More robust checks #59

merged 4 commits into from Mar 31, 2021
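--- a/usr/bin/sandbox-app-launcher
+++ b/usr/bin/sandbox-app-launcher
@@ -108,6 +108,10 @@ fi
 
 wrapper_script="${wrapper_dir}/${app_name}"
 
+if [ "$(id -u)" = "0" ]; then
+sal_is_run_with_root=true
+fi
+
 error_handler() {
 echo "
 ## sandbox-app-launcher BUG.
@@ -119,20 +123,43 @@ error_handler() {
 
 trap "error_handler" ERR
 
+run_if_root() {
+if [ "${sal_is_run_with_root}" = "true" ]; then
+"${@}"
+else
+echo "ERROR: The setup for this program is incomplete. To fix, please execute:
+
+sudo sandbox-app-launcher setup ${app_name}
+
+(Debugging information: ${@})" >&2
+exit 1
+fi
+}
+
 setup() {
-if ! [ "$(id -u)" = "0" ]; then
+if ! [ "${sal_is_run_with_root}" = "true" ]; then
 echo "ERROR: The setup must be run as root." >&2
 exit 1
 fi
 
 for dir in "${main_app_dir}" "${auto_dir}" "${wrapper_dir}" "${wrapper_dir_wx}" "${appdata_dir}"; do
-if ! [ "$(stat -c %a "${dir}")" = "755" ]; then
-chmod 755 "${dir}"
+## Check if the required directories exist.
+if ! [ -d "${dir}" ]; then
+echo "ERROR: Directory '${dir}' does not exist. This package was not installed properly." >&2
+exit 1
+## Fix permissions.
+elif ! [ "$(stat -c %a "${dir}")" = "755" ]; then
+chmod 755 "${dir}"
 fi
 done
 
-if ! [ "$(stat -c %a "${shared_dir}")" = "1777" ]; then
-chmod 1777 "${dir}"
+## Check if the shared directory exists.
+if ! [ -d "${shared_dir}" ]; then
+echo "ERROR: Directory '${shared_dir}' does not exist. This package was not installed properly." >&2
+exit 1
+## Fix permissions.
+elif ! [ "$(stat -c %a "${shared_dir}")" = "1777" ]; then
+chmod 1777 "${shared_dir}"
 fi
 
 ## Create the user that the sandboxed application will run as.
@@ -240,6 +267,16 @@ EOF
 }
 
 run_program() {
+## Fix permissions if running as root.
+for dir in "${main_app_dir}" "${auto_dir}" "${wrapper_dir}" "${wrapper_dir_wx}" "${appdata_dir}"; do
+if ! [ "$(stat -c %a "${dir}")" = "755" ]; then
+run_if_root chmod 755 "${dir}"
+fi
+done
+if ! [ "$(stat -c %a "${shared_dir}")" = "1777" ]; then
+run_if_root chmod 1777 "${shared_dir}"
+fi
+
 ## TODO: X11 sandbox - not needed if we switch to wayland
 ## TODO: IPC namespace
 ## TODO: Network namespace - probably via ip netns
@@ -347,21 +384,21 @@ run_program() {
 }
 
 remove_app() {
-if ! [ "$(id -u)" = "0" ]; then
+if ! [ "${sal_is_run_with_root}" = "true" ]; then
 echo "ERROR: The removal process must be run as root." >&2
 exit 1
 fi
 
 if getent passwd | grep -q "${app_user}"; then
 userdel --remove --force "${app_user}"
 else
-echo "ERROR: User '${app_user}' does not exist."
+echo "ERROR: User '${app_user}' does not exist." >&2
 fi
 
 if [ -f "${wrapper_script}" ]; then
 rm "${wrapper_script}"
 else
-echo "ERROR: File '${wrapper_script}' does not exist."
+echo "ERROR: File '${wrapper_script}' does not exist." >&2
 fi
 }
 
@@ -373,7 +410,7 @@ elif [ "${start_program}" = "1" ]; then
 else
 echo "ERROR: The sandbox for this program has not been set up yet. Please execute:
 
-sudo sandbox-app-launcher setup ${app_name}"
+sudo sandbox-app-launcher setup ${app_name}" >&2
 fi
 elif [ "${remove}" = "1" ]; then
 remove_app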
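Review bot: The permission loop added at the top of run_program() repeats setup()'s directory list but not the `-d` guard that setup() gains in the same change, so a directory missing at launch time gives an empty `stat` result, a chmod attempt on a path that does not exist and the generic error_handler output instead of the explicit "not installed properly" message. A one-line guard before the stat, `[ -d "${dir}" ] || { echo "ERROR: Directory '${dir}' does not exist. This package was not installed properly." >&2; exit 1; }`, keeps the two code paths consistent, and the same applies to the `shared_dir` check that follows it. Both the setup() and run_program() checks compare only the mode bits from `stat -c %a`, so a directory with the expected mode but an unexpected owner would still pass — presumably that matters for wrapper_dir, since the sandboxed user must not be able to replace wrappers, so comparing `stat -c %U` against the expected owner would close that gap. Minor: `${@}` inside the double-quoted message in run_if_root is the SC2145 pattern; `${*}` expresses the intended join. run_program's body continues outside the hunk.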