app: set up acl on X11 socket
The socket is typically owned by the priv-user and inaccessible to the target user, so merely allowing access to the directory is not enough. This change fixes that oversight and adds checks that will also be useful for merging #1. Signed-off-by: Ophestra <cat@gensokyo.uk>
@@ -15,6 +15,7 @@ import (
|
||||
"errors"
|
||||
"io/fs"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
"syscall"
|
||||
)
|
||||
@@ -33,6 +34,10 @@ type TestCase struct {
|
||||
FS *FS `json:"fs"`
|
||||
Mount []*MountinfoEntry `json:"mount"`
|
||||
Seccomp bool `json:"seccomp"`
|
||||
|
||||
TrySocket string `json:"try_socket,omitempty"`
|
||||
SocketAbstract bool `json:"socket_abstract,omitempty"`
|
||||
SocketPathname bool `json:"socket_pathname,omitempty"`
|
||||
}
|
||||
|
||||
type T struct {
|
||||
@@ -125,6 +130,47 @@ func (t *T) MustCheck(want *TestCase) {
|
||||
} else {
|
||||
printf("[SKIP] skipping seccomp check")
|
||||
}
|
||||
|
||||
if want.TrySocket != "" {
|
||||
abstractConn, abstractErr := net.Dial("unix", "@"+want.TrySocket)
|
||||
pathnameConn, pathnameErr := net.Dial("unix", want.TrySocket)
|
||||
ok := true
|
||||
|
||||
if abstractErr == nil {
|
||||
if err := abstractConn.Close(); err != nil {
|
||||
ok = false
|
||||
log.Printf("Close: %v", err)
|
||||
}
|
||||
}
|
||||
if pathnameErr == nil {
|
||||
if err := pathnameConn.Close(); err != nil {
|
||||
ok = false
|
||||
log.Printf("Close: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
abstractWantErr := error(syscall.EPERM)
|
||||
pathnameWantErr := error(syscall.ENOENT)
|
||||
if want.SocketAbstract {
|
||||
abstractWantErr = nil
|
||||
}
|
||||
if want.SocketPathname {
|
||||
pathnameWantErr = nil
|
||||
}
|
||||
|
||||
if !errors.Is(abstractErr, abstractWantErr) {
|
||||
ok = false
|
||||
log.Printf("abstractErr: %v, want %v", abstractErr, abstractWantErr)
|
||||
}
|
||||
if !errors.Is(pathnameErr, pathnameWantErr) {
|
||||
ok = false
|
||||
log.Printf("pathnameErr: %v, want %v", pathnameErr, pathnameWantErr)
|
||||
}
|
||||
|
||||
if !ok {
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func MustCheckFilter(pid int, want string) {
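Review bot: The expectations `abstractWantErr := error(syscall.EPERM)` and `pathnameWantErr := error(syscall.ENOENT)` pin which errno each denied connect must return, but nothing in the hunk says where those values come from, so a later mismatch (EACCES when the ACL this commit sets is missing, ECONNREFUSED when no server is listening) reads as a test bug rather than as the sandbox regression it is. A comment above them such as `// A denied abstract connect is expected to fail with EPERM and a hidden pathname socket with ENOENT; any other errno is still reported as a mismatch.` would make the intent explicit, though the source of EPERM is not visible here and should be confirmed before being stated. Both net.Dial calls also run without a deadline, so a listener that accepts but never answers could stall the whole check; `(&net.Dialer{Timeout: ...}).Dial(...)` would bound it, at the cost of a time import. The new TestCase fields in the earlier hunk (TrySocket, SocketAbstract, SocketPathname) are exported without doc comments; one line each saying which connect result is expected would help. MustCheck begins before this hunk.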
|
||||
|
||||
@@ -50,6 +50,9 @@ let
|
||||
useCommonPaths
|
||||
userns
|
||||
;
|
||||
enablements = {
|
||||
inherit (tc) x11;
|
||||
};
|
||||
share = testProgram;
|
||||
packages = [ ];
|
||||
path = "${testProgram}/bin/hakurei-test";
|
||||
|
||||
@@ -25,6 +25,7 @@ in
|
||||
mapRealUid = false;
|
||||
useCommonPaths = true;
|
||||
userns = false;
|
||||
x11 = true;
|
||||
|
||||
# 0, PresetStrict
|
||||
expectedFilter = {
|
||||
@@ -35,6 +36,7 @@ in
|
||||
want = {
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"DISPLAY=:0"
|
||||
"HOME=/var/lib/hakurei/u0/a4"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
@@ -161,7 +163,9 @@ in
|
||||
} null;
|
||||
devices = fs "800001ed" null null;
|
||||
} null;
|
||||
tmp = fs "800001f8" { } null;
|
||||
tmp = fs "800001f8" {
|
||||
".X11-unix" = fs "801001ff" { X0 = fs "10001fd" null null; } null;
|
||||
} null;
|
||||
usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
|
||||
var = fs "800001c0" {
|
||||
lib = fs "800001c0" {
|
||||
@@ -231,10 +235,15 @@ in
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
|
||||
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
try_socket = "/tmp/.X11-unix/X0";
|
||||
socket_abstract = true;
|
||||
socket_pathname = true;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -34,6 +34,7 @@ in
|
||||
mapRealUid = true;
|
||||
useCommonPaths = true;
|
||||
userns = false;
|
||||
x11 = false;
|
||||
|
||||
# 0, PresetStrict
|
||||
expectedFilter = {
|
||||
@@ -266,5 +267,9 @@ in
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
try_socket = "/tmp/.X11-unix/X0";
|
||||
socket_abstract = true;
|
||||
socket_pathname = false;
|
||||
};
|
||||
}
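Review bot: This case sets `x11 = false;` yet still expects `socket_abstract = true;`, i.e. the host X server's abstract socket remains reachable from a sandbox with X11 disabled; the two following sections encode the same pairing. If that is intended (abstract names are reachable whenever the network namespace is shared, which these cases appear to do, though the namespace setup is not visible in these hunks), a short comment next to `socket_abstract = true;` saying so would keep the expectation from being read as an unnoticed exposure. If it is not intended, the expectation currently documents the exposure rather than guarding against it.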
|
||||
|
||||
@@ -34,6 +34,7 @@ in
|
||||
mapRealUid = false;
|
||||
useCommonPaths = false;
|
||||
userns = true;
|
||||
x11 = false;
|
||||
|
||||
# 0, PresetExt | PresetDenyDevel
|
||||
expectedFilter = {
|
||||
@@ -261,5 +262,9 @@ in
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
try_socket = "/tmp/.X11-unix/X0";
|
||||
socket_abstract = true;
|
||||
socket_pathname = false;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -34,6 +34,7 @@ in
|
||||
mapRealUid = false;
|
||||
useCommonPaths = false;
|
||||
userns = false;
|
||||
x11 = false;
|
||||
|
||||
# 0, PresetStrict
|
||||
expectedFilter = {
|
||||
@@ -259,5 +260,9 @@ in
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
try_socket = "/tmp/.X11-unix/X0";
|
||||
socket_abstract = true;
|
||||
socket_pathname = false;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -34,6 +34,7 @@ in
|
||||
mapRealUid = false;
|
||||
useCommonPaths = true;
|
||||
userns = false;
|
||||
x11 = true;
|
||||
|
||||
# 0, PresetExt | PresetDenyNS | PresetDenyDevel
|
||||
expectedFilter = {
|
||||
@@ -44,6 +45,7 @@ in
|
||||
want = {
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"DISPLAY=:0"
|
||||
"HOME=/var/lib/hakurei/u0/a2"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
@@ -188,7 +190,9 @@ in
|
||||
} null;
|
||||
devices = fs "800001ed" null null;
|
||||
} null;
|
||||
tmp = fs "800001f8" { } null;
|
||||
tmp = fs "800001f8" {
|
||||
".X11-unix" = fs "801001ff" { X0 = fs "10001fd" null null; } null;
|
||||
} null;
|
||||
usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
|
||||
var = fs "800001c0" {
|
||||
lib = fs "800001c0" {
|
||||
@@ -263,10 +267,15 @@ in
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
|
||||
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
try_socket = "/tmp/.X11-unix/X0";
|
||||
socket_abstract = true;
|
||||
socket_pathname = true;
|
||||
};
|
||||
}
|
||||
|
||||