From b932ac826023a7cc2df09a81462f8b93420e107f Mon Sep 17 00:00:00 2001 From: Ophestra Umiker Date: Fri, 25 Oct 2024 13:29:01 +0900 Subject: [PATCH] app/config: support creating symlinks within sandbox This is already supported by the underlying bwrap helper. This change exposes access to it in Config. Signed-off-by: Ophestra Umiker --- internal/app/config.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/internal/app/config.go b/internal/app/config.go index 90a99c8..4946525 100644 --- a/internal/app/config.go +++ b/internal/app/config.go @@ -1,7 +1,6 @@ package app import ( - "encoding/gob" "os" "git.ophivana.moe/security/fortify/dbus" @@ -9,10 +8,6 @@ import ( "git.ophivana.moe/security/fortify/internal/system" ) -func init() { - gob.Register(new(bwrap.PermConfig[*bwrap.TmpfsConfig])) -} - // Config is used to seal an *App type Config struct { // D-Bus application ID @@ -61,6 +56,8 @@ type SandboxConfig struct { Env map[string]string `json:"env"` // sandbox host filesystem access Filesystem []*FilesystemConfig `json:"filesystem"` + // symlinks created inside the sandbox + Link [][2]string `json:"symlink"` // paths to override by mounting tmpfs over them Override []string `json:"override"` } @@ -99,7 +96,8 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config { Chmod: make(map[string]os.FileMode), }). SetUID(65534).SetGID(65534). - Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue") + Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue"). + Tmpfs("/dev/fortify", 4*1024) for _, c := range s.Filesystem { if c == nil { @@ -113,6 +111,10 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config { conf.Bind(src, dest, !c.Must, c.Write, c.Device) } + for _, l := range s.Link { + conf.Symlink(l[0], l[1]) + } + return conf } @@ -149,6 +151,7 @@ func Template() *Config { {Src: "/data/user/0", Dst: "/data/data", Write: true, Must: true}, {Src: "/var/tmp", Write: true}, }, + Link: [][2]string{{"/dev/fortify/etc", "/etc"}}, Override: []string{"/var/run/nscd"}, }, SystemBus: &dbus.Config{