release: 0.2.2

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>

.gitea/workflows/release.yml

@@ -8,7 +8,23 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    container:
+      image: node:16-bookworm-slim
     steps:
+      - name: Get dependencies
+        run: >-
+          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
+          apt-get update &&
+          apt-get install -y
+          git
+          gcc
+          pkg-config
+          libwayland-dev
+          wayland-protocols/bookworm-backports
+          libxcb1-dev
+          libacl1-dev
+        if: ${{ runner.os == 'Linux' }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -19,14 +35,9 @@ jobs:
         with:
           go-version: '>=1.23.0'
 
-      - name: Get dependencies
+      - name: Go generate
         run: >-
-          apt-get update &&
+          go generate ./...
-          apt-get install -y
-          gcc
-          pkg-config
-          libacl1-dev
-        if: ${{ runner.os == 'Linux' }}
 
       - name: Build for Linux
         run: >-

.gitea/workflows/test.yml

@@ -7,7 +7,23 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
+    container:
+      image: node:16-bookworm-slim
     steps:
+      - name: Get dependencies
+        run: >-
+          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
+          apt-get update &&
+          apt-get install -y
+          git
+          gcc
+          pkg-config
+          libwayland-dev
+          wayland-protocols/bookworm-backports
+          libxcb1-dev
+          libacl1-dev
+        if: ${{ runner.os == 'Linux' }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -18,14 +34,9 @@ jobs:
         with:
           go-version: '>=1.23.0'
 
-      - name: Get dependencies
+      - name: Go generate
         run: >-
-          apt-get update &&
+          go generate ./...
-          apt-get install -y
-          gcc
-          pkg-config
-          libacl1-dev
-        if: ${{ runner.os == 'Linux' }}
 
       - name: Run tests
         run: >-

.gitignore

@@ -23,3 +23,6 @@ go.work.sum
 .env
 .idea
 .vscode
+
+# go generate
+security-context-v1-protocol.*

README.md

@@ -15,19 +15,10 @@ Why would you want this?
 
 - It provides UID isolation on top of the standard application sandbox.
 
-There are a few different things to set up for this to work:
-
-- A set of users, each for a group of applications that should be allowed access to each other
-
-- A tool to switch users, currently sudo and machinectl are supported.
-
-- If you are running NixOS, the module in this repository can take care of launchers and desktop files in the privileged
-  user's environment, as well as packages and extra home-manager configuration for target users.
-
 If you have a flakes-enabled nix environment, you can try out the tool by running:
 
 ```shell
-nix run git+https://git.ophivana.moe/security/fortify -- -h
+nix run git+https://git.ophivana.moe/security/fortify -- help
 ```
 
 ## Module usage
@@ -97,7 +88,6 @@ This adds the `environment.fortify` option:
             f:
             f {
               talk = [
-                "org.freedesktop.DBus"
                 "org.freedesktop.FileManager1"
                 "org.freedesktop.Notifications"
                 "org.freedesktop.ScreenSaver"

cmd/finit/ipc/payload.go

@@ -7,8 +7,6 @@ type Payload struct {
 	Argv0 string
 	// child full argv
 	Argv []string
-	// wayland fd, -1 to disable
-	WL int
 
 	// verbosity pass through
 	Verbose bool

cmd/finit/main.go

@@ -92,14 +92,6 @@ func main() {
 	cmd.Args = payload.Argv
 	cmd.Env = os.Environ()
 
-	// pass wayland fd
-	if payload.WL != -1 {
-		if f := os.NewFile(uintptr(payload.WL), "wayland"); f != nil {
-			cmd.Env = append(cmd.Env, "WAYLAND_SOCKET="+strconv.Itoa(3+len(cmd.ExtraFiles)))
-			cmd.ExtraFiles = append(cmd.ExtraFiles, f)
-		}
-	}
-
 	if err := cmd.Start(); err != nil {
 		fmsg.Fatalf("cannot start %q: %v", payload.Argv0, err)
 	}

cmd/fshim/ipc/payload.go

@@ -2,7 +2,6 @@ package shim0
 
 import (
 	"encoding/gob"
-	"errors"
 	"net"
 
 	"git.ophivana.moe/security/fortify/helper/bwrap"
@@ -18,25 +17,19 @@ type Payload struct {
 	Exec [2]string
 	// bwrap config
 	Bwrap *bwrap.Config
-	// whether to pass wayland fd
+	// sync fd
-	WL bool
+	Sync *uintptr
 
 	// verbosity pass through
 	Verbose bool
 }
 
-func (p *Payload) Serve(conn *net.UnixConn, wl *Wayland) error {
+func (p *Payload) Serve(conn *net.UnixConn) error {
 	if err := gob.NewEncoder(conn).Encode(*p); err != nil {
 		return fmsg.WrapErrorSuffix(err,
 			"cannot stream shim payload:")
 	}
 
-	if wl != nil {
-		if err := wl.WriteUnix(conn); err != nil {
-			return errors.Join(err, conn.Close())
-		}
-	}
-
 	return fmsg.WrapErrorSuffix(conn.Close(),
 		"cannot close setup connection:")
 }

cmd/fshim/ipc/shim/shim.go

@@ -16,6 +16,7 @@ import (
 	shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
 	"git.ophivana.moe/security/fortify/internal"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.ophivana.moe/security/fortify/internal/proc"
 )
 
 const shimSetupTimeout = 5 * time.Second
@@ -39,14 +40,12 @@ type Shim struct {
 	abortOnce sync.Once
 	// fallback exit notifier with error returned killing the process
 	killFallback chan error
-	// wayland mediation, nil if disabled
-	wl *shim0.Wayland
 	// shim setup payload
 	payload *shim0.Payload
 }
 
-func New(uid uint32, aid string, supp []string, socket string, wl *shim0.Wayland, payload *shim0.Payload) *Shim {
+func New(uid uint32, aid string, supp []string, socket string, payload *shim0.Payload) *Shim {
-	return &Shim{uid: uid, aid: aid, supp: supp, socket: socket, wl: wl, payload: payload}
+	return &Shim{uid: uid, aid: aid, supp: supp, socket: socket, payload: payload}
 }
 
 func (s *Shim) String() string {
@@ -112,6 +111,13 @@ func (s *Shim) Start() (*time.Time, error) {
 	}
 	s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	s.cmd.Dir = "/"
+
+	// pass sync fd if set
+	if s.payload.Bwrap.Sync() != nil {
+		fd := proc.ExtraFile(s.cmd, s.payload.Bwrap.Sync())
+		s.payload.Sync = &fd
+	}
+
 	fmsg.VPrintln("starting shim via fsu:", s.cmd)
 	fmsg.Suspend() // withhold messages to stderr
 	if err := s.cmd.Start(); err != nil {
@@ -172,9 +178,9 @@ func (s *Shim) Start() (*time.Time, error) {
 		return &startTime, err
 	}
 
-	// serve payload and wayland fd if enabled
+	// serve payload
 	// this also closes the connection
-	err := s.payload.Serve(conn, s.wl)
+	err := s.payload.Serve(conn)
 	if err == nil {
 		killShim = func() {}
 	}

cmd/fshim/ipc/wayland.go

@@ -1,75 +0,0 @@
-package shim0
-
-import (
-	"fmt"
-	"net"
-	"sync"
-	"syscall"
-
-	"git.ophivana.moe/security/fortify/internal/fmsg"
-)
-
-// Wayland implements wayland mediation.
-type Wayland struct {
-	// wayland socket path
-	Path string
-
-	// wayland connection
-	conn *net.UnixConn
-
-	connErr error
-	sync.Once
-	// wait for wayland client to exit
-	done chan struct{}
-}
-
-func (wl *Wayland) WriteUnix(conn *net.UnixConn) error {
-	// connect to host wayland socket
-	if f, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: wl.Path, Net: "unix"}); err != nil {
-		return fmsg.WrapErrorSuffix(err,
-			fmt.Sprintf("cannot connect to wayland at %q:", wl.Path))
-	} else {
-		fmsg.VPrintf("connected to wayland at %q", wl.Path)
-		wl.conn = f
-	}
-
-	// set up for passing wayland socket
-	if rc, err := wl.conn.SyscallConn(); err != nil {
-		return fmsg.WrapErrorSuffix(err, "cannot obtain raw wayland connection:")
-	} else {
-		ec := make(chan error)
-		go func() {
-			// pass wayland connection fd
-			if err = rc.Control(func(fd uintptr) {
-				if _, _, err = conn.WriteMsgUnix(nil, syscall.UnixRights(int(fd)), nil); err != nil {
-					ec <- fmsg.WrapErrorSuffix(err, "cannot pass wayland connection to shim:")
-					return
-				}
-				ec <- nil
-
-				// block until shim exits
-				<-wl.done
-				fmsg.VPrintln("releasing wayland connection")
-			}); err != nil {
-				ec <- fmsg.WrapErrorSuffix(err, "cannot obtain wayland connection fd:")
-				return
-			}
-		}()
-		return <-ec
-	}
-}
-
-func (wl *Wayland) Close() error {
-	wl.Do(func() {
-		close(wl.done)
-		wl.connErr = wl.conn.Close()
-	})
-
-	return wl.connErr
-}
-
-func NewWayland() *Wayland {
-	wl := new(Wayland)
-	wl.done = make(chan struct{})
-	return wl
-}

cmd/fshim/main.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"encoding/gob"
-	"errors"
 	"net"
 	"os"
 	"path"
@@ -76,14 +75,9 @@ func main() {
 		fmsg.Fatal("bwrap config not supplied")
 	}
 
-	// receive wayland fd over socket
+	// restore bwrap sync fd
-	wfd := -1
+	if payload.Sync != nil {
-	if payload.WL {
+		payload.Bwrap.SetSync(os.NewFile(*payload.Sync, "sync"))
-		if fd, err := receiveWLfd(conn); err != nil {
-			fmsg.Fatalf("cannot receive wayland fd: %v", err)
-		} else {
-			wfd = fd
-		}
 	}
 
 	// close setup socket
@@ -116,16 +110,6 @@ func main() {
 
 	var extraFiles []*os.File
 
-	// pass wayland fd
-	if wfd != -1 {
-		if f := os.NewFile(uintptr(wfd), "wayland"); f != nil {
-			ic.WL = 3 + len(extraFiles)
-			extraFiles = append(extraFiles, f)
-		}
-	} else {
-		ic.WL = -1
-	}
-
 	// share config pipe
 	if r, w, err := os.Pipe(); err != nil {
 		fmsg.Fatalf("cannot pipe: %v", err)
@@ -168,30 +152,3 @@ func main() {
 		}
 	}
 }
-
-func receiveWLfd(conn *net.UnixConn) (int, error) {
-	oob := make([]byte, syscall.CmsgSpace(4)) // single fd
-
-	if _, oobn, _, _, err := conn.ReadMsgUnix(nil, oob); err != nil {
-		return -1, err
-	} else if len(oob) != oobn {
-		return -1, errors.New("invalid message length")
-	}
-
-	var msg syscall.SocketControlMessage
-	if messages, err := syscall.ParseSocketControlMessage(oob); err != nil {
-		return -1, err
-	} else if len(messages) != 1 {
-		return -1, errors.New("unexpected message count")
-	} else {
-		msg = messages[0]
-	}
-
-	if fds, err := syscall.ParseUnixRights(&msg); err != nil {
-		return -1, err
-	} else if len(fds) != 1 {
-		return -1, errors.New("unexpected fd count")
-	} else {
-		return fds[0], nil
-	}
-}

cmd/fuserdb/main.go

@@ -54,7 +54,7 @@ func main() {
 			realName := fmt.Sprintf("Fortify subordinate user %d (%s)", aid, u.name)
 			var homeDirectory string
 			if *homeDir != varEmpty {
-				homeDirectory = path.Join(*homeDir, fidString, strconv.Itoa(aid))
+				homeDirectory = path.Join(*homeDir, "u"+fidString, "a"+strconv.Itoa(aid))
 			} else {
 				homeDirectory = varEmpty
 			}

