cmd/fpkg: app bundle helper

This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk>
internal: include path to fortify main program
2024-12-28 00:56:28 +09:00 · 2024-12-26 12:48:48 +09:00
10 changed files with 449 additions and 470 deletions
--- a/fst/config.go
+++ b/fst/config.go
@ -35,8 +35,6 @@ type ConfinementConfig struct {
 	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
 	// extra acl entries to append
 	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 	// reference to a system D-Bus proxy configuration,
 	// nil value disables system bus proxy
@ -80,29 +78,6 @@ type SandboxConfig struct {
 	Override []string `json:"override"`
 }
 type ExtraPermConfig struct {
 	Path    string `json:"path"`
 	Read    bool   `json:"r,omitempty"`
 	Write   bool   `json:"w,omitempty"`
 	Execute bool   `json:"x,omitempty"`
 }
 func (e *ExtraPermConfig) String() string {
 	buf := make([]byte, 0, 4+len(e.Path))
 	buf = append(buf, '-', '-', '-', ':')
 	buf = append(buf, []byte(e.Path)...)
 	if e.Read {
 		buf[0] = 'r'
 	}
 	if e.Write {
 		buf[1] = 'w'
 	}
 	if e.Execute {
 		buf[2] = 'x'
 	}
 	return string(buf)
 }
 type FilesystemConfig struct {
 	// mount point in sandbox, same as src if empty
 	Dst string `json:"dst,omitempty"`
@ -247,7 +222,6 @@ func Template() *Config {
 					{Src: "/dev/dri", Device: true},
 				},
 				Link:     [][2]string{{"/run/user/65534", "/run/user/150"}},
 				Etc:      "/etc",
 				AutoEtc:  true,
 				Override: []string{"/var/run/nscd"},
 			},
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -8,7 +8,6 @@ import (
 	"regexp"
 	"strconv"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
@ -49,8 +48,6 @@ type appSeal struct {
 	et system.Enablements
 	// wayland socket direct access
 	directWayland bool
 	// extra UpdatePerm ops
 	extraPerms []*sealedExtraPerm
 	// prevents sharing from happening twice
 	shared bool
@ -62,11 +59,6 @@ type appSeal struct {
 	// protected by upstream mutex
 }
 type sealedExtraPerm struct {
 	name  string
 	perms acl.Perms
 }
 // Seal seals the app launch context
 func (a *app) Seal(config *fst.Config) error {
 	a.lock.Lock()
@ -108,65 +100,46 @@ func (a *app) Seal(config *fst.Config) error {
 	if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
 		return fmsg.WrapError(ErrUser,
 			fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
 	}
 	seal.sys.user = appUser{
 		aid:      config.Confinement.AppID,
 		as:       strconv.Itoa(config.Confinement.AppID),
 		data:     config.Confinement.Outer,
 		home:     config.Confinement.Inner,
 		username: config.Confinement.Username,
 	}
 	if seal.sys.user.username == "" {
 		seal.sys.user.username = "chronos"
 	} else if !posixUsername.MatchString(seal.sys.user.username) {
 		return fmsg.WrapError(ErrName,
 			fmt.Sprintf("invalid user name %q", seal.sys.user.username))
 	}
 	if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
 		return fmsg.WrapError(ErrHome,
 			fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
 	}
 	if seal.sys.user.home == "" {
 		seal.sys.user.home = seal.sys.user.data
 	}
 	// invoke fsu for full uid
 	if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
 		return fmsg.WrapErrorSuffix(err,
 			"cannot obtain uid from fsu:")
 	} else {
-		seal.sys.user.uid = u
+		seal.sys.user = appUser{
-		seal.sys.user.us = strconv.Itoa(u)
+			aid:      config.Confinement.AppID,
-	}
+			as:       strconv.Itoa(config.Confinement.AppID),
 			data:     config.Confinement.Outer,
 			home:     config.Confinement.Inner,
 			username: config.Confinement.Username,
 		}
 		if seal.sys.user.username == "" {
 			seal.sys.user.username = "chronos"
 		} else if !posixUsername.MatchString(seal.sys.user.username) {
 			return fmsg.WrapError(ErrName,
 				fmt.Sprintf("invalid user name %q", seal.sys.user.username))
 		}
 		if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
 			return fmsg.WrapError(ErrHome,
 				fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
