Compare commits
22 Commits
c109ac2653
...
9b206072fa
| Author | SHA1 | Date | |
|---|---|---|---|
9b206072fa
|
|||
|
b9e2003d5b
|
|||
|
66ec0d882f
|
|||
|
847b667489
|
|||
|
c70f0612ad
|
|||
|
85e5b097fd
|
|||
|
0107620d8c
|
|||
|
fc26659ea1
|
|||
|
1f173a469c
|
|||
|
2fdbd6a4dd
|
|||
|
aef847b5ae
|
|||
|
0a2aa5823b
|
|||
|
b956ce4052
|
|||
|
dc579dc610
|
|||
|
ade57c39af
|
|||
|
614ad86a5b
|
|||
|
831dc6a181
|
|||
|
c67b8ab9ac
|
|||
|
7c5aaa38e2
|
|||
|
b52b1a5f90
|
|||
|
9fc82d67b7
|
|||
|
70bffeaa1e
|
@ -13,6 +13,8 @@ type Payload struct {
|
||||
Exec [2]string
|
||||
// bwrap config
|
||||
Bwrap *bwrap.Config
|
||||
// path to outer home directory
|
||||
Home string
|
||||
// sync fd
|
||||
Sync *uintptr
|
||||
|
||||
|
||||
@ -9,6 +9,7 @@ import (
|
||||
|
||||
init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
|
||||
shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/helper"
|
||||
"git.gensokyo.uk/security/fortify/internal"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
@ -80,6 +81,21 @@ func main() {
|
||||
// not fatal
|
||||
}
|
||||
|
||||
// ensure home directory as target user
|
||||
if s, err := os.Stat(payload.Home); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
if err = os.Mkdir(payload.Home, 0700); err != nil {
|
||||
fmsg.Fatalf("cannot create home directory: %v", err)
|
||||
}
|
||||
} else {
|
||||
fmsg.Fatalf("cannot access home directory: %v", err)
|
||||
}
|
||||
|
||||
// home directory is created, proceed
|
||||
} else if !s.IsDir() {
|
||||
fmsg.Fatalf("data path %q is not a directory", payload.Home)
|
||||
}
|
||||
|
||||
var ic init0.Payload
|
||||
|
||||
// resolve argv0
|
||||
@ -117,8 +133,12 @@ func main() {
|
||||
}()
|
||||
}
|
||||
|
||||
// bind finit inside sandbox
|
||||
finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
|
||||
conf.Bind(finitPath, finitInnerPath)
|
||||
|
||||
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
|
||||
if b, err := helper.NewBwrap(conf, nil, finitPath,
|
||||
if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
|
||||
func(int, int) []string { return make([]string, 0) }); err != nil {
|
||||
fmsg.Fatalf("malformed sandbox config: %v", err)
|
||||
} else {
|
||||
|
||||
@ -124,6 +124,8 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
|
||||
|
||||
t.Run("proxy for "+id, func(t *testing.T) {
|
||||
helper.InternalReplaceExecCommand(t)
|
||||
overridePath(t)
|
||||
|
||||
p := dbus.New(tc[0].bus, tc[1].bus)
|
||||
output := new(strings.Builder)
|
||||
|
||||
@ -174,7 +176,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
|
||||
|
||||
t.Run("sealed start of "+id, func(t *testing.T) {
|
||||
if err := p.Start(nil, output, sandbox); err != nil {
|
||||
t.Errorf("Start(nil, nil) error = %v",
|
||||
t.Fatalf("Start(nil, nil) error = %v",
|
||||
err)
|
||||
}
|
||||
|
||||
@ -213,3 +215,11 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func overridePath(t *testing.T) {
|
||||
proxyName := dbus.ProxyName
|
||||
dbus.ProxyName = "/nonexistent-xdg-dbus-proxy"
|
||||
t.Cleanup(func() {
|
||||
dbus.ProxyName = proxyName
|
||||
})
|
||||
}
|
||||
|
||||
@ -46,14 +46,16 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
|
||||
// look up absolute path if name is just a file name
|
||||
toolPath := p.name
|
||||
if filepath.Base(p.name) == p.name {
|
||||
if s, err := exec.LookPath(p.name); err == nil {
|
||||
if s, err := exec.LookPath(p.name); err != nil {
|
||||
return err
|
||||
} else {
|
||||
toolPath = s
|
||||
}
|
||||
}
|
||||
|
||||
// resolve libraries by parsing ldd output
|
||||
var proxyDeps []*ldd.Entry
|
||||
if path.IsAbs(toolPath) {
|
||||
if toolPath != "/nonexistent-xdg-dbus-proxy" {
|
||||
if l, err := ldd.Exec(toolPath); err != nil {
|
||||
return err
|
||||
} else {
|
||||
@ -91,6 +93,9 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
|
||||
if path.IsAbs(ent.Path) {
|
||||
roBindTarget[path.Dir(ent.Path)] = struct{}{}
|
||||
}
|
||||
if path.IsAbs(ent.Name) {
|
||||
roBindTarget[path.Dir(ent.Name)] = struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
// resolve upstream bus directories
|
||||
|
||||
6
dist/install.sh
vendored
6
dist/install.sh
vendored
@ -7,4 +7,8 @@ install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fini
|
||||
install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
|
||||
|
||||
install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
|
||||
install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
|
||||
if [ ! -f "${FORTIFY_INSTALL_PREFIX}/etc/fsurc" ]; then
|
||||
install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
|
||||
fi
|
||||
|
||||
install -vDm0644 "comp/_fortify" "${FORTIFY_INSTALL_PREFIX}/usr/share/zsh/site-functions/_fortify"
|
||||
7
dist/release.sh
vendored
7
dist/release.sh
vendored
@ -5,9 +5,10 @@ pname="fortify-${VERSION}"
|
||||
out="dist/${pname}"
|
||||
|
||||
mkdir -p "${out}"
|
||||
cp "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
|
||||
cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
|
||||
cp -rv "comp" "${out}"
|
||||
|
||||
go build -v -o "${out}/bin/" -ldflags "-s -w
|
||||
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
|
||||
-X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
|
||||
-X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
|
||||
-X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
|
||||
@ -16,4 +17,4 @@ go build -v -o "${out}/bin/" -ldflags "-s -w
|
||||
|
||||
rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
|
||||
rm -rf "./${out}"
|
||||
sha512sum "${out}.tar.gz" > "${out}.tar.gz.sha512"
|
||||
(cd dist && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
|
||||
@ -13,12 +13,11 @@ const Tmp = "/.fortify"
|
||||
|
||||
// Config is used to seal an *App
|
||||
type Config struct {
|
||||
// D-Bus application ID
|
||||
// application ID
|
||||
ID string `json:"id"`
|
||||
// value passed through to the child process as its argv
|
||||
Command []string `json:"command"`
|
||||
|
||||
// child confinement configuration
|
||||
Confinement ConfinementConfig `json:"confinement"`
|
||||
}
|
||||
|
||||
@ -28,7 +27,7 @@ type ConfinementConfig struct {
|
||||
AppID int `json:"app_id"`
|
||||
// list of supplementary groups to inherit
|
||||
Groups []string `json:"groups"`
|
||||
// passwd username in the sandbox, defaults to chronos
|
||||
// passwd username in the sandbox, defaults to passwd name of target uid or chronos
|
||||
Username string `json:"username,omitempty"`
|
||||
// home directory in sandbox, empty for outer
|
||||
Inner string `json:"home_inner"`
|
||||
@ -36,6 +35,8 @@ type ConfinementConfig struct {
|
||||
Outer string `json:"home"`
|
||||
// bwrap sandbox confinement configuration
|
||||
