app: remove share method

This is yet another implementation detail from before system.I, getting rid of this vastly cuts down on redundant seal state.

Signed-off-by: Ophestra <cat@gensokyo.uk>

fst/app.go

@@ -24,10 +24,10 @@ type RunState struct {
 
 // Paths contains environment-dependent paths used by fortify.
 type Paths struct {
-	// path to shared directory e.g. /tmp/fortify.%d
+	// path to shared directory (usually `/tmp/fortify.%d`)
 	SharePath string `json:"share_path"`
-	// XDG_RUNTIME_DIR value e.g. /run/user/%d
+	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
 	RuntimePath string `json:"runtime_path"`
-	// application runtime directory e.g. /run/user/%d/fortify
+	// application runtime directory (usually `/run/user/%d/fortify`)
 	RunDirPath string `json:"run_dir_path"`
 }

fst/config.go

@@ -10,9 +10,11 @@ const Tmp = "/.fortify"
 
 // Config is used to seal an app
 type Config struct {
-	// application ID
+	// reverse-DNS style arbitrary identifier string from config;
+	// passed to wayland security-context-v1 as application ID
+	// and used as part of defaults in dbus session proxy
 	ID string `json:"id"`
-	// value passed through to the child process as its argv
+	// final argv, passed to init
 	Command []string `json:"command"`
 
 	Confinement ConfinementConfig `json:"confinement"`
@@ -32,7 +34,7 @@ type ConfinementConfig struct {
 	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
-	// extra acl entries to append
+	// extra acl ops, runs after everything else
 	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 
 	// reference to a system D-Bus proxy configuration,

fst/sandbox.go

@@ -26,7 +26,8 @@ type SandboxConfig struct {
 	NoNewSession bool `json:"no_new_session,omitempty"`
 	// map target user uid to privileged user uid in the user namespace
 	MapRealUID bool `json:"map_real_uid"`
-	// direct access to wayland socket
+	// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
+	// and the bare socket is mounted to the sandbox
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 
 	// final environment variables
@@ -39,7 +40,8 @@ type SandboxConfig struct {
 	Etc string `json:"etc,omitempty"`
 	// automatically set up /etc symlinks
 	AutoEtc bool `json:"auto_etc"`
-	// paths to override by mounting tmpfs over them
+	// mount tmpfs over these paths,
+	// runs right before [ConfinementConfig.ExtraPerms]
 	Override []string `json:"override"`
 }
 
@@ -56,7 +58,7 @@ type SandboxSys interface {
 
 // Bwrap returns the address of the corresponding bwrap.Config to s.
 // Note that remaining tmpfs entries must be queued by the caller prior to launch.
-func (s *SandboxConfig) Bwrap(sys SandboxSys) (*bwrap.Config, error) {
+func (s *SandboxConfig) Bwrap(sys SandboxSys, uid *int) (*bwrap.Config, error) {
 	if s == nil {
 		return nil, errors.New("nil sandbox config")
 	}
@@ -65,16 +67,20 @@ func (s *SandboxConfig) Bwrap(sys SandboxSys) (*bwrap.Config, error) {
 		sys.Println("syscall filter not configured, PROCEED WITH CAUTION")
 	}
 
-	var uid int
 	if !s.MapRealUID {
-		uid = 65534
+		// mapped uid defaults to 65534 to work around file ownership checks due to a bwrap limitation
+		*uid = 65534
 	} else {
-		uid = sys.Geteuid()
+		// some programs fail to connect to dbus session running as a different uid, so a separate workaround
+		// is introduced to map priv-side caller uid in namespace
+		*uid = sys.Geteuid()
 	}
 
 	conf := (&bwrap.Config{
 		Net:      s.Net,
 		UserNS:   s.UserNS,
+		UID:      uid,
+		GID:      uid,
 		Hostname: s.Hostname,
 		Clearenv: true,
 		SetEnv:   s.Env,
@@ -93,7 +99,6 @@ func (s *SandboxConfig) Bwrap(sys SandboxSys) (*bwrap.Config, error) {
 		// for saving such a miniscule amount of memory
 		Chmod: make(bwrap.ChmodConfig),
 	}).
-		SetUID(uid).SetGID(uid).
 		Procfs("/proc").
 		Tmpfs(Tmp, 4*1024)