app/instance: wrap internal implementation

This reduces the scope of the fst package, which was growing questionably large.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/fpkg/app.go

@@ -29,7 +29,7 @@ type appInfo struct {
 	// passed through to [fst.Config]
 	Net bool `json:"net,omitempty"`
 	// passed through to [fst.Config]
-	Dev bool `json:"dev,omitempty"`
+	Device bool `json:"dev,omitempty"`
 	// passed through to [fst.Config]
 	Tty bool `json:"tty,omitempty"`
 	// passed through to [fst.Config]
@@ -79,7 +79,7 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 				Devel:         app.Devel,
 				Userns:        app.Userns,
 				Net:           app.Net,
-				Dev:           app.Dev,
+				Device:        app.Device,
 				Tty:           app.Tty || flagDropShell,
 				MapRealUID:    app.MapRealUID,
 				DirectWayland: app.DirectWayland,
@@ -111,10 +111,10 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 		},
 	}
 	if app.Multiarch {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FlagMultiarch
+		config.Confinement.Sandbox.Seccomp |= seccomp.FilterMultiarch
 	}
 	if app.Bluetooth {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FlagBluetooth
+		config.Confinement.Sandbox.Seccomp |= seccomp.FilterBluetooth
 	}
 	return config
 }

cmd/fpkg/main.go

@@ -13,7 +13,7 @@ import (
 	"git.gensokyo.uk/security/fortify/command"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/app/instance"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/sys"
 	"git.gensokyo.uk/security/fortify/sandbox"
@@ -62,7 +62,7 @@ func main() {
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
 		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action")
 
-	c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess })
+	c.Command("shim", command.UsageInternal, func([]string) error { instance.ShimMain(); return errSuccess })
 
 	{
 		var (

cmd/fpkg/proc.go

@@ -6,23 +6,24 @@ import (
 
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/app/instance"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
 func mustRunApp(ctx context.Context, config *fst.Config, beforeFail func()) {
-	rs := new(fst.RunState)
-	a := app.MustNew(ctx, std)
+	rs := new(app.RunState)
+	a := instance.MustNew(instance.ISetuid, ctx, std)
 
+	var code int
 	if sa, err := a.Seal(config); err != nil {
 		fmsg.PrintBaseError(err, "cannot seal app:")
-		rs.ExitCode = 1
+		code = 1
 	} else {
-		// this updates ExitCode
-		app.PrintRunStateErr(rs, sa.Run(rs))
+		code = instance.PrintRunStateErr(instance.ISetuid, rs, sa.Run(rs))
 	}
 
-	if rs.ExitCode != 0 {
+	if code != 0 {
 		beforeFail()
-		os.Exit(rs.ExitCode)
+		os.Exit(code)
 	}
 }

cmd/fpkg/with.go

@@ -39,7 +39,7 @@ func withNixDaemon(
 				Hostname: formatHostname(app.Name) + "-" + action,
 				Userns:   true, // nix sandbox requires userns
 				Net:      net,
-				Seccomp:  seccomp.FlagMultiarch,
+				Seccomp:  seccomp.FilterMultiarch,
 				Tty:      dropShell,
 				Filesystem: []*fst.FilesystemConfig{
 					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
@@ -76,7 +76,7 @@ func withCacheDir(
 			Shell:    shellPath,
 			Sandbox: &fst.SandboxConfig{
 				Hostname: formatHostname(app.Name) + "-" + action,
-				Seccomp:  seccomp.FlagMultiarch,
+				Seccomp:  seccomp.FilterMultiarch,
 				Tty:      dropShell,
 				Filesystem: []*fst.FilesystemConfig{
 					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},

dbus/proc.go

@@ -63,7 +63,7 @@ func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) er
 			c, toolPath,
 			p.seal, true,
 			argF, func(container *sandbox.Container) {
-				container.Seccomp |= seccomp.FlagMultiarch
+				container.Seccomp |= seccomp.FilterMultiarch
 				container.Hostname = "fortify-dbus"
 				container.CommandContext = p.CommandContext
 				if output != nil {

fst/app.go

@@ -1,47 +0,0 @@
-// Package fst exports shared fortify types.
-package fst
-
-import (
-	"time"
-)
-
-type App interface {
-	// ID returns a copy of [fst.ID] held by App.
-	ID() ID
-
-	// Seal determines the outcome of config as a [SealedApp].
-	// The value of config might be overwritten and must not be used again.
-	Seal(config *Config) (SealedApp, error)
-
-	String() string
-}
-
-type SealedApp interface {
-	// Run commits sealed system setup and starts the app process.
-	Run(rs *RunState) error
-}
-
-// RunState stores the outcome of a call to [SealedApp.Run].
-type RunState struct {
-	// Time is the exact point in time where the process was created.
-	// Location must be set to UTC.
-	//
-	// Time is nil if no process was ever created.
-	Time *time.Time
-	// ExitCode is the value returned by shim.
-	ExitCode int
-	// RevertErr is stored by the deferred revert call.
-	RevertErr error
-	// WaitErr is error returned by the underlying wait syscall.
-	WaitErr error
-}
-
-// Paths contains environment-dependent paths used by fortify.
-type Paths struct {
-	// path to shared directory (usually `/tmp/fortify.%d`)
-	SharePath string `json:"share_path"`
-	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
-	RuntimePath string `json:"runtime_path"`
-	// application runtime directory (usually `/run/user/%d/fortify`)
-	RunDirPath string `json:"run_dir_path"`
-}

fst/config.go

@@ -1,3 +1,4 @@
+// Package fst exports shared fortify types.
 package fst
 
 import (
@@ -105,8 +106,8 @@ func Template() *Config {
 				Devel:         true,
 				Userns:        true,
 				Net:           true,
-				Dev:           true,
-				Seccomp:       seccomp.FlagMultiarch,
+				Device:        true,
+				Seccomp:       seccomp.FilterMultiarch,
 				Tty:           true,
 				Multiarch:     true,
 				MapRealUID:    true,

fst/sandbox.go

@@ -1,16 +1,6 @@
 package fst
 
 import (
-	"errors"
-	"fmt"
-	"io/fs"
-	"maps"
-	"path"
-	"slices"
-	"syscall"
-
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 )
 
@@ -21,7 +11,7 @@ type (
 		Hostname string `json:"hostname,omitempty"`
 
 		// extra seccomp flags
-		Seccomp seccomp.SyscallOpts `json:"seccomp"`
+		Seccomp seccomp.FilterOpts `json:"seccomp"`
 		// allow ptrace and friends
 		Devel bool `json:"devel,omitempty"`
 		// allow userns creation in container
@@ -39,7 +29,7 @@ type (
 		MapRealUID bool `json:"map_real_uid"`
 
 		// expose all devices
-		Dev bool `json:"dev,omitempty"`
+		Device bool `json:"device,omitempty"`
 		// container host filesystem bind mounts
 		Filesystem []*FilesystemConfig `json:"filesystem"`
 		// create symlinks inside container filesystem
@@ -57,18 +47,6 @@ type (
 		Cover []string `json:"cover"`
 	}
 
-	// SandboxSys encapsulates system functions used during [sandbox.Container] initialisation.
-	SandboxSys interface {
-		Getuid() int
-		Getgid() int
-		Paths() Paths
-		ReadDir(name string) ([]fs.DirEntry, error)
-		EvalSymlinks(path string) (string, error)
-
-		Println(v ...any)
-		Printf(format string, v ...any)
-	}
-
 	// FilesystemConfig is a representation of [sandbox.BindMount].
 	FilesystemConfig struct {
 		// mount point in container, same as src if empty
@@ -83,204 +61,3 @@ type (
 		Must bool `json:"require,omitempty"`
 	}
 )
-
-// ToContainer initialises [sandbox.Params] via [SandboxConfig].
-// Note that remaining container setup must be queued by the [App] implementation.
-func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Params, map[string]string, error) {
-	if s == nil {
-		return nil, nil, syscall.EBADE
-	}
-
-	container := &sandbox.Params{
-		Hostname: s.Hostname,
-		Ops:      new(sandbox.Ops),
-		Seccomp:  s.Seccomp,
-	}
-
-	if s.Multiarch {
-		container.Seccomp |= seccomp.FlagMultiarch
-	}
-
-	/* this is only 4 KiB of memory on a 64-bit system,
-	permissive defaults on NixOS results in around 100 entries
-	so this capacity should eliminate copies for most setups */
-	*container.Ops = slices.Grow(*container.Ops, 1<<8)
-
-	if s.Devel {
-		container.Flags |= sandbox.FAllowDevel
-	}
-	if s.Userns {
-		container.Flags |= sandbox.FAllowUserns
-	}
-	if s.Net {
-		container.Flags |= sandbox.FAllowNet
-	}
-	if s.Tty {
-		container.Flags |= sandbox.FAllowTTY
-	}
-
-	if s.MapRealUID {
-		/* some programs fail to connect to dbus session running as a different uid
-		so this workaround is introduced to map priv-side caller uid in container */
-		container.Uid = sys.Getuid()
-		*uid = container.Uid
-		container.Gid = sys.Getgid()
-		*gid = container.Gid
-	} else {
-		*uid = sandbox.OverflowUid()
-		*gid = sandbox.OverflowGid()
-	}
-
-	container.
-		Proc("/proc").
-		Tmpfs(Tmp, 1<<12, 0755)
-
-	if !s.Dev {
-		container.Dev("/dev").Mqueue("/dev/mqueue")
-	} else {
-		container.Bind("/dev", "/dev", sandbox.BindDevice)
-	}
-
-	/* retrieve paths and hide them if they're made available in the sandbox;
-	this feature tries to improve user experience of permissive defaults, and
-	to warn about issues in custom configuration; it is NOT a security feature
-	and should not be treated as such, ALWAYS be careful with what you bind */
-	var hidePaths []string
-	sc := sys.Paths()
-	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
-	_, systemBusAddr := dbus.Address()
-	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
-		return nil, nil, err
-	} else {
-		// there is usually only one, do not preallocate
-		for _, entry := range entries {
-			if entry.Method != "unix" {
-				continue
-			}
-			for _, pair := range entry.Values {
-				if pair[0] == "path" {
-					if path.IsAbs(pair[1]) {
-						// get parent dir of socket
-						dir := path.Dir(pair[1])
-						if dir == "." || dir == "/" {
-							sys.Printf("dbus socket %q is in an unusual location", pair[1])
-						}
-						hidePaths = append(hidePaths, dir)
-					} else {
-						sys.Printf("dbus socket %q is not absolute", pair[1])
-					}
-				}
-			}
-		}
-	}
-	hidePathMatch := make([]bool, len(hidePaths))
-	for i := range hidePaths {
-		if err := evalSymlinks(sys, &hidePaths[i]); err != nil {
-			return nil, nil, err
-		}
-	}
-
-	for _, c := range s.Filesystem {
-		if c == nil {
-			continue
-		}
-
-		if !path.IsAbs(c.Src) {
-			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
-		}
-
-		dest := c.Dst
-		if c.Dst == "" {
-			dest = c.Src
-		} else if !path.IsAbs(dest) {
-			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
-		}
-
-		srcH := c.Src
-		if err := evalSymlinks(sys, &srcH); err != nil {
-			return nil, nil, err
-		}
-
-		for i := range hidePaths {
-			// skip matched entries
-			if hidePathMatch[i] {
-				continue
-			}
-
-			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
-				return nil, nil, err
-			} else if ok {
-				hidePathMatch[i] = true
-				sys.Printf("hiding paths from %q", c.Src)
-			}
-		}
-
-		var flags int
-		if c.Write {
-			flags |= sandbox.BindWritable
-		}
-		if c.Device {
-			flags |= sandbox.BindDevice | sandbox.BindWritable
-		}
-		if !c.Must {
-			flags |= sandbox.BindOptional
-		}
-		container.Bind(c.Src, dest, flags)
-	}
-
-	// cover matched paths
-	for i, ok := range hidePathMatch {
-		if ok {
-			container.Tmpfs(hidePaths[i], 1<<13, 0755)
-		}
-	}
-
-	for _, l := range s.Link {
-		container.Link(l[0], l[1])
-	}
-
-	// perf: this might work better if implemented as a setup op in container init
-	if !s.AutoEtc {
-		if s.Etc != "" {
-			container.Bind(s.Etc, "/etc", 0)
-		}
-	} else {
-		etcPath := s.Etc
-		if etcPath == "" {
-			etcPath = "/etc"
-		}
-		container.Bind(etcPath, Tmp+"/etc", 0)
-
-		// link host /etc contents to prevent dropping passwd/group bind mounts
-		if d, err := sys.ReadDir(etcPath); err != nil {
-			return nil, nil, err
-		} else {
-			for _, ent := range d {
-				n := ent.Name()
-				switch n {
-				case "passwd":
-				case "group":
-
-				case "mtab":
-					container.Link("/proc/mounts", "/etc/"+n)
-				default:
-					container.Link(Tmp+"/etc/"+n, "/etc/"+n)
-				}
-			}
-		}
-	}
-
-	return container, maps.Clone(s.Env), nil
-}
-
-func evalSymlinks(sys SandboxSys, v *string) error {
-	if p, err := sys.EvalSymlinks(*v); err != nil {
-		if !errors.Is(err, fs.ErrNotExist) {
-			return err
-		}
-		sys.Printf("path %q does not yet exist", *v)
-	} else {
-		*v = p
-	}
-	return nil
-}

internal/app/app.go

@@ -1,82 +1,59 @@
+// Package app defines the generic [App] interface.
 package app
 
 import (
-	"context"
-	"fmt"
-	"log"
-	"sync"
+	"syscall"
+	"time"
 