Sandbox *SandboxConfig `json:"sandbox"`
|
||||
// extra acl entries to append
|
||||
ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
|
||||
|
||||
// reference to a system D-Bus proxy configuration,
|
||||
// nil value disables system bus proxy
|
||||
@ -44,7 +45,7 @@ type ConfinementConfig struct {
|
||||
// nil value makes session bus proxy assume built-in defaults
|
||||
SessionBus *dbus.Config `json:"session_bus,omitempty"`
|
||||
|
||||
// child capability enablements
|
||||
// system resources to expose to the sandbox
|
||||
Enablements system.Enablements `json:"enablements"`
|
||||
}
|
||||
|
||||
@ -52,7 +53,7 @@ type ConfinementConfig struct {
|
||||
type SandboxConfig struct {
|
||||
// unix hostname within sandbox
|
||||
Hostname string `json:"hostname,omitempty"`
|
||||
// userns availability within sandbox
|
||||
// allow userns within sandbox
|
||||
UserNS bool `json:"userns,omitempty"`
|
||||
// share net namespace
|
||||
Net bool `json:"net,omitempty"`
|
||||
@ -71,12 +72,42 @@ type SandboxConfig struct {
|
||||
Filesystem []*FilesystemConfig `json:"filesystem"`
|
||||
// symlinks created inside the sandbox
|
||||
Link [][2]string `json:"symlink"`
|
||||
// read-only /etc directory
|
||||
Etc string `json:"etc,omitempty"`
|
||||
// automatically set up /etc symlinks
|
||||
AutoEtc bool `json:"auto_etc"`
|
||||
// paths to override by mounting tmpfs over them
|
||||
Override []string `json:"override"`
|
||||
}
|
||||
|
||||
type ExtraPermConfig struct {
|
||||
Ensure bool `json:"ensure,omitempty"`
|
||||
Path string `json:"path"`
|
||||
Read bool `json:"r,omitempty"`
|
||||
Write bool `json:"w,omitempty"`
|
||||
Execute bool `json:"x,omitempty"`
|
||||
}
|
||||
|
||||
func (e *ExtraPermConfig) String() string {
|
||||
buf := make([]byte, 0, 5+len(e.Path))
|
||||
buf = append(buf, '-', '-', '-')
|
||||
if e.Ensure {
|
||||
buf = append(buf, '+')
|
||||
}
|
||||
buf = append(buf, ':')
|
||||
buf = append(buf, []byte(e.Path)...)
|
||||
if e.Read {
|
||||
buf[0] = 'r'
|
||||
}
|
||||
if e.Write {
|
||||
buf[1] = 'w'
|
||||
}
|
||||
if e.Execute {
|
||||
buf[2] = 'x'
|
||||
}
|
||||
return string(buf)
|
||||
}
|
||||
|
||||
type FilesystemConfig struct {
|
||||
// mount point in sandbox, same as src if empty
|
||||
Dst string `json:"dst,omitempty"`
|
||||
@ -86,7 +117,7 @@ type FilesystemConfig struct {
|
||||
Write bool `json:"write,omitempty"`
|
||||
// device access
|
||||
Device bool `json:"dev,omitempty"`
|
||||
// exit if unable to share
|
||||
// fail if mount fails
|
||||
Must bool `json:"require,omitempty"`
|
||||
}
|
||||
|
||||
@ -128,7 +159,11 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
|
||||
}
|
||||
|
||||
if !s.AutoEtc {
|
||||
conf.Dir("/etc")
|
||||
if s.Etc == "" {
|
||||
conf.Dir("/etc")
|
||||
} else {
|
||||
conf.Bind(s.Etc, "/etc")
|
||||
}
|
||||
}
|
||||
|
||||
for _, c := range s.Filesystem {
|
||||
@ -148,10 +183,14 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
|
||||
}
|
||||
|
||||
if s.AutoEtc {
|
||||
conf.Bind("/etc", Tmp+"/etc")
|
||||
etc := s.Etc
|
||||
if etc == "" {
|
||||
etc = "/etc"
|
||||
}
|
||||
conf.Bind(etc, Tmp+"/etc")
|
||||
|
||||
// link host /etc contents to prevent passwd/group from being overwritten
|
||||
if d, err := os.ReadDir("/etc"); err != nil {
|
||||
if d, err := os.ReadDir(etc); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
for _, ent := range d {
|
||||
@ -213,6 +252,7 @@ func Template() *Config {
|
||||
{Src: "/dev/dri", Device: true},
|
||||
},
|
||||
Link: [][2]string{{"/run/user/65534", "/run/user/150"}},
|
||||
Etc: "/etc",
|
||||
AutoEtc: true,
|
||||
Override: []string{"/var/run/nscd"},
|
||||
},
|
||||
|
||||
@ -106,7 +106,7 @@ func (c *Config) Mqueue(dest string) *Config {
|
||||
// Dir create dir in sandbox
|
||||
// (--dir DEST)
|
||||
func (c *Config) Dir(dest string) *Config {
|
||||
c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Dir], dest})
|
||||
c.Filesystem = append(c.Filesystem, &stringF{awkwardArgs[Dir], dest})
|
||||
return c
|
||||
}
|
||||
|
||||
|
||||
@ -8,6 +8,7 @@ import (
|
||||
"regexp"
|
||||
"strconv"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/acl"
|
||||
"git.gensokyo.uk/security/fortify/dbus"
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
@ -48,6 +49,8 @@ type appSeal struct {
|
||||
et system.Enablements
|
||||
// wayland socket direct access
|
||||
directWayland bool
|
||||
// extra UpdatePerm ops
|
||||
extraPerms []*sealedExtraPerm
|
||||
|
||||
// prevents sharing from happening twice
|
||||
shared bool
|
||||
@ -59,6 +62,12 @@ type appSeal struct {
|
||||
// protected by upstream mutex
|
||||
}
|
||||
|
||||
type sealedExtraPerm struct {
|
||||
name string
|
||||
perms acl.Perms
|
||||
ensure bool
|
||||
}
|
||||
|
||||
// Seal seals the app launch context
|
||||
func (a *app) Seal(config *fst.Config) error {
|
||||
a.lock.Lock()
|
||||
@ -100,47 +109,68 @@ func (a *app) Seal(config *fst.Config) error {
|
||||
if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
|
||||
return fmsg.WrapError(ErrUser,
|
||||
fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
|
||||
}
|
||||
seal.sys.user = appUser{
|
||||
aid: config.Confinement.AppID,
|
||||
as: strconv.Itoa(config.Confinement.AppID),
|
||||
data: config.Confinement.Outer,
|
||||
home: config.Confinement.Inner,
|
||||
username: config.Confinement.Username,
|
||||
}
|
||||
if seal.sys.user.username == "" {
|
||||
seal.sys.user.username = "chronos"
|
||||
} else if !posixUsername.MatchString(seal.sys.user.username) {
|
||||
return fmsg.WrapError(ErrName,
|
||||
fmt.Sprintf("invalid user name %q", seal.sys.user.username))
|
||||
}
|
||||
if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
|
||||
return fmsg.WrapError(ErrHome,
|
||||
fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
|
||||
}
|
||||
if seal.sys.user.home == "" {
|
||||
seal.sys.user.home = seal.sys.user.data
|
||||
}
|
||||
|
||||
// invoke fsu for full uid
|
||||
if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
"cannot obtain uid from fsu:")
|
||||
} else {
|
||||
seal.sys.user = appUser{
|
||||
aid: config.Confinement.AppID,
|
||||
as: strconv.Itoa(config.Confinement.AppID),
|
||||
data: config.Confinement.Outer,
|
||||
home: config.Confinement.Inner,
|
||||
username: config.Confinement.Username,
|
||||
}
|
||||
if seal.sys.user.username == "" {
|
||||
seal.sys.user.username = "chronos"
|
||||
} else if !posixUsername.MatchString(seal.sys.user.username) {
|
||||
return fmsg.WrapError(ErrName,
|
||||
fmt.Sprintf("invalid user name %q", seal.sys.user.username))
|
||||
}
|
||||
if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
|
||||
return fmsg.WrapError(ErrHome,
|
||||
fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
|
||||
}
|
||||
if seal.sys.user.home == "" {
|
||||
seal.sys.user.home = seal.sys.user.data
|
||||
}
|
||||
seal.sys.user.uid = u
|
||||
seal.sys.user.us = strconv.Itoa(u)
|
||||
}
|
||||
|
||||
// invoke fsu for full uid
|
||||
if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
"cannot obtain uid from fsu:")
|
||||
// resolve supplementary group ids from names
|
||||
seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
|
||||
for i, name := range config.Confinement.Groups {
|
||||
if g, err := a.os.LookupGroup(name); err != nil {
|
||||
return fmsg.WrapError(err,
|
||||
fmt.Sprintf("unknown group %q", name))
|
||||
} else {
|
||||
seal.sys.user.uid = u
|
||||
seal.sys.user.us = strconv.Itoa(u)
|
||||
seal.sys.user.supp[i] = g.Gid
|
||||
}
|
||||
}
|
||||
|
||||
// build extra perms
|
||||
seal.extraPerms = make([]*sealedExtraPerm, len(config.Confinement.ExtraPerms))
|
||||
for i, p := range config.Confinement.ExtraPerms {
|
||||
if p == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
// resolve supplementary group ids from names
|
||||
seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
|
||||
for i, name := range config.Confinement.Groups {
|
||||
if g, err := a.os.LookupGroup(name); err != nil {
|
||||
return fmsg.WrapError(err,
|
||||
fmt.Sprintf("unknown group %q", name))
|
||||
} else {
|
||||
seal.sys.user.supp[i] = g.Gid
|
||||
}
|
||||
seal.extraPerms[i] = new(sealedExtraPerm)
|
||||
seal.extraPerms[i].name = p.Path
|
||||
seal.extraPerms[i].perms = make(acl.Perms, 0, 3)
|
||||
if p.Read {
|
||||
seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Read)
|
||||
}
|
||||
if p.Write {
|
||||
seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Write)
|
||||
}
|
||||
if p.Execute {
|
||||
seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
|
||||
}
|
||||
seal.extraPerms[i].ensure = p.Ensure
|
||||
}
|
||||
|
||||
// map sandbox config to bwrap
|
||||
@ -229,7 +259,7 @@ func (a *app) Seal(config *fst.Config) error {
|
||||
seal.et = config.Confinement.Enablements
|
||||
|
||||
// this method calls all share methods in sequence
|
||||
if err := seal.shareAll([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
|
||||
if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
package app
|
||||
|
||||
import (
|
||||
"path"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/acl"
|
||||
"git.gensokyo.uk/security/fortify/dbus"
|
||||
"git.gensokyo.uk/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
|
||||
dbusSystemBusAddress = "DBUS_SYSTEM_BUS_ADDRESS"
|
||||
)
|
||||
|
||||
func (seal *appSeal) shareDBus(config [2]*dbus.Config) error {
|
||||
if !seal.et.Has(system.EDBus) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// downstream socket paths
|
||||
sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
|
||||
|
||||
// configure dbus proxy
|
||||
if f, err := seal.sys.ProxyDBus(config[0], config[1], sessionPath, systemPath); err != nil {
|
||||
return err
|
||||
} else {
|
||||
seal.dbusMsg = f
|
||||
}
|
||||
|
||||
// share proxy sockets
|
||||
sessionInner := path.Join(seal.sys.runtime, "bus")
|
||||
seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
|
||||
seal.sys.bwrap.Bind(sessionPath, sessionInner)
|
||||
seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
|
||||
if config[1] != nil {
|
||||
systemInner := "/run/dbus/system_bus_socket"
|
||||
seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
|
||||
seal.sys.bwrap.Bind(systemPath, systemInner)
|
||||
seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@ -1,81 +0,0 @@
|
||||
package app
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"path"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/acl"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
"git.gensokyo.uk/security/fortify/internal/linux"
|
||||
"git.gensokyo.uk/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
term = "TERM"
|
||||
display = "DISPLAY"
|
||||
|
||||
// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
|
||||
waylandDisplay = "WAYLAND_DISPLAY"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrWayland = errors.New(waylandDisplay + " unset")
|
||||
ErrXDisplay = errors.New(display + " unset")
|
||||
)
|
||||
|
||||
func (seal *appSeal) shareDisplay(os linux.System) error {
|
||||
// pass $TERM to launcher
|
||||
if t, ok := os.LookupEnv(term); ok {
|
||||
seal.sys.bwrap.SetEnv[term] = t
|
||||
}
|
||||
|
||||
// set up wayland
|
||||
if seal.et.Has(system.EWayland) {
|
||||
var wp string
|
||||
if wd, ok := os.LookupEnv(waylandDisplay); !ok {
|
||||
return fmsg.WrapError(ErrWayland,
|
||||
"WAYLAND_DISPLAY is not set")
|
||||
} else {
|
||||
wp = path.Join(seal.RuntimePath, wd)
|
||||
}
|
||||
|
||||
w := path.Join(seal.sys.runtime, "wayland-0")
|
||||
seal.sys.bwrap.SetEnv[waylandDisplay] = w
|
||||
|
||||
if seal.directWayland {
|
||||
// hardlink wayland socket
|
||||
wpi := path.Join(seal.shareLocal, "wayland")
|
||||
seal.sys.Link(wp, wpi)
|
||||
seal.sys.bwrap.Bind(wpi, w)
|
||||
|
||||
// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
|
||||
seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
|
||||
} else {
|
||||
wc := path.Join(seal.SharePath, "wayland")
|
||||
wt := path.Join(wc, seal.id)
|
||||
seal.sys.Ensure(wc, 0711)
|
||||
appID := seal.fid
|
||||
if appID == "" {
|
||||
// use instance ID in case app id is not set
|
||||
appID = "moe.ophivana.fortify." + seal.id
|
||||
}
|
||||
seal.sys.Wayland(wt, wp, appID, seal.id)
|
||||
seal.sys.bwrap.Bind(wt, w)
|
||||
}
|
||||
}
|
||||
|
||||
// set up X11
|
||||
if seal.et.Has(system.EX11) {
|
||||
// discover X11 and grant user permission via the `ChangeHosts` command
|
||||
if d, ok := os.LookupEnv(display); !ok {
|
||||
return fmsg.WrapError(ErrXDisplay,
|
||||
"DISPLAY is not set")
|
||||
} else {
|
||||
seal.sys.ChangeHosts("#" + seal.sys.user.us)
|
||||
seal.sys.bwrap.SetEnv[display] = d
|
||||
seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
346
internal/app/share.go
Normal file
346
internal/app/share.go
Normal file
@ -0,0 +1,346 @@
|
||||
package app
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"path"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/acl"
|
||||
"git.gensokyo.uk/security/fortify/dbus"
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
"git.gensokyo.uk/security/fortify/internal/linux"
|
||||
"git.gensokyo.uk/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
home = "HOME"
|
||||
shell = "SHELL"
|
||||
|
||||
xdgConfigHome = "XDG_CONFIG_HOME"
|
||||
xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
||||
xdgSessionClass = "XDG_SESSION_CLASS"
|
||||
xdgSessionType = "XDG_SESSION_TYPE"
|
||||
|
||||
term = "TERM"
|
||||
display = "DISPLAY"
