From 45ad788c6d03bf368010fa8e2a39028bdf0fc078 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 26 Feb 2025 19:42:28 +0900
Subject: [PATCH] cmd/fsu: allow switch from fpkg

Signed-off-by: Ophestra
---
 cmd/fsu/main.go | 23 +++++------------------
 cmd/fsu/package.nix | 13 ++++++++++++-
 cmd/fsu/path.go | 21 +++++++++++++++++++++
 3 files changed, 38 insertions(+), 19 deletions(-)
 create mode 100644 cmd/fsu/path.go

diff --git a/cmd/fsu/main.go b/cmd/fsu/main.go
index fd3ba1e..33ecbf4 100644
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@@ -13,7 +13,6 @@ import (
 )

 const (
- compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
 fsuConfFile = "/etc/fsurc"
 envShim = "FORTIFY_SHIM"
 envAID = "FORTIFY_APP_ID"
@@ -22,10 +21,6 @@ const (
 PR_SET_NO_NEW_PRIVS = 0x26
 )

-var (
- Fmain = compPoison
-)
-
 func main() {
 log.SetFlags(0)
 log.SetPrefix("fsu: ")
@@ -40,20 +35,16 @@ func main() {
 log.Fatal("this program must not be started by root")
 }

- var fmain string
- if p, ok := checkPath(Fmain); !ok {
- log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
- } else {
- fmain = p
- }
-
+ var toolPath string
 pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 if p, err := os.Readlink(pexe); err != nil {
 log.Fatalf("cannot read parent executable path: %v", err)
 } else if strings.HasSuffix(p, " (deleted)") {
 log.Fatal("fortify executable has been deleted")
- } else if p != fmain {
+ } else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {
 log.Fatal("this program must be started by fortify")
+ } else {
+ toolPath = p
 }

 // uid = 1000000 +
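Review bot: The `&&` in the new `} else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {` short-circuits, so fpkg is only validated when the parent is not fmain; a build that omitted `-X main.fpkg=...` would pass every fortify-started run and only abort on the fpkg switch path. Validating both linker-injected paths up front makes such a misbuild fail on every invocation: `fmainPath, fpkgPath := mustCheckPath(fmain), mustCheckPath(fpkg)` before the readlink, then `} else if p != fmainPath && p != fpkgPath {`. `toolPath` also deserves a comment on what it holds, e.g. `// toolPath is the parent's executable path, verified to equal one of the compiled-in fortify or fpkg paths; it is the binary exec'd as the shim below`. Since this check is fsu's gate on who may invoke it, widening the trusted parent set from one binary to two should be stated in a comment here or in the commit message. main starts before and ends after this hunk.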
@@ -147,13 +138,9 @@ func main() {
 if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 }
- if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+ if err := syscall.Exec(toolPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 log.Fatalf("cannot start shim: %v", err)
 }

 panic("unreachable")
 }
-
-func checkPath(p string) (string, bool) {
- return p, p != compPoison && p != "" && path.IsAbs(p)
-}
diff --git a/cmd/fsu/package.nix b/cmd/fsu/package.nix
index e7a7a1e..879c637 100644
--- a/cmd/fsu/package.nix
+++ b/cmd/fsu/package.nix
@@ -1,4 +1,5 @@
 {
+ lib,
 buildGoModule,
 fortify ? abort "fortify package required",
 }:
@@ -15,5 +16,15 @@ buildGoModule {
 go mod init fsu >& /dev/null
 '';

- ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ];
+ ldflags =
+ lib.attrsets.foldlAttrs
+ (
+ ldflags: name: value:
+ ldflags ++ [ "-X main.${name}=${value}" ]
+ )
+ [ "-s -w" ]
+ {
+ fmain = "${fortify}/libexec/fortify";
+ fpkg = "${fortify}/libexec/fpkg";
+ };
 }
diff --git a/cmd/fsu/path.go b/cmd/fsu/path.go
new file mode 100644
index 0000000..6ed5600
--- /dev/null
+++ b/cmd/fsu/path.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+ "log"
+ "path"
+)
+
+const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
+
+var (
+ fmain = compPoison
+ fpkg = compPoison
+)
+
+func mustCheckPath(p string) string {
+ if p != compPoison && p != "" && path.IsAbs(p) {
+ return p
+ }
+ log.Fatal("this program is compiled incorrectly")
+ return compPoison
+}
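Review bot: `syscall.Exec(toolPath, []string{"fortify", "shim"}, ...)` now execs whichever of the two verified parents was found, but argv stays the fixed `"fortify", "shim"`; when toolPath is the fpkg binary, fpkg is started with argv[0] "fortify" and the "shim" subcommand, so this relies on fpkg implementing the same shim entry point as fortify, which is not visible here and worth confirming. A short comment at the call would make that coupling explicit, e.g. `// toolPath is the verified parent (fortify or fpkg); both must accept the "shim" subcommand`. main starts before this hunk.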
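Review bot: The `foldlAttrs` accumulator for two `-X` entries is harder to read than the equivalent `lib.mapAttrsToList`, and `"-s -w"` packs two linker flags into a single list element, which only works because the list ends up space-joined; `[ "-s" "-w" ]` is the usual buildGoModule shape. The attribute could read `ldflags = [ "-s" "-w" ] ++ lib.mapAttrsToList (name: value: "-X main.${name}=${value}") { fmain = "${fortify}/libexec/fortify"; fpkg = "${fortify}/libexec/fpkg"; };`. The attribute names `fmain`/`fpkg` must stay in sync with the string variables in cmd/fsu/path.go that `-X` overwrites, and since a mismatch only surfaces as a runtime abort of the setuid helper, a comment on the set such as `# keys must match the string vars in path.go` would protect that link.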
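Review bot: The new file has no doc comments, yet these three names carry the build-time contract the parent check in main.go rests on. I would document that the two vars are overwritten at link time (`// fmain and fpkg are set by the linker via -X main.<name>=<path>; they keep compPoison when the build omits the flag`), that `compPoison` is the sentinel that makes an unpatched build abort instead of trusting an empty path, and that `mustCheckPath` returns p when it is a non-empty absolute path other than the poison sentinel and otherwise terminates the process via log.Fatal, with the trailing return present only to satisfy the compiler. `path.IsAbs` checks only the leading slash, while main.go compares the value with the readlink result byte-for-byte, so a non-clean injected path (`//`, `/./`) would pass here and then never match; if that matters, `return path.Clean(p)` makes the accepted form explicit.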