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/sys"
 )
 
-func New(ctx context.Context, os sys.State) (fst.App, error) {
-	a := new(app)
-	a.sys = os
-	a.ctx = ctx
+type App interface {
+	// ID returns a copy of [ID] held by App.
+	ID() ID
 
-	id := new(fst.ID)
-	err := fst.NewAppID(id)
-	a.id = newID(id)
+	// Seal determines the outcome of config as a [SealedApp].
+	// The value of config might be overwritten and must not be used again.
+	Seal(config *fst.Config) (SealedApp, error)
 
-	return a, err
+	String() string
 }
 
-func MustNew(ctx context.Context, os sys.State) fst.App {
-	a, err := New(ctx, os)
-	if err != nil {
-		log.Fatalf("cannot create app: %v", err)
-	}
-	return a
+type SealedApp interface {
+	// Run commits sealed system setup and starts the app process.
+	Run(rs *RunState) error
 }
 
-type app struct {
-	id  *stringPair[fst.ID]
-	sys sys.State
-	ctx context.Context
+// RunState stores the outcome of a call to [SealedApp.Run].
+type RunState struct {
+	// Time is the exact point in time where the process was created.
+	// Location must be set to UTC.
+	//
+	// Time is nil if no process was ever created.
+	Time *time.Time
+	// RevertErr is stored by the deferred revert call.
+	RevertErr error
+	// WaitErr is the generic error value created by the standard library.
+	WaitErr error
 
-	*outcome
-	mu sync.RWMutex
+	syscall.WaitStatus
 }
 
-func (a *app) ID() fst.ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
-
-func (a *app) String() string {
-	if a == nil {
-		return "(invalid app)"
+// SetStart stores the current time in [RunState] once.
+func (rs *RunState) SetStart() {
+	if rs.Time != nil {
+		panic("attempted to store time twice")
 	}
-
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-
-	if a.outcome != nil {
-		if a.outcome.user.uid == nil {
-			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
-		}
-		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
-	}
-
-	return fmt.Sprintf("(unsealed app %s)", a.id)
+	now := time.Now().UTC()
+	rs.Time = &now
 }
 
-func (a *app) Seal(config *fst.Config) (fst.SealedApp, error) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-
-	if a.outcome != nil {
-		panic("app sealed twice")
-	}
-	if config == nil {
-		return nil, fmsg.WrapError(ErrConfig,
-			"attempted to seal app with nil config")
-	}
-
-	seal := new(outcome)
-	seal.id = a.id
-	err := seal.finalise(a.ctx, a.sys, config)
-	if err == nil {
-		a.outcome = seal
-	}
-	return seal, err
+// Paths contains environment-dependent paths used by fortify.
+type Paths struct {
+	// path to shared directory (usually `/tmp/fortify.%d`)
+	SharePath string `json:"share_path"`
+	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
+	RuntimePath string `json:"runtime_path"`
+	// application runtime directory (usually `/run/user/%d/fortify`)
+	RunDirPath string `json:"run_dir_path"`
 }

internal/app/id.go

@@ -1,4 +1,4 @@
-package fst
+package app
 
 import (
 	"crypto/rand"

internal/app/id_test.go

@@ -1,22 +1,22 @@
-package fst_test
+package app_test
 
 import (
 	"errors"
 	"testing"
 
-	"git.gensokyo.uk/security/fortify/fst"
+	. "git.gensokyo.uk/security/fortify/internal/app"
 )
 
 func TestParseAppID(t *testing.T) {
 	t.Run("bad length", func(t *testing.T) {
-		if err := fst.ParseAppID(new(fst.ID), "meow"); !errors.Is(err, fst.ErrInvalidLength) {
-			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, fst.ErrInvalidLength)
+		if err := ParseAppID(new(ID), "meow"); !errors.Is(err, ErrInvalidLength) {
+			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, ErrInvalidLength)
 		}
 	})
 
 	t.Run("bad byte", func(t *testing.T) {
 		wantErr := "invalid char '\\n' at byte 15"
-		if err := fst.ParseAppID(new(fst.ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
+		if err := ParseAppID(new(ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
 			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, wantErr)
 		}
 	})
@@ -30,30 +30,30 @@ func TestParseAppID(t *testing.T) {
 
 func FuzzParseAppID(f *testing.F) {
 	for i := 0; i < 16; i++ {
-		id := new(fst.ID)
-		if err := fst.NewAppID(id); err != nil {
+		id := new(ID)
+		if err := NewAppID(id); err != nil {
 			panic(err.Error())
 		}
 		f.Add(id[0], id[1], id[2], id[3], id[4], id[5], id[6], id[7], id[8], id[9], id[10], id[11], id[12], id[13], id[14], id[15])
 	}
 
 	f.Fuzz(func(t *testing.T, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15 byte) {
-		testParseAppID(t, &fst.ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
+		testParseAppID(t, &ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
 	})
 }
 
 func testParseAppIDWithRandom(t *testing.T) {
-	id := new(fst.ID)
-	if err := fst.NewAppID(id); err != nil {
+	id := new(ID)
+	if err := NewAppID(id); err != nil {
 		t.Fatalf("cannot generate app ID: %v", err)
 	}
 	testParseAppID(t, id)
 }
 
-func testParseAppID(t *testing.T, id *fst.ID) {
+func testParseAppID(t *testing.T, id *ID) {
 	s := id.String()
-	got := new(fst.ID)
-	if err := fst.ParseAppID(got, s); err != nil {
+	got := new(ID)
+	if err := ParseAppID(got, s); err != nil {
 		t.Fatalf("cannot parse app ID: %v", err)
 	}
 

internal/app/instance/common/container.go

@@ -0,0 +1,187 @@
+package common
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"maps"
+	"path"
+	"slices"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/sys"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+)
+
+// NewContainer initialises [sandbox.Params] via [fst.SandboxConfig].
+// Note that remaining container setup must be queued by the caller.
+func NewContainer(s *fst.SandboxConfig, os sys.State, uid, gid *int) (*sandbox.Params, map[string]string, error) {
+	if s == nil {
+		return nil, nil, syscall.EBADE
+	}
+
+	container := &sandbox.Params{
+		Hostname: s.Hostname,
+		Ops:      new(sandbox.Ops),
+		Seccomp:  s.Seccomp,
+	}
+
+	if s.Multiarch {
+		container.Seccomp |= seccomp.FilterMultiarch
+	}
+
+	/* this is only 4 KiB of memory on a 64-bit system,
+	permissive defaults on NixOS results in around 100 entries
+	so this capacity should eliminate copies for most setups */
+	*container.Ops = slices.Grow(*container.Ops, 1<<8)
+
+	if s.Devel {
+		container.Flags |= sandbox.FAllowDevel
+	}
+	if s.Userns {
+		container.Flags |= sandbox.FAllowUserns
+	}
+	if s.Net {
+		container.Flags |= sandbox.FAllowNet
+	}
+	if s.Tty {
+		container.Flags |= sandbox.FAllowTTY
+	}
+
+	if s.MapRealUID {
+		/* some programs fail to connect to dbus session running as a different uid
+		so this workaround is introduced to map priv-side caller uid in container */
+		container.Uid = os.Getuid()
+		*uid = container.Uid
+		container.Gid = os.Getgid()
+		*gid = container.Gid
+	} else {
+		*uid = sandbox.OverflowUid()
+		*gid = sandbox.OverflowGid()
+	}
+
+	container.
+		Proc("/proc").
+		Tmpfs(fst.Tmp, 1<<12, 0755)
+
+	if !s.Device {
+		container.Dev("/dev").Mqueue("/dev/mqueue")
+	} else {
+		container.Bind("/dev", "/dev", sandbox.BindWritable|sandbox.BindDevice)
+	}
+
+	/* retrieve paths and hide them if they're made available in the sandbox;
+	this feature tries to improve user experience of permissive defaults, and
+	to warn about issues in custom configuration; it is NOT a security feature
+	and should not be treated as such, ALWAYS be careful with what you bind */
+	var hidePaths []string
+	sc := os.Paths()
+	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
+	_, systemBusAddr := dbus.Address()
+	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
+		return nil, nil, err
+	} else {
+		// there is usually only one, do not preallocate
+		for _, entry := range entries {
+			if entry.Method != "unix" {
+				continue
+			}
+			for _, pair := range entry.Values {
+				if pair[0] == "path" {
+					if path.IsAbs(pair[1]) {
+						// get parent dir of socket
+						dir := path.Dir(pair[1])
+						if dir == "." || dir == "/" {
+							os.Printf("dbus socket %q is in an unusual location", pair[1])
+						}
+						hidePaths = append(hidePaths, dir)
+					} else {
+						os.Printf("dbus socket %q is not absolute", pair[1])
+					}
+				}
+			}
+		}
+	}
+	hidePathMatch := make([]bool, len(hidePaths))
+	for i := range hidePaths {
+		if err := evalSymlinks(os, &hidePaths[i]); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	for _, c := range s.Filesystem {
+		if c == nil {
+			continue
+		}
+
+		if !path.IsAbs(c.Src) {
+			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
+		}
+
+		dest := c.Dst
+		if c.Dst == "" {
+			dest = c.Src
+		} else if !path.IsAbs(dest) {
+			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
+		}
+
+		srcH := c.Src
+		if err := evalSymlinks(os, &srcH); err != nil {
+			return nil, nil, err
+		}
+
+		for i := range hidePaths {
+			// skip matched entries
+			if hidePathMatch[i] {
+				continue
+			}
+
+			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
+				return nil, nil, err
+			} else if ok {
+				hidePathMatch[i] = true
+				os.Printf("hiding paths from %q", c.Src)
+			}
+		}
+
+		var flags int
+		if c.Write {
+			flags |= sandbox.BindWritable
+		}
+		if c.Device {
+			flags |= sandbox.BindDevice | sandbox.BindWritable
+		}
+		if !c.Must {
+			flags |= sandbox.BindOptional
+		}
+		container.Bind(c.Src, dest, flags)
+	}
+
+	// cover matched paths
+	for i, ok := range hidePathMatch {
+		if ok {
+			container.Tmpfs(hidePaths[i], 1<<13, 0755)
+		}
+	}
+
+	for _, l := range s.Link {
+		container.Link(l[0], l[1])
+	}
+
+	return container, maps.Clone(s.Env), nil
+}
+
+func evalSymlinks(os sys.State, v *string) error {
+	if p, err := os.EvalSymlinks(*v); err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return err
+		}
+		os.Printf("path %q does not yet exist", *v)
+	} else {
+		*v = p
+	}
+	return nil
+}

internal/app/instance/common/path.go

@@ -1,4 +1,4 @@
-package fst
+package common
 
 import (
 	"path/filepath"