comp/_fortify

@@ -0,0 +1,51 @@
+#compdef fortify
+
+_fortify_app() {
+  _path_files -g "*.(json|ftfy)"
+}
+
+_fortify_run() {
+  _arguments \
+    '--id[App ID, leave empty to disable security context app_id]:id' \
+    '-a[Fortify application ID]: :_numbers' \
+    '-g[Groups inherited by the app process]: :_groups' \
+    '-d[Application home directory]: :_files -/' \
+    '-u[Passwd name within sandbox]: :_users' \
+    '--wayland[Share Wayland socket]' \
+    '-X[Share X11 socket and allow connection]' \
+    '--dbus[Proxy D-Bus connection]' \
+    '--pulse[Share PulseAudio socket and cookie]' \
+    '--dbus-config[Path to D-Bus proxy config file]: :_files -g "*.json"' \
+    '--dbus-system[Path to system D-Bus proxy config file]: :_files -g "*.json"' \
+    '--mpris[Allow owning MPRIS D-Bus path]' \
+    '--dbus-log[Force logging in the D-Bus proxy]'
+}
+
+(( $+functions[_fortify_commands] )) || _fortify_commands()
+{
+  local -a _fortify_cmds
+  _fortify_cmds=(
+    "app:Launch app defined by the specified config file"
+    "run:Configure and start a permissive default sandbox"
+    "ps:List active apps and their state"
+    "version:Show fortify version"
+    "license:Show full license text"
+    "template:Produce a config template"
+    "help:Show help message"
+  )
+  if (( CURRENT == 1 )); then
+    _describe -t commands 'fortify command' _fortify_cmds || compadd "$@"
+  else
+    local curcontext="$curcontext"
+    cmd="${${_fortify_cmds[(r)$words[1]:*]%%:*}}"
+    if (( $+functions[_fortify_$cmd] )); then
+      _fortify_$cmd
+    else
+      _message "no more options"
+    fi
+  fi
+}
+
+_arguments -C \
+  '-v[Verbose output]' \
+  '*::fortify command:_fortify_commands'

flake.lock

@@ -2,16 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1725361206,
+        "lastModified": 1733348545,
-        "narHash": "sha256-/HTUg+kMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc=",
+        "narHash": "sha256-b4JrUmqT0vFNx42aEN9LTWOHomkTKL/ayLopflVf81U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2830c7c930311397d94c0b86a359c865c081c875",
+        "rev": "9ecb50d2fae8680be74c08bb0a995c5383747f89",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable-small",
+        "ref": "nixos-24.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,7 +2,7 @@
   description = "fortify sandbox tool and nixos module";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small";
   };
 
   outputs =

helper/bwrap.go

@@ -3,11 +3,13 @@ package helper
 import (
 	"errors"
 	"io"
+	"os"
 	"os/exec"
 	"strconv"
 	"sync"
 
 	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.ophivana.moe/security/fortify/internal/proc"
 )
 
 // BubblewrapName is the file name or path to bubblewrap.
@@ -19,6 +21,8 @@ type bubblewrap struct {
 
 	// bwrap pipes
 	p *pipes
+	// sync pipe
+	sync *os.File
 	// returns an array of arguments passed directly
 	// to the child process spawned by bwrap
 	argF func(argsFD, statFD int) []string
@@ -72,6 +76,10 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
 		b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1")
 	}
 
+	if b.sync != nil {
+		b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync))))
+	}
+
 	if err := b.Cmd.Start(); err != nil {
 		return err
 	}
@@ -131,6 +139,7 @@ func NewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD,
 		b.p = &pipes{args: args}
 	}
 
+	b.sync = conf.Sync()
 	b.argF = argF
 	b.name = name
 	if wt != nil {

helper/bwrap/config.go

@@ -68,13 +68,16 @@ type Config struct {
 	// (--as-pid-1)
 	AsInit bool `json:"as_init"`
 
+	// keep this fd open while sandbox is running
+	// (--sync-fd FD)
+	sync *os.File
+
 	/* unmapped options include:
 	    --unshare-user-try           Create new user namespace if possible else continue by skipping it
 	    --unshare-cgroup-try         Create new cgroup namespace if possible else continue by skipping it
 	    --userns FD                  Use this user namespace (cannot combine with --unshare-user)
 	    --userns2 FD                 After setup switch to this user namespace, only useful with --userns
 	    --pidns FD                   Use this pid namespace (as parent namespace if using --unshare-pid)
-		--sync-fd FD                 Keep this fd open while sandbox is running
 	    --exec-label LABEL           Exec label for the sandbox
 	    --file-label LABEL           File label for temporary sandbox content
 	    --file FD DEST               Copy from FD to destination DEST
@@ -92,6 +95,12 @@ type Config struct {
 	among which --args is used internally for passing arguments */
 }
 
+// Sync keep this fd open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) Sync() *os.File {
+	return c.sync
+}
+
 type UnshareConfig struct {
 	// (--unshare-user)
 	// create new user namespace

helper/bwrap/config.set.go

@@ -136,3 +136,10 @@ func (c *Config) SetGID(gid int) *Config {
 	}
 	return c
 }
+
+// SetSync sets the sync pipe kept open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) SetSync(s *os.File) *Config {
+	c.sync = s
+	return c
+}

helper/pipe.go

@@ -5,6 +5,8 @@ import (
 	"io"
 	"os"
 	"os/exec"
+
+	"git.ophivana.moe/security/fortify/internal/proc"
 )
 
 type pipes struct {
@@ -47,24 +49,21 @@ func (p *pipes) pipe() error {
 }
 
 // calls pipe to create pipes and sets them up as ExtraFiles, returning their fd
-func (p *pipes) prepareCmd(cmd *exec.Cmd) (int, int, error) {
+func (p *pipes) prepareCmd(cmd *exec.Cmd) (argsFd, statFd int, err error) {
-	if err := p.pipe(); err != nil {
+	argsFd, statFd = -1, -1
-		return -1, -1, err
+	if err = p.pipe(); err != nil {
+		return
 	}
 
 	// save a reference of cmd for future use
 	p.cmd = cmd
 
-	// ExtraFiles: If non-nil, entry i becomes file descriptor 3+i.
+	argsFd = int(proc.ExtraFile(cmd, p.argsP[0]))
-	argsFd := 3 + len(cmd.ExtraFiles)
-	cmd.ExtraFiles = append(cmd.ExtraFiles, p.argsP[0])
-
 	if p.ready != nil {
-		cmd.ExtraFiles = append(cmd.ExtraFiles, p.statP[1])
+		statFd = int(proc.ExtraFile(cmd, p.statP[1]))
-		return argsFd, argsFd + 1, nil
-	} else {
-		return argsFd, -1, nil
 	}
+
+	return
 }
 
 func (p *pipes) readyWriteArgs() error {

internal/app/app_nixos_test.go

@@ -1,287 +1,87 @@
 package app_test
 
 import (
-	"fmt"
-	"io"
-	"io/fs"
-	"os/user"
-	"strconv"
-
 	"git.ophivana.moe/security/fortify/acl"
 	"git.ophivana.moe/security/fortify/dbus"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
 	"git.ophivana.moe/security/fortify/internal/app"
-	"git.ophivana.moe/security/fortify/internal/linux"
 	"git.ophivana.moe/security/fortify/internal/system"
 )
 
