security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

app: set up acl on X11 socket
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m24s
Details
Test / Hakurei (push) Successful in 3m18s
Details
Test / Hpkg (push) Successful in 4m11s
Details
Test / Sandbox (race detector) (push) Successful in 4m23s
Details
Test / Hakurei (race detector) (push) Successful in 5m4s
Details
Test / Flake checks (push) Successful in 1m40s
Details

Browse Source 
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging #1.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-18 02:24:56 +09:00
parent 0ac6e99818
commit cf38a00ecc
10 changed files with 126 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
internal/app/seal_linux.go
View File

@@ -12,6 +12,7 @@ import (
"path"
"regexp"
"slices"
"strconv"
"strings"
"sync/atomic"
"syscall"
@@ -390,6 +391,22 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
seal.env[display] = d
socketDir := container.AbsFHSTmp.Append(".X11-unix")
seal.container.Bind(socketDir, socketDir, 0)
// the socket file at `/tmp/.X11-unix/X%d` is typically owned by the priv user
// and not accessible by the target user
var socketPath *container.Absolute
if len(d) > 1 && d[0] == ':' { // `:%d`
if n, err := strconv.Atoi(d[1:]); err == nil && n >= 0 {
socketPath = socketDir.Append("X" + strconv.Itoa(n))
}
} else if len(d) > 5 && strings.HasPrefix(d, "unix:") { // `unix:%s`
if a, err := container.NewAbs(d[5:]); err == nil {
socketPath = a
}
}
if socketPath != nil {
seal.sys.UpdatePermTypeOptional(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute)
}
}
}