internal/app/instance/common/path_test.go

@@ -1,4 +1,4 @@
-package fst
+package common
 
 import (
 	"testing"

internal/app/instance/errors.go

@@ -0,0 +1,17 @@
+package instance
+
+import (
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/app/internal/setuid"
+)
+
+func PrintRunStateErr(whence int, rs *app.RunState, runErr error) (code int) {
+	switch whence {
+	case ISetuid:
+		return setuid.PrintRunStateErr(rs, runErr)
+	default:
+		panic(syscall.EINVAL)
+	}
+}

internal/app/instance/new.go

@@ -0,0 +1,33 @@
+// Package instance exposes cross-package implementation details and provides constructors for builtin implementations.
+package instance
+
+import (
+	"context"
+	"log"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/app/internal/setuid"
+	"git.gensokyo.uk/security/fortify/internal/sys"
+)
+
+const (
+	ISetuid = iota
+)
+
+func New(whence int, ctx context.Context, os sys.State) (app.App, error) {
+	switch whence {
+	case ISetuid:
+		return setuid.New(ctx, os)
+	default:
+		return nil, syscall.EINVAL
+	}
+}
+
+func MustNew(whence int, ctx context.Context, os sys.State) app.App {
+	a, err := New(whence, ctx, os)
+	if err != nil {
+		log.Fatalf("cannot create app: %v", err)
+	}
+	return a
+}

internal/app/instance/shim.go

@@ -0,0 +1,6 @@
+package instance
+
+import "git.gensokyo.uk/security/fortify/internal/app/internal/setuid"
+
+// ShimMain is the main function of the shim process and runs as the unconstrained target user.
+func ShimMain() { setuid.ShimMain() }

internal/app/internal/setuid/app.go

@@ -0,0 +1,74 @@
+package setuid
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	. "git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/sys"
+)
+
+func New(ctx context.Context, os sys.State) (App, error) {
+	a := new(app)
+	a.sys = os
+	a.ctx = ctx
+
+	id := new(ID)
+	err := NewAppID(id)
+	a.id = newID(id)
+
+	return a, err
+}
+
+type app struct {
+	id  *stringPair[ID]
+	sys sys.State
+	ctx context.Context
+
+	*outcome
+	mu sync.RWMutex
+}
+
+func (a *app) ID() ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
+
+func (a *app) String() string {
+	if a == nil {
+		return "(invalid app)"
+	}
+
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	if a.outcome != nil {
+		if a.outcome.user.uid == nil {
+			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
+		}
+		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
+	}
+
+	return fmt.Sprintf("(unsealed app %s)", a.id)
+}
+
+func (a *app) Seal(config *fst.Config) (SealedApp, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	if a.outcome != nil {
+		panic("app sealed twice")
+	}
+	if config == nil {
+		return nil, fmsg.WrapError(ErrConfig,
+			"attempted to seal app with nil config")
+	}
+
+	seal := new(outcome)
+	seal.id = a.id
+	err := seal.finalise(a.ctx, a.sys, config)
+	if err == nil {
+		a.outcome = seal
+	}
+	return seal, err
+}

internal/app/internal/setuid/app_nixos_test.go

@@ -1,9 +1,10 @@
-package app_test
+package setuid_test
 
 import (
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/system"
 )
@@ -48,7 +49,7 @@ var testCasesNixos = []sealTestCase{
 				Enablements: system.EWayland | system.EDBus | system.EPulse,
 			},
 		},
-		fst.ID{
+		app.ID{
 			0x8e, 0x2c, 0x76, 0xb0,
 			0x66, 0xda, 0xbe, 0x57,
 			0x4c, 0xf0, 0x73, 0xbd,
@@ -124,85 +125,7 @@ var testCasesNixos = []sealTestCase{
 				Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
 				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
-				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 				Tmpfs("/run/user", 4096, 0755).
 				Tmpfs("/run/user/1971", 8388608, 0700).
 				Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).

internal/app/internal/setuid/app_pd_test.go

@@ -1,4 +1,4 @@
-package app_test
+package setuid_test
 
 import (
 	"os"
@@ -6,6 +6,7 @@ import (
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/system"
 )
@@ -20,7 +21,7 @@ var testCasesPd = []sealTestCase{
 				Outer:    "/home/chronos",
 			},
 		},
-		fst.ID{
+		app.ID{
 			0x4a, 0x45, 0x0b, 0x65,
 			0x96, 0xd7, 0xbc, 0x15,
 			0xbd, 0x01, 0x78, 0x0e,
@@ -63,85 +64,7 @@ var testCasesPd = []sealTestCase{
 				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
-				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs("/run/user", 4096, 0755).
 				Tmpfs("/run/user/65534", 8388608, 0700).
 				Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
@@ -195,7 +118,7 @@ var testCasesPd = []sealTestCase{
 				Enablements: system.EWayland | system.EDBus | system.EPulse,
 			},
 		},
-		fst.ID{
+		app.ID{
 			0xeb, 0xf0, 0x83, 0xd1,
 			0xb1, 0x75, 0x91, 0x17,
 			0x82, 0xd4, 0x13, 0x36,
@@ -283,85 +206,7 @@ var testCasesPd = []sealTestCase{
 				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
-				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 				Tmpfs("/run/user", 4096, 0755).
 				Tmpfs("/run/user/65534", 8388608, 0700).
 				Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).

internal/app/internal/setuid/app_stub_test.go

@@ -1,4 +1,4 @@
-package app_test
+package setuid_test
 
 import (
 	"fmt"
@@ -7,7 +7,7 @@ import (
 	"os/user"
 	"strconv"
 
-	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 )
 
 // fs methods are not implemented using a real FS
@@ -125,8 +125,8 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {
 	}
 }
 
-func (s *stubNixOS) Paths() fst.Paths {
-	return fst.Paths{
+func (s *stubNixOS) Paths() app.Paths {
+	return app.Paths{
 		SharePath:   "/tmp/fortify.1971",
 		RuntimePath: "/run/user/1971",
 		RunDirPath:  "/run/user/1971/fortify",

internal/app/internal/setuid/app_test.go

@@ -1,4 +1,4 @@
-package app_test
+package setuid_test
 
 import (
 	"encoding/json"
@@ -9,6 +9,7 @@ import (
 
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/app/internal/setuid"
 	"git.gensokyo.uk/security/fortify/internal/sys"
 	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/system"
@@ -18,7 +19,7 @@ type sealTestCase struct {
 	name          string
 	os            sys.State
 	config        *fst.Config
-	id            fst.ID
+	id            app.ID
 	wantSys       *system.I
 	wantContainer *sandbox.Params
 }
@@ -28,7 +29,7 @@ func TestApp(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			a := app.NewWithID(tc.id, tc.os)
+			a := setuid.NewWithID(tc.id, tc.os)
 			var (
 				gotSys       *system.I
 				gotContainer *sandbox.Params
@@ -38,7 +39,7 @@ func TestApp(t *testing.T) {
 					t.Errorf("Seal: error = %v", err)
 					return
 				} else {
-					gotSys, gotContainer = app.AppIParams(a, sa)
+					gotSys, gotContainer = setuid.AppIParams(a, sa)
 				}
 			}) {
 				return

internal/app/internal/setuid/errors.go

@@ -1,14 +1,16 @@
-package app
+package setuid
 
 import (
 	"errors"
 	"log"
 
-	"git.gensokyo.uk/security/fortify/fst"
+	. "git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
-func PrintRunStateErr(rs *fst.RunState, runErr error) {
+func PrintRunStateErr(rs *RunState, runErr error) (code int) {
+	code = rs.ExitStatus()
+
 	if runErr != nil {
 		if rs.Time == nil {
 			fmsg.PrintBaseError(runErr, "cannot start app:")
@@ -49,8 +51,8 @@ func PrintRunStateErr(rs *fst.RunState, runErr error) {
 			}
 		}
 
-		if rs.ExitCode == 0 {
-			rs.ExitCode = 126
+		if code == 0 {
+			code = 126
 		}
 	}
 
@@ -97,13 +99,14 @@ func PrintRunStateErr(rs *fst.RunState, runErr error) {
 		}
 
 	out:
-		if rs.ExitCode == 0 {
-			rs.ExitCode = 128
+		if code == 0 {
+			code = 128
 		}
 	}
 	if rs.WaitErr != nil {
-		log.Println("inner wait failed:", rs.WaitErr)
+		fmsg.Verbosef("wait: %v", rs.WaitErr)
 	}
+	return
 }
 
 // StateStoreError is returned for a failed state save
@@ -121,7 +124,7 @@ type StateStoreError struct {
 }
 
 // save saves arbitrary errors in [StateStoreError] once.
-func (e *StateStoreError) save(errs []error) {
+func (e *StateStoreError) save(errs ...error) {
 	if len(errs) == 0 || e.Err != nil {
 		panic("invalid call to save")
 	}

internal/app/internal/setuid/export_test.go

@@ -1,20 +1,20 @@
-package app
+package setuid
 
 import (
-	"git.gensokyo.uk/security/fortify/fst"
+	. "git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/sys"
 	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/system"
 )
 
-func NewWithID(id fst.ID, os sys.State) fst.App {
+func NewWithID(id ID, os sys.State) App {
 	a := new(app)
 	a.id = newID(&id)
 	a.sys = os
 	return a
 }
 
-func AppIParams(a fst.App, sa fst.SealedApp) (*system.I, *sandbox.Params) {
+func AppIParams(a App, sa SealedApp) (*system.I, *sandbox.Params) {
 	v := a.(*app)
 	seal := sa.(*outcome)
 	if v.outcome != seal || v.id != seal.id {