 		}
 		if seal.sys.user.home == "" {
 			seal.sys.user.home = seal.sys.user.data
 		}
-	// resolve supplementary group ids from names
+		// invoke fsu for full uid
-	seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
+		if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
-	for i, name := range config.Confinement.Groups {
+			return fmsg.WrapErrorSuffix(err,
-		if g, err := a.os.LookupGroup(name); err != nil {
+				"cannot obtain uid from fsu:")
 			return fmsg.WrapError(err,
 				fmt.Sprintf("unknown group %q", name))
 		} else {
-			seal.sys.user.supp[i] = g.Gid
+			seal.sys.user.uid = u
-		}
+			seal.sys.user.us = strconv.Itoa(u)
 	}
 	// build extra perms
 	seal.extraPerms = make([]*sealedExtraPerm, len(config.Confinement.ExtraPerms))
 	for i, p := range config.Confinement.ExtraPerms {
 		if p == nil {
 			continue
 		}
-		seal.extraPerms[i].name = p.Path
+		// resolve supplementary group ids from names
-		seal.extraPerms[i].perms = make(acl.Perms, 0, 3)
+		seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
-		if p.Read {
+		for i, name := range config.Confinement.Groups {
-			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Read)
+			if g, err := a.os.LookupGroup(name); err != nil {
-		}
+				return fmsg.WrapError(err,
-		if p.Write {
+					fmt.Sprintf("unknown group %q", name))
-			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Write)
+			} else {
-		}
+				seal.sys.user.supp[i] = g.Gid
-		if p.Execute {
+			}
 			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
 		}
 	}
@ -256,7 +229,7 @@ func (a *app) Seal(config *fst.Config) error {
 	seal.et = config.Confinement.Enablements
 	// this method calls all share methods in sequence
-	if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
+	if err := seal.shareAll([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
 		return err
 	}
--- a/internal/app/share.dbus.go
+++ b/internal/app/share.dbus.go
@ -0,0 +1,44 @@
 package app
 import (
 	"path"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 const (
 	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
 	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
 )
 func (seal *appSeal) shareDBus(config [2]*dbus.Config) error {
 	if !seal.et.Has(system.EDBus) {
 		return nil
 	}
 	// downstream socket paths
 	sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
 	// configure dbus proxy
 	if f, err := seal.sys.ProxyDBus(config[0], config[1], sessionPath, systemPath); err != nil {
 		return err
 	} else {
 		seal.dbusMsg = f
 	}
 	// share proxy sockets
 	sessionInner := path.Join(seal.sys.runtime, "bus")
 	seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
 	seal.sys.bwrap.Bind(sessionPath, sessionInner)
 	seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
 	if config[1] != nil {
 		systemInner := "/run/dbus/system_bus_socket"
 		seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
 		seal.sys.bwrap.Bind(systemPath, systemInner)
 		seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
 	}
 	return nil
 }
--- a/internal/app/share.display.go
+++ b/internal/app/share.display.go
@ -0,0 +1,81 @@
 package app
 import (
 	"errors"
 	"path"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 const (
 	term    = "TERM"
 	display = "DISPLAY"
 	// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
 	waylandDisplay = "WAYLAND_DISPLAY"
 )
 var (
 	ErrWayland  = errors.New(waylandDisplay + " unset")
 	ErrXDisplay = errors.New(display + " unset")
 )
 func (seal *appSeal) shareDisplay(os linux.System) error {
 	// pass $TERM to launcher
 	if t, ok := os.LookupEnv(term); ok {
 		seal.sys.bwrap.SetEnv[term] = t
 	}
 	// set up wayland
 	if seal.et.Has(system.EWayland) {
 		var wp string
 		if wd, ok := os.LookupEnv(waylandDisplay); !ok {
 			return fmsg.WrapError(ErrWayland,
 				"WAYLAND_DISPLAY is not set")
 		} else {
 			wp = path.Join(seal.RuntimePath, wd)
 		}
 		w := path.Join(seal.sys.runtime, "wayland-0")
 		seal.sys.bwrap.SetEnv[waylandDisplay] = w