 var testCasesNixos = []sealTestCase{
 	{
-		"nixos permissive defaults no enablements", new(stubNixOS),
+		"nixos chromium direct wayland", new(stubNixOS),
-		&app.Config{
-			Command: make([]string, 0),
-			Confinement: app.ConfinementConfig{
-				AppID:    0,
-				Username: "chronos",
-				Outer:    "/home/chronos",
-			},
-		},
-		app.ID{
-			0x4a, 0x45, 0x0b, 0x65,
-			0x96, 0xd7, 0xbc, 0x15,
-			0xbd, 0x01, 0x78, 0x0e,
-			0xb9, 0xa6, 0x07, 0xac,
-		},
-		system.New(1000000).
-			Ensure("/tmp/fortify.1971", 0711).
-			Ephemeral(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac", 0711).
-			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute).
-			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
-			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
-			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "fortify:x:65534:\n"),
-		(&bwrap.Config{
-			Net:      true,
-			UserNS:   true,
-			Clearenv: true,
-			Chdir:    "/home/chronos",
-			SetEnv: map[string]string{
-				"HOME":              "/home/chronos",
-				"SHELL":             "/run/current-system/sw/bin/zsh",
-				"TERM":              "xterm-256color",
-				"USER":              "chronos",
-				"XDG_RUNTIME_DIR":   "/run/user/65534",
-				"XDG_SESSION_CLASS": "user",
-				"XDG_SESSION_TYPE":  "tty"},
-			Chmod:         make(bwrap.ChmodConfig),
-			DieWithParent: true,
-			AsInit:        true,
-		}).SetUID(65534).SetGID(65534).
-			Procfs("/proc").
-			Tmpfs("/fortify", 4096).
-			DevTmpfs("/dev").Mqueue("/dev/mqueue").
-			Bind("/bin", "/bin", false, true).
-			Bind("/boot", "/boot", false, true).
-			Bind("/home", "/home", false, true).
-			Bind("/lib", "/lib", false, true).
-			Bind("/lib64", "/lib64", false, true).
-			Bind("/nix", "/nix", false, true).
-			Bind("/root", "/root", false, true).
-			Bind("/srv", "/srv", false, true).
-			Bind("/sys", "/sys", false, true).
-			Bind("/usr", "/usr", false, true).
-			Bind("/var", "/var", false, true).
-			Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
-			Bind("/run/binfmt", "/run/binfmt", false, true).
-			Bind("/run/booted-system", "/run/booted-system", false, true).
-			Bind("/run/credentials", "/run/credentials", false, true).
-			Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
-			Bind("/run/current-system", "/run/current-system", false, true).
-			Bind("/run/host", "/run/host", false, true).
-			Bind("/run/keys", "/run/keys", false, true).
-			Bind("/run/libvirt", "/run/libvirt", false, true).
-			Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
-			Bind("/run/lock", "/run/lock", false, true).
-			Bind("/run/log", "/run/log", false, true).
-			Bind("/run/lvm", "/run/lvm", false, true).
-			Bind("/run/mount", "/run/mount", false, true).
-			Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
-			Bind("/run/nginx", "/run/nginx", false, true).
-			Bind("/run/nixos", "/run/nixos", false, true).
-			Bind("/run/nscd", "/run/nscd", false, true).
-			Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
-			Bind("/run/pppd", "/run/pppd", false, true).
-			Bind("/run/resolvconf", "/run/resolvconf", false, true).
-			Bind("/run/sddm", "/run/sddm", false, true).
-			Bind("/run/store", "/run/store", false, true).
-			Bind("/run/syncoid", "/run/syncoid", false, true).
-			Bind("/run/system", "/run/system", false, true).
-			Bind("/run/systemd", "/run/systemd", false, true).
-			Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
-			Bind("/run/udev", "/run/udev", false, true).
-			Bind("/run/udisks2", "/run/udisks2", false, true).
-			Bind("/run/utmp", "/run/utmp", false, true).
-			Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
-			Bind("/run/wrappers", "/run/wrappers", false, true).
-			Bind("/run/zed.pid", "/run/zed.pid", false, true).
-			Bind("/run/zed.state", "/run/zed.state", false, true).
-			Bind("/etc", "/fortify/etc").
-			Symlink("/fortify/etc/alsa", "/etc/alsa").
-			Symlink("/fortify/etc/bashrc", "/etc/bashrc").
-			Symlink("/fortify/etc/binfmt.d", "/etc/binfmt.d").
-			Symlink("/fortify/etc/dbus-1", "/etc/dbus-1").
-			Symlink("/fortify/etc/default", "/etc/default").
-			Symlink("/fortify/etc/ethertypes", "/etc/ethertypes").
-			Symlink("/fortify/etc/fonts", "/etc/fonts").
-			Symlink("/fortify/etc/fstab", "/etc/fstab").
-			Symlink("/fortify/etc/fuse.conf", "/etc/fuse.conf").
-			Symlink("/fortify/etc/host.conf", "/etc/host.conf").
-			Symlink("/fortify/etc/hostid", "/etc/hostid").
-			Symlink("/fortify/etc/hostname", "/etc/hostname").
-			Symlink("/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-			Symlink("/fortify/etc/hosts", "/etc/hosts").
-			Symlink("/fortify/etc/inputrc", "/etc/inputrc").
-			Symlink("/fortify/etc/ipsec.d", "/etc/ipsec.d").
-			Symlink("/fortify/etc/issue", "/etc/issue").
-			Symlink("/fortify/etc/kbd", "/etc/kbd").
-			Symlink("/fortify/etc/libblockdev", "/etc/libblockdev").
-			Symlink("/fortify/etc/locale.conf", "/etc/locale.conf").
-			Symlink("/fortify/etc/localtime", "/etc/localtime").
-			Symlink("/fortify/etc/login.defs", "/etc/login.defs").
-			Symlink("/fortify/etc/lsb-release", "/etc/lsb-release").
-			Symlink("/fortify/etc/lvm", "/etc/lvm").
-			Symlink("/fortify/etc/machine-id", "/etc/machine-id").
-			Symlink("/fortify/etc/man_db.conf", "/etc/man_db.conf").
-			Symlink("/fortify/etc/modprobe.d", "/etc/modprobe.d").
-			Symlink("/fortify/etc/modules-load.d", "/etc/modules-load.d").
-			Symlink("/proc/mounts", "/etc/mtab").
-			Symlink("/fortify/etc/nanorc", "/etc/nanorc").
-			Symlink("/fortify/etc/netgroup", "/etc/netgroup").
-			Symlink("/fortify/etc/NetworkManager", "/etc/NetworkManager").
-			Symlink("/fortify/etc/nix", "/etc/nix").
-			Symlink("/fortify/etc/nixos", "/etc/nixos").
-			Symlink("/fortify/etc/NIXOS", "/etc/NIXOS").
-			Symlink("/fortify/etc/nscd.conf", "/etc/nscd.conf").
-			Symlink("/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
-			Symlink("/fortify/etc/opensnitchd", "/etc/opensnitchd").
-			Symlink("/fortify/etc/os-release", "/etc/os-release").
-			Symlink("/fortify/etc/pam", "/etc/pam").
-			Symlink("/fortify/etc/pam.d", "/etc/pam.d").
-			Symlink("/fortify/etc/pipewire", "/etc/pipewire").
-			Symlink("/fortify/etc/pki", "/etc/pki").
-			Symlink("/fortify/etc/polkit-1", "/etc/polkit-1").
-			Symlink("/fortify/etc/profile", "/etc/profile").
-			Symlink("/fortify/etc/protocols", "/etc/protocols").
-			Symlink("/fortify/etc/qemu", "/etc/qemu").
-			Symlink("/fortify/etc/resolv.conf", "/etc/resolv.conf").
-			Symlink("/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
-			Symlink("/fortify/etc/rpc", "/etc/rpc").
-			Symlink("/fortify/etc/samba", "/etc/samba").
-			Symlink("/fortify/etc/sddm.conf", "/etc/sddm.conf").
-			Symlink("/fortify/etc/secureboot", "/etc/secureboot").
-			Symlink("/fortify/etc/services", "/etc/services").
-			Symlink("/fortify/etc/set-environment", "/etc/set-environment").
-			Symlink("/fortify/etc/shadow", "/etc/shadow").
-			Symlink("/fortify/etc/shells", "/etc/shells").
-			Symlink("/fortify/etc/ssh", "/etc/ssh").
-			Symlink("/fortify/etc/ssl", "/etc/ssl").
-			Symlink("/fortify/etc/static", "/etc/static").
-			Symlink("/fortify/etc/subgid", "/etc/subgid").
-			Symlink("/fortify/etc/subuid", "/etc/subuid").
-			Symlink("/fortify/etc/sudoers", "/etc/sudoers").
-			Symlink("/fortify/etc/sysctl.d", "/etc/sysctl.d").
-			Symlink("/fortify/etc/systemd", "/etc/systemd").
-			Symlink("/fortify/etc/terminfo", "/etc/terminfo").
-			Symlink("/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
-			Symlink("/fortify/etc/udev", "/etc/udev").
-			Symlink("/fortify/etc/udisks2", "/etc/udisks2").
-			Symlink("/fortify/etc/UPower", "/etc/UPower").
-			Symlink("/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
-			Symlink("/fortify/etc/X11", "/etc/X11").
-			Symlink("/fortify/etc/zfs", "/etc/zfs").
-			Symlink("/fortify/etc/zinputrc", "/etc/zinputrc").
-			Symlink("/fortify/etc/zoneinfo", "/etc/zoneinfo").
-			Symlink("/fortify/etc/zprofile", "/etc/zprofile").
-			Symlink("/fortify/etc/zshenv", "/etc/zshenv").
-			Symlink("/fortify/etc/zshrc", "/etc/zshrc").
-			Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", false, true).
-			Tmpfs("/tmp/fortify.1971", 1048576).
-			Tmpfs("/run/user", 1048576).
-			Tmpfs("/run/user/65534", 8388608).
-			Bind("/home/chronos", "/home/chronos", false, true).
-			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
-			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
-			Tmpfs("/var/run/nscd", 8192),
-	},
-	{
-		"nixos permissive defaults chromium", new(stubNixOS),
 		&app.Config{
 			ID:      "org.chromium.Chromium",
-			Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
+			Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
 			Confinement: app.ConfinementConfig{
-				AppID:    9,
+				AppID: 1, Groups: []string{}, Username: "u0_a1",
-				Groups:   []string{"video"},
+				Outer: "/var/lib/persist/module/fortify/0/1",
-				Username: "chronos",
+				Sandbox: &app.SandboxConfig{
-				Outer:    "/home/chronos",
+					UserNS: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil,
+					Filesystem: []*app.FilesystemConfig{
+						{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
+						{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
+						{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
+						{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
+					}, AutoEtc: true,
+					Override: []string{"/var/run/nscd"},
+				},
+				SystemBus: &dbus.Config{
+					Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
+					Filter: true,
+				},
 				SessionBus: &dbus.Config{
 					Talk: []string{
-						"org.freedesktop.Notifications",
+						"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
-						"org.freedesktop.FileManager1",
+						"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
-						"org.freedesktop.ScreenSaver",
+						"org.kde.kwalletd5", "org.kde.kwalletd6",
-						"org.freedesktop.secrets",
-						"org.kde.kwalletd5",
-						"org.kde.kwalletd6",
-						"org.gnome.SessionManager",
 					},
 					Own: []string{
 						"org.chromium.Chromium.*",
 						"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
 						"org.mpris.MediaPlayer2.chromium.*",
 					},
-					Call: map[string]string{
+					Call: map[string]string{}, Broadcast: map[string]string{},
-						"org.freedesktop.portal.*": "*",
-					},
-					Broadcast: map[string]string{
-						"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
-					},
-					Filter: true,
-				},
-				SystemBus: &dbus.Config{
-					Talk: []string{
-						"org.bluez",
-						"org.freedesktop.Avahi",
-						"org.freedesktop.UPower",
-					},
 					Filter: true,
 				},
 				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
 			},
 		},
 		app.ID{
-			0xeb, 0xf0, 0x83, 0xd1,
+			0x8e, 0x2c, 0x76, 0xb0,
-			0xb1, 0x75, 0x91, 0x17,
+			0x66, 0xda, 0xbe, 0x57,
-			0x82, 0xd4, 0x13, 0x36,
+			0x4c, 0xf0, 0x73, 0xbd,
-			0x9b, 0x64, 0xce, 0x7c,
+			0xb4, 0x6e, 0xb5, 0xc1,
 		},
-		system.New(1000009).
+		system.New(1000001).
 			Ensure("/tmp/fortify.1971", 0711).
-			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
+			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
+			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
-			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
+			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n").
-			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "fortify:x:65534:\n").
+			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "fortify:x:1971:\n").
-			Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland").
+			Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland").
 			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
-			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
+			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
-			CopyFile("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