|
||||
|
||||
// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
|
||||
waylandDisplay = "WAYLAND_DISPLAY"
|
||||
|
||||
pulseServer = "PULSE_SERVER"
|
||||
pulseCookie = "PULSE_COOKIE"
|
||||
|
||||
dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
|
||||
dbusSystemBusAddress = "DBUS_SYSTEM_BUS_ADDRESS"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrWayland = errors.New(waylandDisplay + " unset")
|
||||
ErrXDisplay = errors.New(display + " unset")
|
||||
|
||||
ErrPulseCookie = errors.New("pulse cookie not present")
|
||||
ErrPulseSocket = errors.New("pulse socket not present")
|
||||
ErrPulseMode = errors.New("unexpected pulse socket mode")
|
||||
)
|
||||
|
||||
func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
|
||||
if seal.shared {
|
||||
panic("seal shared twice")
|
||||
}
|
||||
seal.shared = true
|
||||
|
||||
/*
|
||||
Tmpdir-based share directory
|
||||
*/
|
||||
|
||||
// ensure Share (e.g. `/tmp/fortify.%d`)
|
||||
// acl is unnecessary as this directory is world executable
|
||||
seal.sys.Ensure(seal.SharePath, 0711)
|
||||
|
||||
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
||||
// acl is unnecessary as this directory is world executable
|
||||
seal.share = path.Join(seal.SharePath, seal.id)
|
||||
seal.sys.Ephemeral(system.Process, seal.share, 0711)
|
||||
|
||||
// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
|
||||
targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
|
||||
seal.sys.Ensure(targetTmpdirParent, 0700)
|
||||
seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
|
||||
|
||||
// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
|
||||
targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.as)
|
||||
seal.sys.Ensure(targetTmpdir, 01700)
|
||||
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
||||
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
||||
|
||||
/*
|
||||
XDG runtime directory
|
||||
*/
|
||||
|
||||
// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
|
||||
seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
|
||||
seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
|
||||
|
||||
// point to inner runtime path `/run/user/%d`
|
||||
seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
|
||||
seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
|
||||
seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
|
||||
|
||||
// ensure RunDir (e.g. `/run/user/%d/fortify`)
|
||||
seal.sys.Ensure(seal.RunDirPath, 0700)
|
||||
seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
|
||||
|
||||
// ensure runtime directory ACL (e.g. `/run/user/%d`)
|
||||
seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
|
||||
seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
|
||||
|
||||
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
|
||||
seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
|
||||
seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
|
||||
seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
|
||||
|
||||
/*
|
||||
Inner passwd database
|
||||
*/
|
||||
|
||||
// look up shell
|
||||
sh := "/bin/sh"
|
||||
if s, ok := os.LookupEnv(shell); ok {
|
||||
seal.sys.bwrap.SetEnv[shell] = s
|
||||
sh = s
|
||||
}
|
||||
|
||||
// generate /etc/passwd
|
||||
passwdPath := path.Join(seal.share, "passwd")
|
||||
username := "chronos"
|
||||
if seal.sys.user.username != "" {
|
||||
username = seal.sys.user.username
|
||||
}
|
||||
homeDir := "/var/empty"
|
||||
if seal.sys.user.home != "" {
|
||||
homeDir = seal.sys.user.home
|
||||
}
|
||||
|
||||
// bind home directory
|
||||
seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
|
||||
seal.sys.bwrap.Chdir = homeDir
|
||||
|
||||
seal.sys.bwrap.SetEnv["USER"] = username
|
||||
seal.sys.bwrap.SetEnv["HOME"] = homeDir
|
||||
|
||||
passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
|
||||
seal.sys.Write(passwdPath, passwd)
|
||||
|
||||
// write /etc/group
|
||||
groupPath := path.Join(seal.share, "group")
|
||||
seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
|
||||
|
||||
// bind /etc/passwd and /etc/group
|
||||
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
||||
seal.sys.bwrap.Bind(groupPath, "/etc/group")
|
||||
|
||||
/*
|
||||
Display servers
|
||||
*/
|
||||
|
||||
// pass $TERM to launcher
|
||||
if t, ok := os.LookupEnv(term); ok {
|
||||
seal.sys.bwrap.SetEnv[term] = t
|
||||
}
|
||||
|
||||
// set up wayland
|
||||
if seal.et.Has(system.EWayland) {
|
||||
var wp string
|
||||
if wd, ok := os.LookupEnv(waylandDisplay); !ok {
|
||||
return fmsg.WrapError(ErrWayland,
|
||||
"WAYLAND_DISPLAY is not set")
|
||||
} else {
|
||||
wp = path.Join(seal.RuntimePath, wd)
|
||||
}
|
||||
|
||||
w := path.Join(seal.sys.runtime, "wayland-0")
|
||||
seal.sys.bwrap.SetEnv[waylandDisplay] = w
|
||||
|
||||
if !seal.directWayland { // set up security-context-v1
|
||||
wc := path.Join(seal.SharePath, "wayland")
|
||||
wt := path.Join(wc, seal.id)
|
||||
seal.sys.Ensure(wc, 0711)
|
||||
appID := seal.fid
|
||||
if appID == "" {
|
||||
// use instance ID in case app id is not set
|
||||
appID = "moe.ophivana.fortify." + seal.id
|
||||
}
|
||||
seal.sys.Wayland(wt, wp, appID, seal.id)
|
||||
seal.sys.bwrap.Bind(wt, w)
|
||||
} else { // bind mount wayland socket (insecure)
|
||||
// hardlink wayland socket
|
||||
wpi := path.Join(seal.shareLocal, "wayland")
|
||||
seal.sys.Link(wp, wpi)
|
||||
seal.sys.bwrap.Bind(wpi, w)
|
||||
|
||||
// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
|
||||
seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
|
||||
}
|
||||
}
|
||||
|
||||
// set up X11
|
||||
if seal.et.Has(system.EX11) {
|
||||
// discover X11 and grant user permission via the `ChangeHosts` command
|
||||
if d, ok := os.LookupEnv(display); !ok {
|
||||
return fmsg.WrapError(ErrXDisplay,
|
||||
"DISPLAY is not set")
|
||||
} else {
|
||||
seal.sys.ChangeHosts("#" + seal.sys.user.us)
|
||||
seal.sys.bwrap.SetEnv[display] = d
|
||||
seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
PulseAudio server and authentication
|
||||
*/
|
||||
|
||||
if seal.et.Has(system.EPulse) {
|
||||
// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
|
||||
pd := path.Join(seal.RuntimePath, "pulse")
|
||||
ps := path.Join(pd, "native")
|
||||
if _, err := os.Stat(pd); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
|
||||
}
|
||||
return fmsg.WrapError(ErrPulseSocket,
|
||||
fmt.Sprintf("PulseAudio directory %q not found", pd))
|
||||
}
|
||||
|
||||
// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
|
||||
if s, err := os.Stat(ps); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
|
||||
}
|
||||
return fmsg.WrapError(ErrPulseSocket,
|
||||
fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
