system/wayland: sync file at caller specified address
Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -4,7 +4,6 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
"log"
|
||||
"os"
|
||||
"sync"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
@@ -60,8 +59,6 @@ type I struct {
|
||||
uid int
|
||||
ops []Op
|
||||
ctx context.Context
|
||||
// sync fd passed to bwrap
|
||||
sp *os.File
|
||||
|
||||
// whether sys has been reverted
|
||||
state bool
|
||||
@@ -73,10 +70,6 @@ func (sys *I) UID() int {
|
||||
return sys.uid
|
||||
}
|
||||
|
||||
func (sys *I) Sync() *os.File {
|
||||
return sys.sp
|
||||
}
|
||||
|
||||
func (sys *I) Equal(v *I) bool {
|
||||
if v == nil || sys.uid != v.uid || len(sys.ops) != len(v.ops) {
|
||||
return false
|
||||
|
||||
@@ -11,79 +11,80 @@ import (
|
||||
)
|
||||
|
||||
// Wayland sets up a wayland socket with a security context attached.
|
||||
func (sys *I) Wayland(dst, src, appID, instanceID string) *I {
|
||||
func (sys *I) Wayland(syncFd **os.File, dst, src, appID, instanceID string) *I {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
sys.ops = append(sys.ops, Wayland{[2]string{dst, src}, new(wl.Conn), appID, instanceID})
|
||||
sys.ops = append(sys.ops, &Wayland{syncFd, dst, src, appID, instanceID, wl.Conn{}})
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
type Wayland struct {
|
||||
pair [2]string
|
||||
conn *wl.Conn
|
||||
|
||||
sync **os.File
|
||||
dst, src string
|
||||
appID, instanceID string
|
||||
|
||||
conn wl.Conn
|
||||
}
|
||||
|
||||
func (w Wayland) Type() Enablement {
|
||||
return Process
|
||||
}
|
||||
func (w *Wayland) Type() Enablement { return Process }
|
||||
|
||||
func (w *Wayland) apply(sys *I) error {
|
||||
if w.sync == nil {
|
||||
// this is a misuse of the API; do not return an error message
|
||||
return errors.New("invalid sync")
|
||||
}
|
||||
|
||||
func (w Wayland) apply(sys *I) error {
|
||||
// the Wayland op is not repeatable
|
||||
if sys.sp != nil {
|
||||
if *w.sync != nil {
|
||||
// this is a misuse of the API; do not return an error message
|
||||
return errors.New("attempted to attach multiple wayland sockets")
|
||||
}
|
||||
|
||||
if err := w.conn.Attach(w.pair[1]); err != nil {
|
||||
if err := w.conn.Attach(w.src); err != nil {
|
||||
// make console output less nasty
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
err = os.ErrNotExist
|
||||
}
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot attach to wayland on %q:", w.pair[1]))
|
||||
fmt.Sprintf("cannot attach to wayland on %q:", w.src))
|
||||
} else {
|
||||
fmsg.Verbosef("wayland attached on %q", w.pair[1])
|
||||
fmsg.Verbosef("wayland attached on %q", w.src)
|
||||
}
|
||||
|
||||
if sp, err := w.conn.Bind(w.pair[0], w.appID, w.instanceID); err != nil {
|
||||
if sp, err := w.conn.Bind(w.dst, w.appID, w.instanceID); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot bind to socket on %q:", w.pair[0]))
|
||||
fmt.Sprintf("cannot bind to socket on %q:", w.dst))
|
||||
} else {
|
||||
sys.sp = sp
|
||||
fmsg.Verbosef("wayland listening on %q", w.pair[0])
|
||||
return fmsg.WrapErrorSuffix(errors.Join(os.Chmod(w.pair[0], 0), acl.UpdatePerm(w.pair[0], sys.uid, acl.Read, acl.Write, acl.Execute)),
|
||||
fmt.Sprintf("cannot chmod socket on %q:", w.pair[0]))
|
||||
*w.sync = sp
|
||||
fmsg.Verbosef("wayland listening on %q", w.dst)
|
||||
return fmsg.WrapErrorSuffix(errors.Join(os.Chmod(w.dst, 0), acl.UpdatePerm(w.dst, sys.uid, acl.Read, acl.Write, acl.Execute)),
|
||||
fmt.Sprintf("cannot chmod socket on %q:", w.dst))
|
||||
}
|
||||
}
|
||||
|
||||
func (w Wayland) revert(_ *I, ec *Criteria) error {
|
||||
func (w *Wayland) revert(_ *I, ec *Criteria) error {
|
||||
if ec.hasType(w) {
|
||||
fmsg.Verbosef("removing wayland socket on %q", w.pair[0])
|
||||
if err := os.Remove(w.pair[0]); err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
fmsg.Verbosef("removing wayland socket on %q", w.dst)
|
||||
if err := os.Remove(w.dst); err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
return err
|
||||
}
|
||||
|
||||
fmsg.Verbosef("detaching from wayland on %q", w.pair[1])
|
||||
fmsg.Verbosef("detaching from wayland on %q", w.src)
|
||||
return fmsg.WrapErrorSuffix(w.conn.Close(),
|
||||
fmt.Sprintf("cannot detach from wayland on %q:", w.pair[1]))
|
||||
fmt.Sprintf("cannot detach from wayland on %q:", w.src))
|
||||
} else {
|
||||
fmsg.Verbosef("skipping wayland cleanup on %q", w.pair[0])
|
||||
fmsg.Verbosef("skipping wayland cleanup on %q", w.dst)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func (w Wayland) Is(o Op) bool {
|
||||
w0, ok := o.(Wayland)
|
||||
return ok && w.pair == w0.pair
|
||||
func (w *Wayland) Is(o Op) bool {
|
||||
w0, ok := o.(*Wayland)
|
||||
return ok && w.dst == w0.dst && w.src == w0.src &&
|
||||
w.appID == w0.appID && w.instanceID == w0.instanceID
|
||||
}
|
||||
|
||||
func (w Wayland) Path() string {
|
||||
return w.pair[0]
|
||||
}
|
||||
|
||||
func (w Wayland) String() string {
|
||||
return fmt.Sprintf("wayland socket at %q", w.pair[0])
|
||||
}
|
||||
func (w *Wayland) Path() string { return w.dst }
|
||||
func (w *Wayland) String() string { return fmt.Sprintf("wayland socket at %q", w.dst) }
|
||||
|
||||
Reference in New Issue
Block a user