+			CopyFile("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
-			MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
+			MustProxyDBus("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
 				Talk: []string{
-					"org.freedesktop.Notifications",
+					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
-					"org.freedesktop.FileManager1",
+					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
-					"org.freedesktop.ScreenSaver",
+					"org.kde.kwalletd5", "org.kde.kwalletd6",
-					"org.freedesktop.secrets",
-					"org.kde.kwalletd5",
-					"org.kde.kwalletd6",
-					"org.gnome.SessionManager",
 				},
 				Own: []string{
 					"org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.chromium.*",
 				},
-				Call: map[string]string{
+				Call: map[string]string{}, Broadcast: map[string]string{},
-					"org.freedesktop.portal.*": "*",
-				},
-				Broadcast: map[string]string{
-					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
-				},
 				Filter: true,
-			}, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
+			}, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", &dbus.Config{
 				Talk: []string{
 					"org.bluez",
 					"org.freedesktop.Avahi",
@@ -289,79 +89,45 @@ var testCasesNixos = []sealTestCase{
 				},
 				Filter: true,
 			}).
-			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
+			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
-			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
+			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
 		(&bwrap.Config{
 			Net:      true,
 			UserNS:   true,
-			Chdir:    "/home/chronos",
+			Chdir:    "/var/lib/persist/module/fortify/0/1",
 			Clearenv: true,
 			SetEnv: map[string]string{
-				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
+				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/1971/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
-				"HOME":                     "/home/chronos",
+				"HOME":                     "/var/lib/persist/module/fortify/0/1",
-				"PULSE_COOKIE":             "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
+				"PULSE_COOKIE":             "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie",
-				"PULSE_SERVER":             "unix:/run/user/65534/pulse/native",
+				"PULSE_SERVER":             "unix:/run/user/1971/pulse/native",
 				"SHELL":                    "/run/current-system/sw/bin/zsh",
 				"TERM":                     "xterm-256color",
-				"USER":                     "chronos",
+				"USER":                     "u0_a1",
-				"WAYLAND_DISPLAY":          "/run/user/65534/wayland-0",
+				"WAYLAND_DISPLAY":          "/run/user/1971/wayland-0",
-				"XDG_RUNTIME_DIR":          "/run/user/65534",
+				"XDG_RUNTIME_DIR":          "/run/user/1971",
 				"XDG_SESSION_CLASS":        "user",
 				"XDG_SESSION_TYPE":         "tty",
 			},
 			Chmod:         make(bwrap.ChmodConfig),
+			NewSession:    true,
 			DieWithParent: true,
 			AsInit:        true,
-		}).SetUID(65534).SetGID(65534).
+		}).SetUID(1971).SetGID(1971).
 			Procfs("/proc").
 			Tmpfs("/fortify", 4096).
 			DevTmpfs("/dev").Mqueue("/dev/mqueue").
-			Bind("/bin", "/bin", false, true).
+			Bind("/bin", "/bin").
-			Bind("/boot", "/boot", false, true).
+			Bind("/usr/bin", "/usr/bin").
-			Bind("/home", "/home", false, true).
+			Bind("/nix/store", "/nix/store").
-			Bind("/lib", "/lib", false, true).
+			Bind("/run/current-system", "/run/current-system").
-			Bind("/lib64", "/lib64", false, true).
+			Bind("/sys/block", "/sys/block", true).
-			Bind("/nix", "/nix", false, true).
+			Bind("/sys/bus", "/sys/bus", true).
-			Bind("/root", "/root", false, true).
+			Bind("/sys/class", "/sys/class", true).
-			Bind("/srv", "/srv", false, true).
+			Bind("/sys/dev", "/sys/dev", true).
-			Bind("/sys", "/sys", false, true).
+			Bind("/sys/devices", "/sys/devices", true).
-			Bind("/usr", "/usr", false, true).
+			Bind("/run/opengl-driver", "/run/opengl-driver").
-			Bind("/var", "/var", false, true).
-			Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
-			Bind("/run/binfmt", "/run/binfmt", false, true).
-			Bind("/run/booted-system", "/run/booted-system", false, true).
-			Bind("/run/credentials", "/run/credentials", false, true).
-			Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
-			Bind("/run/current-system", "/run/current-system", false, true).
-			Bind("/run/host", "/run/host", false, true).
-			Bind("/run/keys", "/run/keys", false, true).
-			Bind("/run/libvirt", "/run/libvirt", false, true).
-			Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
-			Bind("/run/lock", "/run/lock", false, true).
-			Bind("/run/log", "/run/log", false, true).
-			Bind("/run/lvm", "/run/lvm", false, true).
-			Bind("/run/mount", "/run/mount", false, true).
-			Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
-			Bind("/run/nginx", "/run/nginx", false, true).
-			Bind("/run/nixos", "/run/nixos", false, true).
-			Bind("/run/nscd", "/run/nscd", false, true).
-			Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
-			Bind("/run/pppd", "/run/pppd", false, true).
-			Bind("/run/resolvconf", "/run/resolvconf", false, true).
-			Bind("/run/sddm", "/run/sddm", false, true).
-			Bind("/run/store", "/run/store", false, true).
-			Bind("/run/syncoid", "/run/syncoid", false, true).
-			Bind("/run/system", "/run/system", false, true).
-			Bind("/run/systemd", "/run/systemd", false, true).
-			Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
-			Bind("/run/udev", "/run/udev", false, true).
-			Bind("/run/udisks2", "/run/udisks2", false, true).
-			Bind("/run/utmp", "/run/utmp", false, true).
-			Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
-			Bind("/run/wrappers", "/run/wrappers", false, true).
-			Bind("/run/zed.pid", "/run/zed.pid", false, true).
-			Bind("/run/zed.state", "/run/zed.state", false, true).
 			Bind("/dev/dri", "/dev/dri", true, true, true).
 			Bind("/etc", "/fortify/etc").
 			Symlink("/fortify/etc/alsa", "/etc/alsa").
@@ -442,160 +208,18 @@ var testCasesNixos = []sealTestCase{
 			Symlink("/fortify/etc/zprofile", "/etc/zprofile").
 			Symlink("/fortify/etc/zshenv", "/etc/zshenv").
 			Symlink("/fortify/etc/zshrc", "/etc/zshrc").
-			Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", false, true).
+			Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", false, true).
 			Tmpfs("/tmp/fortify.1971", 1048576).
 			Tmpfs("/run/user", 1048576).
-			Tmpfs("/run/user/65534", 8388608).
+			Tmpfs("/run/user/1971", 8388608).
-			Bind("/home/chronos", "/home/chronos", false, true).
+			Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
+			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "/etc/passwd").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
+			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "/etc/group").
-			Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0").
+			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland", "/run/user/1971/wayland-0").
-			Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
+			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
+			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
+			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
+			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
 			Tmpfs("/var/run/nscd", 8192),
 	},
 }
-
-// fs methods are not implemented using a real FS
-// to help better understand filesystem access behaviour
-type stubNixOS struct {
-	lookPathErr map[string]error
-	usernameErr map[string]error
-}
-
-func (s *stubNixOS) Geteuid() int {
-	return 1971
-}
-
-func (s *stubNixOS) LookupEnv(key string) (string, bool) {
-	switch key {
-	case "SHELL":
-		return "/run/current-system/sw/bin/zsh", true
-	case "TERM":
-		return "xterm-256color", true
-	case "WAYLAND_DISPLAY":
-		return "wayland-0", true
-	case "PULSE_COOKIE":
-		return "", false
-	case "HOME":
-		return "/home/ophestra", true
-	case "XDG_CONFIG_HOME":
-		return "/home/ophestra/xdg/config", true
-	default:
-		panic(fmt.Sprintf("attempted to access unexpected environment variable %q", key))
-	}
-}
-
-func (s *stubNixOS) TempDir() string {
-	return "/tmp"
-}
-
-func (s *stubNixOS) LookPath(file string) (string, error) {
-	if s.lookPathErr != nil {
-		if err, ok := s.lookPathErr[file]; ok {
-			return "", err
-		}
-	}
-
-	switch file {
-	case "sudo":
-		return "/run/wrappers/bin/sudo", nil
-	case "machinectl":
-		return "/home/ophestra/.nix-profile/bin/machinectl", nil
-	default:
-		panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
-	}
-}
-
-func (s *stubNixOS) Executable() (string, error) {
-	return "/home/ophestra/.nix-profile/bin/fortify", nil
-}
-
-func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) {
-	switch name {
-	case "video":
-		return &user.Group{Gid: "26", Name: "video"}, nil
-	default:
-		return nil, user.UnknownGroupError(name)
-	}
-}
-
-func (s *stubNixOS) ReadDir(name string) ([]fs.DirEntry, error) {
-	switch name {
-	case "/":
-		return stubDirEntries("bin", "boot", "dev", "etc", "home", "lib",
-			"lib64", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var")
-	case "/run":
-		return stubDirEntries("agetty.reload", "binfmt", "booted-system",
-			"credentials", "cryptsetup", "current-system", "dbus", "host", "keys",
-			"libvirt", "libvirtd.pid", "lock", "log", "lvm", "mount", "NetworkManager",
-			"nginx", "nixos", "nscd", "opengl-driver", "pppd", "resolvconf", "sddm",
-			"store", "syncoid", "system", "systemd", "tmpfiles.d", "udev", "udisks2",
-			"user", "utmp", "virtlogd.pid", "wrappers", "zed.pid", "zed.state")
-	case "/etc":
-		return stubDirEntries("alsa", "bashrc", "binfmt.d", "dbus-1", "default",
-			"ethertypes", "fonts", "fstab", "fuse.conf", "group", "host.conf", "hostid",
-			"hostname", "hostname.CHECKSUM", "hosts", "inputrc", "ipsec.d", "issue", "kbd",
-			"libblockdev", "locale.conf", "localtime", "login.defs", "lsb-release", "lvm",
-			"machine-id", "man_db.conf", "modprobe.d", "modules-load.d", "mtab", "nanorc",
-			"netgroup", "NetworkManager", "nix", "nixos", "NIXOS", "nscd.conf", "nsswitch.conf",
-			"opensnitchd", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1",
-			"profile", "protocols", "qemu", "resolv.conf", "resolvconf.conf", "rpc", "samba",
-			"sddm.conf", "secureboot", "services", "set-environment", "shadow", "shells", "ssh",
-			"ssl", "static", "subgid", "subuid", "sudoers", "sysctl.d", "systemd", "terminfo",
-			"tmpfiles.d", "udev", "udisks2", "UPower", "vconsole.conf", "X11", "zfs", "zinputrc",
-			"zoneinfo", "zprofile", "zshenv", "zshrc")
-	default:
-		panic(fmt.Sprintf("attempted to read unexpected directory %q", name))
-	}
-}
-
-func (s *stubNixOS) Stat(name string) (fs.FileInfo, error) {
-	switch name {
-	case "/var/run/nscd":
-		return nil, nil
-	case "/run/user/1971/pulse":
-		return nil, nil
-	case "/run/user/1971/pulse/native":
-		return stubFileInfoMode(0666), nil
-	case "/home/ophestra/.pulse-cookie":
-		return stubFileInfoIsDir(true), nil
-	case "/home/ophestra/xdg/config/pulse/cookie":
-		return stubFileInfoIsDir(false), nil
-	default:
-		panic(fmt.Sprintf("attempted to stat unexpected path %q", name))
-	}
-}
-
-func (s *stubNixOS) Open(name string) (fs.File, error) {
-	switch name {
-	default:
-		panic(fmt.Sprintf("attempted to open unexpected file %q", name))
-	}
-}
-
-func (s *stubNixOS) Exit(code int) {
-	panic("called exit on stub with code " + strconv.Itoa(code))
-}
-
-func (s *stubNixOS) Stdout() io.Writer {
-	panic("requested stdout")
-}
-
-func (s *stubNixOS) Paths() linux.Paths {
-	return linux.Paths{
-		SharePath:   "/tmp/fortify.1971",
-		RuntimePath: "/run/user/1971",
-		RunDirPath:  "/run/user/1971/fortify",
-	}
-}
-
-func (s *stubNixOS) Uid(aid int) (int, error) {
-	return 1000000 + 0*10000 + aid, nil
-}
-
-func (s *stubNixOS) SdBooted() bool {
-	return true
-}

