From 717771ae8023ea3d00b794b8a89babe70fe773e6 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sun, 8 Jun 2025 03:24:48 +0900
Subject: [PATCH] app: share runtime dir

This allows apps with the same identity to access the same runtime dir.

Signed-off-by: Ophestra
---
 internal/app/internal/setuid/app_nixos_test.go | 4 +++-
 internal/app/internal/setuid/app_pd_test.go | 8 ++++++--
 internal/app/internal/setuid/seal.go | 15 ++++++++++++---
 test/sandbox/case/device.nix | 4 ++--
 test/sandbox/case/mapuid.nix | 4 ++--
 test/sandbox/case/preset.nix | 4 ++--
 test/sandbox/case/tty.nix | 4 ++--
 7 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/internal/app/internal/setuid/app_nixos_test.go b/internal/app/internal/setuid/app_nixos_test.go
index 0e649ad..08f7fe7 100644
--- a/internal/app/internal/setuid/app_nixos_test.go
+++ b/internal/app/internal/setuid/app_nixos_test.go
@@ -59,6 +59,8 @@ var testCasesNixos = []sealTestCase{
 },
 system.New(1000001).
 Ensure("/tmp/fortify.1971", 0711).
+ Ensure("/tmp/fortify.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime", acl.Execute).
+ Ensure("/tmp/fortify.1971/runtime/1", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime/1", acl.Read, acl.Write, acl.Execute).
 Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
 Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
@@ -129,7 +131,7 @@ var testCasesNixos = []sealTestCase{
 Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
 Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 Tmpfs("/run/user", 4096, 0755).
- Tmpfs("/run/user/1971", 8388608, 0700).
+ Bind("/tmp/fortify.1971/runtime/1", "/run/user/1971", sandbox.BindWritable).
 Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
 Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", sandbox.BindWritable).
 Place("/etc/passwd", []byte("u0_a1:x:1971:100:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
diff --git a/internal/app/internal/setuid/app_pd_test.go b/internal/app/internal/setuid/app_pd_test.go
index b331684..6ee026f 100644
--- a/internal/app/internal/setuid/app_pd_test.go
+++ b/internal/app/internal/setuid/app_pd_test.go
@@ -23,6 +23,8 @@ var testCasesPd = []sealTestCase{
 },
 system.New(1000000).
 Ensure("/tmp/fortify.1971", 0711).
+ Ensure("/tmp/fortify.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime", acl.Execute).
+ Ensure("/tmp/fortify.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
 Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
 &sandbox.Params{
@@ -60,7 +62,7 @@ var testCasesPd = []sealTestCase{
 Tmpfs("/run/dbus", 8192, 0755).
 Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 Tmpfs("/run/user", 4096, 0755).
- Tmpfs("/run/user/65534", 8388608, 0700).
+ Bind("/tmp/fortify.1971/runtime/0", "/run/user/65534", sandbox.BindWritable).
 Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
 Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
 Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
@@ -118,6 +120,8 @@ var testCasesPd = []sealTestCase{
 },
 system.New(1000009).
 Ensure("/tmp/fortify.1971", 0711).
+ Ensure("/tmp/fortify.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime", acl.Execute).
+ Ensure("/tmp/fortify.1971/runtime/9", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime/9", acl.Read, acl.Write, acl.Execute).
 Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
 Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
@@ -200,7 +204,7 @@ var testCasesPd = []sealTestCase{
 Tmpfs("/run/dbus", 8192, 0755).
 Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 Tmpfs("/run/user", 4096, 0755).
- Tmpfs("/run/user/65534", 8388608, 0700).
+ Bind("/tmp/fortify.1971/runtime/9", "/run/user/65534", sandbox.BindWritable).
 Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
 Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
 Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
diff --git a/internal/app/internal/setuid/seal.go b/internal/app/internal/setuid/seal.go
index 91a3926..13d9ad8 100644
--- a/internal/app/internal/setuid/seal.go
+++ b/internal/app/internal/setuid/seal.go
@@ -317,8 +317,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 // inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
 innerRuntimeDir := path.Join("/run/user", mapuid.String())
- seal.container.Tmpfs("/run/user", 1<<12, 0755)
- seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0700)
 seal.env[xdgRuntimeDir] = innerRuntimeDir
 seal.env[xdgSessionClass] = "user"
 seal.env[xdgSessionType] = "tty"
@@ -326,9 +324,20 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 share := &shareHost{seal: seal, sc: sys.Paths()}
 seal.runDirPath = share.sc.RunDirPath
 seal.sys = system.New(seal.user.uid.unwrap())
+ seal.sys.Ensure(share.sc.SharePath, 0711)
+
+ {
+ runtimeDir := path.Join(share.sc.SharePath, "runtime")
+ seal.sys.Ensure(runtimeDir, 0700)
+ seal.sys.UpdatePermType(system.User, runtimeDir, acl.Execute)
+ runtimeDirInst := path.Join(runtimeDir, seal.user.aid.String())
+ seal.sys.Ensure(runtimeDirInst, 0700)
+ seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
+ seal.container.Tmpfs("/run/user", 1<<12, 0755)
+ seal.container.Bind(runtimeDirInst, innerRuntimeDir, sandbox.BindWritable)
+ }
 {
- seal.sys.Ensure(share.sc.SharePath, 0711)
 tmpdir := path.Join(share.sc.SharePath, "tmpdir")
 seal.sys.Ensure(tmpdir, 0700)
 seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
diff --git a/test/sandbox/case/device.nix b/test/sandbox/case/device.nix
index 802e2e3..ef3b549 100644
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@@ -105,7 +105,7 @@
 current-system = fs "80001ff" null null;
 opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
- "65534" = fs "800001c0" {
+ "65534" = fs "800001f8" {
 bus = fs "10001fd" null null;
 pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
 wayland-0 = fs "1000038" null null;
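Review bot: The second hunk binds a host directory, runtimeDirInst under share.sc.SharePath, as the container's XDG_RUNTIME_DIR in place of the per-instance 8 MiB tmpfs the first hunk removes, so whatever an app writes there — sockets, and for some apps credential or keyring files — now outlives the instance on disk (the updated nix fixtures show the mount backed by ext4) with no size bound, and nothing in this hunk removes runtimeDirInst once the last instance with that aid has exited. The block should state this explicitly, e.g. `// runtimeDirInst is shared by every instance with the same aid and persists on the host; it is not removed here`, and the cleanup responsibility should be named where it actually lives. The fixture changes from `800001c0` to `800001f8` suggest the directory now reads as 0770 inside the sandbox, which looks like the ACL mask set by the UpdatePermType call rather than a real group grant, but it does deviate from the 0700 the XDG basedir spec requires and strict checkers may reject it — worth confirming. finalise begins and continues outside these hunks.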
@@ -204,7 +204,7 @@
 (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
- (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000004,gid=1000004")
+ (ent "/tmp/fortify.1000/runtime/4" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/fortify.1000/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/var/lib/fortify/u0/a4" "/var/lib/fortify/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix
index 228532c..1f78708 100644
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -129,7 +129,7 @@
 current-system = fs "80001ff" null null;
 opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
- "1000" = fs "800001c0" {
+ "1000" = fs "800001f8" {
 bus = fs "10001fd" null null;
 pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
 wayland-0 = fs "1000038" null null;
@@ -232,7 +232,7 @@
 (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
- (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003")
+ (ent "/tmp/fortify.1000/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/fortify.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/var/lib/fortify/u0/a3" "/var/lib/fortify/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix
index 455ce8a..f1c996d 100644
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -129,7 +129,7 @@
 current-system = fs "80001ff" null null;
 opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
- "65534" = fs "800001c0" {
+ "65534" = fs "800001f8" {
 bus = fs "10001fd" null null;
 pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
 wayland-0 = fs "1000038" null null;
@@ -230,7 +230,7 @@
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
- (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000001,gid=1000001")
+ (ent "/tmp/fortify.1000/runtime/1" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/fortify.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/var/lib/fortify/u0/a1" "/var/lib/fortify/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix
index 6077ea4..8a54907 100644
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -130,7 +130,7 @@
 current-system = fs "80001ff" null null;
 opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
- "65534" = fs "800001c0" {
+ "65534" = fs "800001f8" {
 bus = fs "10001fd" null null;
 pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
 wayland-0 = fs "1000038" null null;
@@ -234,7 +234,7 @@
 (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
- (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002")
+ (ent "/tmp/fortify.1000/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/fortify.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/var/lib/fortify/u0/a2" "/var/lib/fortify/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")