|
||||
} else {
|
||||
if m := s.Mode(); m&0o006 != 0o006 {
|
||||
return fmsg.WrapError(ErrPulseMode,
|
||||
fmt.Sprintf("unexpected permissions on %q:", ps), m)
|
||||
}
|
||||
}
|
||||
|
||||
// hard link pulse socket into target-executable share
|
||||
psi := path.Join(seal.shareLocal, "pulse")
|
||||
p := path.Join(seal.sys.runtime, "pulse", "native")
|
||||
seal.sys.Link(ps, psi)
|
||||
seal.sys.bwrap.Bind(psi, p)
|
||||
seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
|
||||
|
||||
// publish current user's pulse cookie for target user
|
||||
if src, err := discoverPulseCookie(os); err != nil {
|
||||
// not fatal
|
||||
fmsg.VPrintln(err.(*fmsg.BaseError).Message())
|
||||
} else {
|
||||
dst := path.Join(seal.share, "pulse-cookie")
|
||||
innerDst := fst.Tmp + "/pulse-cookie"
|
||||
seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
|
||||
seal.sys.CopyFile(dst, src)
|
||||
seal.sys.bwrap.Bind(dst, innerDst)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
D-Bus proxy
|
||||
*/
|
||||
|
||||
if seal.et.Has(system.EDBus) {
|
||||
// ensure dbus session bus defaults
|
||||
if bus[0] == nil {
|
||||
bus[0] = dbus.NewConfig(seal.fid, true, true)
|
||||
}
|
||||
|
||||
// downstream socket paths
|
||||
sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
|
||||
|
||||
// configure dbus proxy
|
||||
if f, err := seal.sys.ProxyDBus(bus[0], bus[1], sessionPath, systemPath); err != nil {
|
||||
return err
|
||||
} else {
|
||||
seal.dbusMsg = f
|
||||
}
|
||||
|
||||
// share proxy sockets
|
||||
sessionInner := path.Join(seal.sys.runtime, "bus")
|
||||
seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
|
||||
seal.sys.bwrap.Bind(sessionPath, sessionInner)
|
||||
seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
|
||||
if bus[1] != nil {
|
||||
systemInner := "/run/dbus/system_bus_socket"
|
||||
seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
|
||||
seal.sys.bwrap.Bind(systemPath, systemInner)
|
||||
seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
Miscellaneous
|
||||
*/
|
||||
|
||||
// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
|
||||
for _, dest := range seal.sys.override {
|
||||
seal.sys.bwrap.Tmpfs(dest, 8*1024)
|
||||
}
|
||||
|
||||
// append extra perms
|
||||
for _, p := range seal.extraPerms {
|
||||
if p == nil {
|
||||
continue
|
||||
}
|
||||
if p.ensure {
|
||||
seal.sys.Ensure(p.name, 0700)
|
||||
}
|
||||
seal.sys.UpdatePermType(system.User, p.name, p.perms...)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
|
||||
func discoverPulseCookie(os linux.System) (string, error) {
|
||||
if p, ok := os.LookupEnv(pulseCookie); ok {
|
||||
return p, nil
|
||||
}
|
||||
|
||||
// dotfile $HOME/.pulse-cookie
|
||||
if p, ok := os.LookupEnv(home); ok {
|
||||
p = path.Join(p, ".pulse-cookie")
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return p, fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
||||
}
|
||||
// not found, try next method
|
||||
} else if !s.IsDir() {
|
||||
return p, nil
|
||||
}
|
||||
}
|
||||
|
||||
// $XDG_CONFIG_HOME/pulse/cookie
|
||||
if p, ok := os.LookupEnv(xdgConfigHome); ok {
|
||||
p = path.Join(p, "pulse", "cookie")
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return p, fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
||||
}
|
||||
// not found, try next method
|
||||
} else if !s.IsDir() {
|
||||
return p, nil
|
||||
}
|
||||
}
|
||||
|
||||
return "", fmsg.WrapError(ErrPulseCookie,
|
||||
fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
|
||||
pulseCookie, xdgConfigHome, home))
|
||||
}
|
||||
@ -1,119 +0,0 @@
|
||||
package app
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"path"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
"git.gensokyo.uk/security/fortify/internal/linux"
|
||||
"git.gensokyo.uk/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
pulseServer = "PULSE_SERVER"
|
||||
pulseCookie = "PULSE_COOKIE"
|
||||
|
||||
home = "HOME"
|
||||
xdgConfigHome = "XDG_CONFIG_HOME"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrPulseCookie = errors.New("pulse cookie not present")
|
||||
ErrPulseSocket = errors.New("pulse socket not present")
|
||||
ErrPulseMode = errors.New("unexpected pulse socket mode")
|
||||
)
|
||||
|
||||
func (seal *appSeal) sharePulse(os linux.System) error {
|
||||
if !seal.et.Has(system.EPulse) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
|
||||
pd := path.Join(seal.RuntimePath, "pulse")
|
||||
ps := path.Join(pd, "native")
|
||||
if _, err := os.Stat(pd); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
|
||||
}
|
||||
return fmsg.WrapError(ErrPulseSocket,
|
||||
fmt.Sprintf("PulseAudio directory %q not found", pd))
|
||||
}
|
||||
|
||||
// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
|
||||
if s, err := os.Stat(ps); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
|
||||
}
|
||||
return fmsg.WrapError(ErrPulseSocket,
|
||||
fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
|
||||
} else {
|
||||
if m := s.Mode(); m&0o006 != 0o006 {
|
||||
return fmsg.WrapError(ErrPulseMode,
|
||||
fmt.Sprintf("unexpected permissions on %q:", ps), m)
|
||||
}
|
||||
}
|
||||
|
||||
// hard link pulse socket into target-executable share
|
||||
psi := path.Join(seal.shareLocal, "pulse")
|
||||
p := path.Join(seal.sys.runtime, "pulse", "native")
|
||||
seal.sys.Link(ps, psi)
|
||||
seal.sys.bwrap.Bind(psi, p)
|
||||
seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
|
||||
|
||||
// publish current user's pulse cookie for target user
|
||||
if src, err := discoverPulseCookie(os); err != nil {
|
||||
fmsg.VPrintln(err.(*fmsg.BaseError).Message())
|
||||
} else {
|
||||
dst := path.Join(seal.share, "pulse-cookie")
|
||||
innerDst := fst.Tmp + "/pulse-cookie"
|
||||
seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
|
||||
seal.sys.CopyFile(dst, src)
|
||||
seal.sys.bwrap.Bind(dst, innerDst)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
|
||||
func discoverPulseCookie(os linux.System) (string, error) {
|
||||
if p, ok := os.LookupEnv(pulseCookie); ok {
|
||||
return p, nil
|
||||
}
|
||||
|
||||
// dotfile $HOME/.pulse-cookie
|
||||
if p, ok := os.LookupEnv(home); ok {
|
||||
p = path.Join(p, ".pulse-cookie")
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return p, fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
||||
}
|
||||
// not found, try next method
|
||||
} else if !s.IsDir() {
|
||||
return p, nil
|
||||
}
|
||||
}
|
||||
|
||||
// $XDG_CONFIG_HOME/pulse/cookie
|
||||
if p, ok := os.LookupEnv(xdgConfigHome); ok {
|
||||
p = path.Join(p, "pulse", "cookie")
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return p, fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