 		if seal.directWayland {
 			// hardlink wayland socket
 			wpi := path.Join(seal.shareLocal, "wayland")
 			seal.sys.Link(wp, wpi)
 			seal.sys.bwrap.Bind(wpi, w)
 			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
 			seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
 		} else {
 			wc := path.Join(seal.SharePath, "wayland")
 			wt := path.Join(wc, seal.id)
 			seal.sys.Ensure(wc, 0711)
 			appID := seal.fid
 			if appID == "" {
 				// use instance ID in case app id is not set
 				appID = "moe.ophivana.fortify." + seal.id
 			}
 			seal.sys.Wayland(wt, wp, appID, seal.id)
 			seal.sys.bwrap.Bind(wt, w)
 		}
 	}
 	// set up X11
 	if seal.et.Has(system.EX11) {
 		// discover X11 and grant user permission via the `ChangeHosts` command
 		if d, ok := os.LookupEnv(display); !ok {
 			return fmsg.WrapError(ErrXDisplay,
 				"DISPLAY is not set")
 		} else {
 			seal.sys.ChangeHosts("#" + seal.sys.user.us)
 			seal.sys.bwrap.SetEnv[display] = d
 			seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
 		}
 	}
 	return nil
 }
--- a/internal/app/share.go
+++ b/internal/app/share.go
@ -1,343 +0,0 @@
 package app
 import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"path"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 const (
 	home  = "HOME"
 	shell = "SHELL"
 	xdgConfigHome   = "XDG_CONFIG_HOME"
 	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
 	xdgSessionClass = "XDG_SESSION_CLASS"
 	xdgSessionType  = "XDG_SESSION_TYPE"
 	term    = "TERM"
 	display = "DISPLAY"
 	// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
 	waylandDisplay = "WAYLAND_DISPLAY"
 	pulseServer = "PULSE_SERVER"
 	pulseCookie = "PULSE_COOKIE"
 	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
 	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
 )
 var (
 	ErrWayland  = errors.New(waylandDisplay + " unset")
 	ErrXDisplay = errors.New(display + " unset")
 	ErrPulseCookie = errors.New("pulse cookie not present")
 	ErrPulseSocket = errors.New("pulse socket not present")
 	ErrPulseMode   = errors.New("unexpected pulse socket mode")
 )
 func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 	if seal.shared {
 		panic("seal shared twice")
 	}
 	seal.shared = true
 	/*
 		Tmpdir-based share directory
 	*/
 	// ensure Share (e.g. `/tmp/fortify.%d`)
 	// acl is unnecessary as this directory is world executable
 	seal.sys.Ensure(seal.SharePath, 0711)
 	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
 	// acl is unnecessary as this directory is world executable
 	seal.share = path.Join(seal.SharePath, seal.id)
 	seal.sys.Ephemeral(system.Process, seal.share, 0711)
 	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
 	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
 	seal.sys.Ensure(targetTmpdirParent, 0700)
 	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
 	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
 	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.as)
 	seal.sys.Ensure(targetTmpdir, 01700)
 	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
 	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
 	/*
 		XDG runtime directory
 	*/
 	// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
 	seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
 	seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
 	// point to inner runtime path `/run/user/%d`
 	seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
 	seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
 	seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
 	// ensure RunDir (e.g. `/run/user/%d/fortify`)
 	seal.sys.Ensure(seal.RunDirPath, 0700)
 	seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
 	// ensure runtime directory ACL (e.g. `/run/user/%d`)
 	seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
 	seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
 	// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
 	seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