internal/app/internal/setuid/process.go

@@ -0,0 +1,195 @@
+package setuid
+
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"log"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"git.gensokyo.uk/security/fortify/internal"
+	. "git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/state"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/system"
+)
+
+const shimWaitTimeout = 5 * time.Second
+
+func (seal *outcome) Run(rs *RunState) error {
+	if !seal.f.CompareAndSwap(false, true) {
+		// run does much more than just starting a process; calling it twice, even if the first call fails, will result
+		// in inconsistent state that is impossible to clean up; return here to limit damage and hopefully give the
+		// other Run a chance to return
+		return errors.New("outcome: attempted to run twice")
+	}
+
+	if rs == nil {
+		panic("invalid state")
+	}
+
+	// read comp value early to allow for early failure
+	fsuPath := internal.MustFsuPath()
+
+	if err := seal.sys.Commit(seal.ctx); err != nil {
+		return err
+	}
+	store := state.NewMulti(seal.runDirPath)
+	deferredStoreFunc := func(c state.Cursor) error { return nil } // noop until state in store
+	defer func() {
+		var revertErr error
+		storeErr := new(StateStoreError)
+		storeErr.Inner, storeErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
+			revertErr = func() error {
+				storeErr.InnerErr = deferredStoreFunc(c)
+
+				var rt system.Enablement
+				ec := system.Process
+				if states, err := c.Load(); err != nil {
+					// revert per-process state here to limit damage
+					storeErr.OpErr = err
+					return seal.sys.Revert((*system.Criteria)(&ec))
+				} else {
+					if l := len(states); l == 0 {
+						ec |= system.User
+					} else {
+						fmsg.Verbosef("found %d instances, cleaning up without user-scoped operations", l)
+					}
+
+					// accumulate enablements of remaining launchers
+					for i, s := range states {
+						if s.Config != nil {
+							rt |= s.Config.Confinement.Enablements
+						} else {
+							log.Printf("state entry %d does not contain config", i)
+						}
+					}
+				}
+				ec |= rt ^ (system.EWayland | system.EX11 | system.EDBus | system.EPulse)
+				if fmsg.Load() {
+					if ec > 0 {
+						fmsg.Verbose("reverting operations scope", system.TypeString(ec))
+					}
+				}
+
+				return seal.sys.Revert((*system.Criteria)(&ec))
+			}()
+		})
+		storeErr.save(revertErr, store.Close())
+		rs.RevertErr = storeErr.equiv("error during cleanup:")
+	}()
+
+	ctx, cancel := context.WithCancel(seal.ctx)
+	defer cancel()
+	cmd := exec.CommandContext(ctx, fsuPath)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	cmd.Dir = "/" // container init enters final working directory
+	// shim runs in the same session as monitor; see shim.go for behaviour
+	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
+
+	var e *gob.Encoder
+	if fd, encoder, err := sandbox.Setup(&cmd.ExtraFiles); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			"cannot create shim setup pipe:")
+	} else {
+		e = encoder
+		cmd.Env = []string{
+			// passed through to shim by fsu
+			shimEnv + "=" + strconv.Itoa(fd),
+			// interpreted by fsu
+			"FORTIFY_APP_ID=" + seal.user.aid.String(),
+		}
+	}
+
+	if len(seal.user.supp) > 0 {
+		fmsg.Verbosef("attaching supplementary group ids %s", seal.user.supp)
+		// interpreted by fsu
+		cmd.Env = append(cmd.Env, "FORTIFY_GROUPS="+strings.Join(seal.user.supp, " "))
+	}
+
+	fmsg.Verbosef("setuid helper at %s", fsuPath)
+	fmsg.Suspend()
+	if err := cmd.Start(); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			"cannot start setuid wrapper:")
+	}
+	rs.SetStart()
+
+	// this prevents blocking forever on an early failure
+	waitErr, setupErr := make(chan error, 1), make(chan error, 1)
+	go func() { waitErr <- cmd.Wait(); cancel() }()
+	go func() { setupErr <- e.Encode(&shimParams{os.Getpid(), seal.container, seal.user.data, fmsg.Load()}) }()
+
+	select {
+	case err := <-setupErr:
+		if err != nil {
+			fmsg.Resume()
+			return fmsg.WrapErrorSuffix(err,
+				"cannot transmit shim config:")
+		}
+
+	case <-ctx.Done():
+		fmsg.Resume()
+		return fmsg.WrapError(syscall.ECANCELED,
+			"shim setup canceled")
+	}
+
+	// returned after blocking on waitErr
+	var earlyStoreErr = new(StateStoreError)
+	{
+		// shim accepted setup payload, create process state
+		sd := state.State{
+			ID:   seal.id.unwrap(),
+			PID:  cmd.Process.Pid,
+			Time: *rs.Time,
+		}
+		earlyStoreErr.Inner, earlyStoreErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
+			earlyStoreErr.InnerErr = c.Save(&sd, seal.ct)
+		})
+	}
+
+	// state in store at this point, destroy defunct state entry on return
+	deferredStoreFunc = func(c state.Cursor) error { return c.Destroy(seal.id.unwrap()) }
+
+	waitTimeout := make(chan struct{})
+	go func() { <-seal.ctx.Done(); time.Sleep(shimWaitTimeout); close(waitTimeout) }()
+
+	select {
+	case rs.WaitErr = <-waitErr:
+		rs.WaitStatus = cmd.ProcessState.Sys().(syscall.WaitStatus)
+		if fmsg.Load() {
+			switch {
+			case rs.Exited():
+				fmsg.Verbosef("process %d exited with code %d", cmd.Process.Pid, rs.ExitStatus())
+			case rs.CoreDump():
+				fmsg.Verbosef("process %d dumped core", cmd.Process.Pid)
+			case rs.Signaled():
+				fmsg.Verbosef("process %d got %s", cmd.Process.Pid, rs.Signal())
+			default:
+				fmsg.Verbosef("process %d exited with status %#x", cmd.Process.Pid, rs.WaitStatus)
+			}
+		}
+	case <-waitTimeout:
+		rs.WaitErr = syscall.ETIMEDOUT
+		fmsg.Resume()
+		log.Printf("process %d did not terminate", cmd.Process.Pid)
+	}
+
+	fmsg.Resume()
+	if seal.sync != nil {
+		if err := seal.sync.Close(); err != nil {
+			log.Printf("cannot close wayland security context: %v", err)
+		}
+	}
+	if seal.dbusMsg != nil {
+		seal.dbusMsg()
+	}
+
+	return earlyStoreErr.equiv("cannot save process state:")
+}

internal/app/internal/setuid/seal.go

@@ -1,4 +1,4 @@
-package app
+package setuid
 
 import (
 	"bytes"
@@ -20,6 +20,8 @@ import (
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
+	. "git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/app/instance/common"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/sys"
 	"git.gensokyo.uk/security/fortify/sandbox"
@@ -64,7 +66,7 @@ var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z
 // outcome stores copies of various parts of [fst.Config]
 type outcome struct {
 	// copied from initialising [app]
-	id *stringPair[fst.ID]
+	id *stringPair[ID]
 	// copied from [sys.State] response
 	runDirPath string
 
@@ -95,7 +97,7 @@ type shareHost struct {
 	runtimeSharePath string
 
 	seal *outcome
-	sc   fst.Paths
+	sc   Paths
 }
 
 // ensureRuntimeDir must be called if direct access to paths within XDG_RUNTIME_DIR is required
@@ -279,7 +281,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 	{
 		var uid, gid int
 		var err error
-		seal.container, seal.env, err = config.Confinement.Sandbox.ToContainer(sys, &uid, &gid)
+		seal.container, seal.env, err = common.NewContainer(config.Confinement.Sandbox, sys, &uid, &gid)
 		if err != nil {
 			return fmsg.WrapErrorSuffix(err,
 				"cannot initialise container configuration:")
@@ -301,6 +303,18 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}
 
+	if !config.Confinement.Sandbox.AutoEtc {
+		if config.Confinement.Sandbox.Etc != "" {
+			seal.container.Bind(config.Confinement.Sandbox.Etc, "/etc", 0)
+		}
+	} else {
+		etcPath := config.Confinement.Sandbox.Etc
+		if etcPath == "" {
+			etcPath = "/etc"
+		}
+		seal.container.Etc(etcPath, seal.id.String())
+	}
+
 	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
 	innerRuntimeDir := path.Join("/run/user", mapuid.String())
 	seal.container.Tmpfs("/run/user", 1<<12, 0755)

internal/app/internal/setuid/shim.go

@@ -1,26 +1,78 @@
-package app
+package setuid
 
 import (
 	"context"
-	"encoding/gob"
 	"errors"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
-	"strconv"
-	"strings"
 	"syscall"
 	"time"
 
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 )
 
+/*
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <signal.h>
+
+static pid_t f_shim_param_ppid = -1;
+
+// this cannot unblock fmsg since Go code is not async-signal-safe
+static void f_shim_sigaction(int sig, siginfo_t *si, void *ucontext) {
+  if (sig != SIGCONT || si == NULL) {
+    // unreachable
+    fprintf(stderr, "sigaction: sa_sigaction got invalid siginfo\n");
+    return;
+  }
+
+  // monitor requests shim exit
+  if (si->si_pid == f_shim_param_ppid)
+    exit(254);
+
+  fprintf(stderr, "sigaction: got SIGCONT from process %d\n", si->si_pid);
+
+  // shim orphaned before monitor delivers a signal
+  if (getppid() != f_shim_param_ppid)
+    exit(3);
+}
+
+void f_shim_setup_cont_signal(pid_t ppid) {
+  struct sigaction new_action = {0}, old_action = {0};
+  if (sigaction(SIGCONT, NULL, &old_action) != 0)
+    return;
+  if (old_action.sa_handler != SIG_DFL) {
+    errno = ENOTRECOVERABLE;
+    return;
+  }
+
+  new_action.sa_sigaction = f_shim_sigaction;
+  if (sigemptyset(&new_action.sa_mask) != 0)
+    return;
+  new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
+
+  if (sigaction(SIGCONT, &new_action, NULL) != 0)
+    return;
+
+  errno = 0;
+  f_shim_param_ppid = ppid;
+}
+*/
+import "C"
+
 const shimEnv = "FORTIFY_SHIM"
 
 type shimParams struct {
+	// monitor pid, checked against ppid in signal handler
+	Monitor int
+
 	// finalised container params
 	Container *sandbox.Params
 	// path to outer home directory
@@ -54,6 +106,16 @@ func ShimMain() {
 	} else {
 		internal.InstallFmsg(params.Verbose)
 		closeSetup = f
+
+		// the Go runtime does not expose siginfo_t so SIGCONT is handled in C to check si_pid
+		if _, err = C.f_shim_setup_cont_signal(C.pid_t(params.Monitor)); err != nil {
+			log.Fatalf("cannot install SIGCONT handler: %v", err)
+		}
+
+		// pdeath_signal delivery is checked as if the dying process called kill(2), see kernel/exit.c
+		if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGCONT), 0); errno != 0 {
+			log.Fatalf("cannot set parent-death signal: %v", errno)
+		}
 	}
 
 	if params.Container == nil || params.Container.Ops == nil {
@@ -100,6 +162,11 @@ func ShimMain() {
 	if err := container.Serve(); err != nil {
 		fmsg.PrintBaseError(err, "cannot configure container:")
 	}
+
+	if err := seccomp.Load(seccomp.PresetCommon); err != nil {
+		log.Fatalf("cannot load syscall filter: %v", err)
+	}
+
 	if err := container.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if !errors.As(err, &exitError) {
@@ -112,101 +179,3 @@ func ShimMain() {
 		os.Exit(exitError.ExitCode())
 	}
 }
-
-type shimProcess struct {
-	// user switcher process
-	cmd *exec.Cmd
-	// fallback exit notifier with error returned killing the process
-	killFallback chan error
-	// monitor to shim encoder
-	encoder *gob.Encoder
-}
-
-func (s *shimProcess) Unwrap() *exec.Cmd    { return s.cmd }
-func (s *shimProcess) Fallback() chan error { return s.killFallback }
-
-func (s *shimProcess) String() string {
-	if s.cmd == nil {
-		return "(unused shim manager)"
-	}
-	return s.cmd.String()
-}
-
-func (s *shimProcess) Start(
-	aid string,
-	supp []string,
-) (*time.Time, error) {
-	// prepare user switcher invocation
-	fsuPath := internal.MustFsuPath()
-	s.cmd = exec.Command(fsuPath)
-
-	// pass shim setup pipe
-	if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot create shim setup pipe:")
-	} else {
-		s.encoder = e
-		s.cmd.Env = []string{
-			shimEnv + "=" + strconv.Itoa(fd),
-			"FORTIFY_APP_ID=" + aid,
-		}
-	}
-
-	// format fsu supplementary groups
-	if len(supp) > 0 {
-		fmsg.Verbosef("attaching supplementary group ids %s", supp)
-		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(supp, " "))
-	}
-	s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	s.cmd.Dir = "/"
-
-	fmsg.Verbose("starting shim via fsu:", s.cmd)
-	// withhold messages to stderr
-	fmsg.Suspend()
-	if err := s.cmd.Start(); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot start fsu:")
-	}
-	startTime := time.Now().UTC()
-
-	return &startTime, nil
-}
-
-func (s *shimProcess) Serve(ctx context.Context, params *shimParams) error {
-	// kill shim if something goes wrong and an error is returned
-	s.killFallback = make(chan error, 1)
-	killShim := func() {
-		if err := s.cmd.Process.Signal(os.Interrupt); err != nil {
-			s.killFallback <- err
-		}
-	}
-	defer func() { killShim() }()
-
-	encodeErr := make(chan error)
-	go func() { encodeErr <- s.encoder.Encode(params) }()
-
-	select {
-	// encode return indicates setup completion
-	case err := <-encodeErr:
-		if err != nil {
-			return fmsg.WrapErrorSuffix(err,
-				"cannot transmit shim config:")
-		}
-		killShim = func() {}
-		return nil
-
-	// setup canceled before payload was accepted
-	case <-ctx.Done():
-		err := ctx.Err()
-		if errors.Is(err, context.Canceled) {
-			return fmsg.WrapError(syscall.ECANCELED,
-				"shim setup canceled")
-		}
-		if errors.Is(err, context.DeadlineExceeded) {
-			return fmsg.WrapError(syscall.ETIMEDOUT,
-				"deadline exceeded waiting for shim")
-		}
-		// unreachable
-		return err
-	}
-}

internal/app/internal/setuid/strings.go

@@ -1,13 +1,13 @@
-package app
+package setuid
 
 import (
 	"strconv"
 
