Ophestra Umiker
65bd7d18db
shareTmpdirChild happened to request an ephemeral dir within SharePath and was called before shareRuntime which ensures that path. This commit moves SharePath initialisation to shareSystem and moves shareTmpdirChild into ShareSystem. Further cleanup and tests are desperately needed for the app package but for now this fix will have to do. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
39 lines
1.2 KiB
Go
package app
import (
"path"
"git.ophivana.moe/cat/fortify/acl"
"git.ophivana.moe/cat/fortify/internal/system"
)
const (
xdgRuntimeDir = "XDG_RUNTIME_DIR"
xdgSessionClass = "XDG_SESSION_CLASS"
xdgSessionType = "XDG_SESSION_TYPE"
)
// shareRuntime queues actions for sharing/ensuring the runtime and share directories
func (seal *appSeal) shareRuntime() {
// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
// point to inner runtime path `/run/user/%d`
seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
// ensure RunDir (e.g. `/run/user/%d/fortify`)
seal.sys.Ensure(seal.RunDirPath, 0700)
seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
// ensure runtime directory ACL (e.g. `/run/user/%d`)
seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
seal.shareLocal = path.Join(seal.RunDirPath, seal.id.String())
seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
}
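Review bot: The ordering contract this commit fixes is still only implicit in shareRuntime: `seal.shareLocal` is assigned nowhere but the `path.Join(seal.RunDirPath, seal.id.String())` line at the end of the method, and the Ensure of `seal.RunDirPath` happens in the same body, so any share step that reads shareLocal or expects RunDirPath to exist must run after this method, yet the doc comment does not say so. I would extend it to `// shareRuntime queues actions for sharing/ensuring the runtime and share directories.` followed by `// It must be queued before any step that reads seal.shareLocal or relies on RunDirPath being ensured; this is the only place shareLocal is set.` As a point of style, the tmpfs sizes `1*1024*1024` and `8*1024*1024` are magic numbers; naming them next to the xdg* constants would make the intended size budgets for /run/user and the runtime dir visible at a glance. Whether `seal.sys.bwrap.SetEnv` is guaranteed to be a non-nil map at this point cannot be seen from this file, so the three env writes assume it was initialised elsewhere.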