 	seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
 	seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
 	/*
 		Inner passwd database
 	*/
 	// look up shell
 	sh := "/bin/sh"
 	if s, ok := os.LookupEnv(shell); ok {
 		seal.sys.bwrap.SetEnv[shell] = s
 		sh = s
 	}
 	// generate /etc/passwd
 	passwdPath := path.Join(seal.share, "passwd")
 	username := "chronos"
 	if seal.sys.user.username != "" {
 		username = seal.sys.user.username
 	}
 	homeDir := "/var/empty"
 	if seal.sys.user.home != "" {
 		homeDir = seal.sys.user.home
 	}
 	// bind home directory
 	seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
 	seal.sys.bwrap.Chdir = homeDir
 	seal.sys.bwrap.SetEnv["USER"] = username
 	seal.sys.bwrap.SetEnv["HOME"] = homeDir
 	passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
 	seal.sys.Write(passwdPath, passwd)
 	// write /etc/group
 	groupPath := path.Join(seal.share, "group")
 	seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
 	// bind /etc/passwd and /etc/group
 	seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
 	seal.sys.bwrap.Bind(groupPath, "/etc/group")
 	/*
 		Display servers
 	*/
 	// pass $TERM to launcher
 	if t, ok := os.LookupEnv(term); ok {
 		seal.sys.bwrap.SetEnv[term] = t
 	}
 	// set up wayland
 	if seal.et.Has(system.EWayland) {
 		var wp string
 		if wd, ok := os.LookupEnv(waylandDisplay); !ok {
 			return fmsg.WrapError(ErrWayland,
 				"WAYLAND_DISPLAY is not set")
 		} else {
 			wp = path.Join(seal.RuntimePath, wd)
 		}
 		w := path.Join(seal.sys.runtime, "wayland-0")
 		seal.sys.bwrap.SetEnv[waylandDisplay] = w
 		if !seal.directWayland { // set up security-context-v1
 			wc := path.Join(seal.SharePath, "wayland")
 			wt := path.Join(wc, seal.id)
 			seal.sys.Ensure(wc, 0711)
 			appID := seal.fid
 			if appID == "" {
 				// use instance ID in case app id is not set
 				appID = "moe.ophivana.fortify." + seal.id
 			}
 			seal.sys.Wayland(wt, wp, appID, seal.id)
 			seal.sys.bwrap.Bind(wt, w)
 		} else { // bind mount wayland socket (insecure)
 			// hardlink wayland socket
 			wpi := path.Join(seal.shareLocal, "wayland")
 			seal.sys.Link(wp, wpi)
 			seal.sys.bwrap.Bind(wpi, w)
 			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
 			seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
 		}
 	}
 	// set up X11
 	if seal.et.Has(system.EX11) {
 		// discover X11 and grant user permission via the `ChangeHosts` command
 		if d, ok := os.LookupEnv(display); !ok {
 			return fmsg.WrapError(ErrXDisplay,
 				"DISPLAY is not set")
 		} else {
 			seal.sys.ChangeHosts("#" + seal.sys.user.us)
 			seal.sys.bwrap.SetEnv[display] = d
 			seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
 		}
 	}
 	/*
 		PulseAudio server and authentication
 	*/
 	if seal.et.Has(system.EPulse) {
 		// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
 		pd := path.Join(seal.RuntimePath, "pulse")
 		ps := path.Join(pd, "native")
 		if _, err := os.Stat(pd); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
 			}
 			return fmsg.WrapError(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q not found", pd))
 		}
 		// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
 		if s, err := os.Stat(ps); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
 			}
 			return fmsg.WrapError(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
 		} else {
 			if m := s.Mode(); m&0o006 != 0o006 {
 				return fmsg.WrapError(ErrPulseMode,
 					fmt.Sprintf("unexpected permissions on %q:", ps), m)
 			}
 		}
 		// hard link pulse socket into target-executable share
 		psi := path.Join(seal.shareLocal, "pulse")
 		p := path.Join(seal.sys.runtime, "pulse", "native")
 		seal.sys.Link(ps, psi)
 		seal.sys.bwrap.Bind(psi, p)
 		seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
 		// publish current user's pulse cookie for target user
 		if src, err := discoverPulseCookie(os); err != nil {
 			// not fatal
 			fmsg.VPrintln(err.(*fmsg.BaseError).Message())
