app: support mapping target uid as privileged uid in sandbox

Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 03:15:39 +09:00
parent 7962681f4a
commit af15b1c048
4 changed files with 25 additions and 11 deletions
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -129,6 +129,15 @@ func (a *app) Seal(config *Config) error {
 	// create seal system component
 	seal.sys = new(appSealSys)

+	// mapped uid
+	if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.UseRealUID {
+		seal.sys.mappedID = a.os.Geteuid()
+	} else {
+		seal.sys.mappedID = 65534
+	}
+	seal.sys.mappedIDString = strconv.Itoa(seal.sys.mappedID)
+	seal.sys.runtime = path.Join("/run/user", seal.sys.mappedIDString)
+
 	// look up user from system
 	if u, err := a.os.Lookup(config.User); err != nil {
 		if errors.As(err, new(user.UnknownUserError)) {
@@ -139,7 +148,6 @@ func (a *app) Seal(config *Config) error {
 		}
 	} else {
 		seal.sys.user = u
-		seal.sys.runtime = path.Join("/run/user", mappedIDString)
 	}

 	// map sandbox config to bwrap
@@ -228,7 +236,7 @@ func (a *app) Seal(config *Config) error {

 		config.Confinement.Sandbox = conf
 	}
-	seal.sys.bwrap = config.Confinement.Sandbox.Bwrap()
+	seal.sys.bwrap = config.Confinement.Sandbox.Bwrap(a.os.Geteuid())
 	seal.sys.override = config.Confinement.Sandbox.Override
 	if seal.sys.bwrap.SetEnv == nil {
 		seal.sys.bwrap.SetEnv = make(map[string]string)