From 5369c66533b3c0e6527eed5819ad8a06c2677942 Mon Sep 17 00:00:00 2001 From: Ningyuan Li Date: Mon, 18 Nov 2024 23:43:01 +0900 Subject: [PATCH 1/4] populate native apps' jailer on install --- services/better-jail.ts | 6 ++++++ services/service.ts | 18 +++++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 services/better-jail.ts diff --git a/services/better-jail.ts b/services/better-jail.ts new file mode 100644 index 0000000..f4b5e40 --- /dev/null +++ b/services/better-jail.ts @@ -0,0 +1,6 @@ +import { asyncExecFile } from './adapter'; + +export async function buildBetterJail(id: string, appDir: string) { + // Populate the jail with `native` instead of `native_devmode`, to gain higher privileges + await asyncExecFile('jailer', ['-t', 'native', '-p', appDir, '-i', id, '/bin/true']); +} diff --git a/services/service.ts b/services/service.ts index 2160fce..20392fb 100644 --- a/services/service.ts +++ b/services/service.ts @@ -13,6 +13,7 @@ import Service, { Message } from 'webos-service'; import { asyncStat, asyncExecFile, asyncPipeline, asyncUnlink, asyncWriteFile, asyncReadFile, asyncChmod, asyncMkdir } from './adapter'; import { fetchWrapper } from './fetch-wrapper'; +import { buildBetterJail } from './better-jail'; import rootAppInfo from '../appinfo.json'; import serviceInfo from './services.json'; @@ -406,8 +407,14 @@ function runService(): void { return serviceRemote as Service; } - async function getAppInfo(appId: string): Promise> { - const appList = await asyncCall<{ apps: { id: string }[] }>( + interface AppInfo { + id: string; + title: string; + type: string; + folderPath: string; + } + async function getAppInfo(appId: string): Promise { + const appList = await asyncCall<{ apps: AppInfo[] }>( getInstallerService(), 'luna://com.webos.applicationManager/dev/listApps', {}, 
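Review bot: `buildBetterJail` in services/better-jail.ts hands `id` and `appDir` to `jailer` without checking them, and the `AppInfo` interface added in the services/service.ts hunk is only a compile-time description of the `listApps` reply, so a missing or relative `folderPath` would reach the command as-is. Passing an argument array to `asyncExecFile` presumably keeps the values out of a shell, which is the right choice; a guard such as `if (!id || !path.isAbsolute(appDir)) throw new Error('invalid jail target');` before the call would stop a malformed reply from building a jail for an unintended directory. The comment should also state what the `native` jail type permits beyond `native_devmode`, because this is a deliberate relaxation of the app sandbox, and the function should declare `Promise<void>` as its return type.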
@@ -491,7 +498,12 @@ function runService(): void { try { const appInfo = await getAppInfo(installedPackageId); - await createToast(`Application installed: ${appInfo['title']}`, service); + if (appInfo.type === 'native') { + await createToast(`Updating jailer config for ${appInfo.title}…`, service); + await buildBetterJail(appInfo.id, appInfo.folderPath) + .catch((err) => console.warn('jailer execution failed:', err)); + } + await createToast(`Application installed: ${appInfo.title}`, service); } catch (err: unknown) { console.warn('appinfo fetch failed:', err); await createToast(`Application installed: ${installedPackageId}`, service); From 7942fc49c22c8a3bf8a425277b454b325514be01 Mon Sep 17 00:00:00 2001 From: Ningyuan Li Date: Mon, 18 Nov 2024 23:45:20 +0900 Subject: [PATCH 2/4] don't update jailer without root --- services/service.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/service.ts b/services/service.ts index 20392fb..3d4635c 100644 --- a/services/service.ts +++ b/services/service.ts @@ -498,7 +498,7 @@ function runService(): void { try { const appInfo = await getAppInfo(installedPackageId); - if (appInfo.type === 'native') { + if (appInfo.type === 'native' && runningAsRoot) { await createToast(`Updating jailer config for ${appInfo.title}…`, service); await buildBetterJail(appInfo.id, appInfo.folderPath) .catch((err) => console.warn('jailer execution failed:', err)); From 0af2e3b243d4d3fd03c5062f4ca932a284fa7fb4 Mon Sep 17 00:00:00 2001 From: Ningyuan Li Date: Wed, 25 Dec 2024 16:33:49 +0900 Subject: [PATCH 3/4] fixed lint issues --- services/service.ts | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/services/service.ts b/services/service.ts index 3d4635c..db9ca59 100644 --- a/services/service.ts +++ b/services/service.ts 
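Review bot: A failed `jailer` run is written only to `console.warn` in the added `.catch`, and the next line still shows the "Application installed" toast, so the user cannot tell whether the app ended up with the `native` jail or the default one. Surfacing it inside the handler, for example `await createToast('Jailer config update failed for ' + appInfo.title, service);`, would close that gap. The branch also applies the more privileged jail to every app whose `type` is `native`, with no opt-in and no record beyond a transient toast; a persistent log line naming `appInfo.id` and `appInfo.folderPath` would make the change auditable. The enclosing function starts and ends outside the hunk.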
@@ -413,12 +413,9 @@ function runService(): void {
 type: string;
 folderPath: string;
 }
+ type AppsResponse = { apps: AppInfo[] };
 async function getAppInfo(appId: string): Promise {
- const appList = await asyncCall<{ apps: AppInfo[] }>(
- getInstallerService(),
- 'luna://com.webos.applicationManager/dev/listApps',
- {},
- );
+ const appList = await asyncCall(getInstallerService(), 'luna://com.webos.applicationManager/dev/listApps', {});
 const appInfo = appList.apps.find((app) => app.id === appId);
 if (!appInfo) throw new Error(`Invalid appId, or unsupported application type: ${appId}`);
 return appInfo;
@@ -500,8 +497,9 @@ function runService(): void {
 const appInfo = await getAppInfo(installedPackageId);
 if (appInfo.type === 'native' && runningAsRoot) {
 await createToast(`Updating jailer config for ${appInfo.title}…`, service);
- await buildBetterJail(appInfo.id, appInfo.folderPath)
- .catch((err) => console.warn('jailer execution failed:', err));
+ await buildBetterJail(appInfo.id, appInfo.folderPath).catch((err) => {
+ console.warn('jailer execution failed:', err);
+ });
 }
 await createToast(`Application installed: ${appInfo.title}`, service);
 } catch (err: unknown) {
From 934a138e05dd9bca1766261cd19e0a498ae31233 Mon Sep 17 00:00:00 2001
From: Ningyuan Li
Date: Wed, 25 Dec 2024 16:36:33 +0900
Subject: [PATCH 4/4] renamed AppsResponse -> AppsList
---
 services/service.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/service.ts b/services/service.ts
index db9ca59..2835ccf 100644
--- a/services/service.ts
+++ b/services/service.ts
@@ -413,9 +413,11 @@ function runService(): void {
 type: string;
 folderPath: string;
 }
- type AppsResponse = { apps: AppInfo[] };
+ interface AppsList {
+ apps: AppInfo[];
+ }
 async function getAppInfo(appId: string): Promise {
- const appList = await asyncCall(getInstallerService(), 'luna://com.webos.applicationManager/dev/listApps', {});
+ const appList = await asyncCall(getInstallerService(), 'luna://com.webos.applicationManager/dev/listApps', {});
 const appInfo = appList.apps.find((app) => app.id === appId);
 if (!appInfo) throw new Error(`Invalid appId, or unsupported application type: ${appId}`);
 return appInfo;