Ophestra Umiker
65af1684e3
All checks were successful
test / test (push) Successful in 14s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
104 lines
2.4 KiB
Go
104 lines
2.4 KiB
Go
package app
|
|
|
|
import (
|
|
"os/user"
|
|
|
|
"git.ophivana.moe/security/fortify/dbus"
|
|
"git.ophivana.moe/security/fortify/helper/bwrap"
|
|
"git.ophivana.moe/security/fortify/internal"
|
|
"git.ophivana.moe/security/fortify/internal/state"
|
|
"git.ophivana.moe/security/fortify/internal/system"
|
|
)
|
|
|
|
// appSeal seals the application with child-related information
|
|
type appSeal struct {
|
|
// wayland socket path if mediated wayland is enabled
|
|
wl string
|
|
// wait for wayland client to exit if mediated wayland is enabled,
|
|
// (wlDone == nil) determines whether mediated wayland setup is performed
|
|
wlDone chan struct{}
|
|
|
|
// app unique ID string representation
|
|
id string
|
|
// freedesktop application ID
|
|
fid string
|
|
// argv to start process with in the final confined environment
|
|
command []string
|
|
// persistent process state store
|
|
store state.Store
|
|
|
|
// uint8 representation of launch method sealed from config
|
|
launchOption uint8
|
|
// process-specific share directory path
|
|
share string
|
|
// process-specific share directory path local to XDG_RUNTIME_DIR
|
|
shareLocal string
|
|
|
|
// path to launcher program
|
|
toolPath string
|
|
// pass-through enablement tracking from config
|
|
et system.Enablements
|
|
|
|
// prevents sharing from happening twice
|
|
shared bool
|
|
// seal system-level component
|
|
sys *appSealSys
|
|
|
|
// used in various sealing operations
|
|
internal.SystemConstants
|
|
|
|
// protected by upstream mutex
|
|
}
|
|
|
|
// appSealSys encapsulates app seal behaviour with OS interactions
|
|
type appSealSys struct {
|
|
bwrap *bwrap.Config
|
|
// paths to override by mounting tmpfs over them
|
|
override []string
|
|
|
|
// default formatted XDG_RUNTIME_DIR of User
|
|
runtime string
|
|
// sealed path to fortify executable, used by shim
|
|
executable string
|
|
// target user sealed from config
|
|
user *user.User
|
|
|
|
*system.I
|
|
|
|
// protected by upstream mutex
|
|
}
|
|
|
|
// shareAll calls all share methods in sequence
|
|
func (seal *appSeal) shareAll(bus [2]*dbus.Config) error {
|
|
if seal.shared {
|
|
panic("seal shared twice")
|
|
}
|
|
seal.shared = true
|
|
|
|
seal.shareSystem()
|
|
seal.shareRuntime()
|
|
seal.sharePasswd()
|
|
if err := seal.shareDisplay(); err != nil {
|
|
return err
|
|
}
|
|
if err := seal.sharePulse(); err != nil {
|
|
return err
|
|
}
|
|
|
|
// ensure dbus session bus defaults
|
|
if bus[0] == nil {
|
|
bus[0] = dbus.NewConfig(seal.fid, true, true)
|
|
}
|
|
|
|
if err := seal.shareDBus(bus); err != nil {
|
|
return err
|
|
}
|
|
|
|
// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
|
|
for _, dest := range seal.sys.override {
|
|
seal.sys.bwrap.Tmpfs(dest, 8*1024)
|
|
}
|
|
|
|
return nil
|
|
}
|