From 2f676c9d6e7baac289409cbcabde5b6e53b32ec3 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Wed, 18 Dec 2024 15:50:46 +0900
Subject: [PATCH] fst: rename from fipc

Signed-off-by: Ophestra Umiker
---
 {fipc => fst}/config.go | 2 +-
 internal/app/id.go => fst/shared.go | 5 +++--
 internal/app/app.go | 20 ++++++++++----------
 internal/app/app_nixos_test.go | 13 ++++++-------
 internal/app/app_pd_test.go | 15 +++++++--------
 internal/app/app_test.go | 6 +++---
 internal/app/export_test.go | 3 ++-
 internal/app/seal.go | 16 ++++++++--------
 internal/state/state.go | 6 +++---
 main.go | 10 +++++-----
 10 files changed, 48 insertions(+), 48 deletions(-)
 rename {fipc => fst}/config.go (99%)
 rename internal/app/id.go => fst/shared.go (66%)
diff --git a/fipc/config.go b/fst/config.go
similarity index 99%
rename from fipc/config.go
rename to fst/config.go
index 472d22f..b1a2240 100644
--- a/fipc/config.go
+++ b/fst/config.go
@@ -1,4 +1,4 @@
-package fipc
+package fst
 import (
 "errors"
diff --git a/internal/app/id.go b/fst/shared.go
similarity index 66%
rename from internal/app/id.go
rename to fst/shared.go
index 6ca4831..3954486 100644
--- a/internal/app/id.go
+++ b/fst/shared.go
@@ -1,4 +1,5 @@
-package app
+// Package fst exports shared fortify types.
+package fst
 import (
 "crypto/rand"
@@ -11,7 +12,7 @@ func (a *ID) String() string {
 return hex.EncodeToString(a[:])
 }
-func newAppID(id *ID) error {
+func NewAppID(id *ID) error {
 _, err := rand.Read(id[:])
 return err
 }
diff --git a/internal/app/app.go b/internal/app/app.go
index 5cb1ddf..4c6ae9e 100644
--- a/internal/app/app.go
+++ b/internal/app/app.go
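Review bot: `NewAppID` in fst/shared.go becomes part of the exported API of the new public `fst` package without a doc comment, and what a caller may assume when it fails is not written down. The function fills the caller's `ID` from `crypto/rand` and returns the `rand.Read` error, so on a non-nil error the contents of `id` must not be used as an instance identifier; `New` in internal/app/app.go (later in this patch) returns the app value together with that error, so the contract is worth stating at the source. Suggested comment: `// NewAppID fills id with random bytes from crypto/rand. If it returns an error, id must not be used as an instance identifier.`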
@@ -5,13 +5,13 @@ import (
 "sync/atomic"
 "git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
- "git.ophivana.moe/security/fortify/fipc"
+ "git.ophivana.moe/security/fortify/fst"
 "git.ophivana.moe/security/fortify/internal/linux"
 )
 type App interface {
 // ID returns a copy of App's unique ID.
- ID() ID
+ ID() fst.ID
 // Start sets up the system and starts the App.
 Start() error
 // Wait waits for App's process to exit and reverts system setup.
@@ -19,7 +19,7 @@ type App interface {
 // WaitErr returns error returned by the underlying wait syscall.
 WaitErr() error
- Seal(config *fipc.Config) error
+ Seal(config *fst.Config) error
 String() string
 }
@@ -28,7 +28,7 @@ type app struct {
 ct *appCt
 // application unique identifier
- id *ID
+ id *fst.ID
 // operating system interface
 os linux.System
 // shim process manager
@@ -41,7 +41,7 @@ type app struct {
 lock sync.RWMutex
 }
-func (a *app) ID() ID {
+func (a *app) ID() fst.ID {
 return *a.id
 }
@@ -70,18 +70,18 @@ func (a *app) WaitErr() error {
 func New(os linux.System) (App, error) {
 a := new(app)
- a.id = new(ID)
+ a.id = new(fst.ID)
 a.os = os
- return a, newAppID(a.id)
+ return a, fst.NewAppID(a.id)
 }
 // appCt ensures its wrapped val is only accessed once
 type appCt struct {
- val *fipc.Config
+ val *fst.Config
 done *atomic.Bool
 }
-func (a *appCt) Unwrap() *fipc.Config {
+func (a *appCt) Unwrap() *fst.Config {
 if !a.done.Load() {
 defer a.done.Store(true)
 return a.val
@@ -89,7 +89,7 @@ func (a *appCt) Unwrap() *fipc.Config {
 panic("attempted to access config reference twice")
 }
-func newAppCt(config *fipc.Config) (ct *appCt) {
+func newAppCt(config *fst.Config) (ct *appCt) {
 ct = new(appCt)
 ct.done = new(atomic.Bool)
 ct.val = config
diff --git a/internal/app/app_nixos_test.go b/internal/app/app_nixos_test.go
index 1d92ece..1a716cc 100644
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@@ -3,24 +3,23 @@ package app_test import ( "git.ophivana.moe/security/fortify/acl" "git.ophivana.moe/security/fortify/dbus" - "git.ophivana.moe/security/fortify/fipc" + "git.ophivana.moe/security/fortify/fst" "git.ophivana.moe/security/fortify/helper/bwrap" - "git.ophivana.moe/security/fortify/internal/app" "git.ophivana.moe/security/fortify/internal/system" ) var testCasesNixos = []sealTestCase{ { "nixos chromium direct wayland", new(stubNixOS), - &fipc.Config{ + &fst.Config{ ID: "org.chromium.Chromium", Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"}, - Confinement: fipc.ConfinementConfig{ + Confinement: fst.ConfinementConfig{ AppID: 1, Groups: []string{}, Username: "u0_a1", Outer: "/var/lib/persist/module/fortify/0/1", - Sandbox: &fipc.SandboxConfig{ + Sandbox: &fst.SandboxConfig{ UserNS: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil, - Filesystem: []*fipc.FilesystemConfig{ + Filesystem: []*fst.FilesystemConfig{ {Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true}, {Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true}, {Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"}, @@ -49,7 +48,7 @@ var testCasesNixos = []sealTestCase{ Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(), }, }, - app.ID{ + fst.ID{ 0x8e, 0x2c, 0x76, 0xb0, 0x66, 0xda, 0xbe, 0x57, 0x4c, 0xf0, 0x73, 0xbd, diff --git a/internal/app/app_pd_test.go b/internal/app/app_pd_test.go index 3a55180..af4b505 100644 --- a/internal/app/app_pd_test.go +++ b/internal/app/app_pd_test.go 
@@ -3,24 +3,23 @@ package app_test import ( "git.ophivana.moe/security/fortify/acl" "git.ophivana.moe/security/fortify/dbus" - "git.ophivana.moe/security/fortify/fipc" + "git.ophivana.moe/security/fortify/fst" "git.ophivana.moe/security/fortify/helper/bwrap" - "git.ophivana.moe/security/fortify/internal/app" "git.ophivana.moe/security/fortify/internal/system" ) var testCasesPd = []sealTestCase{ { "nixos permissive defaults no enablements", new(stubNixOS), - &fipc.Config{ + &fst.Config{ Command: make([]string, 0), - Confinement: fipc.ConfinementConfig{ + Confinement: fst.ConfinementConfig{ AppID: 0, Username: "chronos", Outer: "/home/chronos", }, }, - app.ID{ + fst.ID{ 0x4a, 0x45, 0x0b, 0x65, 0x96, 0xd7, 0xbc, 0x15, 0xbd, 0x01, 0x78, 0x0e, @@ -191,10 +190,10 @@ var testCasesPd = []sealTestCase{ }, { "nixos permissive defaults chromium", new(stubNixOS), - &fipc.Config{ + &fst.Config{ ID: "org.chromium.Chromium", Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "}, - Confinement: fipc.ConfinementConfig{ + Confinement: fst.ConfinementConfig{ AppID: 9, Groups: []string{"video"}, Username: "chronos", @@ -233,7 +232,7 @@ var testCasesPd = []sealTestCase{ Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(), }, }, - app.ID{ + fst.ID{ 0xeb, 0xf0, 0x83, 0xd1, 0xb1, 0x75, 0x91, 0x17, 0x82, 0xd4, 0x13, 0x36, diff --git a/internal/app/app_test.go b/internal/app/app_test.go index 21db186..b60295f 100644 --- a/internal/app/app_test.go +++ b/internal/app/app_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "git.ophivana.moe/security/fortify/fipc" + "git.ophivana.moe/security/fortify/fst" "git.ophivana.moe/security/fortify/helper/bwrap" "git.ophivana.moe/security/fortify/internal/app" "git.ophivana.moe/security/fortify/internal/linux" @@ -16,8 +16,8 @@ import ( type sealTestCase struct { name string os linux.System - config *fipc.Config - id app.ID + config *fst.Config + id fst.ID wantSys *system.I wantBwrap *bwrap.Config } 
diff --git a/internal/app/export_test.go b/internal/app/export_test.go
index 56eb4a3..90886e1 100644
--- a/internal/app/export_test.go
+++ b/internal/app/export_test.go
@@ -1,12 +1,13 @@
 package app
 import (
+ "git.ophivana.moe/security/fortify/fst"
 "git.ophivana.moe/security/fortify/helper/bwrap"
 "git.ophivana.moe/security/fortify/internal/linux"
 "git.ophivana.moe/security/fortify/internal/system"
 )
-func NewWithID(id ID, os linux.System) App {
+func NewWithID(id fst.ID, os linux.System) App {
 a := new(app)
 a.id = &id
 a.os = os
diff --git a/internal/app/seal.go b/internal/app/seal.go
index b01befc..d71553a 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -9,7 +9,7 @@ import (
 "strconv"
 "git.ophivana.moe/security/fortify/dbus"
- "git.ophivana.moe/security/fortify/fipc"
+ "git.ophivana.moe/security/fortify/fst"
 "git.ophivana.moe/security/fortify/internal/fmsg"
 "git.ophivana.moe/security/fortify/internal/linux"
 "git.ophivana.moe/security/fortify/internal/state"
@@ -60,7 +60,7 @@ type appSeal struct {
 }
 // Seal seals the app launch context
-func (a *app) Seal(config *fipc.Config) error {
+func (a *app) Seal(config *fst.Config) error {
 a.lock.Lock()
 defer a.lock.Unlock()
@@ -148,7 +148,7 @@ func (a *app) Seal(config *fipc.Config) error {
 fmsg.VPrintln("sandbox configuration not supplied, PROCEED WITH CAUTION")
 // permissive defaults
- conf := &fipc.SandboxConfig{
+ conf := &fst.SandboxConfig{
 UserNS: true,
 Net: true,
 NoNewSession: true,
@@ -158,7 +158,7 @@ func (a *app) Seal(config *fipc.Config) error {
 if d, err := a.os.ReadDir("/"); err != nil {
 return err
 } else {
- b := make([]*fipc.FilesystemConfig, 0, len(d))
+ b := make([]*fst.FilesystemConfig, 0, len(d))
 for _, ent := range d {
 p := "/" + ent.Name()
 switch p {
@@ -170,7 +170,7 @@ func (a *app) Seal(config *fipc.Config) error {
 case "/etc":
 default:
- b = append(b, &fipc.FilesystemConfig{Src: p, Write: true, Must: true})
+ b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
 }
 }
 conf.Filesystem = append(conf.Filesystem, b...)
@@ -179,7 +179,7 @@ func (a *app) Seal(config *fipc.Config) error {
 if d, err := a.os.ReadDir("/run"); err != nil {
 return err
 } else {
- b := make([]*fipc.FilesystemConfig, 0, len(d))
+ b := make([]*fst.FilesystemConfig, 0, len(d))
 for _, ent := range d {
 name := ent.Name()
 switch name {
@@ -187,7 +187,7 @@ func (a *app) Seal(config *fipc.Config) error {
 case "dbus":
 default:
 p := "/run/" + name
- b = append(b, &fipc.FilesystemConfig{Src: p, Write: true, Must: true})
+ b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
 }
 }
 conf.Filesystem = append(conf.Filesystem, b...)
@@ -199,7 +199,7 @@ func (a *app) Seal(config *fipc.Config) error {
 }
 // bind GPU stuff
 if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
- conf.Filesystem = append(conf.Filesystem, &fipc.FilesystemConfig{Src: "/dev/dri", Device: true})
+ conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 }
 config.Confinement.Sandbox = conf
diff --git a/internal/state/state.go b/internal/state/state.go
index bb23932..cf345aa 100644
--- a/internal/state/state.go
+++ b/internal/state/state.go
@@ -3,7 +3,7 @@ package state
 import (
 "time"
- "git.ophivana.moe/security/fortify/fipc"
+ "git.ophivana.moe/security/fortify/fst"
 )
 type Store interface {
@@ -27,11 +27,11 @@ type Backend interface {
 // State is the on-disk format for a fortified process's state information
 type State struct {
 // fortify instance id
- ID [16]byte `json:"instance"`
+ ID fst.ID `json:"instance"`
 // child process PID value
 PID int `json:"pid"`
 // sealed app configuration
- Config *fipc.Config `json:"config"`
+ Config *fst.Config `json:"config"`
 // process start time
 Time time.Time
diff --git a/main.go b/main.go
index 3087cd5..e391435 100644
--- a/main.go
+++ b/main.go
@@ -12,7 +12,7 @@ import (
 "text/tabwriter"
 "git.ophivana.moe/security/fortify/dbus"
- "git.ophivana.moe/security/fortify/fipc"
+ "git.ophivana.moe/security/fortify/fst"
 "git.ophivana.moe/security/fortify/internal"
 "git.ophivana.moe/security/fortify/internal/app"
 "git.ophivana.moe/security/fortify/internal/fmsg"
@@ -103,7 +103,7 @@ func main() {
 fmt.Println(license)
 fmsg.Exit(0)
 case "template": // print full template configuration
- if s, err := json.MarshalIndent(fipc.Template(), "", " "); err != nil {
+ if s, err := json.MarshalIndent(fst.Template(), "", " "); err != nil {
 fmsg.Fatalf("cannot generate template: %v", err)
 panic("unreachable")
 } else {
@@ -130,7 +130,7 @@ func main() {
 fmsg.Fatal("app requires at least 1 argument")
 }
- config := new(fipc.Config)
+ config := new(fst.Config)
 if f, err := os.Open(args[1]); err != nil {
 fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
 panic("unreachable")
@@ -180,7 +180,7 @@ func main() {
 _ = set.Parse(args[1:])
 // initialise config from flags
- config := &fipc.Config{
+ config := &fst.Config{
 ID: fid,
 Command: set.Args(),
 }
@@ -276,7 +276,7 @@ func main() {
 panic("unreachable")
 }
-func runApp(config *fipc.Config) {
+func runApp(config *fst.Config) {
 if os.SdBooted() {
 fmsg.VPrintln("system booted with systemd as init system")
 }
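Review bot: In internal/state/state.go the `ID` field of `State` changes from `[16]byte` to `fst.ID` under the same `json:"instance"` tag, and `State` is documented as the on-disk format, so the stored encoding now depends on a type owned by another, public package. The definition of `fst.ID` is not visible in this patch; presumably it is still a 16-byte array, in which case encoding/json would keep emitting the same 16-element number array, but a `MarshalJSON` or `MarshalText` method added to `fst.ID` later would change what state files contain without touching this file. A field comment would record the dependency, e.g. `// fortify instance id; its serialised form is part of the on-disk format, so fst.ID must not gain a custom marshaler without a migration`. The struct body continues past the end of the hunk.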