2024-09-22 00:29:36 +09:00
|
|
|
package app
|
|
|
|
|
|
|
|
import (
|
|
|
|
"sync"
|
2024-12-18 13:45:55 +09:00
|
|
|
"sync/atomic"
|
2024-10-23 21:46:21 +09:00
|
|
|
|
2024-11-02 03:03:44 +09:00
|
|
|
"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
|
2024-12-18 13:45:55 +09:00
|
|
|
"git.ophivana.moe/security/fortify/fipc"
|
2024-11-02 03:03:44 +09:00
|
|
|
"git.ophivana.moe/security/fortify/internal/linux"
|
2024-09-22 00:29:36 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
type App interface {
|
2024-10-20 00:07:48 +09:00
|
|
|
// ID returns a copy of App's unique ID.
|
|
|
|
ID() ID
|
|
|
|
// Start sets up the system and starts the App.
|
2024-09-22 00:29:36 +09:00
|
|
|
Start() error
|
2024-10-20 00:07:48 +09:00
|
|
|
// Wait waits for App's process to exit and reverts system setup.
|
2024-09-22 00:29:36 +09:00
|
|
|
Wait() (int, error)
|
2024-10-20 00:07:48 +09:00
|
|
|
// WaitErr returns error returned by the underlying wait syscall.
|
2024-09-22 00:29:36 +09:00
|
|
|
WaitErr() error
|
2024-10-20 00:07:48 +09:00
|
|
|
|
2024-12-18 13:45:55 +09:00
|
|
|
Seal(config *fipc.Config) error
|
2024-09-22 00:29:36 +09:00
|
|
|
String() string
|
|
|
|
}
|
|
|
|
|
|
|
|
type app struct {
|
2024-12-18 13:45:55 +09:00
|
|
|
// single-use config reference
|
|
|
|
ct *appCt
|
|
|
|
|
2024-10-20 00:07:48 +09:00
|
|
|
// application unique identifier
|
|
|
|
id *ID
|
2024-10-23 21:46:21 +09:00
|
|
|
// operating system interface
|
2024-11-02 03:03:44 +09:00
|
|
|
os linux.System
|
2024-10-27 00:46:15 +09:00
|
|
|
// shim process manager
|
|
|
|
shim *shim.Shim
|
2024-09-22 00:29:36 +09:00
|
|
|
// child process related information
|
|
|
|
seal *appSeal
|
|
|
|
// error returned waiting for process
|
2024-10-20 00:07:48 +09:00
|
|
|
waitErr error
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
lock sync.RWMutex
|
|
|
|
}
|
|
|
|
|
2024-10-20 00:07:48 +09:00
|
|
|
func (a *app) ID() ID {
|
|
|
|
return *a.id
|
|
|
|
}
|
|
|
|
|
2024-09-22 00:29:36 +09:00
|
|
|
func (a *app) String() string {
|
|
|
|
if a == nil {
|
|
|
|
return "(invalid fortified app)"
|
|
|
|
}
|
|
|
|
|
|
|
|
a.lock.RLock()
|
|
|
|
defer a.lock.RUnlock()
|
|
|
|
|
2024-10-27 00:46:15 +09:00
|
|
|
if a.shim != nil {
|
|
|
|
return a.shim.String()
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
if a.seal != nil {
|
2024-11-16 21:19:45 +09:00
|
|
|
return "(sealed fortified app as uid " + a.seal.sys.user.us + ")"
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
return "(unsealed fortified app)"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *app) WaitErr() error {
|
2024-10-20 00:07:48 +09:00
|
|
|
return a.waitErr
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
|
|
|
|
2024-11-02 03:03:44 +09:00
|
|
|
func New(os linux.System) (App, error) {
|
2024-10-20 00:07:48 +09:00
|
|
|
a := new(app)
|
|
|
|
a.id = new(ID)
|
2024-10-23 21:46:21 +09:00
|
|
|
a.os = os
|
2024-10-20 00:07:48 +09:00
|
|
|
return a, newAppID(a.id)
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
2024-12-18 13:45:55 +09:00
|
|
|
|
|
|
|
// appCt ensures its wrapped val is only accessed once
|
|
|
|
type appCt struct {
|
|
|
|
val *fipc.Config
|
|
|
|
done *atomic.Bool
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *appCt) Unwrap() *fipc.Config {
|
|
|
|
if !a.done.Load() {
|
|
|
|
defer a.done.Store(true)
|
|
|
|
return a.val
|
|
|
|
}
|
|
|
|
panic("attempted to access config reference twice")
|
|
|
|
}
|
|
|
|
|
|
|
|
func newAppCt(config *fipc.Config) (ct *appCt) {
|
|
|
|
ct = new(appCt)
|
|
|
|
ct.done = new(atomic.Bool)
|
|
|
|
ct.val = config
|
|
|
|
return ct
|
|
|
|
}
|