app: share runtime dir

This allows apps with the same identity to access the same runtime dir. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-08 03:24:48 +09:00
parent bf5772bd8a
commit 717771ae80
7 changed files with 29 additions and 14 deletions
--- a/internal/app/internal/setuid/app_nixos_test.go
+++ b/internal/app/internal/setuid/app_nixos_test.go
@@ -59,6 +59,8 @@ var testCasesNixos = []sealTestCase{
 		},
 		system.New(1000001).
 			Ensure("/tmp/fortify.1971", 0711).
+			Ensure("/tmp/fortify.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime", acl.Execute).
+			Ensure("/tmp/fortify.1971/runtime/1", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
@@ -129,7 +131,7 @@ var testCasesNixos = []sealTestCase{
 				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
 				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 				Tmpfs("/run/user", 4096, 0755).
-				Tmpfs("/run/user/1971", 8388608, 0700).
+				Bind("/tmp/fortify.1971/runtime/1", "/run/user/1971", sandbox.BindWritable).
 				Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
 				Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", sandbox.BindWritable).
 				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
--- a/internal/app/internal/setuid/app_pd_test.go
+++ b/internal/app/internal/setuid/app_pd_test.go
@@ -23,6 +23,8 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000000).
 			Ensure("/tmp/fortify.1971", 0711).
+			Ensure("/tmp/fortify.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime", acl.Execute).
+			Ensure("/tmp/fortify.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
 		&sandbox.Params{
@@ -60,7 +62,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs("/run/user", 4096, 0755).
-				Tmpfs("/run/user/65534", 8388608, 0700).
+				Bind("/tmp/fortify.1971/runtime/0", "/run/user/65534", sandbox.BindWritable).
 				Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
 				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
@@ -118,6 +120,8 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000009).
 			Ensure("/tmp/fortify.1971", 0711).
+			Ensure("/tmp/fortify.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime", acl.Execute).
+			Ensure("/tmp/fortify.1971/runtime/9", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/runtime/9", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
@@ -200,7 +204,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 				Tmpfs("/run/user", 4096, 0755).
-				Tmpfs("/run/user/65534", 8388608, 0700).
+				Bind("/tmp/fortify.1971/runtime/9", "/run/user/65534", sandbox.BindWritable).
 				Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
 				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
--- a/internal/app/internal/setuid/seal.go
+++ b/internal/app/internal/setuid/seal.go
@@ -317,8 +317,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co

 	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
 	innerRuntimeDir := path.Join("/run/user", mapuid.String())
-	seal.container.Tmpfs("/run/user", 1<<12, 0755)
-	seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0700)
 	seal.env[xdgRuntimeDir] = innerRuntimeDir
 	seal.env[xdgSessionClass] = "user"
 	seal.env[xdgSessionType] = "tty"
@@ -326,9 +324,20 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 	share := &shareHost{seal: seal, sc: sys.Paths()}
 	seal.runDirPath = share.sc.RunDirPath
 	seal.sys = system.New(seal.user.uid.unwrap())
+	seal.sys.Ensure(share.sc.SharePath, 0711)
+
+	{
+		runtimeDir := path.Join(share.sc.SharePath, "runtime")
+		seal.sys.Ensure(runtimeDir, 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDir, acl.Execute)
+		runtimeDirInst := path.Join(runtimeDir, seal.user.aid.String())
+		seal.sys.Ensure(runtimeDirInst, 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
+		seal.container.Tmpfs("/run/user", 1<<12, 0755)
+		seal.container.Bind(runtimeDirInst, innerRuntimeDir, sandbox.BindWritable)
+	}

 	{
-		seal.sys.Ensure(share.sc.SharePath, 0711)
 		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
 		seal.sys.Ensure(tmpdir, 0700)
 		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)