proc/priv/init: merge init into main program

Signed-off-by: Ophestra <cat@gensokyo.uk>

dist/install.sh

@@ -4,7 +4,6 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"
 
-install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 
 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"

dist/release.sh

@@ -13,7 +13,6 @@ go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-s
   -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
   -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
   -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
-  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
   -X main.Fmain=/usr/bin/fortify" ./...
 
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"

internal/path.go

@@ -5,7 +5,6 @@ import "path"
 var (
 	Fortify = compPoison
 	Fsu     = compPoison
-	Finit   = compPoison
 )
 
 func Path(p string) (string, bool) {

internal/proc/priv/init/main.go

@@ -1,4 +1,4 @@
-package main
+package init0
 
 import (
 	"errors"
@@ -9,7 +9,6 @@ import (
 	"syscall"
 	"time"
 
-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
@@ -23,7 +22,7 @@ const (
 // everything beyond this point runs within pid namespace
 // proceed with caution!
 
-func main() {
+func Main() {
 	// sharing stdout with shim
 	// USE WITH CAUTION
 	fmsg.SetPrefix("init")
@@ -40,8 +39,8 @@ func main() {
 	}
 
 	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
+	if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "init" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
+		if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
 			fmsg.Println("cannot re-exec self:", err)
 			// continue anyway
 		}
@@ -49,10 +48,10 @@ func main() {
 
 	// receive setup payload
 	var (
-		payload    init0.Payload
+		payload    Payload
 		closeSetup func() error
 	)
-	if f, err := proc.Receive(init0.Env, &payload); err != nil {
+	if f, err := proc.Receive(Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
 		}
@@ -67,8 +66,8 @@ func main() {
 		closeSetup = f
 
 		// child does not need to see this
-		if err = os.Unsetenv(init0.Env); err != nil {
+		if err = os.Unsetenv(Env); err != nil {
-			fmsg.Printf("cannot unset %s: %v", init0.Env, err)
+			fmsg.Printf("cannot unset %s: %v", Env, err)
 			// not fatal
 		} else {
 			fmsg.VPrintln("received configuration")

internal/proc/priv/shim/main.go

@@ -7,12 +7,12 @@ import (
 	"strconv"
 	"syscall"
 
-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
+	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 )
 
 // everything beyond this point runs as unconstrained target user
@@ -37,12 +37,12 @@ func Main() {
 		}
 	}
 
-	// check path to finit
+	// check path to fortify
-	var finitPath string
+	var fortifyPath string
-	if p, ok := internal.Path(internal.Finit); !ok {
+	if p, ok := internal.Path(internal.Fortify); !ok {
-		fmsg.Fatal("invalid finit path, this copy of fortify is not compiled correctly")
+		fmsg.Fatal("invalid fortify path, this copy of fortify is not compiled correctly")
 	} else {
-		finitPath = p
+		fortifyPath = p
 	}
 
 	// receive setup payload
@@ -132,13 +132,15 @@ func Main() {
 		}()
 	}
 
-	// bind finit inside sandbox
+	// bind fortify inside sandbox
-	finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
+	innerSbin := path.Join(fst.Tmp, "sbin")
-	conf.Bind(finitPath, finitInnerPath)
+	fortifyInnerPath := path.Join(innerSbin, "fortify")
+	conf.Bind(fortifyPath, fortifyInnerPath)
+	conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))
 
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
+	if b, err := helper.NewBwrap(conf, nil, fortifyInnerPath,
-		func(int, int) []string { return make([]string, 0) }); err != nil {
+		func(int, int) []string { return []string{"init"} }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {
 		cmd := b.Unwrap()

main.go

@@ -20,6 +20,7 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
+	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
@@ -289,6 +290,9 @@ func main() {
 	case "shim":
 		shim.Main()
 		fmsg.Exit(0)
+	case "init":
+		init0.Main()
+		fmsg.Exit(0)
 
 	default:
 		fmsg.Fatalf("%q is not a valid command", args[0])

package.nix

@@ -37,7 +37,6 @@ buildGoModule rec {
       {
         Version = "v${version}";
         Fsu = "/run/wrappers/bin/fsu";
-        Finit = "${placeholder "out"}/libexec/finit";
         Fortify = "${placeholder "out"}/bin/fortify";
       };