 		} else {
 			dst := path.Join(seal.share, "pulse-cookie")
 			innerDst := fst.Tmp + "/pulse-cookie"
 			seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
 			seal.sys.CopyFile(dst, src)
 			seal.sys.bwrap.Bind(dst, innerDst)
 		}
 	}
 	/*
 		D-Bus proxy
 	*/
 	if seal.et.Has(system.EDBus) {
 		// ensure dbus session bus defaults
 		if bus[0] == nil {
 			bus[0] = dbus.NewConfig(seal.fid, true, true)
 		}
 		// downstream socket paths
 		sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
 		// configure dbus proxy
 		if f, err := seal.sys.ProxyDBus(bus[0], bus[1], sessionPath, systemPath); err != nil {
 			return err
 		} else {
 			seal.dbusMsg = f
 		}
 		// share proxy sockets
 		sessionInner := path.Join(seal.sys.runtime, "bus")
 		seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
 		seal.sys.bwrap.Bind(sessionPath, sessionInner)
 		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
 		if bus[1] != nil {
 			systemInner := "/run/dbus/system_bus_socket"
 			seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
 			seal.sys.bwrap.Bind(systemPath, systemInner)
 			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
 		}
 	}
 	/*
 		Miscellaneous
 	*/
 	// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
 	for _, dest := range seal.sys.override {
 		seal.sys.bwrap.Tmpfs(dest, 8*1024)
 	}
 	// append extra perms
 	for _, p := range seal.extraPerms {
 		if p == nil {
 			continue
 		}
 		seal.sys.UpdatePermType(system.User, p.name, p.perms...)
 	}
 	return nil
 }
 // discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
 func discoverPulseCookie(os linux.System) (string, error) {
 	if p, ok := os.LookupEnv(pulseCookie); ok {
 		return p, nil
 	}
 	// dotfile $HOME/.pulse-cookie
 	if p, ok := os.LookupEnv(home); ok {
 		p = path.Join(p, ".pulse-cookie")
 		if s, err := os.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	// $XDG_CONFIG_HOME/pulse/cookie
 	if p, ok := os.LookupEnv(xdgConfigHome); ok {
 		p = path.Join(p, "pulse", "cookie")
 		if s, err := os.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	return "", fmsg.WrapError(ErrPulseCookie,
 		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
 			pulseCookie, xdgConfigHome, home))
 }
--- a/internal/app/share.pulse.go
+++ b/internal/app/share.pulse.go
@ -0,0 +1,119 @@
 package app
 import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"path"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 const (
 	pulseServer = "PULSE_SERVER"
 	pulseCookie = "PULSE_COOKIE"
 	home          = "HOME"
 	xdgConfigHome = "XDG_CONFIG_HOME"
 )
 var (
 	ErrPulseCookie = errors.New("pulse cookie not present")
 	ErrPulseSocket = errors.New("pulse socket not present")
 	ErrPulseMode   = errors.New("unexpected pulse socket mode")
 )
 func (seal *appSeal) sharePulse(os linux.System) error {
 	if !seal.et.Has(system.EPulse) {
 		return nil
 	}
 	// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
 	pd := path.Join(seal.RuntimePath, "pulse")
 	ps := path.Join(pd, "native")
 	if _, err := os.Stat(pd); err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return fmsg.WrapErrorSuffix(err,
 				fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
 		}
 		return fmsg.WrapError(ErrPulseSocket,
 			fmt.Sprintf("PulseAudio directory %q not found", pd))
 	}
 	// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
 	if s, err := os.Stat(ps); err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return fmsg.WrapErrorSuffix(err,
 				fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
 		}
 		return fmsg.WrapError(ErrPulseSocket,
 			fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
 	} else {
 		if m := s.Mode(); m&0o006 != 0o006 {
 			return fmsg.WrapError(ErrPulseMode,
 				fmt.Sprintf("unexpected permissions on %q:", ps), m)
 		}
 	}
 	// hard link pulse socket into target-executable share
 	psi := path.Join(seal.shareLocal, "pulse")
 	p := path.Join(seal.sys.runtime, "pulse", "native")