||||
}
|
||||
// not found, try next method
|
||||
} else if !s.IsDir() {
|
||||
return p, nil
|
||||
}
|
||||
}
|
||||
|
||||
return "", fmsg.WrapError(ErrPulseCookie,
|
||||
fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
|
||||
pulseCookie, xdgConfigHome, home))
|
||||
}
|
||||
@ -1,39 +0,0 @@
|
||||
package app
|
||||
|
||||
import (
|
||||
"path"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/acl"
|
||||
"git.gensokyo.uk/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
||||
xdgSessionClass = "XDG_SESSION_CLASS"
|
||||
xdgSessionType = "XDG_SESSION_TYPE"
|
||||
)
|
||||
|
||||
// shareRuntime queues actions for sharing/ensuring the runtime and share directories
|
||||
func (seal *appSeal) shareRuntime() {
|
||||
// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
|
||||
seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
|
||||
seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
|
||||
|
||||
// point to inner runtime path `/run/user/%d`
|
||||
seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
|
||||
seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
|
||||
seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
|
||||
|
||||
// ensure RunDir (e.g. `/run/user/%d/fortify`)
|
||||
seal.sys.Ensure(seal.RunDirPath, 0700)
|
||||
seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
|
||||
|
||||
// ensure runtime directory ACL (e.g. `/run/user/%d`)
|
||||
seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
|
||||
seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
|
||||
|
||||
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
|
||||
seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
|
||||
seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
|
||||
seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
|
||||
}
|
||||
@ -1,74 +0,0 @@
|
||||
package app
|
||||
|
||||
import (
|
||||
"path"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/acl"
|
||||
"git.gensokyo.uk/security/fortify/internal/linux"
|
||||
"git.gensokyo.uk/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
shell = "SHELL"
|
||||
)
|
||||
|
||||
// shareSystem queues various system-related actions
|
||||
func (seal *appSeal) shareSystem() {
|
||||
// ensure Share (e.g. `/tmp/fortify.%d`)
|
||||
// acl is unnecessary as this directory is world executable
|
||||
seal.sys.Ensure(seal.SharePath, 0711)
|
||||
|
||||
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
||||
// acl is unnecessary as this directory is world executable
|
||||
seal.share = path.Join(seal.SharePath, seal.id)
|
||||
seal.sys.Ephemeral(system.Process, seal.share, 0711)
|
||||
|
||||
// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
|
||||
targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
|
||||
seal.sys.Ensure(targetTmpdirParent, 0700)
|
||||
seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
|
||||
|
||||
// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
|
||||
targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.as)
|
||||
seal.sys.Ensure(targetTmpdir, 01700)
|
||||
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
||||
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
||||
}
|
||||
|
||||
func (seal *appSeal) sharePasswd(os linux.System) {
|
||||
// look up shell
|
||||
sh := "/bin/sh"
|
||||
if s, ok := os.LookupEnv(shell); ok {
|
||||
seal.sys.bwrap.SetEnv[shell] = s
|
||||
sh = s
|
||||
}
|
||||
|
||||
// generate /etc/passwd
|
||||
passwdPath := path.Join(seal.share, "passwd")
|
||||
username := "chronos"
|
||||
if seal.sys.user.username != "" {
|
||||
username = seal.sys.user.username
|
||||
}
|
||||
homeDir := "/var/empty"
|
||||
if seal.sys.user.home != "" {
|
||||
homeDir = seal.sys.user.home
|
||||
}
|
||||
|
||||
// bind home directory
|
||||
seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
|
||||
seal.sys.bwrap.Chdir = homeDir
|
||||
|
||||
seal.sys.bwrap.SetEnv["USER"] = username
|
||||
seal.sys.bwrap.SetEnv["HOME"] = homeDir
|
||||
|
||||
passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
|
||||
seal.sys.Write(passwdPath, passwd)
|
||||
|
||||
// write /etc/group
|
||||
groupPath := path.Join(seal.share, "group")
|
||||
seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
|
||||
|
||||
// bind /etc/passwd and /etc/group
|
||||
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
||||
seal.sys.bwrap.Bind(groupPath, "/etc/group")
|
||||
}
|
||||
@ -49,6 +49,7 @@ func (a *app) Start() error {
|
||||
Argv: a.seal.command,
|
||||
Exec: shimExec,
|
||||
Bwrap: a.seal.sys.bwrap,
|
||||
Home: a.seal.sys.user.data,
|
||||
|
||||
Verbose: fmsg.Verbose(),
|
||||
},
|
||||
|
||||
@ -1,9 +1,7 @@
|
||||
package app
|
||||
|
||||
import (
|
||||
"git.gensokyo.uk/security/fortify/dbus"
|
||||
"git.gensokyo.uk/security/fortify/helper/bwrap"
|
||||
"git.gensokyo.uk/security/fortify/internal/linux"
|
||||
"git.gensokyo.uk/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
@ -51,37 +49,3 @@ type appUser struct {
|
||||
// passwd database username
|
||||
username string
|
||||
}
|
||||
|
||||
// shareAll calls all share methods in sequence
|
||||
func (seal *appSeal) shareAll(bus [2]*dbus.Config, os linux.System) error {
|
||||
if seal.shared {
|
||||
panic("seal shared twice")
|
||||
}
|
||||
seal.shared = true
|
||||
|
||||
seal.shareSystem()
|
||||
seal.shareRuntime()
|
||||
seal.sharePasswd(os)
|
||||
if err := seal.shareDisplay(os); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := seal.sharePulse(os); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// ensure dbus session bus defaults
|
||||
if bus[0] == nil {
|
||||
bus[0] = dbus.NewConfig(seal.fid, true, true)
|
||||
}
|
||||
|
||||
if err := seal.shareDBus(bus); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
|
||||
for _, dest := range seal.sys.override {
|
||||
seal.sys.bwrap.Tmpfs(dest, 8*1024)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -36,7 +36,7 @@ func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath st
|
||||
}
|
||||
|
||||
// system bus is optional
|
||||
d.system = system == nil
|
||||
d.system = system != nil
|
||||
|
||||
// upstream address, downstream socket path
|
||||
var sessionBus, systemBus [2]string
|
||||
|
||||
@ -32,7 +32,7 @@ func Parse(stdout fmt.Stringer) ([]*Entry, error) {
|
||||
switch len(segment) {
|
||||
case 2: // /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
|
||||
iL = 1
|
||||
result[i] = &Entry{Name: segment[0]}
|
||||
result[i] = &Entry{Name: strings.TrimSpace(segment[0])}
|
||||
case 4: // libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
|
||||
iL = 3
|
||||
if segment[1] != "=>" {
|
||||
@ -42,7 +42,7 @@ func Parse(stdout fmt.Stringer) ([]*Entry, error) {
