security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

system/tmpfiles: implement private tmpfiles
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Run NixOS test (push) Successful in 3m30s
Details

Browse Source 
These are only available within the mount namespace and should significantly reduce attack surface.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-02-17 00:07:52 +09:00
parent 60c10c3f4a
commit 82a072f641
7 changed files with 66 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/app/share.go
View File

@@ -231,11 +231,11 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
// not fatal
fmsg.Verbose(strings.TrimSpace(err.(*fmsg.BaseError).Message()))
} else {
dst := path.Join(seal.share, "pulse-cookie")
innerDst := fst.Tmp + "/pulse-cookie"
seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
seal.sys.CopyFile(dst, src)
seal.sys.bwrap.Bind(dst, innerDst)
payload := new([]byte)
seal.sys.bwrap.CopyBindRef(innerDst, &payload)
seal.sys.CopyFile(payload, src, 256, 256)
}
}