 	seal.sys.Link(ps, psi)
 	seal.sys.bwrap.Bind(psi, p)
 	seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
 	// publish current user's pulse cookie for target user
 	if src, err := discoverPulseCookie(os); err != nil {
 		fmsg.VPrintln(err.(*fmsg.BaseError).Message())
 	} else {
 		dst := path.Join(seal.share, "pulse-cookie")
 		innerDst := fst.Tmp + "/pulse-cookie"
 		seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
 		seal.sys.CopyFile(dst, src)
 		seal.sys.bwrap.Bind(dst, innerDst)
 	}
 	return nil
 }
 // discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
 func discoverPulseCookie(os linux.System) (string, error) {
 	if p, ok := os.LookupEnv(pulseCookie); ok {
 		return p, nil
 	}
 	// dotfile $HOME/.pulse-cookie
 	if p, ok := os.LookupEnv(home); ok {
 		p = path.Join(p, ".pulse-cookie")
 		if s, err := os.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	// $XDG_CONFIG_HOME/pulse/cookie
 	if p, ok := os.LookupEnv(xdgConfigHome); ok {
 		p = path.Join(p, "pulse", "cookie")
 		if s, err := os.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	return "", fmsg.WrapError(ErrPulseCookie,
 		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
 			pulseCookie, xdgConfigHome, home))
 }
--- a/internal/app/share.runtime.go
+++ b/internal/app/share.runtime.go
@ -0,0 +1,39 @@
 package app
 import (
 	"path"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 const (
 	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
 	xdgSessionClass = "XDG_SESSION_CLASS"
 	xdgSessionType  = "XDG_SESSION_TYPE"
 )
 // shareRuntime queues actions for sharing/ensuring the runtime and share directories
 func (seal *appSeal) shareRuntime() {
 	// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
 	seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
 	seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
 	// point to inner runtime path `/run/user/%d`
 	seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
 	seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
 	seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
 	// ensure RunDir (e.g. `/run/user/%d/fortify`)
 	seal.sys.Ensure(seal.RunDirPath, 0700)
 	seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
 	// ensure runtime directory ACL (e.g. `/run/user/%d`)
 	seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
 	seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
 	// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
 	seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
 	seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
 	seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
 }
--- a/internal/app/share.system.go
+++ b/internal/app/share.system.go
@ -0,0 +1,74 @@
 package app
 import (
 	"path"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 const (
 	shell = "SHELL"
 )
 // shareSystem queues various system-related actions
 func (seal *appSeal) shareSystem() {
 	// ensure Share (e.g. `/tmp/fortify.%d`)
 	// acl is unnecessary as this directory is world executable
 	seal.sys.Ensure(seal.SharePath, 0711)
 	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
 	// acl is unnecessary as this directory is world executable
 	seal.share = path.Join(seal.SharePath, seal.id)
 	seal.sys.Ephemeral(system.Process, seal.share, 0711)
 	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
 	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
 	seal.sys.Ensure(targetTmpdirParent, 0700)
 	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
 	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
 	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.as)
 	seal.sys.Ensure(targetTmpdir, 01700)
 	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
 	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
 }
 func (seal *appSeal) sharePasswd(os linux.System) {
 	// look up shell
 	sh := "/bin/sh"
 	if s, ok := os.LookupEnv(shell); ok {
 		seal.sys.bwrap.SetEnv[shell] = s
 		sh = s
 	}
 	// generate /etc/passwd