|
||||
return nil, ErrPathNotAbsolute
|
||||
}
|
||||
result[i] = &Entry{
|
||||
Name: segment[0],
|
||||
Name: strings.TrimSpace(segment[0]),
|
||||
Path: segment[2],
|
||||
}
|
||||
default:
|
||||
|
||||
@ -65,12 +65,12 @@ libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7ff71c0a4000)`,
|
||||
{"libc.musl-x86_64.so.1", "/lib/ld-musl-x86_64.so.1", 0x7ff71c0a4000},
|
||||
}},
|
||||
{"glibc /nix/store/rc3n2r3nffpib2gqpxlkjx36frw6n34z-kmod-31/bin/kmod", `
|
||||
linux-vdso.so.1 (0x00007ffed65be000)
|
||||
libzstd.so.1 => /nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1 (0x00007f3199cd1000)
|
||||
liblzma.so.5 => /nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5 (0x00007f3199ca2000)
|
||||
libc.so.6 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6 (0x00007f3199ab5000)
|
||||
libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0 (0x00007f3199ab0000)
|
||||
/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2 (0x00007f3199da5000)`,
|
||||
linux-vdso.so.1 (0x00007ffed65be000)
|
||||
libzstd.so.1 => /nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1 (0x00007f3199cd1000)
|
||||
liblzma.so.5 => /nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5 (0x00007f3199ca2000)
|
||||
libc.so.6 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6 (0x00007f3199ab5000)
|
||||
libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0 (0x00007f3199ab0000)
|
||||
/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2 (0x00007f3199da5000)`,
|
||||
[]*ldd.Entry{
|
||||
{"linux-vdso.so.1", "", 0x00007ffed65be000},
|
||||
{"libzstd.so.1", "/nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1", 0x00007f3199cd1000},
|
||||
@ -79,6 +79,35 @@ libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib
|
||||
{"libpthread.so.0", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0", 0x00007f3199ab0000},
|
||||
{"/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2", 0x00007f3199da5000},
|
||||
}},
|
||||
{"glibc /usr/bin/xdg-dbus-proxy", `
|
||||
linux-vdso.so.1 (0x00007725f5772000)
|
||||
libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0x00007725f55d5000)
|
||||
libgio-2.0.so.0 => /usr/lib/libgio-2.0.so.0 (0x00007725f5406000)
|
||||
libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0x00007725f53a6000)
|
||||
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007725f5378000)
|
||||
libc.so.6 => /usr/lib/libc.so.6 (0x00007725f5187000)
|
||||
libpcre2-8.so.0 => /usr/lib/libpcre2-8.so.0 (0x00007725f50e8000)
|
||||
libgmodule-2.0.so.0 => /usr/lib/libgmodule-2.0.so.0 (0x00007725f50df000)
|
||||
libz.so.1 => /usr/lib/libz.so.1 (0x00007725f50c6000)
|
||||
libmount.so.1 => /usr/lib/libmount.so.1 (0x00007725f5076000)
|
||||
libffi.so.8 => /usr/lib/libffi.so.8 (0x00007725f506b000)
|
||||
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007725f5774000)
|
||||
libblkid.so.1 => /usr/lib/libblkid.so.1 (0x00007725f5032000)`,
|
||||
[]*ldd.Entry{
|
||||
{"linux-vdso.so.1", "", 0x00007725f5772000},
|
||||
{"libglib-2.0.so.0", "/usr/lib/libglib-2.0.so.0", 0x00007725f55d5000},
|
||||
{"libgio-2.0.so.0", "/usr/lib/libgio-2.0.so.0", 0x00007725f5406000},
|
||||
{"libgobject-2.0.so.0", "/usr/lib/libgobject-2.0.so.0", 0x00007725f53a6000},
|
||||
{"libgcc_s.so.1", "/usr/lib/libgcc_s.so.1", 0x00007725f5378000},
|
||||
{"libc.so.6", "/usr/lib/libc.so.6", 0x00007725f5187000},
|
||||
{"libpcre2-8.so.0", "/usr/lib/libpcre2-8.so.0", 0x00007725f50e8000},
|
||||
{"libgmodule-2.0.so.0", "/usr/lib/libgmodule-2.0.so.0", 0x00007725f50df000},
|
||||
{"libz.so.1", "/usr/lib/libz.so.1", 0x00007725f50c6000},
|
||||
{"libmount.so.1", "/usr/lib/libmount.so.1", 0x00007725f5076000},
|
||||
{"libffi.so.8", "/usr/lib/libffi.so.8", 0x00007725f506b000},
|
||||
{"/lib64/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2", 0x00007725f5774000},
|
||||
{"libblkid.so.1", "/usr/lib/libblkid.so.1", 0x00007725f5032000},
|
||||
}},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.file, func(t *testing.T) {
|
||||
|
||||
71
main.go
71
main.go
@ -2,7 +2,6 @@ package main
|
||||
|
||||
import (
|
||||
_ "embed"
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"fmt"
|
||||
"os/user"
|
||||
@ -129,64 +128,21 @@ func main() {
|
||||
// Ignore errors; set is set for ExitOnError.
|
||||
_ = set.Parse(args[1:])
|
||||
|
||||
if len(set.Args()) != 1 {
|
||||
fmsg.Fatal("show requires 1 argument")
|
||||
}
|
||||
|
||||
likePrefix := false
|
||||
if len(set.Args()[0]) <= 32 {
|
||||
likePrefix = true
|
||||
for _, c := range set.Args()[0] {
|
||||
if c >= '0' && c <= '9' {
|
||||
continue
|
||||
}
|
||||
if c >= 'a' && c <= 'f' {
|
||||
continue
|
||||
}
|
||||
likePrefix = false
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
var (
|
||||
config *fst.Config
|
||||
instance *state.State
|
||||
name string
|
||||
)
|
||||
|
||||
// try to match from state store
|
||||
if likePrefix && len(set.Args()[0]) >= 8 {
|
||||
fmsg.VPrintln("argument looks like prefix")
|
||||
|
||||
s := state.NewMulti(os.Paths().RunDirPath)
|
||||
if entries, err := state.Join(s); err != nil {
|
||||
fmsg.Printf("cannot join store: %v", err)
|
||||
// drop to fetch from file
|
||||
} else {
|
||||
for id := range entries {
|
||||
v := id.String()
|
||||
if strings.HasPrefix(v, set.Args()[0]) {
|
||||
// match, use config from this state entry
|
||||
instance = entries[id]
|
||||
config = instance.Config
|
||||
break
|
||||
}
|
||||
|
||||
fmsg.VPrintf("instance %s skipped", v)
|
||||
}
|
||||
}
|
||||
if len(set.Args()) != 1 {
|
||||
fmsg.Fatal("show requires 1 argument")
|
||||
} else {
|
||||
name = set.Args()[0]
|
||||
config, instance = tryShort(name)
|
||||
}
|
||||
|
||||
if config == nil {
|
||||
fmsg.VPrintf("reading from file")
|
||||
|
||||
config = new(fst.Config)
|
||||
if f, err := os.Open(set.Args()[0]); err != nil {
|
||||
fmsg.Fatalf("cannot access config file %q: %s", set.Args()[0], err)
|
||||
panic("unreachable")
|
||||
} else if err = json.NewDecoder(f).Decode(&config); err != nil {
|
||||
fmsg.Fatalf("cannot parse config file %q: %s", set.Args()[0], err)
|
||||
panic("unreachable")
|
||||
}
|
||||
config = tryPath(name)
|
||||
}
|
||||
|
||||
printShow(instance, config, short)
|
||||
@ -196,20 +152,13 @@ func main() {
|
||||
fmsg.Fatal("app requires at least 1 argument")
|
||||
}
|
||||
|
||||
config := new(fst.Config)
|
||||
if f, err := os.Open(args[1]); err != nil {
|
||||
fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
|
||||
panic("unreachable")
|
||||
} else if err = json.NewDecoder(f).Decode(&config); err != nil {
|
||||
fmsg.Fatalf("cannot parse config file %q: %s", args[1], err)
|
||||
panic("unreachable")
|
||||
}
|
||||
|
||||
// append extra args
|
||||
// config extraArgs...
