From 4133b555ba8dd38accb272d86c01898ac4b99f95 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Thu, 13 Mar 2025 21:57:54 +0900 Subject: [PATCH] internal/app: rename init to init0 This makes way for the new container init. Signed-off-by: Ophestra --- cmd/fpkg/main.go | 6 ++++-- internal/app/app_nixos_test.go | 2 +- internal/app/app_pd_test.go | 4 ++-- internal/app/{init => init0}/early.go | 4 ++-- internal/app/{init => init0}/main.go | 2 +- internal/app/{init => init0}/payload.go | 0 internal/app/seal.go | 2 +- internal/app/shim/main.go | 4 ++-- main.go | 6 ++++-- test/sandbox/fs.nix | 2 +- 10 files changed, 18 insertions(+), 14 deletions(-) rename internal/app/{init => init0}/early.go (52%) rename internal/app/{init => init0}/main.go (99%) rename internal/app/{init => init0}/payload.go (100%) diff --git a/cmd/fpkg/main.go b/cmd/fpkg/main.go index 62ad7cd..70f4293 100644 --- a/cmd/fpkg/main.go +++ b/cmd/fpkg/main.go @@ -15,9 +15,10 @@ import ( "git.gensokyo.uk/security/fortify/helper/bwrap" "git.gensokyo.uk/security/fortify/helper/seccomp" "git.gensokyo.uk/security/fortify/internal" - init0 "git.gensokyo.uk/security/fortify/internal/app/init" + "git.gensokyo.uk/security/fortify/internal/app/init0" "git.gensokyo.uk/security/fortify/internal/app/shim" "git.gensokyo.uk/security/fortify/internal/fmsg" + "git.gensokyo.uk/security/fortify/internal/sandbox" "git.gensokyo.uk/security/fortify/internal/sys" ) @@ -37,7 +38,8 @@ func init() { } func main() { - // early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE + // early init path, skips root check and duplicate PR_SET_DUMPABLE + sandbox.TryArgv0() init0.TryArgv0() if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil { diff --git a/internal/app/app_nixos_test.go b/internal/app/app_nixos_test.go index 7ebd32e..683b179 100644 --- a/internal/app/app_nixos_test.go +++ b/internal/app/app_nixos_test.go @@ -218,6 +218,6 @@ var testCasesNixos = []sealTestCase{ Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket"). Tmpfs("/var/run/nscd", 8192). Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify"). - Symlink("fortify", "/.fortify/sbin/init"), + Symlink("fortify", "/.fortify/sbin/init0"), }, } diff --git a/internal/app/app_pd_test.go b/internal/app/app_pd_test.go index 2a03d35..602965c 100644 --- a/internal/app/app_pd_test.go +++ b/internal/app/app_pd_test.go @@ -158,7 +158,7 @@ var testCasesPd = []sealTestCase{ CopyBind("/etc/group", []byte("fortify:x:65534:\n")). Tmpfs("/var/run/nscd", 8192). Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify"). - Symlink("fortify", "/.fortify/sbin/init"), + Symlink("fortify", "/.fortify/sbin/init0"), }, { "nixos permissive defaults chromium", new(stubNixOS), @@ -389,6 +389,6 @@ var testCasesPd = []sealTestCase{ Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket"). Tmpfs("/var/run/nscd", 8192). Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify"). - Symlink("fortify", "/.fortify/sbin/init"), + Symlink("fortify", "/.fortify/sbin/init0"), }, } diff --git a/internal/app/init/early.go b/internal/app/init0/early.go similarity index 52% rename from internal/app/init/early.go rename to internal/app/init0/early.go index ac2fedb..0bcf094 100644 --- a/internal/app/init/early.go +++ b/internal/app/init0/early.go @@ -9,9 +9,9 @@ import ( // used by the parent process -// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init". +// TryArgv0 calls [Main] if the last element of argv0 is "init0". func TryArgv0() { - if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" { + if