security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

cmd/fpkg: call app in-process
All checks were successful
Test / Create distribution (push) Successful in 28s
Details
Test / Fortify (push) Successful in 2m31s
Details
Test / Data race detector (push) Successful in 3m25s
Details
Test / Fpkg (push) Successful in 3m29s
Details
Test / Flake checks (push) Successful in 55s
Details

Browse Source 
Wrapping fortify is slow, painful and error-prone. Start apps in-process instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-02-26 19:46:43 +09:00
parent 45ad788c6d
commit 673b648bd3
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
10 changed files with 121 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
cmd/fpkg/main.go
View File

@ -1,23 +1,32 @@
package main package main
import ( import (
"context"
"encoding/json" "encoding/json"
"errors" "errors"
"log" "log"
"os" "os"
"os/signal"
"path" "path"
"syscall" "syscall"
"git.gensokyo.uk/security/fortify/command" "git.gensokyo.uk/security/fortify/command"
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper/bwrap" "git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/helper/seccomp"
"git.gensokyo.uk/security/fortify/internal"
init0 "git.gensokyo.uk/security/fortify/internal/app/init"
"git.gensokyo.uk/security/fortify/internal/app/shim"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/sys"
) )
const shellPath = "/run/current-system/sw/bin/bash" const shellPath = "/run/current-system/sw/bin/bash"
var ( var (
errSuccess = errors.New("success") errSuccess = errors.New("success")
std sys.State = new(sys.Std)
) )
func init() { func init() {
@ -28,14 +37,40 @@ func init() {
} }
func main() { func main() {
// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
init0.TryArgv0()
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
// not fatal: this program runs as the privileged user
}
if os.Geteuid() == 0 {
log.Fatal("this program must not run as root")
}
ctx, stop := signal.NotifyContext(context.Background(),
syscall.SIGINT, syscall.SIGTERM)
defer stop() // unreachable
var ( var (
flagVerbose bool flagVerbose bool
flagDropShell bool flagDropShell bool
) )
c := command.New(os.Stderr, log.Printf, "fpkg", func([]string) error { fmsg.Store(flagVerbose); return nil }). c := command.New(os.Stderr, log.Printf, "fpkg", func([]string) error {
fmsg.Store(flagVerbose)
if flagVerbose {
seccomp.CPrintln = log.Println
}
return nil
}).
Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console"). Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action") Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action")
// internal commands
c.Command("shim", command.UsageInternal, func([]string) error { shim.Main(); return errSuccess })
c.Command("init", command.UsageInternal, func([]string) error { init0.Main(); return errSuccess })
{ {
var ( var (
flagDropShellActivate bool flagDropShellActivate bool
@ -149,7 +184,7 @@ func main() {
Setup steps for files owned by the target user. Setup steps for files owned by the target user.
*/ */
withCacheDir("install", []string{ withCacheDir(ctx, "install", []string{
// export inner bundle path in the environment // export inner bundle path in the environment
"export BUNDLE=" + fst.Tmp + "/bundle", "export BUNDLE=" + fst.Tmp + "/bundle",
// replace inner /etc // replace inner /etc
@ -171,7 +206,7 @@ func main() {
}, workDir, bundle, pathSet, flagDropShell, cleanup) }, workDir, bundle, pathSet, flagDropShell, cleanup)
if bundle.GPU { if bundle.GPU {
withCacheDir("mesa-wrappers", []string{ withCacheDir(ctx, "mesa-wrappers", []string{
// link nixGL mesa wrappers // link nixGL mesa wrappers
"mkdir -p nix/.nixGL", "mkdir -p nix/.nixGL",
"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL", "ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
@ -183,7 +218,7 @@ func main() {
Activate home-manager generation. Activate home-manager generation.
*/ */
withNixDaemon("activate", []string{ withNixDaemon(ctx, "activate", []string{
// clean up broken links // clean up broken links
"mkdir -p .local/state/{nix,home-manager}", "mkdir -p .local/state/{nix,home-manager}",
"chmod -R +w .local/state/{nix,home-manager}", "chmod -R +w .local/state/{nix,home-manager}",
@ -251,7 +286,7 @@ func main() {
*/ */
if app.GPU && flagAutoDrivers { if app.GPU && flagAutoDrivers {
withNixDaemon("nix-gl", []string{ withNixDaemon(ctx, "nix-gl", []string{
"mkdir -p /nix/.nixGL/auto", "mkdir -p /nix/.nixGL/auto",
"rm -rf /nix/.nixGL/auto", "rm -rf /nix/.nixGL/auto",
"export NIXPKGS_ALLOW_UNFREE=1", "export NIXPKGS_ALLOW_UNFREE=1",
@ -349,7 +384,7 @@ func main() {
Spawn app. Spawn app.
*/ */
fortifyApp(config, func() {}) mustRunApp(ctx, config, func() {})
return errSuccess return errSuccess
}). }).
Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build"). Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").