-	"git.gensokyo.uk/security/fortify/fst"
+	. "git.gensokyo.uk/security/fortify/internal/app"
 )
 
-func newInt(v int) *stringPair[int]        { return &stringPair[int]{v, strconv.Itoa(v)} }
-func newID(id *fst.ID) *stringPair[fst.ID] { return &stringPair[fst.ID]{*id, id.String()} }
+func newInt(v int) *stringPair[int] { return &stringPair[int]{v, strconv.Itoa(v)} }
+func newID(id *ID) *stringPair[ID]  { return &stringPair[ID]{*id, id.String()} }
 
 // stringPair stores a value and its string representation.
 type stringPair[T comparable] struct {

internal/app/process.go

@@ -1,180 +0,0 @@
-package app
-
-import (
-	"context"
-	"errors"
-	"log"
-	"os/exec"
-	"time"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/state"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-const shimSetupTimeout = 5 * time.Second
-
-func (seal *outcome) Run(rs *fst.RunState) error {
-	if !seal.f.CompareAndSwap(false, true) {
-		// run does much more than just starting a process; calling it twice, even if the first call fails, will result
-		// in inconsistent state that is impossible to clean up; return here to limit damage and hopefully give the
-		// other Run a chance to return
-		panic("attempted to run twice")
-	}
-
-	if rs == nil {
-		panic("invalid state")
-	}
-
-	// read comp values early to allow for early failure
-	fmsg.Verbosef("version %s", internal.Version())
-	fmsg.Verbosef("setuid helper at %s", internal.MustFsuPath())
-
-	/*
-		prepare/revert os state
-	*/
-
-	if err := seal.sys.Commit(seal.ctx); err != nil {
-		return err
-	}
-	store := state.NewMulti(seal.runDirPath)
-	deferredStoreFunc := func(c state.Cursor) error { return nil }
-	defer func() {
-		var revertErr error
-		storeErr := new(StateStoreError)
-		storeErr.Inner, storeErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
-			revertErr = func() error {
-				storeErr.InnerErr = deferredStoreFunc(c)
-
-				/*
-					revert app setup transaction
-				*/
-
-				var rt system.Enablement
-				ec := system.Process
-				if states, err := c.Load(); err != nil {
-					// revert per-process state here to limit damage
-					storeErr.OpErr = err
-					return seal.sys.Revert((*system.Criteria)(&ec))
-				} else {
-					if l := len(states); l == 0 {
-						fmsg.Verbose("no other launchers active, will clean up globals")
-						ec |= system.User
-					} else {
-						fmsg.Verbosef("found %d active launchers, cleaning up without globals", l)
-					}
-
-					// accumulate enablements of remaining launchers
-					for i, s := range states {
-						if s.Config != nil {
-							rt |= s.Config.Confinement.Enablements
-						} else {
-							log.Printf("state entry %d does not contain config", i)
-						}
-					}
-				}
-				ec |= rt ^ (system.EWayland | system.EX11 | system.EDBus | system.EPulse)
-				if fmsg.Load() {
-					if ec > 0 {
-						fmsg.Verbose("reverting operations type", system.TypeString(ec))
-					}
-				}
-
-				return seal.sys.Revert((*system.Criteria)(&ec))
-			}()
-		})
-		storeErr.save([]error{revertErr, store.Close()})
-		rs.RevertErr = storeErr.equiv("error returned during cleanup:")
-	}()
-
-	/*
-		shim process lifecycle
-	*/
-
-	waitErr := make(chan error, 1)
-	cmd := new(shimProcess)
-	if startTime, err := cmd.Start(
-		seal.user.aid.String(),
-		seal.user.supp,
-	); err != nil {
-		return err
-	} else {
-		// whether/when the fsu process was created
-		rs.Time = startTime
-	}
-
-	ctx, cancel := context.WithTimeout(seal.ctx, shimSetupTimeout)
-	defer cancel()
-
-	go func() {
-		waitErr <- cmd.Unwrap().Wait()
-		// cancel shim setup in case shim died before receiving payload
-		cancel()
-	}()
-
-	if err := cmd.Serve(ctx, &shimParams{
-		Container: seal.container,
-		Home:      seal.user.data,
-
-		Verbose: fmsg.Load(),
-	}); err != nil {
-		return err
-	}
-
-	// shim accepted setup payload, create process state
-	sd := state.State{
-		ID:   seal.id.unwrap(),
-		PID:  cmd.Unwrap().Process.Pid,
-		Time: *rs.Time,
-	}
-	var earlyStoreErr = new(StateStoreError) // returned after blocking on waitErr
-	earlyStoreErr.Inner, earlyStoreErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
-		earlyStoreErr.InnerErr = c.Save(&sd, seal.ct)
-	})
-	// destroy defunct state entry
-	deferredStoreFunc = func(c state.Cursor) error { return c.Destroy(seal.id.unwrap()) }
-
-	select {
-	case err := <-waitErr: // block until fsu/shim returns
-		if err != nil {
-			var exitError *exec.ExitError
-			if !errors.As(err, &exitError) {
-				// should be unreachable
-				rs.WaitErr = err
-			}
-
-			// store non-zero return code
-			rs.ExitCode = exitError.ExitCode()
-		} else {
-			rs.ExitCode = cmd.Unwrap().ProcessState.ExitCode()
-		}
-		if fmsg.Load() {
-			fmsg.Verbosef("process %d exited with exit code %d", cmd.Unwrap().Process.Pid, rs.ExitCode)
-		}
-
-	// this is reached when a fault makes an already running shim impossible to continue execution
-	// however a kill signal could not be delivered (should actually always happen like that since fsu)
-	// the effects of this is similar to the alternative exit path and ensures shim death
-	case err := <-cmd.Fallback():
-		rs.ExitCode = 255
-		log.Printf("cannot terminate shim on faulted setup: %v", err)
-
-	// alternative exit path relying on shim behaviour on monitor process exit
-	case <-seal.ctx.Done():
-		fmsg.Verbose("alternative exit path selected")
-	}
-
-	fmsg.Resume()
-	if seal.sync != nil {
-		if err := seal.sync.Close(); err != nil {
-			log.Printf("cannot close wayland security context: %v", err)
-		}
-	}
-	if seal.dbusMsg != nil {
-		seal.dbusMsg()
-	}
-
-	return earlyStoreErr.equiv("cannot save process state:")
-}

internal/state/multi.go

@@ -14,6 +14,7 @@ import (
 	"syscall"
 
 	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
@@ -129,7 +130,7 @@ type multiBackend struct {
 	lock sync.RWMutex
 }
 
-func (b *multiBackend) filename(id *fst.ID) string {
+func (b *multiBackend) filename(id *app.ID) string {
 	return path.Join(b.path, id.String())
 }
 
@@ -189,8 +190,8 @@ func (b *multiBackend) load(decode bool) (Entries, error) {
 			return nil, fmt.Errorf("unexpected directory %q in store", e.Name())
 		}
 
-		id := new(fst.ID)
-		if err := fst.ParseAppID(id, e.Name()); err != nil {
+		id := new(app.ID)
+		if err := app.ParseAppID(id, e.Name()); err != nil {
 			return nil, err
 		}
 
@@ -335,7 +336,7 @@ func (b *multiBackend) encodeState(w io.WriteSeeker, state *State, configWriter
 	return err
 }
 
-func (b *multiBackend) Destroy(id fst.ID) error {
+func (b *multiBackend) Destroy(id app.ID) error {
 	b.lock.Lock()
 	defer b.lock.Unlock()
 

internal/state/state.go

@@ -6,11 +6,12 @@ import (
 	"time"
 
 	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 )
 
 var ErrNoConfig = errors.New("state does not contain config")
 
-type Entries map[fst.ID]*State
+type Entries map[app.ID]*State
 
 type Store interface {
 	// Do calls f exactly once and ensures store exclusivity until f returns.
@@ -29,7 +30,7 @@ type Store interface {
 // Cursor provides access to the store
 type Cursor interface {
 	Save(state *State, configWriter io.WriterTo) error
-	Destroy(id fst.ID) error
+	Destroy(id app.ID) error
 	Load() (Entries, error)
 	Len() (int, error)
 }
@@ -37,7 +38,7 @@ type Cursor interface {
 // State is a fortify process's state
 type State struct {
 	// fortify instance id
-	ID fst.ID `json:"instance"`
+	ID app.ID `json:"instance"`
 	// child process PID value
 	PID int `json:"pid"`
 	// sealed app configuration

internal/state/state_test.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/state"
 )
 
@@ -133,7 +134,7 @@ func testStore(t *testing.T, s state.Store) {
 }
 
 func makeState(t *testing.T, s *state.State, ct io.Writer) {
-	if err := fst.NewAppID(&s.ID); err != nil {
+	if err := app.NewAppID(&s.ID); err != nil {
 		t.Fatalf("cannot create dummy state: %v", err)
 	}
 	if err := gob.NewEncoder(ct).Encode(fst.Template()); err != nil {

internal/sys/interface.go

@@ -6,7 +6,7 @@ import (
 	"path"
 	"strconv"
 
-	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
@@ -41,14 +41,14 @@ type State interface {
 	Printf(format string, v ...any)
 
 	// Paths returns a populated [Paths] struct.
-	Paths() fst.Paths
+	Paths() app.Paths
 	// Uid invokes fsu and returns target uid.
 	// Any errors returned by Uid is already wrapped [fmsg.BaseError].
 	Uid(aid int) (int, error)
 }
 
 // CopyPaths is a generic implementation of [fst.Paths].
-func CopyPaths(os State, v *fst.Paths) {
+func CopyPaths(os State, v *app.Paths) {
 	v.SharePath = path.Join(os.TempDir(), "fortify."+strconv.Itoa(os.Getuid()))
 
 	fmsg.Verbosef("process share directory at %q", v.SharePath)

internal/sys/std.go

@@ -12,15 +12,15 @@ import (
 	"sync"
 	"syscall"
 
-	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/sandbox"
 )
 
 // Std implements System using the standard library.
 type Std struct {
-	paths     fst.Paths
+	paths     app.Paths
 	pathsOnce sync.Once
 
 	uidOnce sync.Once
@@ -48,7 +48,7 @@ func (s *Std) Printf(format string, v ...any)               { fmsg.Verbosef(form
 
 const xdgRuntimeDir = "XDG_RUNTIME_DIR"
 
-func (s *Std) Paths() fst.Paths {
+func (s *Std) Paths() app.Paths {
 	s.pathsOnce.Do(func() { CopyPaths(s, &s.paths) })
 	return s.paths
 }

main.go

@@ -20,6 +20,7 @@ import (
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/app/instance"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/state"
 	"git.gensokyo.uk/security/fortify/internal/sys"
@@ -73,7 +74,7 @@ func buildCommand(out io.Writer) command.Command {
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output as JSON when applicable")
 
-	c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess })
+	c.Command("shim", command.UsageInternal, func([]string) error { instance.ShimMain(); return errSuccess })
 
 	c.Command("app", "Launch app defined by the specified config file", func(args []string) error {
 		if len(args) < 1 {
@@ -239,11 +240,11 @@ func buildCommand(out io.Writer) command.Command {
 
 		case 1: // instance
 			name := args[0]
-			config, instance := tryShort(name)
+			config, entry := tryShort(name)
 			if config == nil {
 				config = tryPath(name)
 			}
-			printShowInstance(os.Stdout, time.Now().UTC(), instance, config, showFlagShort, flagJSON)
+			printShowInstance(os.Stdout, time.Now().UTC(), entry, config, showFlagShort, flagJSON)
 
 		default:
 			log.Fatal("show requires 1 argument")
@@ -284,15 +285,15 @@ func runApp(config *fst.Config) {
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM)
 	defer stop() // unreachable
-	a := app.MustNew(ctx, std)
+	a := instance.MustNew(instance.ISetuid, ctx, std)
 