len(os.Args) > 0 && path.Base(os.Args[0]) == "init0" { Main() internal.Exit(0) } diff --git a/internal/app/init/main.go b/internal/app/init0/main.go similarity index 99% rename from internal/app/init/main.go rename to internal/app/init0/main.go index 6fa2293..fe2f9ae 100644 --- a/internal/app/init/main.go +++ b/internal/app/init0/main.go @@ -25,7 +25,7 @@ const ( func Main() { // sharing stdout with shim // USE WITH CAUTION - fmsg.Prepare("init") + fmsg.Prepare("init0") // setting this prevents ptrace if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil { diff --git a/internal/app/init/payload.go b/internal/app/init0/payload.go similarity index 100% rename from internal/app/init/payload.go rename to internal/app/init0/payload.go diff --git a/internal/app/seal.go b/internal/app/seal.go index b133b46..7c4ba4b 100644 --- a/internal/app/seal.go +++ b/internal/app/seal.go @@ -486,7 +486,7 @@ func (seal *outcome) finalise(sys sys.State, config *fst.Config) error { // mount fortify in sandbox for init seal.container.Bind(sys.MustExecutable(), path.Join(fst.Tmp, "sbin/fortify")) - seal.container.Symlink("fortify", path.Join(fst.Tmp, "sbin/init")) + seal.container.Symlink("fortify", path.Join(fst.Tmp, "sbin/init0")) fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, command: %s", seal.user.uid, seal.user.username, config.Confinement.Groups, config.Command) diff --git a/internal/app/shim/main.go b/internal/app/shim/main.go index ed1cb98..360c89b 100644 --- a/internal/app/shim/main.go +++ b/internal/app/shim/main.go @@ -16,7 +16,7 @@ import ( "git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/helper/seccomp" "git.gensokyo.uk/security/fortify/internal" - init0 "git.gensokyo.uk/security/fortify/internal/app/init" + "git.gensokyo.uk/security/fortify/internal/app/init0" "git.gensokyo.uk/security/fortify/internal/fmsg" ) @@ -125,7 +125,7 @@ func Main() { seccomp.CPrintln = log.Println } if b, err := helper.NewBwrap( - conf, path.Join(fst.Tmp, "sbin/init"), false, + conf, path.Join(fst.Tmp, "sbin/init0"), false, nil, func(int, int) []string { return make([]string, 0) }, extraFiles, syncFd, diff --git a/main.go b/main.go index d4fc3d9..ecf5bc7 100644 --- a/main.go +++ b/main.go @@ -21,9 +21,10 @@ import ( "git.gensokyo.uk/security/fortify/helper/seccomp" "git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal/app" - init0 "git.gensokyo.uk/security/fortify/internal/app/init" + "git.gensokyo.uk/security/fortify/internal/app/init0" "git.gensokyo.uk/security/fortify/internal/app/shim" "git.gensokyo.uk/security/fortify/internal/fmsg" + "git.gensokyo.uk/security/fortify/internal/sandbox" "git.gensokyo.uk/security/fortify/internal/state" "git.gensokyo.uk/security/fortify/internal/sys" "git.gensokyo.uk/security/fortify/system" @@ -41,7 +42,8 @@ func init() { fmsg.Prepare("fortify") } var std sys.State = new(sys.Std) func main() { - // early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE + // early init path, skips root check and duplicate PR_SET_DUMPABLE + sandbox.TryArgv0() init0.TryArgv0() if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil { diff --git a/test/sandbox/fs.nix b/test/sandbox/fs.nix index 0673c61..8f2ea50 100644 --- a/test/sandbox/fs.nix +++ b/test/sandbox/fs.nix @@ -21,7 +21,7 @@ let etc = fs "800001ed" null null; sbin = fs "800001c0" { fortify = fs "16d" null null; - init = fs "80001ff" null null; + init0 = fs "80001ff" null null; } null; host-mounts = fs "124" null null; } null;