cmd/fsu: allow switch from fpkg
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
56539d8db5
commit
45ad788c6d
SSH Key Fingerprint:
SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
cmd/fsu
@ -13,7 +13,6 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
|
||||
fsuConfFile = "/etc/fsurc"
|
||||
envShim = "FORTIFY_SHIM"
|
||||
envAID = "FORTIFY_APP_ID"
|
||||
@ -22,10 +21,6 @@ const (
|
||||
PR_SET_NO_NEW_PRIVS = 0x26
|
||||
)
|
||||
|
||||
var (
|
||||
Fmain = compPoison
|
||||
)
|
||||
|
||||
func main() {
|
||||
log.SetFlags(0)
|
||||
log.SetPrefix("fsu: ")
|
||||
@ -40,20 +35,16 @@ func main() {
|
||||
log.Fatal("this program must not be started by root")
|
||||
}
|
||||
|
||||
var fmain string
|
||||
if p, ok := checkPath(Fmain); !ok {
|
||||
log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
|
||||
} else {
|
||||
fmain = p
|
||||
}
|
||||
|
||||
var toolPath string
|
||||
pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
|
||||
if p, err := os.Readlink(pexe); err != nil {
|
||||
log.Fatalf("cannot read parent executable path: %v", err)
|
||||
} else if strings.HasSuffix(p, " (deleted)") {
|
||||
log.Fatal("fortify executable has been deleted")
|
||||
} else if p != fmain {
|
||||
} else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {
|
||||
log.Fatal("this program must be started by fortify")
|
||||
} else {
|
||||
toolPath = p
|
||||
}
|
||||
|
||||
// uid = 1000000 +
|
||||
@ -147,13 +138,9 @@ func main() {
|
||||
if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
|
||||
log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
|
||||
}
|
||||
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
|
||||
if err := syscall.Exec(toolPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
|
||||
log.Fatalf("cannot start shim: %v", err)
|
||||
}
|
||||
|
||||
panic("unreachable")
|
||||
}
|
||||
|
||||
func checkPath(p string) (string, bool) {
|
||||
return p, p != compPoison && p != "" && path.IsAbs(p)
|
||||
}
|
||||
|
||||
@ -1,4 +1,5 @@
|
||||
{
|
||||
lib,
|
||||
buildGoModule,
|
||||
fortify ? abort "fortify package required",
|
||||
}:
|
||||
@ -15,5 +16,15 @@ buildGoModule {
|
||||
go mod init fsu >& /dev/null
|
||||
'';
|
||||
|
||||
ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ];
|
||||
ldflags =
|
||||
lib.attrsets.foldlAttrs
|
||||
(
|
||||
ldflags: name: value:
|
||||
ldflags ++ [ "-X main.${name}=${value}" ]
|
||||
)
|
||||
[ "-s -w" ]
|
||||
{
|
||||
fmain = "${fortify}/libexec/fortify";
|
||||
fpkg = "${fortify}/libexec/fpkg";
|
||||
};
|
||||
}
|
||||
|
||||
21
cmd/fsu/path.go
Normal file
21
cmd/fsu/path.go
Normal file
@ -0,0 +1,21 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"log"
|
||||
"path"
|
||||
)
|
||||
|
||||
const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
|
||||
|
||||
var (
|
||||
fmain = compPoison
|
||||
fpkg = compPoison
|
||||
)
|
||||
|
||||
func mustCheckPath(p string) string {
|
||||
if p != compPoison && p != "" && path.IsAbs(p) {
|
||||
return p
|
||||
}
|
||||
log.Fatal("this program is compiled incorrectly")
|
||||
return compPoison
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user