0x00007f3199cd1000},
@@ -79,6 +79,35 @@ libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib
 				{"libpthread.so.0", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0", 0x00007f3199ab0000},
 				{"/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2", 0x00007f3199da5000},
 			}},
+		{"glibc /usr/bin/xdg-dbus-proxy", `
+	linux-vdso.so.1 (0x00007725f5772000)
+	libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0x00007725f55d5000)
+	libgio-2.0.so.0 => /usr/lib/libgio-2.0.so.0 (0x00007725f5406000)
+	libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0x00007725f53a6000)
+	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007725f5378000)
+	libc.so.6 => /usr/lib/libc.so.6 (0x00007725f5187000)
+	libpcre2-8.so.0 => /usr/lib/libpcre2-8.so.0 (0x00007725f50e8000)
+	libgmodule-2.0.so.0 => /usr/lib/libgmodule-2.0.so.0 (0x00007725f50df000)
+	libz.so.1 => /usr/lib/libz.so.1 (0x00007725f50c6000)
+	libmount.so.1 => /usr/lib/libmount.so.1 (0x00007725f5076000)
+	libffi.so.8 => /usr/lib/libffi.so.8 (0x00007725f506b000)
+	/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007725f5774000)
+	libblkid.so.1 => /usr/lib/libblkid.so.1 (0x00007725f5032000)`,
+			[]*ldd.Entry{
+				{"linux-vdso.so.1", "", 0x00007725f5772000},
+				{"libglib-2.0.so.0", "/usr/lib/libglib-2.0.so.0", 0x00007725f55d5000},
+				{"libgio-2.0.so.0", "/usr/lib/libgio-2.0.so.0", 0x00007725f5406000},
+				{"libgobject-2.0.so.0", "/usr/lib/libgobject-2.0.so.0", 0x00007725f53a6000},
+				{"libgcc_s.so.1", "/usr/lib/libgcc_s.so.1", 0x00007725f5378000},
+				{"libc.so.6", "/usr/lib/libc.so.6", 0x00007725f5187000},
+				{"libpcre2-8.so.0", "/usr/lib/libpcre2-8.so.0", 0x00007725f50e8000},
+				{"libgmodule-2.0.so.0", "/usr/lib/libgmodule-2.0.so.0", 0x00007725f50df000},
+				{"libz.so.1", "/usr/lib/libz.so.1", 0x00007725f50c6000},
+				{"libmount.so.1", "/usr/lib/libmount.so.1", 0x00007725f5076000},
+				{"libffi.so.8", "/usr/lib/libffi.so.8", 0x00007725f506b000},
+				{"/lib64/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2", 0x00007725f5774000},
+				{"libblkid.so.1", "/usr/lib/libblkid.so.1", 0x00007725f5032000},
+			}},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.file, func(t *testing.T) {

main.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	_ "embed"
-	"encoding/json"
 	"flag"
 	"fmt"
 	"os/user"
@@ -129,64 +128,21 @@ func main() {
 		// Ignore errors; set is set for ExitOnError.
 		_ = set.Parse(args[1:])
 
-		if len(set.Args()) != 1 {
-			fmsg.Fatal("show requires 1 argument")
-		}
-
-		likePrefix := false
-		if len(set.Args()[0]) <= 32 {
-			likePrefix = true
-			for _, c := range set.Args()[0] {
-				if c >= '0' && c <= '9' {
-					continue
-				}
-				if c >= 'a' && c <= 'f' {
-					continue
-				}
-				likePrefix = false
-				break
-			}
-		}
-
 		var (
 			config   *fst.Config
 			instance *state.State
+			name     string
 		)
 
-		// try to match from state store
+		if len(set.Args()) != 1 {
-		if likePrefix && len(set.Args()[0]) >= 8 {
+			fmsg.Fatal("show requires 1 argument")
-			fmsg.VPrintln("argument looks like prefix")
+		} else {
-
+			name = set.Args()[0]
-			s := state.NewMulti(os.Paths().RunDirPath)
+			config, instance = tryShort(name)
-			if entries, err := state.Join(s); err != nil {
-				fmsg.Printf("cannot join store: %v", err)
-				// drop to fetch from file
-			} else {
-				for id := range entries {
-					v := id.String()
-					if strings.HasPrefix(v, set.Args()[0]) {
-						// match, use config from this state entry
-						instance = entries[id]
-						config = instance.Config
-						break
-					}
-
-					fmsg.VPrintf("instance %s skipped", v)
-				}
-			}
 		}
 
 		if config == nil {
-			fmsg.VPrintf("reading from file")
+			config = tryPath(name)
-
-			config = new(fst.Config)
-			if f, err := os.Open(set.Args()[0]); err != nil {
-				fmsg.Fatalf("cannot access config file %q: %s", set.Args()[0], err)
-				panic("unreachable")
-			} else if err = json.NewDecoder(f).Decode(&config); err != nil {
-				fmsg.Fatalf("cannot parse config file %q: %s", set.Args()[0], err)
-				panic("unreachable")
-			}
 		}
 
 		printShow(instance, config, short)
@@ -196,20 +152,13 @@ func main() {
 			fmsg.Fatal("app requires at least 1 argument")
 		}
 
-		config := new(fst.Config)
+		// config extraArgs...
-		if f, err := os.Open(args[1]); err != nil {
+		config := tryPath(args[1])
-			fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
-			panic("unreachable")
-		} else if err = json.NewDecoder(f).Decode(&config); err != nil {
-			fmsg.Fatalf("cannot parse config file %q: %s", args[1], err)
-			panic("unreachable")
-		}
-
-		// append extra args
 		config.Command = append(config.Command, args[2:]...)
 