internal/app/app_pd_test.go

@@ -0,0 +1,452 @@
+package app_test
+
+import (
+	"git.ophivana.moe/security/fortify/acl"
+	"git.ophivana.moe/security/fortify/dbus"
+	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.ophivana.moe/security/fortify/internal/app"
+	"git.ophivana.moe/security/fortify/internal/system"
+)
+
+var testCasesPd = []sealTestCase{
+	{
+		"nixos permissive defaults no enablements", new(stubNixOS),
+		&app.Config{
+			Command: make([]string, 0),
+			Confinement: app.ConfinementConfig{
+				AppID:    0,
+				Username: "chronos",
+				Outer:    "/home/chronos",
+			},
+		},
+		app.ID{
+			0x4a, 0x45, 0x0b, 0x65,
+			0x96, 0xd7, 0xbc, 0x15,
+			0xbd, 0x01, 0x78, 0x0e,
+			0xb9, 0xa6, 0x07, 0xac,
+		},
+		system.New(1000000).
+			Ensure("/tmp/fortify.1971", 0711).
+			Ephemeral(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac", 0711).
+			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute).
+			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
+			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
+			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
+			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "fortify:x:65534:\n"),
+		(&bwrap.Config{
+			Net:      true,
+			UserNS:   true,
+			Clearenv: true,
+			Chdir:    "/home/chronos",
+			SetEnv: map[string]string{
+				"HOME":              "/home/chronos",
+				"SHELL":             "/run/current-system/sw/bin/zsh",
+				"TERM":              "xterm-256color",
+				"USER":              "chronos",
+				"XDG_RUNTIME_DIR":   "/run/user/65534",
+				"XDG_SESSION_CLASS": "user",
+				"XDG_SESSION_TYPE":  "tty"},
+			Chmod:         make(bwrap.ChmodConfig),
+			DieWithParent: true,
+			AsInit:        true,
+		}).SetUID(65534).SetGID(65534).
+			Procfs("/proc").
+			Tmpfs("/fortify", 4096).
+			DevTmpfs("/dev").Mqueue("/dev/mqueue").
+			Bind("/bin", "/bin", false, true).
+			Bind("/boot", "/boot", false, true).
+			Bind("/home", "/home", false, true).
+			Bind("/lib", "/lib", false, true).
+			Bind("/lib64", "/lib64", false, true).
+			Bind("/nix", "/nix", false, true).
+			Bind("/root", "/root", false, true).
+			Bind("/srv", "/srv", false, true).
+			Bind("/sys", "/sys", false, true).
+			Bind("/usr", "/usr", false, true).
+			Bind("/var", "/var", false, true).
+			Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
+			Bind("/run/binfmt", "/run/binfmt", false, true).
+			Bind("/run/booted-system", "/run/booted-system", false, true).
+			Bind("/run/credentials", "/run/credentials", false, true).
+			Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
+			Bind("/run/current-system", "/run/current-system", false, true).
+			Bind("/run/host", "/run/host", false, true).
+			Bind("/run/keys", "/run/keys", false, true).
+			Bind("/run/libvirt", "/run/libvirt", false, true).
+			Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
+			Bind("/run/lock", "/run/lock", false, true).
+			Bind("/run/log", "/run/log", false, true).
+			Bind("/run/lvm", "/run/lvm", false, true).
+			Bind("/run/mount", "/run/mount", false, true).
+			Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
+			Bind("/run/nginx", "/run/nginx", false, true).
+			Bind("/run/nixos", "/run/nixos", false, true).
+			Bind("/run/nscd", "/run/nscd", false, true).
+			Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
+			Bind("/run/pppd", "/run/pppd", false, true).
+			Bind("/run/resolvconf", "/run/resolvconf", false, true).
+			Bind("/run/sddm", "/run/sddm", false, true).
+			Bind("/run/store", "/run/store", false, true).
+			Bind("/run/syncoid", "/run/syncoid", false, true).
+			Bind("/run/system", "/run/system", false, true).
+			Bind("/run/systemd", "/run/systemd", false, true).
+			Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
+			Bind("/run/udev", "/run/udev", false, true).
+			Bind("/run/udisks2", "/run/udisks2", false, true).
+			Bind("/run/utmp", "/run/utmp", false, true).
+			Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
+			Bind("/run/wrappers", "/run/wrappers", false, true).
+			Bind("/run/zed.pid", "/run/zed.pid", false, true).
+			Bind("/run/zed.state", "/run/zed.state", false, true).
+			Bind("/etc", "/fortify/etc").
+			Symlink("/fortify/etc/alsa", "/etc/alsa").
+			Symlink("/fortify/etc/bashrc", "/etc/bashrc").
+			Symlink("/fortify/etc/binfmt.d", "/etc/binfmt.d").
+			Symlink("/fortify/etc/dbus-1", "/etc/dbus-1").
+			Symlink("/fortify/etc/default", "/etc/default").
+			Symlink("/fortify/etc/ethertypes", "/etc/ethertypes").
+			Symlink("/fortify/etc/fonts", "/etc/fonts").
+			Symlink("/fortify/etc/fstab", "/etc/fstab").
+			Symlink("/fortify/etc/fuse.conf", "/etc/fuse.conf").
+			Symlink("/fortify/etc/host.conf", "/etc/host.conf").
+			Symlink("/fortify/etc/hostid", "/etc/hostid").
+			Symlink("/fortify/etc/hostname", "/etc/hostname").
+			Symlink("/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+			Symlink("/fortify/etc/hosts", "/etc/hosts").
+			Symlink("/fortify/etc/inputrc", "/etc/inputrc").
+			Symlink("/fortify/etc/ipsec.d", "/etc/ipsec.d").
+			Symlink("/fortify/etc/issue", "/etc/issue").
+			Symlink("/fortify/etc/kbd", "/etc/kbd").
+			Symlink("/fortify/etc/libblockdev", "/etc/libblockdev").
+			Symlink("/fortify/etc/locale.conf", "/etc/locale.conf").
+			Symlink("/fortify/etc/localtime", "/etc/localtime").
+			Symlink("/fortify/etc/login.defs", "/etc/login.defs").
+			Symlink("/fortify/etc/lsb-release", "/etc/lsb-release").
+			Symlink("/fortify/etc/lvm", "/etc/lvm").
+			Symlink("/fortify/etc/machine-id", "/etc/machine-id").
+			Symlink("/fortify/etc/man_db.conf", "/etc/man_db.conf").
+			Symlink("/fortify/etc/modprobe.d", "/etc/modprobe.d").
+			Symlink("/fortify/etc/modules-load.d", "/etc/modules-load.d").
+			Symlink("/proc/mounts", "/etc/mtab").
+			Symlink("/fortify/etc/nanorc", "/etc/nanorc").
+			Symlink("/fortify/etc/netgroup", "/etc/netgroup").
+			Symlink("/fortify/etc/NetworkManager", "/etc/NetworkManager").
+			Symlink("/fortify/etc/nix", "/etc/nix").
+			Symlink("/fortify/etc/nixos", "/etc/nixos").
+			Symlink("/fortify/etc/NIXOS", "/etc/NIXOS").
+			Symlink("/fortify/etc/nscd.conf", "/etc/nscd.conf").
+			Symlink("/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
+			Symlink("/fortify/etc/opensnitchd", "/etc/opensnitchd").
+			Symlink("/fortify/etc/os-release", "/etc/os-release").
+			Symlink("/fortify/etc/pam", "/etc/pam").
+			Symlink("/fortify/etc/pam.d", "/etc/pam.d").
+			Symlink("/fortify/etc/pipewire", "/etc/pipewire").
+			Symlink("/fortify/etc/pki", "/etc/pki").
+			Symlink("/fortify/etc/polkit-1", "/etc/polkit-1").
+			Symlink("/fortify/etc/profile", "/etc/profile").
+			Symlink("/fortify/etc/protocols", "/etc/protocols").
+			Symlink("/fortify/etc/qemu", "/etc/qemu").
+			Symlink("/fortify/etc/resolv.conf", "/etc/resolv.conf").
+			Symlink("/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
+			Symlink("/fortify/etc/rpc", "/etc/rpc").
+			Symlink("/fortify/etc/samba", "/etc/samba").
+			Symlink("/fortify/etc/sddm.conf", "/etc/sddm.conf").
+			Symlink("/fortify/etc/secureboot", "/etc/secureboot").
+			Symlink("/fortify/etc/services", "/etc/services").
+			Symlink("/fortify/etc/set-environment", "/etc/set-environment").
+			Symlink("/fortify/etc/shadow", "/etc/shadow").
+			Symlink("/fortify/etc/shells", "/etc/shells").
+			Symlink("/fortify/etc/ssh", "/etc/ssh").
+			Symlink("/fortify/etc/ssl", "/etc/ssl").
+			Symlink("/fortify/etc/static", "/etc/static").
+			Symlink("/fortify/etc/subgid", "/etc/subgid").
+			Symlink("/fortify/etc/subuid", "/etc/subuid").
+			Symlink("/fortify/etc/sudoers", "/etc/sudoers").
+			Symlink("/fortify/etc/sysctl.d", "/etc/sysctl.d").
+			Symlink("/fortify/etc/systemd", "/etc/systemd").
+			Symlink("/fortify/etc/terminfo", "/etc/terminfo").
+			Symlink("/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
+			Symlink("/fortify/etc/udev", "/etc/udev").
+			Symlink("/fortify/etc/udisks2", "/etc/udisks2").
+			Symlink("/fortify/etc/UPower", "/etc/UPower").
+			Symlink("/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
+			Symlink("/fortify/etc/X11", "/etc/X11").
+			Symlink("/fortify/etc/zfs", "/etc/zfs").
+			Symlink("/fortify/etc/zinputrc", "/etc/zinputrc").
+			Symlink("/fortify/etc/zoneinfo", "/etc/zoneinfo").
+			Symlink("/fortify/etc/zprofile", "/etc/zprofile").
+			Symlink("/fortify/etc/zshenv", "/etc/zshenv").
+			Symlink("/fortify/etc/zshrc", "/etc/zshrc").
+			Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", false, true).
+			Tmpfs("/tmp/fortify.1971", 1048576).
+			Tmpfs("/run/user", 1048576).
+			Tmpfs("/run/user/65534", 8388608).
+			Bind("/home/chronos", "/home/chronos", false, true).
+			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
+			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
+			Tmpfs("/var/run/nscd", 8192),
+	},
+	{
+		"nixos permissive defaults chromium", new(stubNixOS),
+		&app.Config{
+			ID:      "org.chromium.Chromium",
+			Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
+			Confinement: app.ConfinementConfig{
+				AppID:    9,
+				Groups:   []string{"video"},
+				Username: "chronos",
+				Outer:    "/home/chronos",
+				SessionBus: &dbus.Config{
+					Talk: []string{
+						"org.freedesktop.Notifications",
+						"org.freedesktop.FileManager1",
+						"org.freedesktop.ScreenSaver",
+						"org.freedesktop.secrets",
+						"org.kde.kwalletd5",
+						"org.kde.kwalletd6",
+						"org.gnome.SessionManager",
+					},
+					Own: []string{
+						"org.chromium.Chromium.*",
+						"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+						"org.mpris.MediaPlayer2.chromium.*",
+					},
+					Call: map[string]string{
+						"org.freedesktop.portal.*": "*",
+					},
+					Broadcast: map[string]string{
+						"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
+					},
+					Filter: true,
+				},
+				SystemBus: &dbus.Config{
+					Talk: []string{
+						"org.bluez",
+						"org.freedesktop.Avahi",
+						"org.freedesktop.UPower",
+					},
+					Filter: true,
+				},
+				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
+			},
+		},
+		app.ID{
+			0xeb, 0xf0, 0x83, 0xd1,
+			0xb1, 0x75, 0x91, 0x17,
+			0x82, 0xd4, 0x13, 0x36,
+			0x9b, 0x64, 0xce, 0x7c,
+		},
+		system.New(1000009).
+			Ensure("/tmp/fortify.1971", 0711).
+			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
+			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
+			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
+			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
+			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
+			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "fortify:x:65534:\n").
+			Ensure("/tmp/fortify.1971/wayland", 0711).
+			Wayland("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
+			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
+			CopyFile("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
+			MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
+				Talk: []string{
+					"org.freedesktop.Notifications",
+					"org.freedesktop.FileManager1",
+					"org.freedesktop.ScreenSaver",
+					"org.freedesktop.secrets",
+					"org.kde.kwalletd5",
+					"org.kde.kwalletd6",
+					"org.gnome.SessionManager",
+				},
+				Own: []string{
+					"org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.chromium.*",
+				},
+				Call: map[string]string{
+					"org.freedesktop.portal.*": "*",
+				},
+				Broadcast: map[string]string{
+					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
+				},
+				Filter: true,
+			}, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
+				Talk: []string{
+					"org.bluez",
+					"org.freedesktop.Avahi",
+					"org.freedesktop.UPower",
+				},
+				Filter: true,
+			}).
+			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
+			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
+		(&bwrap.Config{
+			Net:      true,
+			UserNS:   true,
+			Chdir:    "/home/chronos",
+			Clearenv: true,
+			SetEnv: map[string]string{
+				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
+				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
+				"HOME":                     "/home/chronos",
+				"PULSE_COOKIE":             "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
+				"PULSE_SERVER":             "unix:/run/user/65534/pulse/native",
+				"SHELL":                    "/run/current-system/sw/bin/zsh",
+				"TERM":                     "xterm-256color",
+				"USER":                     "chronos",
+				"WAYLAND_DISPLAY":          "/run/user/65534/wayland-0",
+				"XDG_RUNTIME_DIR":          "/run/user/65534",
+				"XDG_SESSION_CLASS":        "user",
+				"XDG_SESSION_TYPE":         "tty",
+			},
+			Chmod:         make(bwrap.ChmodConfig),
+			DieWithParent: true,
+			AsInit:        true,
+		}).SetUID(65534).SetGID(65534).
+			Procfs("/proc").
+			Tmpfs("/fortify", 4096).
+			DevTmpfs("/dev").Mqueue("/dev/mqueue").
+			Bind("/bin", "/bin", false, true).
+			Bind("/boot", "/boot", false, true).
+			Bind("/home", "/home", false, true).
+			Bind("/lib", "/lib", false, true).
+			Bind("/lib64", "/lib64", false, true).
+			Bind("/nix", "/nix", false, true).
+			Bind("/root", "/root", false, true).
+			Bind("/srv", "/srv", false, true).
+			Bind("/sys", "/sys", false, true).
+			Bind("/usr", "/usr", false, true).
+			Bind("/var", "/var", false, true).
+			Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
+			Bind("/run/binfmt", "/run/binfmt", false, true).
+			Bind("/run/booted-system", "/run/booted-system", false, true).
+			Bind("/run/credentials", "/run/credentials", false, true).
+			Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
+			Bind("/run/current-system", "/run/current-system", false, true).
+			Bind("/run/host", "/run/host", false, true).
+			Bind("/run/keys", "/run/keys", false, true).
+			Bind("/run/libvirt", "/run/libvirt", false, true).
+			Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
+			Bind("/run/lock", "/run/lock", false, true).
+			Bind("/run/log", "/run/log", false, true).
+			Bind("/run/lvm", "/run/lvm", false, true).
+			Bind("/run/mount", "/run/mount", false, true).
+			Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
+			Bind("/run/nginx", "/run/nginx", false, true).
+			Bind("/run/nixos", "/run/nixos", false, true).
+			Bind("/run/nscd", "/run/nscd", false, true).
+			Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
+			Bind("/run/pppd", "/run/pppd", false, true).
+			Bind("/run/resolvconf", "/run/resolvconf", false, true).
+			Bind("/run/sddm", "/run/sddm", false, true).
+			Bind("/run/store", "/run/store", false, true).
+			Bind("/run/syncoid", "/run/syncoid", false, true).
+			Bind("/run/system", "/run/system", false, true).
+			Bind("/run/systemd", "/run/systemd", false, true).
+			Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
+			Bind("/run/udev", "/run/udev", false, true).
+			Bind("/run/udisks2", "/run/udisks2", false, true).
+			Bind("/run/utmp", "/run/utmp", false, true).
+			Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
+			Bind("/run/wrappers", "/run/wrappers", false, true).
+			Bind("/run/zed.pid", "/run/zed.pid", false, true).
+			Bind("/run/zed.state", "/run/zed.state", false, true).
+			Bind("/dev/dri", "/dev/dri", true, true, true).
+			Bind("/etc", "/fortify/etc").
+			Symlink("/fortify/etc/alsa", "/etc/alsa").
+			Symlink("/fortify/etc/bashrc", "/etc/bashrc").
+			Symlink("/fortify/etc/binfmt.d", "/etc/binfmt.d").
+			Symlink("/fortify/etc/dbus-1", "/etc/dbus-1").
+			Symlink("/fortify/etc/default", "/etc/default").
+			Symlink("/fortify/etc/ethertypes", "/etc/ethertypes").
+			Symlink("/fortify/etc/fonts", "/etc/fonts").
+			Symlink("/fortify/etc/fstab", "/etc/fstab").
+			Symlink("/fortify/etc/fuse.conf", "/etc/fuse.conf").
+			Symlink("/fortify/etc/host.conf", "/etc/host.conf").
+			Symlink("/fortify/etc/hostid", "/etc/hostid").
+			Symlink("/fortify/etc/hostname", "/etc/hostname").
+			Symlink("/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+			Symlink("/fortify/etc/hosts", "/etc/hosts").
+			Symlink("/fortify/etc/inputrc", "/etc/inputrc").
+			Symlink("/fortify/etc/ipsec.d", "/etc/ipsec.d").
+			Symlink("/fortify/etc/issue", "/etc/issue").
+			Symlink("/fortify/etc/kbd", "/etc/kbd").
+			Symlink("/fortify/etc/libblockdev", "/etc/libblockdev").
+			Symlink("/fortify/etc/locale.conf", "/etc/locale.conf").
+			Symlink("/fortify/etc/localtime", "/etc/localtime").
+			Symlink("/fortify/etc/login.defs", "/etc/login.defs").
+			Symlink("/fortify/etc/lsb-release", "/etc/lsb-release").
+			Symlink("/fortify/etc/lvm", "/etc/lvm").
+			Symlink("/fortify/etc/machine-id", "/etc/machine-id").
+			Symlink("/fortify/etc/man_db.conf", "/etc/man_db.conf").
+			Symlink("/fortify/etc/modprobe.d", "/etc/modprobe.d").
+			Symlink("/fortify/etc/modules-load.d", "/etc/modules-load.d").
+			Symlink("/proc/mounts", "/etc/mtab").
+			Symlink("/fortify/etc/nanorc", "/etc/nanorc").
+			Symlink("/fortify/etc/netgroup", "/etc/netgroup").
+			Symlink("/fortify/etc/NetworkManager", "/etc/NetworkManager").
+			Symlink("/fortify/etc/nix", "/etc/nix").
+			Symlink("/fortify/etc/nixos", "/etc/nixos").
+			Symlink("/fortify/etc/NIXOS", "/etc/NIXOS").
+			Symlink("/fortify/etc/nscd.conf", "/etc/nscd.conf").
+			Symlink("/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
+			Symlink("/fortify/etc/opensnitchd", "/etc/opensnitchd").
+			Symlink("/fortify/etc/os-release", "/etc/os-release").
+			Symlink("/fortify/etc/pam", "/etc/pam").
+			Symlink("/fortify/etc/pam.d", "/etc/pam.d").
+			Symlink("/fortify/etc/pipewire", "/etc/pipewire").
+			Symlink("/fortify/etc/pki", "/etc/pki").
+			Symlink("/fortify/etc/polkit-1", "/etc/polkit-1").
+			Symlink("/fortify/etc/profile", "/etc/profile").
+			Symlink("/fortify/etc/protocols", "/etc/protocols").
+			Symlink("/fortify/etc/qemu", "/etc/qemu").
+			Symlink("/fortify/etc/resolv.conf", "/etc/resolv.conf").
+			Symlink("/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
+			Symlink("/fortify/etc/rpc", "/etc/rpc").
+			Symlink("/fortify/etc/samba", "/etc/samba").
+			Symlink("/fortify/etc/sddm.conf", "/etc/sddm.conf").
+			Symlink("/fortify/etc/secureboot", "/etc/secureboot").
+			Symlink("/fortify/etc/services", "/etc/services").
+			Symlink("/fortify/etc/set-environment", "/etc/set-environment").
+			Symlink("/fortify/etc/shadow", "/etc/shadow").
+			Symlink("/fortify/etc/shells", "/etc/shells").
+			Symlink("/fortify/etc/ssh", "/etc/ssh").
+			Symlink("/fortify/etc/ssl", "/etc/ssl").
+			Symlink("/fortify/etc/static", "/etc/static").
+			Symlink("/fortify/etc/subgid", "/etc/subgid").
+			Symlink("/fortify/etc/subuid", "/etc/subuid").
+			Symlink("/fortify/etc/sudoers", "/etc/sudoers").
+			Symlink("/fortify/etc/sysctl.d", "/etc/sysctl.d").
+			Symlink("/fortify/etc/systemd", "/etc/systemd").
+			Symlink("/fortify/etc/terminfo", "/etc/terminfo").
+			Symlink("/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
+			Symlink("/fortify/etc/udev", "/etc/udev").
+			Symlink("/fortify/etc/udisks2", "/etc/udisks2").
+			Symlink("/fortify/etc/UPower", "/etc/UPower").
+			Symlink("/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
+			Symlink("/fortify/etc/X11", "/etc/X11").
+			Symlink("/fortify/etc/zfs", "/etc/zfs").
+			Symlink("/fortify/etc/zinputrc", "/etc/zinputrc").
+			Symlink("/fortify/etc/zoneinfo", "/etc/zoneinfo").
+			Symlink("/fortify/etc/zprofile", "/etc/zprofile").
+			Symlink("/fortify/etc/zshenv", "/etc/zshenv").
+			Symlink("/fortify/etc/zshrc", "/etc/zshrc").
+			Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", false, true).
+			Tmpfs("/tmp/fortify.1971", 1048576).
+			Tmpfs("/run/user", 1048576).
+			Tmpfs("/run/user/65534", 8388608).
+			Bind("/home/chronos", "/home/chronos", false, true).
+			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
+			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
+			Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
+			Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
+			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
+			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
+			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
+			Tmpfs("/var/run/nscd", 8192),
+	},
+}

