diff --git a/cmd/fpkg/main.go b/cmd/fpkg/main.go index 268c2d4..f3310c6 100644 --- a/cmd/fpkg/main.go +++ b/cmd/fpkg/main.go @@ -13,7 +13,7 @@ import ( "git.gensokyo.uk/security/fortify/command" "git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/internal" - "git.gensokyo.uk/security/fortify/internal/app/shim" + "git.gensokyo.uk/security/fortify/internal/app" "git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/sys" "git.gensokyo.uk/security/fortify/sandbox" @@ -62,7 +62,7 @@ func main() { Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console"). Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action") - c.Command("shim", command.UsageInternal, func([]string) error { shim.Main(); return errSuccess }) + c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess }) { var ( @@ -122,7 +122,7 @@ func main() { bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup) pathSet := pathSetByApp(bundle.ID) - app := bundle + a := bundle if s, err := os.Stat(pathSet.metaPath); err != nil { if !os.IsNotExist(err) { cleanup() @@ -135,39 +135,39 @@ func main() { log.Printf("metadata path %q is not a file", pathSet.metaPath) return syscall.EBADMSG } else { - app = loadAppInfo(pathSet.metaPath, cleanup) - if app.ID != bundle.ID { + a = loadAppInfo(pathSet.metaPath, cleanup) + if a.ID != bundle.ID { cleanup() log.Printf("app %q claims to have identifier %q", - bundle.ID, app.ID) + bundle.ID, a.ID) return syscall.EBADE } // sec: should verify credentials } - if app != bundle { + if a != bundle { // do not try to re-install - if app.NixGL == bundle.NixGL && - app.CurrentSystem == bundle.CurrentSystem && - app.Launcher == bundle.Launcher && - app.ActivationPackage == bundle.ActivationPackage { + if a.NixGL == bundle.NixGL && + a.CurrentSystem == bundle.CurrentSystem && + a.Launcher == bundle.Launcher && + a.ActivationPackage == bundle.ActivationPackage { cleanup() log.Printf("package %q is identical to local application %q", - pkgPath, app.ID) + pkgPath, a.ID) return errSuccess } // AppID determines uid - if app.AppID != bundle.AppID { + if a.AppID != bundle.AppID { cleanup() log.Printf("package %q app id %d differs from installed %d", - pkgPath, bundle.AppID, app.AppID) + pkgPath, bundle.AppID, a.AppID) return syscall.EBADE } // sec: should compare version string fmsg.Verbosef("installing application %q version %q over local %q", - bundle.ID, bundle.Version, app.Version) + bundle.ID, bundle.Version, a.Version) } else { fmsg.Verbosef("application %q clean installation", bundle.ID) // sec: should install credentials @@ -268,9 +268,9 @@ func main() { id := args[0] pathSet := pathSetByApp(id) - app := loadAppInfo(pathSet.metaPath, func() {}) - if app.ID != id { - log.Printf("app %q claims to have identifier %q", id, app.ID) + a := loadAppInfo(pathSet.metaPath, func() {}) + if a.ID != id { + log.Printf("app %q claims to have identifier %q", id, a.ID) return syscall.EBADE } @@ -278,7 +278,7 @@ func main() { Prepare nixGL. */ - if app.GPU && flagAutoDrivers { + if a.GPU && flagAutoDrivers { withNixDaemon(ctx, "nix-gl", []string{ "mkdir -p /nix/.nixGL/auto", "rm -rf /nix/.nixGL/auto", @@ -286,11 +286,11 @@ func main() { "nix build --impure " + "--out-link /nix/.nixGL/auto/opengl " + "--override-input nixpkgs path:/etc/nixpkgs " + - "path:" + app.NixGL, + "path:" + a.NixGL, "nix build --impure " + "--out-link /nix/.nixGL/auto/vulkan " + "--override-input nixpkgs path:/etc/nixpkgs " + - "path:" + app.NixGL + "#nixVulkanNvidia", + "path:" + a.NixGL + "#nixVulkanNvidia", }, true, func(config *fst.Config) *fst.Config { config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{ {Src: "/etc/resolv.conf"}, @@ -302,7 +302,7 @@ func main() { }...) appendGPUFilesystem(config) return config - }, app, pathSet, flagDropShellNixGL, func() {}) + }, a, pathSet, flagDropShellNixGL, func() {}) } /* @@ -311,19 +311,19 @@ func main() { argv := make([]string, 1, len(args)) if !flagDropShell { - argv[0] = app.Launcher + argv[0] = a.Launcher } else { argv[0] = shellPath } argv = append(argv, args[1:]...) - config := app.toFst(pathSet, argv, flagDropShell) + config := a.toFst(pathSet, argv, flagDropShell) /* Expose GPU devices. */ - if app.GPU { + if a.GPU { config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, &fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")}) appendGPUFilesystem(config) diff --git a/internal/app/process.go b/internal/app/process.go index 00f6643..69a66e5 100644 --- a/internal/app/process.go +++ b/internal/app/process.go @@ -9,7 +9,6 @@ import ( "git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/internal" - "git.gensokyo.uk/security/fortify/internal/app/shim" "git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/state" "git.gensokyo.uk/security/fortify/system" @@ -95,7 +94,7 @@ func (seal *outcome) Run(rs *fst.RunState) error { */ waitErr := make(chan error, 1) - cmd := new(shim.Shim) + cmd := new(shimProcess) if startTime, err := cmd.Start( seal.user.aid.String(), seal.user.supp, @@ -115,7 +114,7 @@ func (seal *outcome) Run(rs *fst.RunState) error { cancel() }() - if err := cmd.Serve(ctx, &shim.Params{ + if err := cmd.Serve(ctx, &shimParams{ Container: seal.container, Home: seal.user.data, diff --git a/internal/app/shim.go b/internal/app/shim.go new file mode 100644 index 0000000..0c12606 --- /dev/null +++ b/internal/app/shim.go @@ -0,0 +1,212 @@ +package app + +import ( + "context" + "encoding/gob" + "errors" + "log" + "os" + "os/exec" + "os/signal" + "strconv" + "strings" + "syscall" + "time" + + "git.gensokyo.uk/security/fortify/internal" + "git.gensokyo.uk/security/fortify/internal/fmsg" + "git.gensokyo.uk/security/fortify/sandbox" +) + +const shimEnv = "FORTIFY_SHIM" + +type shimParams struct { + // finalised container params + Container *sandbox.Params + // path to outer home directory + Home string + + // verbosity pass through + Verbose bool +} + +// ShimMain is the main function of the shim process and runs as the unconstrained target user. +func ShimMain() { + fmsg.Prepare("shim") + + if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil { + log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err) + } + + var ( + params shimParams + closeSetup func() error + ) + if f, err := sandbox.Receive(shimEnv, ¶ms, nil); err != nil { + if errors.Is(err, sandbox.ErrInvalid) { + log.Fatal("invalid config descriptor") + } + if errors.Is(err, sandbox.ErrNotSet) { + log.Fatal("FORTIFY_SHIM not set") + } + + log.Fatalf("cannot receive shim setup params: %v", err) + } else { + internal.InstallFmsg(params.Verbose) + closeSetup = f + } + + if params.Container == nil || params.Container.Ops == nil { + log.Fatal("invalid container params") + } + + // close setup socket + if err := closeSetup(); err != nil { + log.Printf("cannot close setup pipe: %v", err) + // not fatal + } + + // ensure home directory as target user + if s, err := os.Stat(params.Home); err != nil { + if os.IsNotExist(err) { + if err = os.Mkdir(params.Home, 0700); err != nil { + log.Fatalf("cannot create home directory: %v", err) + } + } else { + log.Fatalf("cannot access home directory: %v", err) + } + + // home directory is created, proceed + } else if !s.IsDir() { + log.Fatalf("path %q is not a directory", params.Home) + } + + var name string + if len(params.Container.Args) > 0 { + name = params.Container.Args[0] + } + ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) + defer stop() // unreachable + container := sandbox.New(ctx, name) + container.Params = *params.Container + container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr + container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) } + container.WaitDelay = 2 * time.Second + + if err := container.Start(); err != nil { + fmsg.PrintBaseError(err, "cannot start container:") + os.Exit(1) + } + if err := container.Serve(); err != nil { + fmsg.PrintBaseError(err, "cannot configure container:") + } + if err := container.Wait(); err != nil { + var exitError *exec.ExitError + if !errors.As(err, &exitError) { + if errors.Is(err, context.Canceled) { + os.Exit(2) + } + log.Printf("wait: %v", err) + os.Exit(127) + } + os.Exit(exitError.ExitCode()) + } +} + +type shimProcess struct { + // user switcher process + cmd *exec.Cmd + // fallback exit notifier with error returned killing the process + killFallback chan error + // monitor to shim encoder + encoder *gob.Encoder +} + +func (s *shimProcess) Unwrap() *exec.Cmd { return s.cmd } +func (s *shimProcess) Fallback() chan error { return s.killFallback } + +func (s *shimProcess) String() string { + if s.cmd == nil { + return "(unused shim manager)" + } + return s.cmd.String() +} + +func (s *shimProcess) Start( + aid string, + supp []string, +) (*time.Time, error) { + // prepare user switcher invocation + fsuPath := internal.MustFsuPath() + s.cmd = exec.Command(fsuPath) + + // pass shim setup pipe + if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil { + return nil, fmsg.WrapErrorSuffix(err, + "cannot create shim setup pipe:") + } else { + s.encoder = e + s.cmd.Env = []string{ + shimEnv + "=" + strconv.Itoa(fd), + "FORTIFY_APP_ID=" + aid, + } + } + + // format fsu supplementary groups + if len(supp) > 0 { + fmsg.Verbosef("attaching supplementary group ids %s", supp) + s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(supp, " ")) + } + s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr + s.cmd.Dir = "/" + + fmsg.Verbose("starting shim via fsu:", s.cmd) + // withhold messages to stderr + fmsg.Suspend() + if err := s.cmd.Start(); err != nil { + return nil, fmsg.WrapErrorSuffix(err, + "cannot start fsu:") + } + startTime := time.Now().UTC() + + return &startTime, nil +} + +func (s *shimProcess) Serve(ctx context.Context, params *shimParams) error { + // kill shim if something goes wrong and an error is returned + s.killFallback = make(chan error, 1) + killShim := func() { + if err := s.cmd.Process.Signal(os.Interrupt); err != nil { + s.killFallback <- err + } + } + defer func() { killShim() }() + + encodeErr := make(chan error) + go func() { encodeErr <- s.encoder.Encode(params) }() + + select { + // encode return indicates setup completion + case err := <-encodeErr: + if err != nil { + return fmsg.WrapErrorSuffix(err, + "cannot transmit shim config:") + } + killShim = func() {} + return nil + + // setup canceled before payload was accepted + case <-ctx.Done(): + err := ctx.Err() + if errors.Is(err, context.Canceled) { + return fmsg.WrapError(syscall.ECANCELED, + "shim setup canceled") + } + if errors.Is(err, context.DeadlineExceeded) { + return fmsg.WrapError(syscall.ETIMEDOUT, + "deadline exceeded waiting for shim") + } + // unreachable + return err + } +} diff --git a/internal/app/shim/main.go b/internal/app/shim/main.go deleted file mode 100644 index 17f346a..0000000 --- a/internal/app/shim/main.go +++ /dev/null @@ -1,115 +0,0 @@ -package shim - -import ( - "context" - "errors" - "log" - "os" - "os/exec" - "os/signal" - "syscall" - "time" - - "git.gensokyo.uk/security/fortify/internal" - "git.gensokyo.uk/security/fortify/internal/fmsg" - "git.gensokyo.uk/security/fortify/sandbox" -) - -const Env = "FORTIFY_SHIM" - -type Params struct { - // finalised container params - Container *sandbox.Params - // path to outer home directory - Home string - - // verbosity pass through - Verbose bool -} - -// everything beyond this point runs as unconstrained target user -// proceed with caution! - -func Main() { - // sharing stdout with fortify - // USE WITH CAUTION - fmsg.Prepare("shim") - - if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil { - log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err) - } - - var ( - params Params - closeSetup func() error - ) - if f, err := sandbox.Receive(Env, ¶ms, nil); err != nil { - if errors.Is(err, sandbox.ErrInvalid) { - log.Fatal("invalid config descriptor") - } - if errors.Is(err, sandbox.ErrNotSet) { - log.Fatal("FORTIFY_SHIM not set") - } - - log.Fatalf("cannot receive shim setup params: %v", err) - } else { - internal.InstallFmsg(params.Verbose) - closeSetup = f - } - - if params.Container == nil || params.Container.Ops == nil { - log.Fatal("invalid container params") - } - - // close setup socket - if err := closeSetup(); err != nil { - log.Printf("cannot close setup pipe: %v", err) - // not fatal - } - - // ensure home directory as target user - if s, err := os.Stat(params.Home); err != nil { - if os.IsNotExist(err) { - if err = os.Mkdir(params.Home, 0700); err != nil { - log.Fatalf("cannot create home directory: %v", err) - } - } else { - log.Fatalf("cannot access home directory: %v", err) - } - - // home directory is created, proceed - } else if !s.IsDir() { - log.Fatalf("path %q is not a directory", params.Home) - } - - var name string - if len(params.Container.Args) > 0 { - name = params.Container.Args[0] - } - ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) - defer stop() // unreachable - container := sandbox.New(ctx, name) - container.Params = *params.Container - container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr - container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) } - container.WaitDelay = 2 * time.Second - - if err := container.Start(); err != nil { - fmsg.PrintBaseError(err, "cannot start container:") - os.Exit(1) - } - if err := container.Serve(); err != nil { - fmsg.PrintBaseError(err, "cannot configure container:") - } - if err := container.Wait(); err != nil { - var exitError *exec.ExitError - if !errors.As(err, &exitError) { - if errors.Is(err, context.Canceled) { - os.Exit(2) - } - log.Printf("wait: %v", err) - os.Exit(127) - } - os.Exit(exitError.ExitCode()) - } -} diff --git a/internal/app/shim/proc.go b/internal/app/shim/proc.go deleted file mode 100644 index 8c73e69..0000000 --- a/internal/app/shim/proc.go +++ /dev/null @@ -1,117 +0,0 @@ -package shim - -import ( - "context" - "encoding/gob" - "errors" - "os" - "os/exec" - "strconv" - "strings" - "syscall" - "time" - - "git.gensokyo.uk/security/fortify/internal" - "git.gensokyo.uk/security/fortify/internal/fmsg" - "git.gensokyo.uk/security/fortify/sandbox" -) - -// used by the parent process - -type Shim struct { - // user switcher process - cmd *exec.Cmd - // fallback exit notifier with error returned killing the process - killFallback chan error - // monitor to shim encoder - encoder *gob.Encoder -} - -func (s *Shim) Unwrap() *exec.Cmd { return s.cmd } -func (s *Shim) Fallback() chan error { return s.killFallback } - -func (s *Shim) String() string { - if s.cmd == nil { - return "(unused shim manager)" - } - return s.cmd.String() -} - -func (s *Shim) Start( - aid string, - supp []string, -) (*time.Time, error) { - // prepare user switcher invocation - fsuPath := internal.MustFsuPath() - s.cmd = exec.Command(fsuPath) - - // pass shim setup pipe - if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil { - return nil, fmsg.WrapErrorSuffix(err, - "cannot create shim setup pipe:") - } else { - s.encoder = e - s.cmd.Env = []string{ - Env + "=" + strconv.Itoa(fd), - "FORTIFY_APP_ID=" + aid, - } - } - - // format fsu supplementary groups - if len(supp) > 0 { - fmsg.Verbosef("attaching supplementary group ids %s", supp) - s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(supp, " ")) - } - s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr - s.cmd.Dir = "/" - - fmsg.Verbose("starting shim via fsu:", s.cmd) - // withhold messages to stderr - fmsg.Suspend() - if err := s.cmd.Start(); err != nil { - return nil, fmsg.WrapErrorSuffix(err, - "cannot start fsu:") - } - startTime := time.Now().UTC() - - return &startTime, nil -} - -func (s *Shim) Serve(ctx context.Context, params *Params) error { - // kill shim if something goes wrong and an error is returned - s.killFallback = make(chan error, 1) - killShim := func() { - if err := s.cmd.Process.Signal(os.Interrupt); err != nil { - s.killFallback <- err - } - } - defer func() { killShim() }() - - encodeErr := make(chan error) - go func() { encodeErr <- s.encoder.Encode(params) }() - - select { - // encode return indicates setup completion - case err := <-encodeErr: - if err != nil { - return fmsg.WrapErrorSuffix(err, - "cannot transmit shim config:") - } - killShim = func() {} - return nil - - // setup canceled before payload was accepted - case <-ctx.Done(): - err := ctx.Err() - if errors.Is(err, context.Canceled) { - return fmsg.WrapError(syscall.ECANCELED, - "shim setup canceled") - } - if errors.Is(err, context.DeadlineExceeded) { - return fmsg.WrapError(syscall.ETIMEDOUT, - "deadline exceeded waiting for shim") - } - // unreachable - return err - } -} diff --git a/main.go b/main.go index 9890b52..237574a 100644 --- a/main.go +++ b/main.go @@ -20,7 +20,6 @@ import ( "git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal/app" - "git.gensokyo.uk/security/fortify/internal/app/shim" "git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/state" "git.gensokyo.uk/security/fortify/internal/sys" @@ -74,7 +73,7 @@ func buildCommand(out io.Writer) command.Command { Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console"). Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output as JSON when applicable") - c.Command("shim", command.UsageInternal, func([]string) error { shim.Main(); return errSuccess }) + c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess }) c.Command("app", "Launch app defined by the specified config file", func(args []string) error { if len(args) < 1 {