Ophestra Umiker
af15b1c048
All checks were successful
test / test (push) Successful in 40s
Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
72 lines
2.3 KiB
Go
72 lines
2.3 KiB
Go
package app
|
|
|
|
import (
|
|
"path"
|
|
|
|
"git.ophivana.moe/security/fortify/acl"
|
|
"git.ophivana.moe/security/fortify/internal/linux"
|
|
"git.ophivana.moe/security/fortify/internal/system"
|
|
)
|
|
|
|
const (
|
|
shell = "SHELL"
|
|
)
|
|
|
|
// shareSystem queues various system-related actions
|
|
func (seal *appSeal) shareSystem() {
|
|
// ensure Share (e.g. `/tmp/fortify.%d`)
|
|
// acl is unnecessary as this directory is world executable
|
|
seal.sys.Ensure(seal.SharePath, 0701)
|
|
|
|
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
|
// acl is unnecessary as this directory is world executable
|
|
seal.share = path.Join(seal.SharePath, seal.id)
|
|
seal.sys.Ephemeral(system.Process, seal.share, 0701)
|
|
|
|
// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
|
|
targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
|
|
seal.sys.Ensure(targetTmpdirParent, 0700)
|
|
seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
|
|
|
|
// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
|
|
targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)
|
|
seal.sys.Ensure(targetTmpdir, 01700)
|
|
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
|
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
|
|
|
// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
|
|
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
|
}
|
|
|
|
func (seal *appSeal) sharePasswd(os linux.System) {
|
|
// look up shell
|
|
sh := "/bin/sh"
|
|
if s, ok := os.LookupEnv(shell); ok {
|
|
seal.sys.bwrap.SetEnv[shell] = s
|
|
sh = s
|
|
}
|
|
|
|
// generate /etc/passwd
|
|
passwdPath := path.Join(seal.share, "passwd")
|
|
username := "chronos"
|
|
if seal.sys.user.Username != "" {
|
|
username = seal.sys.user.Username
|
|
seal.sys.bwrap.SetEnv["USER"] = seal.sys.user.Username
|
|
}
|
|
homeDir := "/var/empty"
|
|
if seal.sys.user.HomeDir != "" {
|
|
homeDir = seal.sys.user.HomeDir
|
|
seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
|
|
}
|
|
passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
|
|
seal.sys.Write(passwdPath, passwd)
|
|
|
|
// write /etc/group
|
|
groupPath := path.Join(seal.share, "group")
|
|
seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
|
|
|
|
// bind /etc/passwd and /etc/group
|
|
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
|
seal.sys.bwrap.Bind(groupPath, "/etc/group")
|
|
}
|