security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 12 Wiki Activity

system/wayland: sync file at caller specified address
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Run NixOS test (push) Successful in 3m14s
Details

Browse Source 
Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-02-17 13:24:17 +09:00
parent db71fbe22b
commit 3ae2ab652e
6 changed files with 45 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/app/app_pd_test.go
View File

@@ -1,6 +1,8 @@
package app_test
import (
"os"
"git.gensokyo.uk/security/fortify/acl"
"git.gensokyo.uk/security/fortify/dbus"
"git.gensokyo.uk/security/fortify/fst"
@@ -217,7 +219,7 @@ var testCasesPd = []sealTestCase{
Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
Ensure("/tmp/fortify.1971/wayland", 0711).
Wayland("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
Wayland(new(*os.File), "/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{

2
internal/app/share.go
View File

@@ -163,7 +163,7 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
// use instance ID in case app id is not set
appID = "uk.gensokyo.fortify." + seal.id
}
seal.sys.Wayland(outerPath, socketPath, appID, seal.id)
seal.sys.Wayland(&seal.sys.sp, outerPath, socketPath, appID, seal.id)
seal.sys.bwrap.Bind(outerPath, innerPath)
} else { // bind mount wayland socket (insecure)
fmsg.Verbose("direct wayland access, PROCEED WITH CAUTION")

2
internal/app/start.go
View File

@@ -58,7 +58,7 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
if startTime, err := a.shim.Start(
a.seal.sys.user.as,
a.seal.sys.user.supp,
a.seal.sys.Sync(),
a.seal.sys.sp,
); err != nil {
return err
} else {

4
internal/app/system.go
View File

@@ -1,6 +1,8 @@
package app
import (
"os"
"git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/internal/system"
)
@@ -8,6 +10,8 @@ import (
// appSealSys encapsulates app seal behaviour with OS interactions
type appSealSys struct {
bwrap *bwrap.Config
// bwrap sync fd
sp *os.File
// paths to override by mounting tmpfs over them
override []string