From 0a2aa5823bb0a9f04bd910d63b6ef934c6d4f533 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Fri, 27 Dec 2024 14:44:57 +0900
Subject: [PATCH] cmd/fshim: bind finit inside sandbox

The outer finit executable is normally inaccessible inside the sandbox.
This was obscured by the current Nix-based setup exposing /nix/store to
the sandbox.

Signed-off-by: Ophestra
---
 cmd/fshim/main.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cmd/fshim/main.go b/cmd/fshim/main.go
index 05b7280..6b27122 100644
--- a/cmd/fshim/main.go
+++ b/cmd/fshim/main.go
@@ -9,6 +9,7 @@ import (
 
 	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
+	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
@@ -117,8 +118,12 @@ func main() {
 		}()
 	}
 
+	// bind finit inside sandbox
+	finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
+	conf.Bind(finitPath, finitInnerPath)
+
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, finitPath,
+	if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
 		func(int, int) []string { return make([]string, 0) }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {
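Review bot: The comment above `conf.Bind(finitPath, finitInnerPath)` in the second hunk only restates the call; the reason given in the commit message (the outer finit is not visible from inside the sandbox, which the /nix/store exposure had been hiding) belongs in the code so the next reader does not remove the bind as redundant, e.g. `// finit lives outside the sandbox's view of the filesystem; bind it to a fixed inner path so bwrap can exec it (previously only worked because /nix/store was exposed)`. Whether this bind is read-only is not visible from the hunk; since the mount target is an executable the sandboxed process will run as init, the mount mode should be made explicit at the call site if `Bind` accepts such an option, rather than relying on a default. The return value of `conf.Bind` is discarded here, which is fine if it is a chaining method but should be checked if it can report an error. The enclosing `main` starts and ends outside the hunk.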