Ophestra Umiker
a3aadd4146
ACL operations are now tagged with the enablement causing them. At the end of child process's life, enablements of all remaining launchers are resolved and inverted. This allows Wait to only revert operations targeting resources no longer required by other launchers. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
58 lines
2.0 KiB
Go
58 lines
2.0 KiB
Go
package app
|
|
|
|
import (
|
|
"path"
|
|
|
|
"git.ophivana.moe/cat/fortify/acl"
|
|
"git.ophivana.moe/cat/fortify/internal/state"
|
|
)
|
|
|
|
const (
|
|
xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
|
xdgSessionClass = "XDG_SESSION_CLASS"
|
|
xdgSessionType = "XDG_SESSION_TYPE"
|
|
)
|
|
|
|
// shareRuntime queues actions for sharing/ensuring the runtime and share directories
|
|
func (seal *appSeal) shareRuntime() {
|
|
// ensure RunDir (e.g. `/run/user/%d/fortify`)
|
|
seal.sys.ensure(seal.RunDirPath, 0700)
|
|
seal.sys.updatePermTag(state.EnableLength, seal.RunDirPath, acl.Execute)
|
|
|
|
// ensure runtime directory ACL (e.g. `/run/user/%d`)
|
|
seal.sys.updatePermTag(state.EnableLength, seal.RuntimePath, acl.Execute)
|
|
|
|
// ensure Share (e.g. `/tmp/fortify.%d`)
|
|
// acl is unnecessary as this directory is world executable
|
|
seal.sys.ensure(seal.SharePath, 0701)
|
|
|
|
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
|
// acl is unnecessary as this directory is world executable
|
|
seal.share = path.Join(seal.SharePath, seal.id.String())
|
|
seal.sys.ensureEphemeral(seal.share, 0701)
|
|
|
|
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
|
|
seal.shareLocal = path.Join(seal.RunDirPath, seal.id.String())
|
|
seal.sys.ensureEphemeral(seal.shareLocal, 0700)
|
|
seal.sys.updatePerm(seal.shareLocal, acl.Execute)
|
|
}
|
|
|
|
func (seal *appSeal) shareRuntimeChild() string {
|
|
// ensure child runtime parent directory (e.g. `/tmp/fortify.%d/runtime`)
|
|
targetRuntimeParent := path.Join(seal.SharePath, "runtime")
|
|
seal.sys.ensure(targetRuntimeParent, 0700)
|
|
seal.sys.updatePermTag(state.EnableLength, targetRuntimeParent, acl.Execute)
|
|
|
|
// ensure child runtime directory (e.g. `/tmp/fortify.%d/runtime/%d`)
|
|
targetRuntime := path.Join(targetRuntimeParent, seal.sys.Uid)
|
|
seal.sys.ensure(targetRuntime, 0700)
|
|
seal.sys.updatePermTag(state.EnableLength, targetRuntime, acl.Read, acl.Write, acl.Execute)
|
|
|
|
// point to ensured runtime path
|
|
seal.appendEnv(xdgRuntimeDir, targetRuntime)
|
|
seal.appendEnv(xdgSessionClass, "user")
|
|
seal.appendEnv(xdgSessionType, "tty")
|
|
|
|
return targetRuntime
|
|
}
|