proc/priv/init: merge init into main program

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:47:01 +09:00 · 2025-01-18 11:47:01 +09:00 · 27d2914286
commit 27d2914286
parent ea8f228af3
8 changed files with 25 additions and 24 deletions
--- a/dist/install.sh
+++ b/dist/install.sh
@ -4,7 +4,6 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"

-install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"

 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
--- a/dist/release.sh
+++ b/dist/release.sh
@ -13,7 +13,6 @@ go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-s
  -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
  -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
  -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
-  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
  -X main.Fmain=/usr/bin/fortify" ./...

 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
--- a/internal/path.go
+++ b/internal/path.go
@ -5,7 +5,6 @@ import "path"
 var (
 	Fortify = compPoison
 	Fsu     = compPoison
-	Finit   = compPoison
 )

 func Path(p string) (string, bool) {
--- a/internal/proc/priv/init/main.go
+++ b/internal/proc/priv/init/main.go
@ -1,4 +1,4 @@
-package main
+package init0

 import (
 	"errors"
@ -9,7 +9,6 @@ import (
 	"syscall"
 	"time"

-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
@ -23,7 +22,7 @@ const (
 // everything beyond this point runs within pid namespace
 // proceed with caution!

-func main() {
+func Main() {
 	// sharing stdout with shim
 	// USE WITH CAUTION
 	fmsg.SetPrefix("init")
@ -40,8 +39,8 @@ func main() {
 	}

 	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
+	if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "init" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
+		if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
 			fmsg.Println("cannot re-exec self:", err)
 			// continue anyway
 		}
@ -49,10 +48,10 @@ func main() {

 	// receive setup payload
 	var (
-		payload    init0.Payload
+		payload    Payload
 		closeSetup func() error
 	)
-	if f, err := proc.Receive(init0.Env, &payload); err != nil {
+	if f, err := proc.Receive(Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
 		}
@ -67,8 +66,8 @@ func main() {
 		closeSetup = f

 		// child does not need to see this
-		if err = os.Unsetenv(init0.Env); err != nil {
-			fmsg.Printf("cannot unset %s: %v", init0.Env, err)
+		if err = os.Unsetenv(Env); err != nil {
+			fmsg.Printf("cannot unset %s: %v", Env, err)
 			// not fatal
 		} else {
 			fmsg.VPrintln("received configuration")
--- a/internal/proc/priv/init/payload.go
+++ b/internal/proc/priv/init/payload.go
--- a/internal/proc/priv/shim/main.go
+++ b/internal/proc/priv/shim/main.go
@ -7,12 +7,12 @@ import (
 	"strconv"
 	"syscall"

-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
+	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 )

 // everything beyond this point runs as unconstrained target user
@ -37,12 +37,12 @@ func Main() {
 		}
 	}

-	// check path to finit
-	var finitPath string
-	if p, ok := internal.Path(internal.Finit); !ok {
-		fmsg.Fatal("invalid finit path, this copy of fortify is not compiled correctly")
+	// check path to fortify
+	var fortifyPath string
+	if p, ok := internal.Path(internal.Fortify); !ok {
+		fmsg.Fatal("invalid fortify path, this copy of fortify is not compiled correctly")
 	} else {
-		finitPath = p
+		fortifyPath = p
 	}

 	// receive setup payload
@ -132,13 +132,15 @@ func Main() {
 		}()
 	}

-	// bind finit inside sandbox
-	finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
-	conf.Bind(finitPath, finitInnerPath)
+	// bind fortify inside sandbox
+	innerSbin := path.Join(fst.Tmp, "sbin")
+	fortifyInnerPath := path.Join(innerSbin, "fortify")
+	conf.Bind(fortifyPath, fortifyInnerPath)
+	conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))

 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
-		func(int, int) []string { return make([]string, 0) }); err != nil {
+	if b, err := helper.NewBwrap(conf, nil, fortifyInnerPath,
+		func(int, int) []string { return []string{"init"} }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {
 		cmd := b.Unwrap()
--- a/main.go
+++ b/main.go
@ -20,6 +20,7 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
+	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
@ -289,6 +290,9 @@ func main() {
 	case "shim":
 		shim.Main()
 		fmsg.Exit(0)
+	case "init":
+		init0.Main()
+		fmsg.Exit(0)

 	default:
 		fmsg.Fatalf("%q is not a valid command", args[0])
--- a/package.nix
+++ b/package.nix
@ -37,7 +37,6 @@ buildGoModule rec {
      {
        Version = "v${version}";
        Fsu = "/run/wrappers/bin/fsu";
-        Finit = "${placeholder "out"}/libexec/finit";
        Fortify = "${placeholder "out"}/bin/fortify";
      };