internal/app/app_stub_test.go

@@ -0,0 +1,153 @@
+package app_test
+
+import (
+	"fmt"
+	"io"
+	"io/fs"
+	"os/user"
+	"strconv"
+
+	"git.ophivana.moe/security/fortify/internal/linux"
+)
+
+// fs methods are not implemented using a real FS
+// to help better understand filesystem access behaviour
+type stubNixOS struct {
+	lookPathErr map[string]error
+	usernameErr map[string]error
+}
+
+func (s *stubNixOS) Geteuid() int {
+	return 1971
+}
+
+func (s *stubNixOS) LookupEnv(key string) (string, bool) {
+	switch key {
+	case "SHELL":
+		return "/run/current-system/sw/bin/zsh", true
+	case "TERM":
+		return "xterm-256color", true
+	case "WAYLAND_DISPLAY":
+		return "wayland-0", true
+	case "PULSE_COOKIE":
+		return "", false
+	case "HOME":
+		return "/home/ophestra", true
+	case "XDG_CONFIG_HOME":
+		return "/home/ophestra/xdg/config", true
+	default:
+		panic(fmt.Sprintf("attempted to access unexpected environment variable %q", key))
+	}
+}
+
+func (s *stubNixOS) TempDir() string {
+	return "/tmp"
+}
+
+func (s *stubNixOS) LookPath(file string) (string, error) {
+	if s.lookPathErr != nil {
+		if err, ok := s.lookPathErr[file]; ok {
+			return "", err
+		}
+	}
+
+	switch file {
+	case "sudo":
+		return "/run/wrappers/bin/sudo", nil
+	case "machinectl":
+		return "/home/ophestra/.nix-profile/bin/machinectl", nil
+	default:
+		panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
+	}
+}
+
+func (s *stubNixOS) Executable() (string, error) {
+	return "/home/ophestra/.nix-profile/bin/fortify", nil
+}
+
+func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) {
+	switch name {
+	case "video":
+		return &user.Group{Gid: "26", Name: "video"}, nil
+	default:
+		return nil, user.UnknownGroupError(name)
+	}
+}
+
+func (s *stubNixOS) ReadDir(name string) ([]fs.DirEntry, error) {
+	switch name {
+	case "/":
+		return stubDirEntries("bin", "boot", "dev", "etc", "home", "lib",
+			"lib64", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var")
+	case "/run":
+		return stubDirEntries("agetty.reload", "binfmt", "booted-system",
+			"credentials", "cryptsetup", "current-system", "dbus", "host", "keys",
+			"libvirt", "libvirtd.pid", "lock", "log", "lvm", "mount", "NetworkManager",
+			"nginx", "nixos", "nscd", "opengl-driver", "pppd", "resolvconf", "sddm",
+			"store", "syncoid", "system", "systemd", "tmpfiles.d", "udev", "udisks2",
+			"user", "utmp", "virtlogd.pid", "wrappers", "zed.pid", "zed.state")
+	case "/etc":
+		return stubDirEntries("alsa", "bashrc", "binfmt.d", "dbus-1", "default",
+			"ethertypes", "fonts", "fstab", "fuse.conf", "group", "host.conf", "hostid",
+			"hostname", "hostname.CHECKSUM", "hosts", "inputrc", "ipsec.d", "issue", "kbd",
+			"libblockdev", "locale.conf", "localtime", "login.defs", "lsb-release", "lvm",
+			"machine-id", "man_db.conf", "modprobe.d", "modules-load.d", "mtab", "nanorc",
+			"netgroup", "NetworkManager", "nix", "nixos", "NIXOS", "nscd.conf", "nsswitch.conf",
+			"opensnitchd", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1",
+			"profile", "protocols", "qemu", "resolv.conf", "resolvconf.conf", "rpc", "samba",
+			"sddm.conf", "secureboot", "services", "set-environment", "shadow", "shells", "ssh",
+			"ssl", "static", "subgid", "subuid", "sudoers", "sysctl.d", "systemd", "terminfo",
+			"tmpfiles.d", "udev", "udisks2", "UPower", "vconsole.conf", "X11", "zfs", "zinputrc",
+			"zoneinfo", "zprofile", "zshenv", "zshrc")
+	default:
+		panic(fmt.Sprintf("attempted to read unexpected directory %q", name))
+	}
+}
+
+func (s *stubNixOS) Stat(name string) (fs.FileInfo, error) {
+	switch name {
+	case "/var/run/nscd":
+		return nil, nil
+	case "/run/user/1971/pulse":
+		return nil, nil
+	case "/run/user/1971/pulse/native":
+		return stubFileInfoMode(0666), nil
+	case "/home/ophestra/.pulse-cookie":
+		return stubFileInfoIsDir(true), nil
+	case "/home/ophestra/xdg/config/pulse/cookie":
+		return stubFileInfoIsDir(false), nil
+	default:
+		panic(fmt.Sprintf("attempted to stat unexpected path %q", name))
+	}
+}
+
+func (s *stubNixOS) Open(name string) (fs.File, error) {
+	switch name {
+	default:
+		panic(fmt.Sprintf("attempted to open unexpected file %q", name))
+	}
+}
+
+func (s *stubNixOS) Exit(code int) {
+	panic("called exit on stub with code " + strconv.Itoa(code))
+}
+
+func (s *stubNixOS) Stdout() io.Writer {
+	panic("requested stdout")
+}
+
+func (s *stubNixOS) Paths() linux.Paths {
+	return linux.Paths{
+		SharePath:   "/tmp/fortify.1971",
+		RuntimePath: "/run/user/1971",
+		RunDirPath:  "/run/user/1971/fortify",
+	}
+}
+
+func (s *stubNixOS) Uid(aid int) (int, error) {
+	return 1000000 + 0*10000 + aid, nil
+}
+
+func (s *stubNixOS) SdBooted() bool {
+	return true
+}

