internal/app: rename init to init0

This makes way for the new container init.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-13 21:57:54 +09:00
parent 9b1a60b5c9
commit 4133b555ba
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
10 changed files with 18 additions and 14 deletions


@ -15,9 +15,10 @@ import (
"git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/helper/seccomp"
"git.gensokyo.uk/security/fortify/internal"
init0 "git.gensokyo.uk/security/fortify/internal/app/init"
"git.gensokyo.uk/security/fortify/internal/app/init0"
"git.gensokyo.uk/security/fortify/internal/app/shim"
"git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/sandbox"
"git.gensokyo.uk/security/fortify/internal/sys"
)
@ -37,7 +38,8 @@ func init() {
}
func main() {
// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
// early init path, skips root check and duplicate PR_SET_DUMPABLE
sandbox.TryArgv0()
init0.TryArgv0()
if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {


@ -218,6 +218,6 @@ var testCasesNixos = []sealTestCase{
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
Tmpfs("/var/run/nscd", 8192).
Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
Symlink("fortify", "/.fortify/sbin/init"),
Symlink("fortify", "/.fortify/sbin/init0"),
},
}


@ -158,7 +158,7 @@ var testCasesPd = []sealTestCase{
CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
Tmpfs("/var/run/nscd", 8192).
Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
Symlink("fortify", "/.fortify/sbin/init"),
Symlink("fortify", "/.fortify/sbin/init0"),
},
{
"nixos permissive defaults chromium", new(stubNixOS),
@ -389,6 +389,6 @@ var testCasesPd = []sealTestCase{
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
Tmpfs("/var/run/nscd", 8192).
Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
Symlink("fortify", "/.fortify/sbin/init"),
Symlink("fortify", "/.fortify/sbin/init0"),
},
}


@ -9,9 +9,9 @@ import (
// used by the parent process
// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
// TryArgv0 calls [Main] if the last element of argv0 is "init0".
func TryArgv0() {
if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
if len(os.Args) > 0 && path.Base(os.Args[0]) == "init0" {
Main()
internal.Exit(0)
}
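Review bot: The doc comment on TryArgv0 updated in this hunk states what is matched (the last element of argv0 equals "init0") but not what that match may be trusted for; argv[0] is chosen by whoever execs the binary, and the comments at both call sites in this commit describe this path as skipping the root check and the PR_SET_DUMPABLE call. I would extend the comment with `// The argv0 match is a dispatch convenience for the container entrypoint, not an authentication step: any caller can set argv[0], so Main must establish its own invariants (it performs its own SetDumpable call) and must not treat this match as evidence of a trusted parent.` The test fixtures in this commit bind the binary from /run/wrappers/bin/fortify, which suggests a privileged wrapper is one way this entrypoint is reached; if so, that reinforces keeping the trust caveat in the comment, but I cannot confirm the wrapper's privileges from these hunks. TryArgv0's closing brace is outside the hunk.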


@ -25,7 +25,7 @@ const (
func Main() {
// sharing stdout with shim
// USE WITH CAUTION
fmsg.Prepare("init")
fmsg.Prepare("init0")
// setting this prevents ptrace
if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {


@ -486,7 +486,7 @@ func (seal *outcome) finalise(sys sys.State, config *fst.Config) error {
// mount fortify in sandbox for init
seal.container.Bind(sys.MustExecutable(), path.Join(fst.Tmp, "sbin/fortify"))
seal.container.Symlink("fortify", path.Join(fst.Tmp, "sbin/init"))
seal.container.Symlink("fortify", path.Join(fst.Tmp, "sbin/init0"))
fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, command: %s",
seal.user.uid, seal.user.username, config.Confinement.Groups, config.Command)


@ -16,7 +16,7 @@ import (
"git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/helper/seccomp"
"git.gensokyo.uk/security/fortify/internal"
init0 "git.gensokyo.uk/security/fortify/internal/app/init"
"git.gensokyo.uk/security/fortify/internal/app/init0"
"git.gensokyo.uk/security/fortify/internal/fmsg"
)
@ -125,7 +125,7 @@ func Main() {
seccomp.CPrintln = log.Println
}
if b, err := helper.NewBwrap(
conf, path.Join(fst.Tmp, "sbin/init"), false,
conf, path.Join(fst.Tmp, "sbin/init0"), false,
nil, func(int, int) []string { return make([]string, 0) },
extraFiles,
syncFd,


@ -21,9 +21,10 @@ import (
"git.gensokyo.uk/security/fortify/helper/seccomp"
"git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/app"
init0 "git.gensokyo.uk/security/fortify/internal/app/init"
"git.gensokyo.uk/security/fortify/internal/app/init0"
"git.gensokyo.uk/security/fortify/internal/app/shim"
"git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/sandbox"
"git.gensokyo.uk/security/fortify/internal/state"
"git.gensokyo.uk/security/fortify/internal/sys"
"git.gensokyo.uk/security/fortify/system"
@ -41,7 +42,8 @@ func init() { fmsg.Prepare("fortify") }
var std sys.State = new(sys.Std)
func main() {
// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
// early init path, skips root check and duplicate PR_SET_DUMPABLE
sandbox.TryArgv0()
init0.TryArgv0()
if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {


@ -21,7 +21,7 @@ let
etc = fs "800001ed" null null;
sbin = fs "800001c0" {
fortify = fs "16d" null null;
init = fs "80001ff" null null;
init0 = fs "80001ff" null null;
} null;
host-mounts = fs "124" null null;
} null;