fst: rename from fipc

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 15:50:46 +09:00 · 2024-12-18 15:50:46 +09:00 · 2f676c9d6e
commit 2f676c9d6e
parent bbace8f84b
10 changed files with 48 additions and 48 deletions
--- a/fipc/config.go
+++ b/fipc/config.go
@ -1,4 +1,4 @@
-package fipc
+package fst

 import (
 	"errors"
--- a/internal/app/id.go
+++ b/internal/app/id.go
@ -1,4 +1,5 @@
-package app
+// Package fst exports shared fortify types.
+package fst

 import (
 	"crypto/rand"
@ -11,7 +12,7 @@ func (a *ID) String() string {
 	return hex.EncodeToString(a[:])
 }

-func newAppID(id *ID) error {
+func NewAppID(id *ID) error {
 	_, err := rand.Read(id[:])
 	return err
 }
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -5,13 +5,13 @@ import (
 	"sync/atomic"

 	"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
-	"git.ophivana.moe/security/fortify/fipc"
+	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/internal/linux"
 )

 type App interface {
 	// ID returns a copy of App's unique ID.
-	ID() ID
+	ID() fst.ID
 	// Start sets up the system and starts the App.
 	Start() error
 	// Wait waits for App's process to exit and reverts system setup.
@ -19,7 +19,7 @@ type App interface {
 	// WaitErr returns error returned by the underlying wait syscall.
 	WaitErr() error

-	Seal(config *fipc.Config) error
+	Seal(config *fst.Config) error
 	String() string
 }

@ -28,7 +28,7 @@ type app struct {
 	ct *appCt

 	// application unique identifier
-	id *ID
+	id *fst.ID
 	// operating system interface
 	os linux.System
 	// shim process manager
@ -41,7 +41,7 @@ type app struct {
 	lock sync.RWMutex
 }

-func (a *app) ID() ID {
+func (a *app) ID() fst.ID {
 	return *a.id
 }

@ -70,18 +70,18 @@ func (a *app) WaitErr() error {

 func New(os linux.System) (App, error) {
 	a := new(app)
-	a.id = new(ID)
+	a.id = new(fst.ID)
 	a.os = os
-	return a, newAppID(a.id)
+	return a, fst.NewAppID(a.id)
 }

 // appCt ensures its wrapped val is only accessed once
 type appCt struct {
-	val  *fipc.Config
+	val  *fst.Config
 	done *atomic.Bool
 }

-func (a *appCt) Unwrap() *fipc.Config {
+func (a *appCt) Unwrap() *fst.Config {
 	if !a.done.Load() {
 		defer a.done.Store(true)
 		return a.val
@ -89,7 +89,7 @@ func (a *appCt) Unwrap() *fipc.Config {
 	panic("attempted to access config reference twice")
 }

-func newAppCt(config *fipc.Config) (ct *appCt) {
+func newAppCt(config *fst.Config) (ct *appCt) {
 	ct = new(appCt)
 	ct.done = new(atomic.Bool)
 	ct.val = config
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -3,24 +3,23 @@ package app_test
 import (
 	"git.ophivana.moe/security/fortify/acl"
 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fipc"
+	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/system"
 )

 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
-		&fipc.Config{
+		&fst.Config{
 			ID:      "org.chromium.Chromium",
 			Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
-			Confinement: fipc.ConfinementConfig{
+			Confinement: fst.ConfinementConfig{
 				AppID: 1, Groups: []string{}, Username: "u0_a1",
 				Outer: "/var/lib/persist/module/fortify/0/1",
-				Sandbox: &fipc.SandboxConfig{
+				Sandbox: &fst.SandboxConfig{
 					UserNS: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil,
-					Filesystem: []*fipc.FilesystemConfig{
+					Filesystem: []*fst.FilesystemConfig{
 						{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
 						{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
 						{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
@ -49,7 +48,7 @@ var testCasesNixos = []sealTestCase{
 				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
 			},
 		},
-		app.ID{
+		fst.ID{
 			0x8e, 0x2c, 0x76, 0xb0,
 			0x66, 0xda, 0xbe, 0x57,
 			0x4c, 0xf0, 0x73, 0xbd,
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -3,24 +3,23 @@ package app_test
 import (
 	"git.ophivana.moe/security/fortify/acl"
 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fipc"
+	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/system"
 )

 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
-		&fipc.Config{
+		&fst.Config{
 			Command: make([]string, 0),
-			Confinement: fipc.ConfinementConfig{
+			Confinement: fst.ConfinementConfig{
 				AppID:    0,
 				Username: "chronos",
 				Outer:    "/home/chronos",
 			},
 		},
-		app.ID{
+		fst.ID{
 			0x4a, 0x45, 0x0b, 0x65,
 			0x96, 0xd7, 0xbc, 0x15,
 			0xbd, 0x01, 0x78, 0x0e,
@ -191,10 +190,10 @@ var testCasesPd = []sealTestCase{
 	},
 	{
 		"nixos permissive defaults chromium", new(stubNixOS),
-		&fipc.Config{
+		&fst.Config{
 			ID:      "org.chromium.Chromium",
 			Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
-			Confinement: fipc.ConfinementConfig{
+			Confinement: fst.ConfinementConfig{
 				AppID:    9,
 				Groups:   []string{"video"},
 				Username: "chronos",
@ -233,7 +232,7 @@ var testCasesPd = []sealTestCase{
 				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
 			},
 		},
-		app.ID{
+		fst.ID{
 			0xeb, 0xf0, 0x83, 0xd1,
 			0xb1, 0x75, 0x91, 0x17,
 			0x82, 0xd4, 0x13, 0x36,
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"

