Ophestra
c460892cbd
All checks were successful
Test / Create distribution (push) Successful in 26s
Test / Sandbox (push) Successful in 1m51s
Test / Fortify (push) Successful in 2m39s
Test / Sandbox (race detector) (push) Successful in 3m7s
Test / Fpkg (push) Successful in 3m36s
Test / Fortify (race detector) (push) Successful in 4m14s
Test / Flake checks (push) Successful in 1m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
88 lines
3.0 KiB
Go
88 lines
3.0 KiB
Go
package fst
|
|
|
|
import (
|
|
"git.gensokyo.uk/security/fortify/dbus"
|
|
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
|
|
"git.gensokyo.uk/security/fortify/system"
|
|
)
|
|
|
|
// Template returns a fully populated instance of Config.
|
|
func Template() *Config {
|
|
return &Config{
|
|
ID: "org.chromium.Chromium",
|
|
Path: "/run/current-system/sw/bin/chromium",
|
|
Args: []string{
|
|
"chromium",
|
|
"--ignore-gpu-blocklist",
|
|
"--disable-smooth-scrolling",
|
|
"--enable-features=UseOzonePlatform",
|
|
"--ozone-platform=wayland",
|
|
},
|
|
Confinement: ConfinementConfig{
|
|
AppID: 9,
|
|
Groups: []string{"video"},
|
|
Username: "chronos",
|
|
Outer: "/var/lib/persist/home/org.chromium.Chromium",
|
|
Inner: "/var/lib/fortify",
|
|
Shell: "/run/current-system/sw/bin/zsh",
|
|
Sandbox: &SandboxConfig{
|
|
Hostname: "localhost",
|
|
Devel: true,
|
|
Userns: true,
|
|
Net: true,
|
|
Device: true,
|
|
Seccomp: seccomp.FilterMultiarch,
|
|
Tty: true,
|
|
Multiarch: true,
|
|
MapRealUID: true,
|
|
DirectWayland: false,
|
|
// example API credentials pulled from Google Chrome
|
|
// DO NOT USE THESE IN A REAL BROWSER
|
|
Env: map[string]string{
|
|
"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
|
|
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
|
|
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
|
|
},
|
|
Filesystem: []*FilesystemConfig{
|
|
{Src: "/nix/store"},
|
|
{Src: "/run/current-system"},
|
|
{Src: "/run/opengl-driver"},
|
|
{Src: "/var/db/nix-channels"},
|
|
{Src: "/var/lib/fortify/u0/org.chromium.Chromium",
|
|
Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
|
|
{Src: "/dev/dri", Device: true},
|
|
},
|
|
Link: [][2]string{{"/run/user/65534", "/run/user/150"}},
|
|
Etc: "/etc",
|
|
AutoEtc: true,
|
|
Cover: []string{"/var/run/nscd"},
|
|
},
|
|
ExtraPerms: []*ExtraPermConfig{
|
|
{Path: "/var/lib/fortify/u0", Ensure: true, Execute: true},
|
|
{Path: "/var/lib/fortify/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
|
|
},
|
|
SystemBus: &dbus.Config{
|
|
See: nil,
|
|
Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
|
|
Own: nil,
|
|
Call: nil,
|
|
Broadcast: nil,
|
|
Log: false,
|
|
Filter: true,
|
|
},
|
|
SessionBus: &dbus.Config{
|
|
See: nil,
|
|
Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
|
|
"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
|
|
Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
|
"org.mpris.MediaPlayer2.chromium.*"},
|
|
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
|
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
|
Log: false,
|
|
Filter: true,
|
|
},
|
|
Enablements: system.EWayland | system.EDBus | system.EPulse,
|
|
},
|
|
}
|
|
}
|