|
||||
config := tryPath(args[1])
|
||||
config.Command = append(config.Command, args[2:]...)
|
||||
|
||||
// invoke app
|
||||
runApp(config)
|
||||
panic("unreachable")
|
||||
case "run": // run app in permissive defaults usage pattern
|
||||
set := flag.NewFlagSet("run", flag.ExitOnError)
|
||||
|
||||
|
||||
108
parse.go
Normal file
108
parse.go
Normal file
@ -0,0 +1,108 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"io"
|
||||
direct "os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
"git.gensokyo.uk/security/fortify/internal/state"
|
||||
)
|
||||
|
||||
func tryPath(name string) (config *fst.Config) {
|
||||
var r io.Reader
|
||||
config = new(fst.Config)
|
||||
|
||||
if name != "-" {
|
||||
r = tryFd(name)
|
||||
if r == nil {
|
||||
fmsg.VPrintln("load configuration from file")
|
||||
|
||||
if f, err := os.Open(name); err != nil {
|
||||
fmsg.Fatalf("cannot access configuration file %q: %s", name, err)
|
||||
panic("unreachable")
|
||||
} else {
|
||||
// finalizer closes f
|
||||
r = f
|
||||
}
|
||||
} else {
|
||||
defer func() {
|
||||
if err := r.(io.ReadCloser).Close(); err != nil {
|
||||
fmsg.Printf("cannot close config fd: %v", err)
|
||||
}
|
||||
}()
|
||||
}
|
||||
} else {
|
||||
r = direct.Stdin
|
||||
}
|
||||
|
||||
if err := json.NewDecoder(r).Decode(&config); err != nil {
|
||||
fmsg.Fatalf("cannot load configuration: %v", err)
|
||||
panic("unreachable")
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func tryFd(name string) io.ReadCloser {
|
||||
if v, err := strconv.Atoi(name); err != nil {
|
||||
fmsg.VPrintf("name cannot be interpreted as int64: %v", err)
|
||||
return nil
|
||||
} else {
|
||||
fd := uintptr(v)
|
||||
if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
|
||||
if errors.Is(errno, syscall.EBADF) {
|
||||
return nil
|
||||
}
|
||||
fmsg.Fatalf("cannot get fd %d: %v", fd, errno)
|
||||
}
|
||||
return direct.NewFile(fd, strconv.Itoa(v))
|
||||
}
|
||||
}
|
||||
|
||||
func tryShort(name string) (config *fst.Config, instance *state.State) {
|
||||
likePrefix := false
|
||||
if len(name) <= 32 {
|
||||
likePrefix = true
|
||||
for _, c := range name {
|
||||
if c >= '0' && c <= '9' {
|
||||
continue
|
||||
}
|
||||
if c >= 'a' && c <= 'f' {
|
||||
continue
|
||||
}
|
||||
likePrefix = false
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// try to match from state store
|
||||
if likePrefix && len(name) >= 8 {
|
||||
fmsg.VPrintln("argument looks like prefix")
|
||||
|
||||
s := state.NewMulti(os.Paths().RunDirPath)
|
||||
if entries, err := state.Join(s); err != nil {
|
||||
fmsg.Printf("cannot join store: %v", err)
|
||||
// drop to fetch from file
|
||||
} else {
|
||||
for id := range entries {
|
||||
v := id.String()
|
||||
if strings.HasPrefix(v, name) {
|
||||
// match, use config from this state entry
|
||||
instance = entries[id]
|
||||
config = instance.Config
|
||||
break
|
||||
}
|
||||
|
||||
fmsg.VPrintf("instance %s skipped", v)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
71
print.go
71
print.go
@ -70,7 +70,16 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
|
||||
flags = append(flags, "none")
|
||||
}
|
||||
fmt.Fprintf(w, " Flags:\t%s\n", strings.Join(flags, " "))
|
||||
fmt.Fprintf(w, " Overrides:\t%s\n", strings.Join(sandbox.Override, " "))
|
||||
|
||||
etc := sandbox.Etc
|
||||
if etc == "" {
|
||||
etc = "/etc"
|
||||
}
|
||||
fmt.Fprintf(w, " Etc:\t%s\n", etc)
|
||||
|
||||
if len(sandbox.Override) > 0 {
|
||||
fmt.Fprintf(w, " Overrides:\t%s\n", strings.Join(sandbox.Override, " "))
|
||||
}
|
||||
|
||||
// Env map[string]string `json:"env"`
|
||||
// Link [][2]string `json:"symlink"`
|
||||
@ -81,29 +90,47 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
|
||||
fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
|
||||
fmt.Fprintf(w, "\n")
|
||||
|
||||
if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
|
||||
fmt.Fprintf(w, "Filesystem:\n")
|
||||
for _, f := range config.Confinement.Sandbox.Filesystem {
|
||||
expr := new(strings.Builder)
|
||||
if f.Device {
|
||||
expr.WriteString(" d")
|
||||
} else if f.Write {
|
||||
expr.WriteString(" w")
|
||||
} else {
|
||||
expr.WriteString(" ")
|
||||
if !short {
|
||||
if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
|
||||
fmt.Fprintf(w, "Filesystem\n")
|
||||
for _, f := range config.Confinement.Sandbox.Filesystem {
|
||||
if f == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
expr := new(strings.Builder)
|
||||
expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
|
||||
|
||||
if f.Device {
|
||||
expr.WriteString(" d")
|
||||
} else if f.Write {
|
||||
expr.WriteString(" w")
|
||||
} else {
|
||||
expr.WriteString(" ")
|
||||
}
|
||||
if f.Must {
|
||||
expr.WriteString("*")
|
||||
} else {
|
||||
expr.WriteString("+")
|
||||
}
|
||||
expr.WriteString(f.Src)
|
||||
if f.Dst != "" {
|
||||
expr.WriteString(":" + f.Dst)
|
||||
}
|
||||
fmt.Fprintf(w, "%s\n", expr.String())
|
||||
}
|
||||
if f.Must {
|
||||
expr.WriteString("*")
|
||||
} else {
|
||||
expr.WriteString("+")
|
||||
}
|
||||
expr.WriteString(f.Src)
|
||||
if f.Dst != "" {
|
||||
expr.WriteString(":" + f.Dst)
|
||||
}
|
||||
fmt.Fprintf(w, "%s\n", expr.String())
|
||||
fmt.Fprintf(w, "\n")
|
||||
}
|
||||
if len(config.Confinement.ExtraPerms) > 0 {
|
||||
fmt.Fprintf(w, "Extra ACL\n")
|
||||
for _, p := range config.Confinement.ExtraPerms {
|
||||
if p == nil {
|
||||
continue
|
||||
}
|
||||
fmt.Fprintf(w, " %s\n", p.String())
|
||||
}
|
||||
fmt.Fprintf(w, "\n")
|
||||
}
|
||||
fmt.Fprintf(w, "\n")
|
||||
}
|
||||
|
||||
printDBus := func(c *dbus.Config) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user