diff --git a/dist/install.sh b/dist/install.sh
index c881507..0641226 100755
--- a/dist/install.sh
+++ b/dist/install.sh
@@ -4,7 +4,6 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"
-install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
diff --git a/dist/release.sh b/dist/release.sh
index 1ebf6e3..53f21dc 100755
--- a/dist/release.sh
+++ b/dist/release.sh
@@ -13,7 +13,6 @@ go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-s
 -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
 -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
 -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
- -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
 -X main.Fmain=/usr/bin/fortify" ./...
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
diff --git a/internal/path.go b/internal/path.go
index b6fbff0..8c6a2e5 100644
--- a/internal/path.go
+++ b/internal/path.go
@@ -5,7 +5,6 @@ import "path"
 var (
 Fortify = compPoison
 Fsu = compPoison
- Finit = compPoison
 )
 func Path(p string) (string, bool) {
diff --git a/cmd/finit/main.go b/internal/proc/priv/init/main.go
similarity index 88%
rename from cmd/finit/main.go
rename to internal/proc/priv/init/main.go
index 14283f2..f32fada 100644
--- a/cmd/finit/main.go
+++ b/internal/proc/priv/init/main.go
@@ -1,4 +1,4 @@
-package main
+package init0
 import (
 "errors"
@@ -9,7 +9,6 @@ import (
 "syscall"
 "time"
- init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 "git.gensokyo.uk/security/fortify/internal"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 "git.gensokyo.uk/security/fortify/internal/proc"
@@ -23,7 +22,7 @@ const (
 // everything beyond this point runs within pid namespace
 // proceed with caution!
-func main() {
+func Main() {
 // sharing stdout with shim
 // USE WITH CAUTION
 fmsg.SetPrefix("init")
@@ -40,8 +39,8 @@ func main() {
 }
 // re-exec
- if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
- if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
+ if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "init" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
+ if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
 fmsg.Println("cannot re-exec self:", err)
 // continue anyway
 }
@@ -49,10 +48,10 @@ func main() {
 // receive setup payload
 var (
- payload init0.Payload
+ payload Payload
 closeSetup func() error
 )
- if f, err := proc.Receive(init0.Env, &payload); err != nil {
+ if f, err := proc.Receive(Env, &payload); err != nil {
 if errors.Is(err, proc.ErrInvalid) {
 fmsg.Fatal("invalid config descriptor")
 }
@@ -67,8 +66,8 @@ func main() {
 closeSetup = f
 // child does not need to see this
- if err = os.Unsetenv(init0.Env); err != nil {
- fmsg.Printf("cannot unset %s: %v", init0.Env, err)
+ if err = os.Unsetenv(Env); err != nil {
+ fmsg.Printf("cannot unset %s: %v", Env, err)
 // not fatal
 } else {
 fmsg.VPrintln("received configuration")
diff --git a/cmd/finit/ipc/payload.go b/internal/proc/priv/init/payload.go
similarity index 100%
rename from cmd/finit/ipc/payload.go
rename to internal/proc/priv/init/payload.go
diff --git a/internal/proc/priv/shim/main.go b/internal/proc/priv/shim/main.go
index e3a819d..91ff8d2 100644
--- a/internal/proc/priv/shim/main.go
+++ b/internal/proc/priv/shim/main.go
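Review bot: In the re-exec hunk (`@@ -40,8 +39,8 @@`) of internal/proc/priv/init/main.go the new condition reads `os.Args[1]` before `len(os.Args) != 2` is evaluated, so an argv of exactly `["fortify"]` would panic with an index out of range instead of being handled. The dispatch added in main.go appears to reach `Main` only when an `init` argument is present, so this is probably unreachable today, but `Main` is now exported and the guard should not depend on its caller. Putting the length test first keeps the same re-exec decision for every other argv: `(len(os.Args) != 2 || os.Args[0] != "fortify" || os.Args[1] != "init")`. The body of `Main` starts and ends outside this hunk.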
@@ -7,12 +7,12 @@ import (
 "strconv"
 "syscall"
- init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 "git.gensokyo.uk/security/fortify/fst"
 "git.gensokyo.uk/security/fortify/helper"
 "git.gensokyo.uk/security/fortify/internal"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 "git.gensokyo.uk/security/fortify/internal/proc"
+ init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 )
 // everything beyond this point runs as unconstrained target user
@@ -37,12 +37,12 @@ func Main() {
 }
 }
- // check path to finit
- var finitPath string
- if p, ok := internal.Path(internal.Finit); !ok {
- fmsg.Fatal("invalid finit path, this copy of fortify is not compiled correctly")
+ // check path to fortify
+ var fortifyPath string
+ if p, ok := internal.Path(internal.Fortify); !ok {
+ fmsg.Fatal("invalid fortify path, this copy of fortify is not compiled correctly")
 } else {
- finitPath = p
+ fortifyPath = p
 }
 // receive setup payload
@@ -132,13 +132,15 @@ func Main() {
 }()
 }
- // bind finit inside sandbox
- finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
- conf.Bind(finitPath, finitInnerPath)
+ // bind fortify inside sandbox
+ innerSbin := path.Join(fst.Tmp, "sbin")
+ fortifyInnerPath := path.Join(innerSbin, "fortify")
+ conf.Bind(fortifyPath, fortifyInnerPath)
+ conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))
 helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
- if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
- func(int, int) []string { return make([]string, 0) }); err != nil {
+ if b, err := helper.NewBwrap(conf, nil, fortifyInnerPath,
+ func(int, int) []string { return []string{"init"} }); err != nil {
 fmsg.Fatalf("malformed sandbox config: %v", err)
 } else {
 cmd := b.Unwrap()
diff --git a/main.go b/main.go
index 21043ea..bb93f8f 100644
--- a/main.go
+++ b/main.go
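Review bot: The last hunk of internal/proc/priv/shim/main.go (`@@ -132,13 +132,15 @@`) binds the whole multi-call `fortify` binary into the sandbox where previously only the single-purpose `finit` was visible, and nothing in the new lines records that this is deliberate. Code running in the sandbox can presumably execute `fortifyInnerPath` with any subcommand, so it is worth confirming that every entry point other than `init` fails safely there. install.sh installs `fortify` as 0755 and only `fsu` with setuid bits, so this looks like a wider code surface rather than a privilege change. The `sbin/init` symlink is not what `NewBwrap` executes (it is given `fortifyInnerPath` with `"init"` as the argument), so a comment above `conf.Symlink` such as `// sbin/init is a symlink to sbin/fortify; the entry point is "fortify init"` would make the layout explicit. `Main` starts and ends outside the hunk.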
@@ -20,6 +20,7 @@ import (
 "git.gensokyo.uk/security/fortify/internal/app"
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 "git.gensokyo.uk/security/fortify/internal/linux"
+ init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 "git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 "git.gensokyo.uk/security/fortify/internal/system"
 )
@@ -289,6 +290,9 @@ func main() {
 case "shim":
 shim.Main()
 fmsg.Exit(0)
+ case "init":
+ init0.Main()
+ fmsg.Exit(0)
 default:
 fmsg.Fatalf("%q is not a valid command", args[0])
diff --git a/package.nix b/package.nix
index 0da2e6e..4c715ec 100644
--- a/package.nix
+++ b/package.nix
@@ -37,7 +37,6 @@ buildGoModule rec {
 {
 Version = "v${version}";
 Fsu = "/run/wrappers/bin/fsu";
- Finit = "${placeholder "out"}/libexec/finit";
 Fortify = "${placeholder "out"}/bin/fortify";
 };
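Review bot: The new `case "init"` in main.go (`@@ -289,6 +290,9 @@`) makes the pid-namespace init entry point a subcommand that any caller of the binary can select, and nothing at the dispatch site marks it as internal. The hunks shown for internal/proc/priv/init/main.go abort on an invalid config descriptor, but whether `Main` also refuses to run when it is not the first process of a new pid namespace is outside the visible lines and should be confirmed. A comment on the case would help, e.g. `// internal: started by shim inside the sandbox, not a user-facing command`. `main` starts and ends outside the hunk.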