security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

app: set up acl on X11 socket
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Hakurei (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 43s
Details
Test / Hpkg (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 1m50s
Details
Test / Sandbox (race detector) (push) Successful in 2m37s
Details
Test / Flake checks (push) Successful in 1m32s
Details

Browse Source 
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging #1.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-18 02:24:56 +09:00
parent 0ac6e99818
commit 551ec8c27d
10 changed files with 126 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
internal/app/seal_linux.go
View File

@@ -12,6 +12,7 @@ import (
"path"
"regexp"
"slices"
"strconv"
"strings"
"sync/atomic"
"syscall"
@@ -390,6 +391,22 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
seal.env[display] = d
socketDir := container.AbsFHSTmp.Append(".X11-unix")
seal.container.Bind(socketDir, socketDir, 0)
// the socket file at `/tmp/.X11-unix/X%d` is typically owned by the priv user
// and not accessible by the target user
var socketPath *container.Absolute
if len(d) > 1 && d[0] == ':' { // `:%d`
if n, err := strconv.Atoi(d[1:]); err == nil && n >= 0 {
socketPath = socketDir.Append("X" + strconv.Itoa(n))
}
} else if len(d) > 5 && strings.HasPrefix(d, "unix:") { // `unix:%s`
if a, err := container.NewAbs(d[5:]); err == nil {
socketPath = a
}
}
if socketPath != nil {
seal.sys.UpdatePermTypeOptional(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute)
}
}
}