57
cmd/fpkg/proc.go
View File

@ -1,59 +1,28 @@
package main package main
import ( import (
"encoding/json" "context"
"errors"
"io"
"log"
"os" "os"
"os/exec"
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal/app"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
) )
func fortifyApp(config *fst.Config, beforeFail func()) { func mustRunApp(ctx context.Context, config *fst.Config, beforeFail func()) {
var ( rs := new(fst.RunState)
cmd *exec.Cmd a := app.MustNew(std)
st io.WriteCloser
) if sa, err := a.Seal(config); err != nil {
if p, ok := internal.Path(internal.Fortify); !ok { fmsg.PrintBaseError(err, "cannot seal app:")
beforeFail() rs.ExitCode = 1
log.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
} else if r, w, err := os.Pipe(); err != nil {
beforeFail()
log.Fatalf("cannot pipe: %v", err)
} else { } else {
if fmsg.Load() { // this updates ExitCode
cmd = exec.Command(p, "-v", "app", "3") app.PrintRunStateErr(rs, sa.Run(ctx, rs))
} else {
cmd = exec.Command(p, "app", "3")
}
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
cmd.ExtraFiles = []*os.File{r}
st = w
} }
go func() { if rs.ExitCode != 0 {
if err := json.NewEncoder(st).Encode(config); err != nil {
beforeFail()
log.Fatalf("cannot send configuration: %v", err)
}
}()
if err := cmd.Start(); err != nil {
beforeFail() beforeFail()
log.Fatalf("cannot start fortify: %v", err) os.Exit(rs.ExitCode)
}
if err := cmd.Wait(); err != nil {
var exitError *exec.ExitError
if errors.As(err, &exitError) {
beforeFail()
internal.Exit(exitError.ExitCode())
} else {
beforeFail()
log.Fatalf("cannot wait: %v", err)
}
} }
} }

17
cmd/fpkg/with.go
View File

@ -1,6 +1,7 @@
package main package main
import ( import (
"context"
"path" "path"
"strings" "strings"
@ -10,10 +11,11 @@ import (
) )
func withNixDaemon( func withNixDaemon(
ctx context.Context,
action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config, action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config,
app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func(), app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
) { ) {
fortifyAppDropShell(updateConfig(&fst.Config{ mustRunAppDropShell(ctx, updateConfig(&fst.Config{
ID: app.ID, ID: app.ID,
Command: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " + Command: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
// start nix-daemon // start nix-daemon
@ -56,8 +58,11 @@ func withNixDaemon(
}), dropShell, beforeFail) }), dropShell, beforeFail)
} }
func withCacheDir(action string, command []string, workDir string, app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) { func withCacheDir(
fortifyAppDropShell(&fst.Config{ ctx context.Context,
action string, command []string, workDir string,
app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
mustRunAppDropShell(ctx, &fst.Config{
ID: app.ID, ID: app.ID,
Command: []string{shellPath, "-lc", strings.Join(command, " && ")}, Command: []string{shellPath, "-lc", strings.Join(command, " && ")},
Confinement: fst.ConfinementConfig{ Confinement: fst.ConfinementConfig{
@ -90,12 +95,12 @@ func withCacheDir(action string, command []string, workDir string, app *bundleIn
}, dropShell, beforeFail) }, dropShell, beforeFail)
} }
func fortifyAppDropShell(config *fst.Config, dropShell bool, beforeFail func()) { func mustRunAppDropShell(ctx context.Context, config *fst.Config, dropShell bool, beforeFail func()) {
if dropShell { if dropShell {
config.Command = []string{shellPath, "-l"} config.Command = []string{shellPath, "-l"}
fortifyApp(config, beforeFail) mustRunApp(ctx, config, beforeFail)
beforeFail() beforeFail()
internal.Exit(0) internal.Exit(0)
} }
fortifyApp(config, beforeFail) mustRunApp(ctx, config, beforeFail)
} }

8
dist/release.sh vendored
View File

@ -10,10 +10,10 @@ cp -rv "comp" "${out}"
go generate ./... go generate ./...
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static' go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-X git.gensokyo.uk/security/fortify/internal.Version=${VERSION} -X git.gensokyo.uk/security/fortify/internal.version=${VERSION}
-X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu -X git.gensokyo.uk/security/fortify/internal.fsu=/usr/bin/fsu
-X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify -X main.fmain=/usr/bin/fortify
-X main.Fmain=/usr/bin/fortify" ./... -X main.fpkg=/usr/bin/fpkg" ./...
rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}" rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
rm -rf "./${out}" rm -rf "./${out}"

10
internal/app/shim/manager.go
View File

@ -52,14 +52,8 @@ func (s *Shim) Start(
syncFd *os.File, syncFd *os.File,
) (*time.Time, error) { ) (*time.Time, error) {
// prepare user switcher invocation // prepare user switcher invocation
var fsu string fsuPath := internal.MustFsuPath()
if p, ok := internal.Path(internal.Fsu); !ok { s.cmd = exec.Command(fsuPath)
return nil, fmsg.WrapError(errors.New("bad fsu path"),
"invalid fsu path, this copy of fortify is not compiled correctly")
} else {
fsu = p
}
s.cmd = exec.Command(fsu)
// pass shim setup pipe // pass shim setup pipe
if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil { if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {

13
internal/comp.go
View File

@ -3,10 +3,15 @@ package internal
const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID" const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
var ( var (
Version = compPoison version = compPoison
) )
// Check validates string value set at compile time. // check validates string value set at compile time.
func Check(s string) (string, bool) { func check(s string) (string, bool) { return s, s != compPoison && s != "" }
return s, s != compPoison && s != ""
func Version() string {
if v, ok := check(version); ok {
return v
}
return "impure"
} }

23
internal/path.go
View File

@ -1,12 +1,23 @@
package internal package internal
import "path" import (
"log"
"path"
var ( "git.gensokyo.uk/security/fortify/internal/fmsg"
Fsu = compPoison
Fortify = compPoison
) )
func Path(p string) (string, bool) { var (
return p, p != compPoison && p != "" && path.IsAbs(p) fsu = compPoison
)
func MustFsuPath() string {
if name, ok := checkPath(fsu); ok {
return name
}
fmsg.BeforeExit()
log.Fatal("invalid fsu path, this program is compiled incorrectly")
return compPoison
} }
func checkPath(p string) (string, bool) { return p, p != compPoison && p != "" && path.IsAbs(p) }

46
internal/sys/std.go
View File

@ -4,7 +4,6 @@ import (
"errors" "errors"
"fmt" "fmt"
"io/fs" "io/fs"
"log"
"os" "os"
"os/exec" "os/exec"
"os/user" "os/user"
@ -79,32 +78,27 @@ func (s *Std) Uid(aid int) (int, error) {
defer func() { s.uidCopy[aid] = u }() defer func() { s.uidCopy[aid] = u }()
u.uid = -1 u.uid = -1
if fsu, ok := internal.Check(internal.Fsu); !ok { fsuPath := internal.MustFsuPath()
fmsg.BeforeExit()
log.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
// unreachable
return 0, syscall.EBADE
} else {
cmd := exec.Command(fsu)
cmd.Path = fsu
cmd.Stderr = os.Stderr // pass through fatal messages
cmd.Env = []string{"FORTIFY_APP_ID=" + strconv.Itoa(aid)}
cmd.Dir = "/"
var (
p []byte
exitError *exec.ExitError
)
if p, u.err = cmd.Output(); u.err == nil { cmd := exec.Command(fsuPath)
u.uid, u.err = strconv.Atoi(string(p)) cmd.Path = fsuPath
if u.err != nil { cmd.Stderr = os.Stderr // pass through fatal messages
u.err = fmsg.WrapErrorSuffix(u.err, "cannot parse uid from fsu:") cmd.Env = []string{"FORTIFY_APP_ID=" + strconv.Itoa(aid)}
} cmd.Dir = "/"
} else if errors.As(u.err, &exitError) && exitError != nil && exitError.ExitCode() == 1 { var (
u.err = fmsg.WrapError(syscall.EACCES, "") // fsu prints to stderr in this case p []byte
} else if os.IsNotExist(u.err) { exitError *exec.ExitError
u.err = fmsg.WrapError(os.ErrNotExist, fmt.Sprintf("the setuid helper is missing: %s", fsu)) )
if p, u.err = cmd.Output(); u.err == nil {
u.uid, u.err = strconv.Atoi(string(p))
if u.err != nil {
u.err = fmsg.WrapErrorSuffix(u.err, "cannot parse uid from fsu:")
} }
return u.uid, u.err } else if errors.As(u.err, &exitError) && exitError != nil && exitError.ExitCode() == 1 {
u.err = fmsg.WrapError(syscall.EACCES, "") // fsu prints to stderr in this case
} else if os.IsNotExist(u.err) {
u.err = fmsg.WrapError(os.ErrNotExist, fmt.Sprintf("the setuid helper is missing: %s", fsuPath))
} }
return u.uid, u.err
} }

6
main.go
View File

@ -259,11 +259,7 @@ func buildCommand(out io.Writer) command.Command {
}).Flag(&psFlagShort, "short", command.BoolFlag(false), "Print instance id") }).Flag(&psFlagShort, "short", command.BoolFlag(false), "Print instance id")
c.Command("version", "Show fortify version", func(args []string) error { c.Command("version", "Show fortify version", func(args []string) error {
if v, ok := internal.Check(internal.Version); ok { fmt.Println(internal.Version())
fmt.Println(v)
} else {
fmt.Println("impure")
}
return errSuccess return errSuccess
}) })

9
package.nix
View File

@ -44,18 +44,15 @@ buildGoModule rec {
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ] ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
) )
( (
[ [ "-s -w" ]
"-s -w"
]
++ lib.optionals withStatic [ ++ lib.optionals withStatic [
"-linkmode external" "-linkmode external"
"-extldflags \"-static\"" "-extldflags \"-static\""
] ]
) )
{ {
Version = "v${version}"; version = "v${version}";
Fsu = "/run/wrappers/bin/fsu"; fsu = "/run/wrappers/bin/fsu";
Fortify = "${placeholder "out"}/libexec/fortify";
}; };
# nix build environment does not allow acls # nix build environment does not allow acls