-	"git.ophivana.moe/security/fortify/fipc"
+	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
 	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/linux"
@ -16,8 +16,8 @@ import (
 type sealTestCase struct {
 	name      string
 	os        linux.System
-	config    *fipc.Config
-	id        app.ID
+	config    *fst.Config
+	id        fst.ID
 	wantSys   *system.I
 	wantBwrap *bwrap.Config
 }
--- a/internal/app/export_test.go
+++ b/internal/app/export_test.go
@ -1,12 +1,13 @@
 package app

 import (
+	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
 	"git.ophivana.moe/security/fortify/internal/linux"
 	"git.ophivana.moe/security/fortify/internal/system"
 )

-func NewWithID(id ID, os linux.System) App {
+func NewWithID(id fst.ID, os linux.System) App {
 	a := new(app)
 	a.id = &id
 	a.os = os
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -9,7 +9,7 @@ import (
 	"strconv"

 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fipc"
+	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
 	"git.ophivana.moe/security/fortify/internal/linux"
 	"git.ophivana.moe/security/fortify/internal/state"
@ -60,7 +60,7 @@ type appSeal struct {
 }

 // Seal seals the app launch context
-func (a *app) Seal(config *fipc.Config) error {
+func (a *app) Seal(config *fst.Config) error {
 	a.lock.Lock()
 	defer a.lock.Unlock()

@ -148,7 +148,7 @@ func (a *app) Seal(config *fipc.Config) error {
 		fmsg.VPrintln("sandbox configuration not supplied, PROCEED WITH CAUTION")

 		// permissive defaults
-		conf := &fipc.SandboxConfig{
+		conf := &fst.SandboxConfig{
 			UserNS:       true,
 			Net:          true,
 			NoNewSession: true,
@ -158,7 +158,7 @@ func (a *app) Seal(config *fipc.Config) error {
 		if d, err := a.os.ReadDir("/"); err != nil {
 			return err
 		} else {
-			b := make([]*fipc.FilesystemConfig, 0, len(d))
+			b := make([]*fst.FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				p := "/" + ent.Name()
 				switch p {
@ -170,7 +170,7 @@ func (a *app) Seal(config *fipc.Config) error {
 				case "/etc":

 				default:
-					b = append(b, &fipc.FilesystemConfig{Src: p, Write: true, Must: true})
+					b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
@ -179,7 +179,7 @@ func (a *app) Seal(config *fipc.Config) error {
 		if d, err := a.os.ReadDir("/run"); err != nil {
 			return err
 		} else {
-			b := make([]*fipc.FilesystemConfig, 0, len(d))
+			b := make([]*fst.FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				name := ent.Name()
 				switch name {
@ -187,7 +187,7 @@ func (a *app) Seal(config *fipc.Config) error {
 				case "dbus":
 				default:
 					p := "/run/" + name
-					b = append(b, &fipc.FilesystemConfig{Src: p, Write: true, Must: true})
+					b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
@ -199,7 +199,7 @@ func (a *app) Seal(config *fipc.Config) error {
 		}
 		// bind GPU stuff
 		if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
-			conf.Filesystem = append(conf.Filesystem, &fipc.FilesystemConfig{Src: "/dev/dri", Device: true})
+			conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 		}

 		config.Confinement.Sandbox = conf
--- a/internal/state/state.go
+++ b/internal/state/state.go
@ -3,7 +3,7 @@ package state
 import (
 	"time"

-	"git.ophivana.moe/security/fortify/fipc"
+	"git.ophivana.moe/security/fortify/fst"
 )

 type Store interface {
@ -27,11 +27,11 @@ type Backend interface {
 // State is the on-disk format for a fortified process's state information
 type State struct {
 	// fortify instance id
-	ID [16]byte `json:"instance"`
+	ID fst.ID `json:"instance"`
 	// child process PID value
 	PID int `json:"pid"`
 	// sealed app configuration
-	Config *fipc.Config `json:"config"`
+	Config *fst.Config `json:"config"`

 	// process start time
 	Time time.Time
--- a/main.go
+++ b/main.go
@ -12,7 +12,7 @@ import (
 	"text/tabwriter"

 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fipc"
+	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/internal"
 	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
@ -103,7 +103,7 @@ func main() {
 		fmt.Println(license)
 		fmsg.Exit(0)
 	case "template": // print full template configuration
-		if s, err := json.MarshalIndent(fipc.Template(), "", "  "); err != nil {
+		if s, err := json.MarshalIndent(fst.Template(), "", "  "); err != nil {
 			fmsg.Fatalf("cannot generate template: %v", err)
 			panic("unreachable")
 		} else {
@ -130,7 +130,7 @@ func main() {
 			fmsg.Fatal("app requires at least 1 argument")
 		}

-		config := new(fipc.Config)
+		config := new(fst.Config)
 		if f, err := os.Open(args[1]); err != nil {
 			fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
 			panic("unreachable")
@ -180,7 +180,7 @@ func main() {
 		_ = set.Parse(args[1:])

 		// initialise config from flags
-		config := &fipc.Config{
+		config := &fst.Config{
 			ID:      fid,
 			Command: set.Args(),
 		}
@ -276,7 +276,7 @@ func main() {
 	panic("unreachable")
 }

-func runApp(config *fipc.Config) {
+func runApp(config *fst.Config) {
 	if os.SdBooted() {
 		fmsg.VPrintln("system booted with systemd as init system")
 	}