 		// invoke app
 		runApp(config)
+		panic("unreachable")
 	case "run": // run app in permissive defaults usage pattern
 		set := flag.NewFlagSet("run", flag.ExitOnError)
 

parse.go

@@ -0,0 +1,108 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	direct "os"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/state"
+)
+
+func tryPath(name string) (config *fst.Config) {
+	var r io.Reader
+	config = new(fst.Config)
+
+	if name != "-" {
+		r = tryFd(name)
+		if r == nil {
+			fmsg.VPrintln("load configuration from file")
+
+			if f, err := os.Open(name); err != nil {
+				fmsg.Fatalf("cannot access configuration file %q: %s", name, err)
+				panic("unreachable")
+			} else {
+				// finalizer closes f
+				r = f
+			}
+		} else {
+			defer func() {
+				if err := r.(io.ReadCloser).Close(); err != nil {
+					fmsg.Printf("cannot close config fd: %v", err)
+				}
+			}()
+		}
+	} else {
+		r = direct.Stdin
+	}
+
+	if err := json.NewDecoder(r).Decode(&config); err != nil {
+		fmsg.Fatalf("cannot load configuration: %v", err)
+		panic("unreachable")
+	}
+
+	return
+}
+
+func tryFd(name string) io.ReadCloser {
+	if v, err := strconv.Atoi(name); err != nil {
+		fmsg.VPrintf("name cannot be interpreted as int64: %v", err)
+		return nil
+	} else {
+		fd := uintptr(v)
+		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
+			if errors.Is(errno, syscall.EBADF) {
+				return nil
+			}
+			fmsg.Fatalf("cannot get fd %d: %v", fd, errno)
+		}
+		return direct.NewFile(fd, strconv.Itoa(v))
+	}
+}
+
+func tryShort(name string) (config *fst.Config, instance *state.State) {
+	likePrefix := false
+	if len(name) <= 32 {
+		likePrefix = true
+		for _, c := range name {
+			if c >= '0' && c <= '9' {
+				continue
+			}
+			if c >= 'a' && c <= 'f' {
+				continue
+			}
+			likePrefix = false
+			break
+		}
+	}
+
+	// try to match from state store
+	if likePrefix && len(name) >= 8 {
+		fmsg.VPrintln("argument looks like prefix")
+
+		s := state.NewMulti(os.Paths().RunDirPath)
+		if entries, err := state.Join(s); err != nil {
+			fmsg.Printf("cannot join store: %v", err)
+			// drop to fetch from file
+		} else {
+			for id := range entries {
+				v := id.String()
+				if strings.HasPrefix(v, name) {
+					// match, use config from this state entry
+					instance = entries[id]
+					config = instance.Config
+					break
+				}
+
+				fmsg.VPrintf("instance %s skipped", v)
+			}
+		}
+	}
+
+	return
+}

print.go

@@ -70,7 +70,16 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
 			flags = append(flags, "none")
 		}
 		fmt.Fprintf(w, " Flags:\t%s\n", strings.Join(flags, " "))
-		fmt.Fprintf(w, " Overrides:\t%s\n", strings.Join(sandbox.Override, " "))
+
+		etc := sandbox.Etc
+		if etc == "" {
+			etc = "/etc"
+		}
+		fmt.Fprintf(w, " Etc:\t%s\n", etc)
+
+		if len(sandbox.Override) > 0 {
+			fmt.Fprintf(w, " Overrides:\t%s\n", strings.Join(sandbox.Override, " "))
+		}
 
 		// Env           map[string]string   `json:"env"`
 		// Link          [][2]string         `json:"symlink"`
@@ -81,29 +90,47 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
 	fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
 	fmt.Fprintf(w, "\n")
 
-	if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
+	if !short {
-		fmt.Fprintf(w, "Filesystem:\n")
+		if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
-		for _, f := range config.Confinement.Sandbox.Filesystem {
+			fmt.Fprintf(w, "Filesystem\n")
-			expr := new(strings.Builder)
+			for _, f := range config.Confinement.Sandbox.Filesystem {
-			if f.Device {
+				if f == nil {
-				expr.WriteString(" d")
+					continue
-			} else if f.Write {
+				}
-				expr.WriteString(" w")
+
-			} else {
+				expr := new(strings.Builder)
-				expr.WriteString(" ")
+				expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
+
+				if f.Device {
+					expr.WriteString(" d")
+				} else if f.Write {
+					expr.WriteString(" w")
+				} else {
+					expr.WriteString(" ")
+				}
+				if f.Must {
+					expr.WriteString("*")
+				} else {
+					expr.WriteString("+")
+				}
+				expr.WriteString(f.Src)
+				if f.Dst != "" {
+					expr.WriteString(":" + f.Dst)
+				}
+				fmt.Fprintf(w, "%s\n", expr.String())
 			}
-			if f.Must {
+			fmt.Fprintf(w, "\n")
-				expr.WriteString("*")
+		}
-			} else {
+		if len(config.Confinement.ExtraPerms) > 0 {
-				expr.WriteString("+")
+			fmt.Fprintf(w, "Extra ACL\n")
-			}
+			for _, p := range config.Confinement.ExtraPerms {
-			expr.WriteString(f.Src)
+				if p == nil {
-			if f.Dst != "" {
+					continue
-				expr.WriteString(":" + f.Dst)
+				}
-			}
+				fmt.Fprintf(w, " %s\n", p.String())
-			fmt.Fprintf(w, "%s\n", expr.String())
+			}
+			fmt.Fprintf(w, "\n")
 		}
-		fmt.Fprintf(w, "\n")
 	}
 
 	printDBus := func(c *dbus.Config) {