-	rs := new(fst.RunState)
+	rs := new(app.RunState)
 	if sa, err := a.Seal(config); err != nil {
 		fmsg.PrintBaseError(err, "cannot seal app:")
-		rs.ExitCode = 1
+		internal.Exit(1)
 	} else {
-		// this updates ExitCode
-		app.PrintRunStateErr(rs, sa.Run(rs))
+		internal.Exit(instance.PrintRunStateErr(instance.ISetuid, rs, sa.Run(rs)))
 	}
-	internal.Exit(rs.ExitCode)
+
+	*(*int)(nil) = 0 // not reached
 }

nixos.nix

@@ -108,7 +108,7 @@ in
                           devel
                           userns
                           net
-                          dev
+                          device
                           tty
                           multiarch
                           env

options.nix

@@ -177,7 +177,7 @@ in
 
               nix = mkEnableOption "nix daemon access";
               mapRealUid = mkEnableOption "mapping to priv-user uid";
-              dev = mkEnableOption "access to all devices";
+              device = mkEnableOption "access to all devices";
               insecureWayland = mkEnableOption "direct access to the Wayland socket";
 
               gpu = mkOption {

parse.go

@@ -67,7 +67,7 @@ func tryFd(name string) io.ReadCloser {
 	}
 }
 
-func tryShort(name string) (config *fst.Config, instance *state.State) {
+func tryShort(name string) (config *fst.Config, entry *state.State) {
 	likePrefix := false
 	if len(name) <= 32 {
 		likePrefix = true
@@ -96,8 +96,8 @@ func tryShort(name string) (config *fst.Config, instance *state.State) {
 				v := id.String()
 				if strings.HasPrefix(v, name) {
 					// match, use config from this state entry
-					instance = entries[id]
-					config = instance.Config
+					entry = entries[id]
+					config = entry.Config
 					break
 				}
 

print.go

@@ -92,8 +92,9 @@ func printShowInstance(
 			}
 		}
 		writeFlag("userns", sandbox.Userns)
+		writeFlag("devel", sandbox.Devel)
 		writeFlag("net", sandbox.Net)
-		writeFlag("dev", sandbox.Dev)
+		writeFlag("device", sandbox.Device)
 		writeFlag("tty", sandbox.Tty)
 		writeFlag("mapuid", sandbox.MapRealUID)
 		writeFlag("directwl", sandbox.DirectWayland)
@@ -256,12 +257,20 @@ func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON boo
 
 	t.Println("\tInstance\tPID\tApplication\tUptime")
 	for _, e := range exp {
+		if len(e.s) != 1<<5 {
+			// unreachable
+			log.Printf("possible store corruption: invalid instance string %s", e.s)
+			continue
+		}
+
 		as := "(No configuration information)"
 		if e.Config != nil {
 			as = strconv.Itoa(e.Config.Confinement.AppID)
-			if e.Config.ID != "" {
-				as += " (" + e.Config.ID + ")"
+			id := e.Config.ID
+			if id == "" {
+				id = "uk.gensokyo.fortify." + e.s[:8]
 			}
+			as += " (" + id + ")"
 		}
 		t.Printf("\t%s\t%d\t%s\t%s\n",
 			e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String())

print_test.go

@@ -7,11 +7,12 @@ import (
 
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/state"
 )
 
 var (
-	testID = fst.ID{
+	testID = app.ID{
 		0x8e, 0x2c, 0x76, 0xb0,
 		0x66, 0xda, 0xbe, 0x57,
 		0x4c, 0xf0, 0x73, 0xbd,
@@ -41,7 +42,7 @@ func Test_printShowInstance(t *testing.T) {
  Groups:         ["video"]
  Directory:      /var/lib/persist/home/org.chromium.Chromium
  Hostname:       "localhost"
- Flags:          userns net dev tty mapuid autoetc
+ Flags:          userns devel net device tty mapuid autoetc
  Etc:            /etc
  Cover:          /var/run/nscd
  Path:           /run/current-system/sw/bin/chromium
@@ -120,7 +121,7 @@ App
  Groups:         ["video"]
  Directory:      /var/lib/persist/home/org.chromium.Chromium
  Hostname:       "localhost"
- Flags:          userns net dev tty mapuid autoetc
+ Flags:          userns devel net device tty mapuid autoetc
  Etc:            /etc
  Cover:          /var/run/nscd
  Path:           /run/current-system/sw/bin/chromium
@@ -217,7 +218,7 @@ App
           "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
         },
         "map_real_uid": true,
-        "dev": true,
+        "device": true,
         "filesystem": [
           {
             "src": "/nix/store"
@@ -342,7 +343,7 @@ App
         "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
       },
       "map_real_uid": true,
-      "dev": true,
+      "device": true,
       "filesystem": [
         {
           "src": "/nix/store"
@@ -454,19 +455,19 @@ func Test_printPs(t *testing.T) {
 		short, json bool
 		want        string
 	}{
-		{"no entries", make(state.Entries), false, false, `    Instance    PID    Application    Uptime
-`},
-		{"no entries short", make(state.Entries), true, false, ``},
-		{"nil instance", state.Entries{testID: nil}, false, false, `    Instance    PID    Application    Uptime
-`},
-		{"state corruption", state.Entries{fst.ID{}: testState}, false, false, `    Instance    PID    Application    Uptime
+		{"no entries", make(state.Entries), false, false, "    Instance    PID    Application    Uptime\n"},
+		{"no entries short", make(state.Entries), true, false, ""},
+		{"nil instance", state.Entries{testID: nil}, false, false, "    Instance    PID    Application    Uptime\n"},
+		{"state corruption", state.Entries{app.ID{}: testState}, false, false, "    Instance    PID    Application    Uptime\n"},
+
+		{"valid pd", state.Entries{testID: &state.State{ID: testID, PID: 1 << 8, Config: new(fst.Config), Time: testAppTime}}, false, false, `    Instance    PID    Application                         Uptime
+    8e2c76b0    256    0 (uk.gensokyo.fortify.8e2c76b0)    1h2m32s
 `},
 
 		{"valid", state.Entries{testID: testState}, false, false, `    Instance    PID           Application                  Uptime
     8e2c76b0    3735928559    9 (org.chromium.Chromium)    1h2m32s
 `},
-		{"valid short", state.Entries{testID: testState}, true, false, `8e2c76b0
-`},
+		{"valid short", state.Entries{testID: testState}, true, false, "8e2c76b0\n"},
 		{"valid json", state.Entries{testID: testState}, false, true, `{
   "8e2c76b066dabe574cf073bdb46eb5c1": {
     "instance": [
@@ -521,7 +522,7 @@ func Test_printPs(t *testing.T) {
             "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
           },
           "map_real_uid": true,
-          "dev": true,
+          "device": true,
           "filesystem": [
             {
               "src": "/nix/store"

sandbox/container.go

@@ -27,18 +27,18 @@ const (
 	FAllowNet
 )
 
-func (flags HardeningFlags) seccomp(opts seccomp.SyscallOpts) seccomp.SyscallOpts {
+func (flags HardeningFlags) seccomp(opts seccomp.FilterOpts) seccomp.FilterOpts {
 	if flags&FSyscallCompat == 0 {
-		opts |= seccomp.FlagExt
+		opts |= seccomp.FilterExt
 	}
 	if flags&FAllowDevel == 0 {
-		opts |= seccomp.FlagDenyDevel
+		opts |= seccomp.FilterDenyDevel
 	}
 	if flags&FAllowUserns == 0 {
-		opts |= seccomp.FlagDenyNS
+		opts |= seccomp.FilterDenyNS
 	}
 	if flags&FAllowTTY == 0 {
-		opts |= seccomp.FlagDenyTTY
+		opts |= seccomp.FilterDenyTTY
 	}
 	return opts
 }
@@ -95,7 +95,7 @@ type (
 		// Sequential container setup ops.
 		*Ops
 		// Extra seccomp options.
-		Seccomp seccomp.SyscallOpts
+		Seccomp seccomp.FilterOpts
 		// Permission bits of newly created parent directories.
 		// The zero value is interpreted as 0755.
 		ParentPerm os.FileMode

sandbox/container_test.go

@@ -164,7 +164,7 @@ func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoE
 func TestContainerString(t *testing.T) {
 	container := sandbox.New(context.TODO(), "ldd", "/usr/bin/env")
 	container.Flags |= sandbox.FAllowDevel
-	container.Seccomp |= seccomp.FlagMultiarch
+	container.Seccomp |= seccomp.FilterMultiarch
 	want := `argv: ["ldd" "/usr/bin/env"], flags: 0x2, seccomp: 0x2e`
 	if got := container.String(); got != want {
 		t.Errorf("String: %s, want %s", got, want)

sandbox/ops.go

@@ -440,3 +440,60 @@ func (f *Ops) PlaceP(name string, dataP **[]byte) *Ops {
 	*f = append(*f, t)
 	return f
 }
+
+func init() { gob.Register(new(AutoEtc)) }
+
+// AutoEtc expands host /etc into a toplevel symlink mirror with /etc semantics.
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
+type AutoEtc struct{ Prefix string }
+
+func (e *AutoEtc) early(*Params) error { return nil }
+func (e *AutoEtc) apply(*Params) error {
+	const target = sysrootPath + "/etc/"
+	rel := e.hostRel() + "/"
+
+	if err := os.MkdirAll(target, 0755); err != nil {
+		return wrapErrSelf(err)
+	}
+	if d, err := os.ReadDir(toSysroot(e.hostPath())); err != nil {
+		return wrapErrSelf(err)
+	} else {
+		for _, ent := range d {
+			n := ent.Name()
+			switch n {
+			case ".host":
+
+			case "passwd":
+			case "group":
+
+			case "mtab":
+				if err = os.Symlink("/proc/mounts", target+n); err != nil {
+					return wrapErrSelf(err)
+				}
+
+			default:
+				if err = os.Symlink(rel+n, target+n); err != nil {
+					return wrapErrSelf(err)
+				}
+			}
+		}
+	}
+
+	return nil
+}
+func (e *AutoEtc) hostPath() string { return "/etc/" + e.hostRel() }
+func (e *AutoEtc) hostRel() string  { return ".host/" + e.Prefix }
+
+func (e *AutoEtc) Is(op Op) bool {
+	ve, ok := op.(*AutoEtc)
+	return ok && ((e == nil && ve == nil) || (e != nil && ve != nil && *e == *ve))
+}
+func (*AutoEtc) prefix() string   { return "setting up" }
+func (e *AutoEtc) String() string { return fmt.Sprintf("auto etc %s", e.Prefix) }
+func (f *Ops) Etc(host, prefix string) *Ops {
+	e := &AutoEtc{prefix}
+	f.Mkdir("/etc", 0755)
+	f.Bind(host, e.hostPath(), 0)
+	*f = append(*f, e)
+	return f
+}

sandbox/seccomp/api.go

@@ -8,11 +8,16 @@ import (
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
 
+const (
+	PresetStrict = FilterExt | FilterDenyNS | FilterDenyTTY | FilterDenyDevel
+	PresetCommon = PresetStrict | FilterMultiarch
+)
+
 // New returns an inactive Encoder instance.
-func New(opts SyscallOpts) *Encoder { return &Encoder{newExporter(opts)} }
+func New(opts FilterOpts) *Encoder { return &Encoder{newExporter(opts)} }
 
 // Load loads a filter into the kernel.
-func Load(opts SyscallOpts) error { return buildFilter(-1, opts) }
+func Load(opts FilterOpts) error { return buildFilter(-1, opts) }
 
 /*
 An Encoder writes a BPF program to an output stream.
@@ -42,11 +47,11 @@ func (e *Encoder) Close() error {
 }
 
 // NewFile returns an instance of exporter implementing [proc.File].
-func NewFile(opts SyscallOpts) proc.File { return &File{opts: opts} }
+func NewFile(opts FilterOpts) proc.File { return &File{opts: opts} }
 
 // File implements [proc.File] and provides access to the read end of exporter pipe.
 type File struct {
-	opts SyscallOpts
+	opts FilterOpts
 	proc.BaseFile
 }
 

sandbox/seccomp/export.go

@@ -7,7 +7,7 @@ import (
 )
 
 type exporter struct {
-	opts SyscallOpts
+	opts FilterOpts
 	r, w *os.File
 
 	prepareOnce sync.Once
@@ -53,6 +53,6 @@ func (e *exporter) closeWrite() error {
 	return e.closeErr
 }
 
