app: alternative inner home path

Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 00:18:21 +09:00
parent 866270ff05
commit 05b7dbf066
6 changed files with 19 additions and 10 deletions
--- a/internal/app/config.go
+++ b/internal/app/config.go
@@ -30,8 +30,10 @@ type ConfinementConfig struct {
 	Groups []string `json:"groups"`
 	// passwd username in the sandbox, defaults to chronos
 	Username string `json:"username,omitempty"`
-	// home directory in sandbox
-	Home string `json:"home"`
+	// home directory in sandbox, empty for outer
+	Inner string `json:"home_inner"`
+	// home directory in init namespace
+	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`

@@ -185,7 +187,8 @@ func Template() *Config {
 			AppID:    9,
 			Groups:   []string{"video"},
 			Username: "chronos",
-			Home:     "/var/lib/persist/home/org.chromium.Chromium",
+			Outer:    "/var/lib/persist/home/org.chromium.Chromium",
+			Inner:    "/var/lib/fortify",
 			Sandbox: &SandboxConfig{
 				Hostname:     "localhost",
 				UserNS:       true,