package permissions
import (
"bufio"
"bytes"
"errors"
"io"
"io/ioutil"
"os"
"path/filepath"
"strings"
"strconv"
helpers "github.com/mgord9518/aisap/helpers"
ini "gopkg.in/ini.v1"
xdg "github.com/adrg/xdg"
)
var (
	// InvalidSocket is the error SocketFromString returns when the given name
	// has no entry in SocketMap.
	InvalidSocket = errors.New("socket invalid")
)

// File groups a Source string, a Dest string and a Writable flag.
// NOTE(review): nothing visible in this file uses File; presumably it
// describes a file exposed into the sandbox. Confirm against callers.
type File struct {
	Source   string
	Dest     string
	Writable bool
}

// Socket is the name of one socket permission, as stored in
// AppImagePerms.Sockets. Valid values are the constants declared in this
// package; use SocketFromString to convert a string.
type Socket string
// SocketFromString converts a socket name into its Socket value.
//
// The lookup is an exact, case-sensitive match against the keys of SocketMap.
// A name with no entry yields the zero Socket and InvalidSocket, so callers
// handling names from a permissions profile can reject anything that is not
// on the list.
func SocketFromString(socketString string) (Socket, error) {
	if known, ok := SocketMap[socketString]; ok {
		return known, nil
	}

	var none Socket
	return none, InvalidSocket
}
// Socket values that AppImagePerms.Sockets may hold. The string of each
// constant is the name SocketMap accepts for it.
// NOTE(review): several of these (cgroup, network, pid, user, uts) read like
// Linux namespace names rather than sockets. Confirm how the sandbox
// interprets each one before relying on the name alone.
const (
	X11        Socket = "x11"
	Alsa       Socket = "alsa"
	Audio      Socket = "audio"
	PulseAudio Socket = "pulseaudio"
	Wayland    Socket = "wayland"
	Dbus       Socket = "dbus"
	Cgroup     Socket = "cgroup"
	Network    Socket = "network"
	Pid        Socket = "pid"
	Pipewire   Socket = "pipewire"
	Session    Socket = "session"
	User       Socket = "user"
	Uts        Socket = "uts"
)

var (
	// SocketMap maps a socket name to its Socket constant and is what
	// SocketFromString consults, so it acts as the allow-list of socket names.
	// A constant that has no entry here cannot be obtained through
	// SocketFromString. The map is an exported, mutable package variable:
	// code that modifies it changes which names are accepted.
	SocketMap = map[string]Socket{
		"x11":        X11,
		"alsa":       Alsa,
		"audio":      Audio,
		"pulseaudio": PulseAudio,
		"wayland":    Wayland,
		"dbus":       Dbus,
		"cgroup":     Cgroup,
		"network":    Network,
		"pid":        Pid,
		"pipewire":   Pipewire,
		"session":    Session,
		"user":       User,
		"uts":        Uts,
	}
)
// AppImagePerms holds the sandbox permissions of one AppImage: a base level
// plus the files, devices and sockets it is allowed to use.
type AppImagePerms struct {
	// How much access to system files. SetLevel and FromIni accept 0-3;
	// FromIni stores -1 when no valid level could be read.
	Level int `json:"level"`
	// Grant permission to access files. removeFile matches entries by their
	// `:ro` / `:rw` suffix, so entries are expected to carry one.
	Files []string `json:"filesystem"`
	// Access device files (eg: dri, input)
	Devices []string `json:"devices"`
	// Use sockets (eg: x11, pulseaudio, network)
	Sockets []Socket `json:"sockets"`
	// TODO: rename to PersistentHome or something
	// Whether or not a data dir should be created. FromIni enables it unless
	// the profile says "false".
	// NOTE(review): the original remark "only use if the AppImage saves ZERO
	// data eg: 100% online or a game without save files" presumably refers to
	// turning this off. Confirm.
	DataDir bool `json:"data_dir"`
	// Only intended for unmarshalling, should not be used for other purposes
	Names []string `json:"names"`
}
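// FromIni reads sandbox permissions from the "X-App Permissions" section of
// the provided *ini.File.
//
// The Level key must parse as an integer from 0 to 3. When it does not,
// FromIni returns an *AppImagePerms whose Level is -1 together with a non-nil
// error, so a caller that only checks the error cannot mistake a rejected
// profile for a usable one. DataDir is enabled unless the DataDir key is the
// literal string "false".
func FromIni(e *ini.File) (*AppImagePerms, error) {
	p := &AppImagePerms{}
	section := e.Section("X-App Permissions")

	// Read the keys in a fixed order before interpreting any of them.
	level := section.Key("Level").Value()
	filePerms := section.Key("Files").Value()
	devicePerms := section.Key("Devices").Value()
	socketPerms := section.Key("Sockets").Value()

	// Saving to a data dir is opt-out: only "false" turns it off.
	p.DataDir = section.Key("DataDir").Value() != "false"

	l, err := strconv.Atoi(level)
	if err != nil {
		p.Level = -1
		return p, err
	}
	if l < 0 || l > 3 {
		// Atoi succeeded, so err is nil here; an out-of-range level still has
		// to be reported as a failure rather than returned with a nil error.
		p.Level = -1
		return p, errors.New("permissions level must be int from 0-3")
	}
	p.Level = l

	// Split each key into its entries and clean up the names.
	p.AddFiles(helpers.SplitKey(filePerms)...)
	p.AddDevices(helpers.SplitKey(devicePerms)...)

	// AddSockets stops at the first name SocketFromString rejects, and its
	// error is discarded here, so any socket names after a bad one are
	// silently skipped.
	// NOTE(review): consider returning this error once it is confirmed that
	// helpers.SplitKey never yields an empty element for an empty key.
	_ = p.AddSockets(helpers.SplitKey(socketPerms)...)

	return p, nil
}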
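// FromSystem reads permissions from the profile stored at
// ~/.local/share/aisap/profiles/[ai.Name] (xdg.DataHome/aisap/profiles/name).
// This should be the preferred way to get permissions and gives maximum power
// to the user (provided they use a tool to easily edit these permissions).
//
// name must be a single file name. An empty name, "." or "..", or a name
// containing a path separator is rejected with an error, so the lookup cannot
// resolve to a file outside the profiles directory. On any error the returned
// *AppImagePerms is the empty value and must not be used as a profile.
func FromSystem(name string) (*AppImagePerms, error) {
	p := &AppImagePerms{}

	// name may originate from AppImage metadata (TODO confirm against
	// callers); treat it as untrusted and refuse anything that is not a plain
	// file name before building the path.
	if name == "" || name == "." || name == ".." || name != filepath.Base(name) {
		return p, errors.New("invalid profile name")
	}

	fp := filepath.Join(xdg.DataHome, "aisap", "profiles", name)
	f, err := os.Open(fp)
	if err != nil {
		return p, err
	}
	defer f.Close()

	var e strings.Builder
	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		// NOTE(review): as written, both arguments are the same ";" so this
		// call leaves the line unchanged. Kept as is; confirm which
		// character was meant to be normalised.
		e.WriteString(strings.ReplaceAll(scanner.Text(), ";", ";"))
		e.WriteString("\n")
	}
	// A read failure or an over-long line ends the scan early; report it
	// instead of parsing a truncated permissions profile.
	if err := scanner.Err(); err != nil {
		return p, err
	}

	entry, err := ini.Load([]byte(e.String()))
	if err != nil {
		return p, err
	}

	return FromIni(entry)
}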
// FromReader reads everything from r, parses it as an INI document and
// returns the permissions FromIni extracts from it. A read or parse failure
// yields a nil *AppImagePerms and the error.
//
// The whole input is buffered in memory before parsing, so callers handing in
// data they do not control may want to bound r first (for example with
// io.LimitReader).
func FromReader(r io.Reader) (*AppImagePerms, error) {
	raw, readErr := ioutil.ReadAll(r)
	if readErr != nil {
		return nil, readErr
	}

	// NOTE(review): as written, both arguments are the same ";" so this
	// replacement leaves the bytes unchanged. Confirm which character was
	// meant to be normalised.
	normalised := bytes.ReplaceAll(raw, []byte(";"), []byte(";"))

	entry, loadErr := ini.Load(normalised)
	if loadErr != nil {
		return nil, loadErr
	}

	return FromIni(entry)
}
// AddFiles appends the given file entries to p.Files after passing them
// through helpers.CleanFiles.
func (p *AppImagePerms) AddFiles(s ...string) {
	// Drop existing entries for the same files first, so that re-adding a
	// file replaces its old entry instead of listing it twice.
	p.RemoveFiles(s...)

	cleaned := helpers.CleanFiles(s)
	p.Files = append(p.Files, cleaned...)
}
// AddDevices appends the given device entries to p.Devices after passing them
// through helpers.CleanDevices. Entries already present under the same name
// are removed first.
func (p *AppImagePerms) AddDevices(s ...string) {
	p.RemoveDevices(s...)

	cleaned := helpers.CleanDevices(s)
	p.Devices = append(p.Devices, cleaned...)
}
// AddSockets adds the named sockets to p.Sockets, replacing existing entries
// of the same name.
//
// Each name is converted with SocketFromString. On the first name it rejects,
// AddSockets returns that error immediately. The update is not atomic: by
// then the existing entries for all given names have been removed, and the
// names before the rejected one have been added.
func (p *AppImagePerms) AddSockets(socketStrings ...string) error {
	if len(socketStrings) == 0 {
		return nil
	}

	p.RemoveSockets(socketStrings...)

	for _, name := range socketStrings {
		socket, err := SocketFromString(name)
		if err != nil {
			return err
		}
		p.Sockets = append(p.Sockets, socket)
	}

	return nil
}
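// removeFile removes from p.Files the entry for the same file as str,
// whether it is stored with a `:ro` or a `:rw` suffix. Only the one entry
// reported by helpers.ContainsAny is removed.
func (p *AppImagePerms) removeFile(str string) {
	// Done this way to ensure there is an `extension` eg: `:ro` on the string,
	// it will then be used to detect if that file already exists
	cleaned := helpers.CleanFiles([]string{str})
	if len(cleaned) == 0 {
		// CleanFiles is defined elsewhere; if it returns no entry for this
		// input there is nothing to match, so return rather than index an
		// empty slice.
		return
	}

	// Drop the last ":"-separated element (the access suffix) to get the bare
	// name, then look for that name under either suffix.
	parts := strings.Split(cleaned[0], ":")
	base := strings.Join(parts[:len(parts)-1], ":")

	if i, present := helpers.ContainsAny(p.Files,
		[]string{base + ":ro", base + ":rw"}); present {
		p.Files = append(p.Files[:i], p.Files[i+1:]...)
	}
}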
// RemoveFiles removes each of the given file entries from p.Files by calling
// removeFile on them in order.
func (p *AppImagePerms) RemoveFiles(s ...string) {
	for _, file := range s {
		p.removeFile(file)
	}
}
// removeDevice removes from p.Devices the entry that helpers.Contains reports
// for str. It does nothing when str is not found.
func (p *AppImagePerms) removeDevice(str string) {
	idx, found := helpers.Contains(p.Devices, str)
	if !found {
		return
	}

	p.Devices = append(p.Devices[:idx], p.Devices[idx+1:]...)
}
// RemoveDevices removes each of the given device entries from p.Devices by
// calling removeDevice on them in order.
func (p *AppImagePerms) RemoveDevices(s ...string) {
	for _, device := range s {
		p.removeDevice(device)
	}
}
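// TODO: switch to Socket type

// removeSocket removes every entry in p.Sockets whose name equals str. It
// does nothing when there is no such entry.
func (p *AppImagePerms) removeSocket(str string) {
	// Filter into the same backing array instead of deleting while ranging.
	// Deleting inside the range loop keeps iterating over the original length
	// and panics with a slice-bounds error once the list holds the same
	// socket twice (for example after a profile lists a socket name twice).
	kept := p.Sockets[:0]
	for _, socket := range p.Sockets {
		if str != string(socket) {
			kept = append(kept, socket)
		}
	}
	p.Sockets = kept
}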
// RemoveSockets removes each of the named sockets from p.Sockets by calling
// removeSocket on them in order.
func (p *AppImagePerms) RemoveSockets(s ...string) {
	for _, name := range s {
		p.removeSocket(name)
	}
}
// SetLevel sets the sandbox base permission level. The level must be between
// 0 and 3 inclusive; any other value is rejected with an error and p.Level is
// left unchanged.
func (p *AppImagePerms) SetLevel(l int) error {
	if l >= 0 && l <= 3 {
		p.Level = l
		return nil
	}

	return errors.New("permissions level must be int from 0-3")
}