internal/app/app_test.go

@@ -22,7 +22,7 @@ type sealTestCase struct {
 }
 
 func TestApp(t *testing.T) {
-	testCases := append(testCasesNixos)
+	testCases := append(testCasesPd, testCasesNixos...)
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {

internal/app/config.go

@@ -62,8 +62,8 @@ type SandboxConfig struct {
 	NoNewSession bool `json:"no_new_session,omitempty"`
 	// map target user uid to privileged user uid in the user namespace
 	MapRealUID bool `json:"map_real_uid"`
-	// mediated access to wayland socket
+	// direct access to wayland socket
-	Wayland bool `json:"wayland,omitempty"`
+	DirectWayland bool `json:"direct_wayland,omitempty"`
 
 	// final environment variables
 	Env map[string]string `json:"env"`
@@ -190,13 +190,13 @@ func Template() *Config {
 			Outer:    "/var/lib/persist/home/org.chromium.Chromium",
 			Inner:    "/var/lib/fortify",
 			Sandbox: &SandboxConfig{
-				Hostname:     "localhost",
+				Hostname:      "localhost",
-				UserNS:       true,
+				UserNS:        true,
-				Net:          true,
+				Net:           true,
-				NoNewSession: true,
+				NoNewSession:  true,
-				MapRealUID:   true,
+				MapRealUID:    true,
-				Dev:          true,
+				Dev:           true,
-				Wayland:      false,
+				DirectWayland: false,
 				// example API credentials pulled from Google Chrome
 				// DO NOT USE THESE IN A REAL BROWSER
 				Env: map[string]string{

internal/app/seal.go

@@ -8,7 +8,6 @@ import (
 	"regexp"
 	"strconv"
 
-	shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
 	"git.ophivana.moe/security/fortify/dbus"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
 	"git.ophivana.moe/security/fortify/internal/linux"
@@ -29,8 +28,6 @@ var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z
 type appSeal struct {
 	// app unique ID string representation
 	id string
-	// wayland mediation, disabled if nil
-	wl *shim.Wayland
 	// dbus proxy message buffer retriever
 	dbusMsg func(f func(msgbuf []string))
 
@@ -48,6 +45,8 @@ type appSeal struct {
 
 	// pass-through enablement tracking from config
 	et system.Enablements
+	// wayland socket direct access
+	directWayland bool
 
 	// prevents sharing from happening twice
 	shared bool
@@ -204,6 +203,7 @@ func (a *app) Seal(config *Config) error {
 
 		config.Confinement.Sandbox = conf
 	}
+	seal.directWayland = config.Confinement.Sandbox.DirectWayland
 	if b, err := config.Confinement.Sandbox.Bwrap(a.os); err != nil {
 		return err
 	} else {
@@ -214,12 +214,6 @@ func (a *app) Seal(config *Config) error {
 		seal.sys.bwrap.SetEnv = make(map[string]string)
 	}
 
-	// create wayland struct and client wait channel if mediated wayland is enabled
-	// this field being set enables mediated wayland setup later on
-	if config.Confinement.Sandbox.Wayland {
-		seal.wl = shim.NewWayland()
-	}
-
 	// open process state store
 	// the simple store only starts holding an open file after first action
 	// store activity begins after Start is called and must end before Wait

internal/app/share.display.go

@@ -31,23 +31,36 @@ func (seal *appSeal) shareDisplay(os linux.System) error {
 
 	// set up wayland
 	if seal.et.Has(system.EWayland) {
+		var wp string
 		if wd, ok := os.LookupEnv(waylandDisplay); !ok {
 			return fmsg.WrapError(ErrWayland,
 				"WAYLAND_DISPLAY is not set")
-		} else if seal.wl == nil {
+		} else {
+			wp = path.Join(seal.RuntimePath, wd)
+		}
+
+		w := path.Join(seal.sys.runtime, "wayland-0")
+		seal.sys.bwrap.SetEnv[waylandDisplay] = w
+
+		if seal.directWayland {
 			// hardlink wayland socket
-			wp := path.Join(seal.RuntimePath, wd)
 			wpi := path.Join(seal.shareLocal, "wayland")
-			w := path.Join(seal.sys.runtime, "wayland-0")
 			seal.sys.Link(wp, wpi)
-			seal.sys.bwrap.SetEnv[waylandDisplay] = w
 			seal.sys.bwrap.Bind(wpi, w)
 
 			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
 			seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
 		} else {
-			// set wayland socket path for mediation (e.g. `/run/user/%d/wayland-%d`)
+			wc := path.Join(seal.SharePath, "wayland")
-			seal.wl.Path = path.Join(seal.RuntimePath, wd)
+			wt := path.Join(wc, seal.id)
+			seal.sys.Ensure(wc, 0711)
+			appID := seal.fid
+			if appID == "" {
+				// use instance ID in case app id is not set
+				appID = "moe.ophivana.fortify." + seal.id
+			}
+			seal.sys.Wayland(wt, wp, appID, seal.id)
+			seal.sys.bwrap.Bind(wt, w)
 		}
 	}
 

internal/app/start.go

@@ -47,12 +47,10 @@ func (a *app) Start() error {
 		a.seal.sys.user.as,
 		a.seal.sys.user.supp,
 		path.Join(a.seal.share, "shim"),
-		a.seal.wl,
 		&shim0.Payload{
 			Argv:  a.seal.command,
 			Exec:  shimExec,
 			Bwrap: a.seal.sys.bwrap,
-			WL:    a.seal.wl != nil,
 
 			Verbose: fmsg.Verbose(),
 		},
@@ -64,6 +62,9 @@ func (a *app) Start() error {
 	}
 	a.seal.sys.needRevert = true
 
+	// export sync pipe from sys
+	a.seal.sys.bwrap.SetSync(a.seal.sys.Sync())
+
 	if startTime, err := a.shim.Start(); err != nil {
 		return err
 	} else {
@@ -199,13 +200,6 @@ func (a *app) Wait() (int, error) {
 		})
 	}
 
-	// close wayland connection
-	if a.seal.wl != nil {
-		if err := a.seal.wl.Close(); err != nil {
-			fmsg.Println("cannot close wayland connection:", err)
-		}
-	}
-
 	// update store and revert app setup transaction
 	e := new(StateStoreError)
 	e.Inner, e.DoErr = a.seal.store.Do(func(b state.Backend) {

internal/proc/files.go

@@ -0,0 +1,13 @@
+package proc
+
+import (
+	"os"
+	"os/exec"
+)
+
+func ExtraFile(cmd *exec.Cmd, f *os.File) (fd uintptr) {
+	// ExtraFiles: If non-nil, entry i becomes file descriptor 3+i.
+	fd = uintptr(3 + len(cmd.ExtraFiles))
+	cmd.ExtraFiles = append(cmd.ExtraFiles, f)
+	return
+}

internal/system/op.go

@@ -2,6 +2,7 @@ package system
 
 import (
 	"errors"
+	"os"
 	"sync"
 
 	"git.ophivana.moe/security/fortify/internal/fmsg"
@@ -56,6 +57,7 @@ func TypeString(e Enablement) string {
 type I struct {
 	uid int
 	ops []Op
+	sp  *os.File
 
 	state [2]bool
 	lock  sync.Mutex
@@ -65,6 +67,10 @@ func (sys *I) UID() int {
 	return sys.uid
 }
 
+func (sys *I) Sync() *os.File {
+	return sys.sp
+}
+
 func (sys *I) Equal(v *I) bool {
 	if v == nil || sys.uid != v.uid || len(sys.ops) != len(v.ops) {
 		return false

internal/system/wayland.go

@@ -0,0 +1,85 @@
+package system
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"git.ophivana.moe/security/fortify/acl"
+	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.ophivana.moe/security/fortify/wl"
+)
+
+// Wayland sets up a wayland socket with a security context attached.
+func (sys *I) Wayland(dst, src, appID, instanceID string) *I {
+	sys.lock.Lock()
+	defer sys.lock.Unlock()
+
+	sys.ops = append(sys.ops, Wayland{[2]string{dst, src}, new(wl.Conn), appID, instanceID})
+
+	return sys
+}
+
+type Wayland struct {
+	pair [2]string
+	conn *wl.Conn
+
+	appID, instanceID string
+}
+
+func (w Wayland) Type() Enablement {
+	return Process
+}
+
+func (w Wayland) apply(sys *I) error {
+	// the Wayland op is not repeatable
+	if sys.sp != nil {
+		return errors.New("attempted to attach multiple wayland sockets")
+	}
+
+	if err := w.conn.Attach(w.pair[1]); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			fmt.Sprintf("cannot attach to wayland on %q:", w.pair[1]))
+	} else {
+		fmsg.VPrintf("wayland attached on %q", w.pair[1])
+	}
+
+	if sp, err := w.conn.Bind(w.pair[0], w.appID, w.instanceID); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			fmt.Sprintf("cannot bind to socket on %q:", w.pair[0]))
+	} else {
+		sys.sp = sp
+		fmsg.VPrintf("wayland listening on %q", w.pair[0])
+		return fmsg.WrapErrorSuffix(errors.Join(os.Chmod(w.pair[0], 0), acl.UpdatePerm(w.pair[0], sys.uid, acl.Read, acl.Write, acl.Execute)),
+			fmt.Sprintf("cannot chmod socket on %q:", w.pair[0]))
+	}
+}
+
+func (w Wayland) revert(_ *I, ec *Criteria) error {
+	if ec.hasType(w) {
+		fmsg.VPrintf("removing wayland socket on %q", w.pair[0])
+		if err := os.Remove(w.pair[0]); err != nil && !errors.Is(err, os.ErrNotExist) {
+			return err
+		}
+
+		fmsg.VPrintf("detaching from wayland on %q", w.pair[1])
+		return fmsg.WrapErrorSuffix(w.conn.Close(),
+			fmt.Sprintf("cannot detach from wayland on %q:", w.pair[1]))
+	} else {
+		fmsg.VPrintf("skipping wayland cleanup on %q", w.pair[0])
+		return nil
+	}
+}
+
+func (w Wayland) Is(o Op) bool {
+	w0, ok := o.(Wayland)
+	return ok && w.pair == w0.pair
+}
+
+func (w Wayland) Path() string {
+	return w.pair[0]
+}
+
+func (w Wayland) String() string {
+	return fmt.Sprintf("wayland socket at %q", w.pair[0])
+}

main.go

@@ -149,10 +149,10 @@ func main() {
 		var (
 			dbusConfigSession string
 			dbusConfigSystem  string
-			dbusID            string
 			mpris             bool
 			dbusVerbose       bool
 