-func newExporter(opts SyscallOpts) *exporter {
+func newExporter(opts FilterOpts) *exporter {
 	return &exporter{opts: opts}
 }

sandbox/seccomp/export_test.go

@@ -14,7 +14,7 @@ import (
 func TestExport(t *testing.T) {
 	testCases := []struct {
 		name    string
-		opts    seccomp.SyscallOpts
+		opts    seccomp.FilterOpts
 		want    []byte
 		wantErr bool
 	}{
@@ -28,7 +28,7 @@ func TestExport(t *testing.T) {
 			0xa7, 0x9b, 0x07, 0x0e, 0x04, 0xc0, 0xee, 0x9a,
 			0xcd, 0xf5, 0x8f, 0x55, 0xcf, 0xa8, 0x15, 0xa5,
 		}, false},
-		{"base", seccomp.FlagExt, []byte{
+		{"base", seccomp.FilterExt, []byte{
 			0xdc, 0x7f, 0x2e, 0x1c, 0x5e, 0x82, 0x9b, 0x79,
 			0xeb, 0xb7, 0xef, 0xc7, 0x59, 0x15, 0x0f, 0x54,
 			0xa8, 0x3a, 0x75, 0xc8, 0xdf, 0x6f, 0xee, 0x4d,
@@ -38,10 +38,10 @@ func TestExport(t *testing.T) {
 			0x1d, 0xb0, 0x5d, 0x90, 0x99, 0x7c, 0x86, 0x59,
 			0xb9, 0x58, 0x91, 0x20, 0x6a, 0xc9, 0x95, 0x2d,
 		}, false},
-		{"everything", seccomp.FlagExt |
-			seccomp.FlagDenyNS | seccomp.FlagDenyTTY | seccomp.FlagDenyDevel |
-			seccomp.FlagMultiarch | seccomp.FlagLinux32 | seccomp.FlagCan |
-			seccomp.FlagBluetooth, []byte{
+		{"everything", seccomp.FilterExt |
+			seccomp.FilterDenyNS | seccomp.FilterDenyTTY | seccomp.FilterDenyDevel |
+			seccomp.FilterMultiarch | seccomp.FilterLinux32 | seccomp.FilterCan |
+			seccomp.FilterBluetooth, []byte{
 			0xe9, 0x9d, 0xd3, 0x45, 0xe1, 0x95, 0x41, 0x34,
 			0x73, 0xd3, 0xcb, 0xee, 0x07, 0xb4, 0xed, 0x57,
 			0xb9, 0x08, 0xbf, 0xa8, 0x9e, 0xa2, 0x07, 0x2f,
@@ -51,8 +51,7 @@ func TestExport(t *testing.T) {
 			0x4c, 0x02, 0x4e, 0xd4, 0x88, 0x50, 0xbe, 0x69,
 			0xb6, 0x8a, 0x9a, 0x4c, 0x5f, 0x53, 0xa9, 0xdb,
 		}, false},
-		{"strict", seccomp.FlagExt |
-			seccomp.FlagDenyNS | seccomp.FlagDenyTTY | seccomp.FlagDenyDevel, []byte{
+		{"strict", seccomp.PresetStrict, []byte{
 			0xe8, 0x80, 0x29, 0x8d, 0xf2, 0xbd, 0x67, 0x51,
 			0xd0, 0x04, 0x0f, 0xc2, 0x1b, 0xc0, 0xed, 0x4c,
 			0x00, 0xf9, 0x5d, 0xc0, 0xd7, 0xba, 0x50, 0x6c,
@@ -63,7 +62,7 @@ func TestExport(t *testing.T) {
 			0x14, 0x89, 0x60, 0xfb, 0xd3, 0x5c, 0xd7, 0x35,
 		}, false},
 		{"strict compat", 0 |
-			seccomp.FlagDenyNS | seccomp.FlagDenyTTY | seccomp.FlagDenyDevel, []byte{
+			seccomp.FilterDenyNS | seccomp.FilterDenyTTY | seccomp.FilterDenyDevel, []byte{
 			0x39, 0x87, 0x1b, 0x93, 0xff, 0xaf, 0xc8, 0xb9,
 			0x79, 0xfc, 0xed, 0xc0, 0xb0, 0xc3, 0x7b, 0x9e,
 			0x03, 0x92, 0x2f, 0x5b, 0x02, 0x74, 0x8d, 0xc5,
@@ -73,7 +72,7 @@ func TestExport(t *testing.T) {
 			0x80, 0x8b, 0x1a, 0x6f, 0x84, 0xf3, 0x2b, 0xbd,
 			0xe1, 0xaa, 0x02, 0xae, 0x30, 0xee, 0xdc, 0xfa,
 		}, false},
-		{"fortify default", seccomp.FlagExt | seccomp.FlagDenyDevel, []byte{
+		{"fortify default", seccomp.FilterExt | seccomp.FilterDenyDevel, []byte{
 			0xc6, 0x98, 0xb0, 0x81, 0xff, 0x95, 0x7a, 0xfe,
 			0x17, 0xa6, 0xd9, 0x43, 0x74, 0x53, 0x7d, 0x37,
 			0xf2, 0xa6, 0x3f, 0x6f, 0x9d, 0xd7, 0x5d, 0xa7,
@@ -138,10 +137,10 @@ func TestExport(t *testing.T) {
 func BenchmarkExport(b *testing.B) {
 	buf := make([]byte, 8)
 	for i := 0; i < b.N; i++ {
-		e := seccomp.New(seccomp.FlagExt |
-			seccomp.FlagDenyNS | seccomp.FlagDenyTTY | seccomp.FlagDenyDevel |
-			seccomp.FlagMultiarch | seccomp.FlagLinux32 | seccomp.FlagCan |
-			seccomp.FlagBluetooth)
+		e := seccomp.New(seccomp.FilterExt |
+			seccomp.FilterDenyNS | seccomp.FilterDenyTTY | seccomp.FilterDenyDevel |
+			seccomp.FilterMultiarch | seccomp.FilterLinux32 | seccomp.FilterCan |
+			seccomp.FilterBluetooth)
 		if _, err := io.CopyBuffer(io.Discard, e, buf); err != nil {
 			b.Fatalf("cannot export: %v", err)
 		}

sandbox/seccomp/output.go

@@ -22,8 +22,8 @@ func GetOutput() func(v ...any) {
 	}
 }
 
-//export F_println
-func F_println(v *C.char) {
+//export f_println
+func f_println(v *C.char) {
 	if fp := printlnP.Load(); fp != nil {
 		(*fp)(C.GoString(v))
 	}

sandbox/seccomp/seccomp-build.c

@@ -28,7 +28,7 @@ struct f_syscall_act {
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
 
 #define SECCOMP_RULESET_ADD(ruleset) do {                                                                         \
-  if (opts & F_VERBOSE) F_println("adding seccomp ruleset \"" #ruleset "\"");                                     \
+  if (opts & F_VERBOSE) f_println("adding seccomp ruleset \"" #ruleset "\"");                                     \
   for (int i = 0; i < LEN(ruleset); i++) {                                                                        \
     assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS);                                          \
                                                                                                                   \
@@ -47,7 +47,7 @@ struct f_syscall_act {
   }                                                                                                               \
 } while (0)
 
-int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts opts) {
+int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_filter_opts opts) {
   int32_t res = 0; // refer to resErr for meaning
   int allow_multiarch = opts & F_MULTIARCH;
   int allowed_personality = PER_LINUX;
@@ -209,7 +209,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_
   struct
   {
     int            family;
-    f_syscall_opts flags_mask;
+    f_filter_opts flags_mask;
   } socket_family_allowlist[] = {
     // NOTE: Keep in numerical order
     { AF_UNSPEC, 0 },

sandbox/seccomp/seccomp-build.h

@@ -17,7 +17,7 @@ typedef enum {
   F_LINUX32    = 1 << 6,
   F_CAN        = 1 << 7,
   F_BLUETOOTH  = 1 << 8,
-} f_syscall_opts;
+} f_filter_opts;
 
-extern void F_println(char *v);
-int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts opts);
+extern void f_println(char *v);
+int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch, f_filter_opts opts);

sandbox/seccomp/seccomp.go

@@ -7,6 +7,7 @@ package seccomp
 #include "seccomp-build.h"
 */
 import "C"
+
 import (
 	"errors"
 	"fmt"
@@ -56,29 +57,29 @@ var resPrefix = [...]string{
 	7: "seccomp_load failed",
 }
 
-type SyscallOpts = C.f_syscall_opts
+type FilterOpts = C.f_filter_opts
 
 const (
-	flagVerbose SyscallOpts = C.F_VERBOSE
-	// FlagExt are project-specific extensions.
-	FlagExt SyscallOpts = C.F_EXT
-	// FlagDenyNS denies namespace setup syscalls.
-	FlagDenyNS SyscallOpts = C.F_DENY_NS
-	// FlagDenyTTY denies faking input.
-	FlagDenyTTY SyscallOpts = C.F_DENY_TTY
-	// FlagDenyDevel denies development-related syscalls.
-	FlagDenyDevel SyscallOpts = C.F_DENY_DEVEL
-	// FlagMultiarch allows multiarch/emulation.
-	FlagMultiarch SyscallOpts = C.F_MULTIARCH
-	// FlagLinux32 sets PER_LINUX32.
-	FlagLinux32 SyscallOpts = C.F_LINUX32
-	// FlagCan allows AF_CAN.
-	FlagCan SyscallOpts = C.F_CAN
-	// FlagBluetooth allows AF_BLUETOOTH.
-	FlagBluetooth SyscallOpts = C.F_BLUETOOTH
+	filterVerbose FilterOpts = C.F_VERBOSE
+	// FilterExt are project-specific extensions.
+	FilterExt FilterOpts = C.F_EXT
+	// FilterDenyNS denies namespace setup syscalls.
+	FilterDenyNS FilterOpts = C.F_DENY_NS
+	// FilterDenyTTY denies faking input.
+	FilterDenyTTY FilterOpts = C.F_DENY_TTY
+	// FilterDenyDevel denies development-related syscalls.
+	FilterDenyDevel FilterOpts = C.F_DENY_DEVEL
+	// FilterMultiarch allows multiarch/emulation.
+	FilterMultiarch FilterOpts = C.F_MULTIARCH
+	// FilterLinux32 sets PER_LINUX32.
+	FilterLinux32 FilterOpts = C.F_LINUX32
+	// FilterCan allows AF_CAN.
+	FilterCan FilterOpts = C.F_CAN
+	// FilterBluetooth allows AF_BLUETOOTH.
+	FilterBluetooth FilterOpts = C.F_BLUETOOTH
 )
 