 	passwdPath := path.Join(seal.share, "passwd")
 	username := "chronos"
 	if seal.sys.user.username != "" {
 		username = seal.sys.user.username
 	}
 	homeDir := "/var/empty"
 	if seal.sys.user.home != "" {
 		homeDir = seal.sys.user.home
 	}
 	// bind home directory
 	seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
 	seal.sys.bwrap.Chdir = homeDir
 	seal.sys.bwrap.SetEnv["USER"] = username
 	seal.sys.bwrap.SetEnv["HOME"] = homeDir
 	passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
 	seal.sys.Write(passwdPath, passwd)
 	// write /etc/group
 	groupPath := path.Join(seal.share, "group")
 	seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
 	// bind /etc/passwd and /etc/group
 	seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
 	seal.sys.bwrap.Bind(groupPath, "/etc/group")
 }
--- a/internal/app/system.go
+++ b/internal/app/system.go
@ -1,7 +1,9 @@
 package app
 import (
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
@ -49,3 +51,37 @@ type appUser struct {
 	// passwd database username
 	username string
 }
 // shareAll calls all share methods in sequence
 func (seal *appSeal) shareAll(bus [2]*dbus.Config, os linux.System) error {
 	if seal.shared {
 		panic("seal shared twice")
 	}
 	seal.shared = true
 	seal.shareSystem()
 	seal.shareRuntime()
 	seal.sharePasswd(os)
 	if err := seal.shareDisplay(os); err != nil {
 		return err
 	}
 	if err := seal.sharePulse(os); err != nil {
 		return err
 	}
 	// ensure dbus session bus defaults
 	if bus[0] == nil {
 		bus[0] = dbus.NewConfig(seal.fid, true, true)
 	}
 	if err := seal.shareDBus(bus); err != nil {
 		return err
 	}
 	// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
 	for _, dest := range seal.sys.override {
 		seal.sys.bwrap.Tmpfs(dest, 8*1024)
 	}
 	return nil
 }
--- a/print.go
+++ b/print.go
@ -90,47 +90,29 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
 	fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
 	fmt.Fprintf(w, "\n")
-	if !short {
+	if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
-		if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
+		fmt.Fprintf(w, "Filesystem:\n")
-			fmt.Fprintf(w, "Filesystem\n")
+		for _, f := range config.Confinement.Sandbox.Filesystem {
-			for _, f := range config.Confinement.Sandbox.Filesystem {
+			expr := new(strings.Builder)
-				if f == nil {
+			if f.Device {
-					continue
+				expr.WriteString(" d")
-				}
+			} else if f.Write {
-
+				expr.WriteString(" w")
-				expr := new(strings.Builder)
+			} else {
-				expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
+				expr.WriteString(" ")
 				if f.Device {
 					expr.WriteString(" d")
 				} else if f.Write {
 					expr.WriteString(" w")
 				} else {
 					expr.WriteString(" ")
 				}
 				if f.Must {
 					expr.WriteString("*")
 				} else {
 					expr.WriteString("+")
 				}
 				expr.WriteString(f.Src)
 				if f.Dst != "" {
 					expr.WriteString(":" + f.Dst)
 				}
 				fmt.Fprintf(w, "%s\n", expr.String())
 			}
-			fmt.Fprintf(w, "\n")
+			if f.Must {
-		}
+				expr.WriteString("*")
-		if len(config.Confinement.ExtraPerms) > 0 {
+			} else {
-			fmt.Fprintf(w, "Extra ACL\n")
+				expr.WriteString("+")
 			for _, p := range config.Confinement.ExtraPerms {
 				if p == nil {
 					continue
 				}
 				fmt.Fprintf(w, " %s\n", p.String())
 			}
-			fmt.Fprintf(w, "\n")
+			expr.WriteString(f.Src)
 			if f.Dst != "" {
 				expr.WriteString(":" + f.Dst)
 			}
 			fmt.Fprintf(w, "%s\n", expr.String())
 		}
 		fmt.Fprintf(w, "\n")
 	}
 	printDBus := func(c *dbus.Config) {
Author	SHA1	Message	Date
Ophestra	c6d813b737	cmd/fpkg: app bundle helper All checks were successful Tests / Go tests (push) Successful in 57s Details Nix / NixOS tests (push) Successful in 4m5s Details This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 00:56:28 +09:00
Ophestra	22b435a88b	internal: include path to fortify main program Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 12:48:48 +09:00