+			fid         string
 			aid         int
 			groups      gl
 			homeDir     string
@@ -162,15 +162,15 @@ func main() {
 
 		set.StringVar(&dbusConfigSession, "dbus-config", "builtin", "Path to D-Bus proxy config file, or \"builtin\" for defaults")
 		set.StringVar(&dbusConfigSystem, "dbus-system", "nil", "Path to system D-Bus proxy config file, or \"nil\" to disable")
-		set.StringVar(&dbusID, "dbus-id", "", "D-Bus ID of application, leave empty to disable own paths, has no effect if custom config is available")
 		set.BoolVar(&mpris, "mpris", false, "Allow owning MPRIS D-Bus path, has no effect if custom config is available")
 		set.BoolVar(&dbusVerbose, "dbus-log", false, "Force logging in the D-Bus proxy")
 
+		set.StringVar(&fid, "id", "", "App ID, leave empty to disable security context app_id")
 		set.IntVar(&aid, "a", 0, "Fortify application ID")
 		set.Var(&groups, "g", "Groups inherited by the app process")
 		set.StringVar(&homeDir, "d", "os", "Application home directory")
 		set.StringVar(&userName, "u", "chronos", "Passwd name within sandbox")
-		set.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
+		set.BoolVar(&enablements[system.EWayland], "wayland", false, "Allow Wayland connections")
 		set.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
 		set.BoolVar(&enablements[system.EDBus], "dbus", false, "Proxy D-Bus connection")
 		set.BoolVar(&enablements[system.EPulse], "pulse", false, "Share PulseAudio socket and cookie")
@@ -180,7 +180,7 @@ func main() {
 
 		// initialise config from flags
 		config := &app.Config{
-			ID:      dbusID,
+			ID:      fid,
 			Command: set.Args(),
 		}
 
@@ -241,7 +241,7 @@ func main() {
 		// parse D-Bus config file from flags if applicable
 		if enablements[system.EDBus] {
 			if dbusConfigSession == "builtin" {
-				config.Confinement.SessionBus = dbus.NewConfig(dbusID, true, mpris)
+				config.Confinement.SessionBus = dbus.NewConfig(fid, true, mpris)
 			} else {
 				if c, err := dbus.NewConfigFromFile(dbusConfigSession); err != nil {
 					fmsg.Fatalf("cannot load session bus proxy config from %q: %s", dbusConfigSession, err)

nixos.nix

@@ -53,6 +53,8 @@ in
       '';
     };
 
+    systemd.services.nix-daemon.unitConfig.RequiresMountsFor = [ "/etc/userdb" ];
+
     services.userdbd.enable = mkDefault true;
 
     home-manager =
@@ -114,7 +116,7 @@ in
                       app_id = aid;
                       inherit (app) groups;
                       username = "u${toString fid}_a${toString aid}";
-                      home = "${cfg.stateDir}/${toString fid}/${toString aid}";
+                      home = "${cfg.stateDir}/u${toString fid}/a${toString aid}";
                       sandbox = {
                         inherit (app)
                           userns
@@ -123,6 +125,7 @@ in
                           env
                           ;
                         map_real_uid = app.mapRealUid;
+                        no_new_session = app.tty;
                         filesystem =
                           [
                             { src = "/bin"; }

options.md

@@ -36,7 +36,7 @@ package
 
 
 *Default:*
-` <derivation fortify-0.1.0> `
+` <derivation fortify-0.2.1> `
 
 
 
@@ -478,6 +478,30 @@ null or package
 
 
 
+## environment\.fortify\.apps\.\*\.tty
+
+
+
+Whether to enable allow access to the controlling terminal\.
+
+
+
+*Type:*
+boolean
+
+
+
+*Default:*
+` false `
+
+
+
+*Example:*
+` true `
+
+
+
+
 ## environment\.fortify\.apps\.\*\.userns
 
 

options.nix

@@ -133,6 +133,7 @@ in
               userns = mkEnableOption "userns within the sandbox";
               mapRealUid = mkEnableOption "mapping to fortify's real UID within the sandbox";
               dev = mkEnableOption "access to all devices within the sandbox";
+              tty = mkEnableOption "allow access to the controlling terminal";
 
               net = mkEnableOption "network access within the sandbox" // {
                 default = true;

package.nix

@@ -4,13 +4,17 @@
   makeBinaryWrapper,
   xdg-dbus-proxy,
   bubblewrap,
+  pkg-config,
   acl,
+  wayland,
+  wayland-scanner,
+  wayland-protocols,
   xorg,
 }:
 
 buildGoModule rec {
   pname = "fortify";
-  version = "0.2.1";
+  version = "0.2.2";
 
   src = ./.;
   vendorHash = null;
@@ -41,12 +45,24 @@ buildGoModule rec {
 
   buildInputs = [
     acl
+    wayland
+    wayland-protocols
     xorg.libxcb
   ];
 
-  nativeBuildInputs = [ makeBinaryWrapper ];
+  nativeBuildInputs = [
+    pkg-config
+    wayland-scanner
+    makeBinaryWrapper
+  ];
+
+  preConfigure = ''
+    HOME=$(mktemp -d) go generate ./...
+  '';
 
   postInstall = ''
+    install -D --target-directory=$out/share/zsh/site-functions comp/*
+
     mkdir "$out/libexec"
     mv "$out"/bin/* "$out/libexec/"
 

wl/c.go

@@ -0,0 +1,111 @@
+package wl
+
+//go:generate sh -c "wayland-scanner client-header `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.h"
+//go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
+
+/*
+#cgo linux pkg-config: wayland-client
+#cgo freebsd openbsd LDFLAGS: -lwayland-client
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include <wayland-client.h>
+#include "security-context-v1-protocol.h"
+
+static void registry_handle_global(void *data, struct wl_registry *registry, uint32_t name, const char *interface, uint32_t version) {
+  struct wp_security_context_manager_v1 **out = data;
+
+  if (strcmp(interface, wp_security_context_manager_v1_interface.name) == 0)
+      *out = wl_registry_bind(registry, name, &wp_security_context_manager_v1_interface, 1);
+}
+
+static void registry_handle_global_remove(void *data, struct wl_registry *registry, uint32_t name) { } // no-op
+
+static const struct wl_registry_listener registry_listener = {
+  .global = registry_handle_global,
+  .global_remove = registry_handle_global_remove,
+};
+
+static int32_t bind_wayland_fd(char *socket_path, int fd, const char *app_id, const char *instance_id, int sync_fd) {
+  int32_t res = 0; // refer to resErr for meaning
+
+  struct wl_display *display;
+  display = wl_display_connect_to_fd(fd);
+  if (!display) {
+    res = 1;
+    goto out;
+  };
+
+  struct wl_registry *registry;
+  registry = wl_display_get_registry(display);
+
+  struct wp_security_context_manager_v1 *security_context_manager = NULL;
+  wl_registry_add_listener(registry, &registry_listener, &security_context_manager);
+  int ret;
+  ret = wl_display_roundtrip(display);
+  wl_registry_destroy(registry);
+  if (ret < 0)
+    goto out;
+
+  if (!security_context_manager) {
+    res = 2;
+    goto out;
+  }
+
+  int listen_fd = -1;
+  listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+  if (listen_fd < 0)
+    goto out;
+
+  struct sockaddr_un sockaddr = {0};
+  sockaddr.sun_family = AF_UNIX;
+  snprintf(sockaddr.sun_path, sizeof(sockaddr.sun_path), "%s", socket_path);
+  if (bind(listen_fd, (struct sockaddr *)&sockaddr, sizeof(sockaddr)) != 0)
+    goto out;
+
+  if (listen(listen_fd, 0) != 0)
+    goto out;
+
+  struct wp_security_context_v1 *security_context;
+  security_context = wp_security_context_manager_v1_create_listener(security_context_manager, listen_fd, sync_fd);
+  wp_security_context_v1_set_sandbox_engine(security_context, "moe.ophivana.fortify");
+  wp_security_context_v1_set_app_id(security_context, app_id);
+  wp_security_context_v1_set_instance_id(security_context, instance_id);
+  wp_security_context_v1_commit(security_context);
+  wp_security_context_v1_destroy(security_context);
+  if (wl_display_roundtrip(display) < 0)
+    goto out;
+
+out:
+  if (listen_fd >= 0)
+    close(listen_fd);
+  if (security_context_manager)
+    wp_security_context_manager_v1_destroy(security_context_manager);
+  if (display)
+    wl_display_disconnect(display);
+
+  free((void *)socket_path);
+  free((void *)app_id);
+  free((void *)instance_id);
+  return res;
+}
+*/
+import "C"
+import "errors"
+
+var resErr = [...]error{
+	0: nil,
+	1: errors.New("wl_display_connect_to_fd() failed"),
+	2: errors.New("wp_security_context_v1 not available"),
+}
+
+func bindWaylandFd(socketPath string, fd uintptr, appID, instanceID string, syncFD uintptr) error {
+	res := C.bind_wayland_fd(C.CString(socketPath), C.int(fd), C.CString(appID), C.CString(instanceID), C.int(syncFD))
+	return resErr[int32(res)]
+}

wl/conn.go

@@ -0,0 +1,120 @@
+// Package wl implements Wayland security_context_v1 protocol.
+package wl
+
+import (
+	"errors"
+	"net"
+	"os"
+	"runtime"
+	"sync"
+	"syscall"
+)
+
+type Conn struct {
+	conn *net.UnixConn
+
+	done     chan struct{}
+	doneOnce sync.Once
+
+	mu sync.Mutex
+}
+
+// Attach connects Conn to a wayland socket.
+func (c *Conn) Attach(p string) (err error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.conn != nil {
+		return errors.New("attached")
+	}
+
+	c.conn, err = net.DialUnix("unix", nil, &net.UnixAddr{Name: p, Net: "unix"})
+	return
+}
+
+// Close releases resources and closes the connection to the wayland compositor.
+func (c *Conn) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.done == nil {
+		return errors.New("no socket bound")
+	}
+
+	c.doneOnce.Do(func() {
+		c.done <- struct{}{}
+		<-c.done
+	})
+
+	// closed by wayland
+	runtime.SetFinalizer(c.conn, nil)
+	return nil
+}
+
+func (c *Conn) Bind(p, appID, instanceID string) (*os.File, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.conn == nil {
+		return nil, errors.New("not attached")
+	}
+	if c.done != nil {
+		return nil, errors.New("bound")
+	}
+
+	if rc, err := c.conn.SyscallConn(); err != nil {
+		// unreachable
+		return nil, err
+	} else {
+		c.done = make(chan struct{})
+		return bindRawConn(c.done, rc, p, appID, instanceID)
+	}
+}
+
+func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) (*os.File, error) {
+	var syncPipe [2]*os.File
+
+	if r, w, err := os.Pipe(); err != nil {
+		return nil, err
+	} else {
+		syncPipe[0] = r
+		syncPipe[1] = w
+	}
+
+	setupDone := make(chan error, 1) // does not block with c.done
+
+	go func() {
+		if err := rc.Control(func(fd uintptr) {
+			// prevent runtime from closing the read end of sync fd
+			runtime.SetFinalizer(syncPipe[0], nil)
+
+			// allow the Bind method to return after setup
+			setupDone <- bind(fd, p, appID, instanceID, syncPipe[0].Fd())
+			close(setupDone)
+
+			// keep socket alive until done is requested
+			<-done
+		}); err != nil {
+			setupDone <- err
+		}
+
+		// notify Close that rc.Control has returned
+		close(done)
+	}()
+
+	// return write end of the pipe
+	return syncPipe[1], <-setupDone
+}
+
+func bind(fd uintptr, p, appID, instanceID string, syncFD uintptr) error {
+	// ensure p is available
+	if f, err := os.Create(p); err != nil {
+		return err
+	} else if err = f.Close(); err != nil {
+		return err
+	} else if err = os.Remove(p); err != nil {
+		return err
+	}
+
+	return bindWaylandFd(p, fd, appID, instanceID, syncFD)
+}