-func buildFilter(fd int, opts SyscallOpts) error {
+func buildFilter(fd int, opts FilterOpts) error {
 	var (
 		arch      C.uint32_t = 0
 		multiarch C.uint32_t = 0
@@ -99,7 +100,7 @@ func buildFilter(fd int, opts SyscallOpts) error {
 	// this removes repeated transitions between C and Go execution
 	// when producing log output via F_println and CPrintln is nil
 	if fp := printlnP.Load(); fp != nil {
-		opts |= flagVerbose
+		opts |= filterVerbose
 	}
 
 	var ret C.int

test/sandbox/case/default.nix

@@ -37,7 +37,7 @@ let
     {
       name = "check-sandbox-${tc.name}";
       verbose = true;
-      inherit (tc) tty mapRealUid;
+      inherit (tc) tty device mapRealUid;
       share = testProgram;
       packages = [ ];
       path = "${testProgram}/bin/fortify-test";
@@ -51,4 +51,5 @@ in
   preset = callTestCase ./preset.nix;
   tty = callTestCase ./tty.nix;
   mapuid = callTestCase ./mapuid.nix;
+  device = callTestCase ./device.nix;
 }

test/sandbox/case/device.nix

@@ -0,0 +1,203 @@
+{
+  fs,
+  ent,
+  ignore,
+}:
+{
+  name = "device";
+  tty = false;
+  device = true;
+  mapRealUid = false;
+
+  want = {
+    env = [
+      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
+      "HOME=/var/lib/fortify/u0/a4"
+      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
+      "SHELL=/run/current-system/sw/bin/bash"
+      "TERM=linux"
+      "USER=u0_a4"
+      "WAYLAND_DISPLAY=wayland-0"
+      "XDG_RUNTIME_DIR=/run/user/65534"
+      "XDG_SESSION_CLASS=user"
+      "XDG_SESSION_TYPE=tty"
+    ];
+
+    fs = fs "dead" {
+      ".fortify" = fs "800001ed" { } null;
+      bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
+      dev = fs "800001ed" null null;
+      etc = fs "800001ed" {
+        ".clean" = fs "80001ff" null null;
+        ".host" = fs "800001c0" null null;
+        ".updated" = fs "80001ff" null null;
+        "NIXOS" = fs "80001ff" null null;
+        "X11" = fs "80001ff" null null;
+        "alsa" = fs "80001ff" null null;
+        "bashrc" = fs "80001ff" null null;
+        "binfmt.d" = fs "80001ff" null null;
+        "dbus-1" = fs "80001ff" null null;
+        "default" = fs "80001ff" null null;
+        "dhcpcd.exit-hook" = fs "80001ff" null null;
+        "fonts" = fs "80001ff" null null;
+        "fstab" = fs "80001ff" null null;
+        "fsurc" = fs "80001ff" null null;
+        "fuse.conf" = fs "80001ff" null null;
+        "group" = fs "180" null "fortify:x:65534:\n";
+        "host.conf" = fs "80001ff" null null;
+        "hostname" = fs "80001ff" null null;
+        "hosts" = fs "80001ff" null null;
+        "inputrc" = fs "80001ff" null null;
+        "issue" = fs "80001ff" null null;
+        "kbd" = fs "80001ff" null null;
+        "locale.conf" = fs "80001ff" null null;
+        "login.defs" = fs "80001ff" null null;
+        "lsb-release" = fs "80001ff" null null;
+        "lvm" = fs "80001ff" null null;
+        "machine-id" = fs "80001ff" null null;
+        "man_db.conf" = fs "80001ff" null null;
+        "modprobe.d" = fs "80001ff" null null;
+        "modules-load.d" = fs "80001ff" null null;
+        "mtab" = fs "80001ff" null null;
+        "nanorc" = fs "80001ff" null null;
+        "netgroup" = fs "80001ff" null null;
+        "nix" = fs "80001ff" null null;
+        "nixos" = fs "80001ff" null null;
+        "nscd.conf" = fs "80001ff" null null;
+        "nsswitch.conf" = fs "80001ff" null null;
+        "os-release" = fs "80001ff" null null;
+        "pam" = fs "80001ff" null null;
+        "pam.d" = fs "80001ff" null null;
+        "passwd" = fs "180" null "u0_a4:x:65534:65534:Fortify:/var/lib/fortify/u0/a4:/run/current-system/sw/bin/bash\n";
+        "pipewire" = fs "80001ff" null null;
+        "pki" = fs "80001ff" null null;
+        "polkit-1" = fs "80001ff" null null;
+        "profile" = fs "80001ff" null null;
+        "protocols" = fs "80001ff" null null;
+        "resolv.conf" = fs "80001ff" null null;
+        "resolvconf.conf" = fs "80001ff" null null;
+        "rpc" = fs "80001ff" null null;
+        "services" = fs "80001ff" null null;
+        "set-environment" = fs "80001ff" null null;
+        "shadow" = fs "80001ff" null null;
+        "shells" = fs "80001ff" null null;
+        "ssh" = fs "80001ff" null null;
+        "ssl" = fs "80001ff" null null;
+        "static" = fs "80001ff" null null;
+        "subgid" = fs "80001ff" null null;
+        "subuid" = fs "80001ff" null null;
+        "sudoers" = fs "80001ff" null null;
+        "sway" = fs "80001ff" null null;
+        "sysctl.d" = fs "80001ff" null null;
+        "systemd" = fs "80001ff" null null;
+        "terminfo" = fs "80001ff" null null;
+        "tmpfiles.d" = fs "80001ff" null null;
+        "udev" = fs "80001ff" null null;
+        "vconsole.conf" = fs "80001ff" null null;
+        "xdg" = fs "80001ff" null null;
+        "zoneinfo" = fs "80001ff" null null;
+      } null;
+      nix = fs "800001c0" { store = fs "801001fd" null null; } null;
+      proc = fs "8000016d" null null;
+      run = fs "800001ed" {
+        current-system = fs "80001ff" null null;
+        opengl-driver = fs "80001ff" null null;
+        user = fs "800001ed" {
+          "65534" = fs "800001c0" {
+            bus = fs "10001fd" null null;
+            pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
+            wayland-0 = fs "1000038" null null;
+          } null;
+        } null;
+      } null;
+      sys = fs "800001c0" {
+        block = fs "800001ed" {
+          fd0 = fs "80001ff" null null;
+          loop0 = fs "80001ff" null null;
+          loop1 = fs "80001ff" null null;
+          loop2 = fs "80001ff" null null;
+          loop3 = fs "80001ff" null null;
+          loop4 = fs "80001ff" null null;
+          loop5 = fs "80001ff" null null;
+          loop6 = fs "80001ff" null null;
+          loop7 = fs "80001ff" null null;
+          sr0 = fs "80001ff" null null;
+          vda = fs "80001ff" null null;
+        } null;
+        bus = fs "800001ed" null null;
+        class = fs "800001ed" null null;
+        dev = fs "800001ed" {
+          block = fs "800001ed" null null;
+          char = fs "800001ed" null null;
+        } null;
+        devices = fs "800001ed" null null;
+      } null;
+      tmp = fs "800001f8" { } null;
+      usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
+      var = fs "800001c0" {
+        lib = fs "800001c0" {
+          fortify = fs "800001c0" {
+            u0 = fs "800001c0" {
+              a4 = fs "800001c0" {
+                ".cache" = fs "800001ed" { ".keep" = fs "80001ff" null ""; } null;
+                ".config" = fs "800001ed" { "environment.d" = fs "800001ed" { "10-home-manager.conf" = fs "80001ff" null null; } null; } null;
+                ".local" = fs "800001ed" {
+                  state = fs "800001ed" {
+                    home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
+                    nix = fs "800001ed" {
+                      profiles = fs "800001ed" {
+                        home-manager = fs "80001ff" null null;
+                        home-manager-1-link = fs "80001ff" null null;
+                        profile = fs "80001ff" null null;
+                        profile-1-link = fs "80001ff" null null;
+                      } null;
+                    } null;
+                  } null;
+                } null;
+                ".nix-defexpr" = fs "800001ed" {
+                  channels = fs "80001ff" null null;
+                  channels_root = fs "80001ff" null null;
+                } null;
+                ".nix-profile" = fs "80001ff" null null;
+              } null;
+            } null;
+          } null;
+        } null;
+        run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
+      } null;
+    } null;
+
+    mount = [
+      (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
+      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
+      (ent "/" "/.fortify" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
+      (ent "/" "/dev" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
+      (ent "/" "/dev/pts" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
+      (ent "/" "/dev/shm" "rw,nosuid,nodev" "tmpfs" "tmpfs" ignore)
+      (ent "/" ignore ignore ignore ignore ignore) # order not deterministic
+      (ent "/" ignore ignore ignore ignore ignore)
+      (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
+      (ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
+      (ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
+      (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
+      (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
+      (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
+      (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
+      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
+      (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000004,gid=1000004")
+      (ent "/tmp/fortify.1000/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/var/lib/fortify/u0/a4" "/var/lib/fortify/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
+      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
+      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
+      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/" "/var/run/nscd" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8k,mode=755,uid=1000004,gid=1000004")
+    ];
+
+    seccomp = true;
+  };
+}

test/sandbox/case/mapuid.nix

@@ -6,6 +6,7 @@
 {
   name = "mapuid";
   tty = false;
+  device = false;
   mapRealUid = true;
 
   want = {
@@ -23,9 +24,7 @@
     ];
 
     fs = fs "dead" {
-      ".fortify" = fs "800001ed" {
-        etc = fs "800001ed" null null;
-      } null;
+      ".fortify" = fs "800001ed" { } null;
       bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
       dev = fs "800001ed" {
         core = fs "80001ff" null null;
@@ -54,6 +53,7 @@
       } null;
       etc = fs "800001ed" {
         ".clean" = fs "80001ff" null null;
+        ".host" = fs "800001c0" null null;
         ".updated" = fs "80001ff" null null;
         "NIXOS" = fs "80001ff" null null;
         "X11" = fs "80001ff" null null;
@@ -213,7 +213,7 @@
       (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
-      (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
       (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003")
       (ent "/tmp/fortify.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")

test/sandbox/case/preset.nix

@@ -6,6 +6,7 @@
 {
   name = "preset";
   tty = false;
+  device = false;
   mapRealUid = false;
 
   want = {
@@ -23,9 +24,7 @@
     ];
 
     fs = fs "dead" {
-      ".fortify" = fs "800001ed" {
-        etc = fs "800001ed" null null;
-      } null;
+      ".fortify" = fs "800001ed" { } null;
       bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
       dev = fs "800001ed" {
         core = fs "80001ff" null null;
@@ -54,6 +53,7 @@
       } null;
       etc = fs "800001ed" {
         ".clean" = fs "80001ff" null null;
+        ".host" = fs "800001c0" null null;
         ".updated" = fs "80001ff" null null;
         "NIXOS" = fs "80001ff" null null;
         "X11" = fs "80001ff" null null;
@@ -213,7 +213,7 @@
       (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
-      (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
       (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000001,gid=1000001")
       (ent "/tmp/fortify.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")

test/sandbox/case/tty.nix

@@ -6,6 +6,7 @@
 {
   name = "tty";
   tty = true;
+  device = false;
   mapRealUid = false;
 
   want = {
@@ -23,9 +24,7 @@
     ];
 
     fs = fs "dead" {
-      ".fortify" = fs "800001ed" {
-        etc = fs "800001ed" null null;
-      } null;
+      ".fortify" = fs "800001ed" { } null;
       bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
       dev = fs "800001ed" {
         console = fs "4200190" null null;
@@ -55,6 +54,7 @@
       } null;
       etc = fs "800001ed" {
         ".clean" = fs "80001ff" null null;
+        ".host" = fs "800001c0" null null;
         ".updated" = fs "80001ff" null null;
         "NIXOS" = fs "80001ff" null null;
         "X11" = fs "80001ff" null null;
@@ -215,7 +215,7 @@
       (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
-      (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
       (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002")
       (ent "/tmp/fortify.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")

test/sandbox/configuration.nix

@@ -67,10 +67,11 @@ in
 
     home-manager = _: _: { home.stateVersion = "23.05"; };
 
-    apps = [
-      testCases.preset
-      testCases.tty
-      testCases.mapuid
+    apps = with testCases; [
+      preset
+      tty
+      mapuid
+      device
     ];
   };
 }

test/sandbox/test.py

@@ -62,6 +62,7 @@ def check_sandbox(name):
 check_sandbox("preset")
 check_sandbox("tty")
 check_sandbox("mapuid")
+check_sandbox("device")
 
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)

test/test.py

@@ -169,6 +169,16 @@ machine.send_chars("exit\n")
 machine.wait_for_file("/tmp/p0-exit-ok", timeout=15)
 machine.fail("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
 
+# Check interrupt shim behaviour:
+swaymsg("exec sh -c 'ne-foot; echo -n $? > /tmp/monitor-exit-code'")
+wait_for_window(f"u0_a{aid(0)}@machine")
+machine.succeed("pkill -INT -f 'fortify -v app '")
+machine.wait_until_fails("pgrep foot", timeout=5)
+machine.wait_for_file("/tmp/monitor-exit-code")
+interrupt_exit_code = int(machine.succeed("cat /tmp/monitor-exit-code"))
+if interrupt_exit_code != 254:
+    raise Exception(f"unexpected exit code {interrupt_exit_code}")
+
 # Start app (foot) with Wayland enablement:
 swaymsg("exec ne-foot")
 wait_for_window(f"u0_a{aid(0)}@machine")