From 7baca66a56f67fa5722b689cbff747eac12b857e Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sat, 18 Jan 2025 11:59:33 +0900
Subject: [PATCH] proc: remove duplicate compile-time fortify reference

This is no longer needed since shim and init are now part of the main program.

Signed-off-by: Ophestra
---
 cmd/fpkg/proc.go | 8 +++++++-
 dist/release.sh | 1 -
 internal/path.go | 3 +--
 internal/proc/priv/shim/main.go | 10 +---------
 internal/proc/priv/shim/manager.go | 2 +-
 internal/proc/self.go | 26 ++++++++++++++++++++++++++
 package.nix | 1 -
 7 files changed, 36 insertions(+), 15 deletions(-)
 create mode 100644 internal/proc/self.go

diff --git a/cmd/fpkg/proc.go b/cmd/fpkg/proc.go
index a995c9f..7fa6df5 100644
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@@ -12,12 +12,18 @@ import (
 "git.gensokyo.uk/security/fortify/internal/fmsg"
 )

+const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
+
+var (
+ Fmain = compPoison
+)
+
 func fortifyApp(config *fst.Config, beforeFail func()) {
 var (
 cmd *exec.Cmd
 st io.WriteCloser
 )
- if p, ok := internal.Check(internal.Fortify); !ok {
+ if p, ok := internal.Path(Fmain); !ok {
 beforeFail()
 fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
 panic("unreachable")
diff --git a/dist/release.sh b/dist/release.sh
index 53f21dc..05be840 100755
--- a/dist/release.sh
+++ b/dist/release.sh
@@ -11,7 +11,6 @@ cp -rv "comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
 -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
- -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
 -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
 -X main.Fmain=/usr/bin/fortify" ./...

diff --git a/internal/path.go b/internal/path.go
index 8c6a2e5..9f3e1cf 100644
--- a/internal/path.go
+++ b/internal/path.go
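Review bot: In cmd/fpkg/proc.go the new exported `Fmain` has no comment saying that it is stamped at link time or why it defaults to a poison string; something like `// Fmain is the absolute path to fortify, set with -ldflags "-X main.Fmain=..."; the poison default makes an unstamped build fail internal.Path.` would state the contract. The sentinel is now declared here as well as, judging by `Fsu = compPoison` in internal/path.go, in package internal, so the two copies can drift; the body of internal.Path is not visible in this patch, so confirm it rejects the value on its own merits rather than by comparing against internal's constant. dist/release.sh already passes `-X main.Fmain`, but the package.nix hunk shows only Version and Fsu, so check that the Nix build stamps main.Fmain as well, otherwise fpkg built there always takes the fatal branch. fortifyApp continues past the end of the hunk.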
@@ -3,8 +3,7 @@ package internal
 import "path"

 var (
- Fortify = compPoison
- Fsu = compPoison
+ Fsu = compPoison
 )

 func Path(p string) (string, bool) {
diff --git a/internal/proc/priv/shim/main.go b/internal/proc/priv/shim/main.go
index 91ff8d2..3ade286 100644
--- a/internal/proc/priv/shim/main.go
+++ b/internal/proc/priv/shim/main.go
@@ -37,14 +37,6 @@ func Main() {
 }
 }

- // check path to fortify
- var fortifyPath string
- if p, ok := internal.Path(internal.Fortify); !ok {
- fmsg.Fatal("invalid fortify path, this copy of fortify is not compiled correctly")
- } else {
- fortifyPath = p
- }
-
 // receive setup payload
 var (
 payload Payload
@@ -135,7 +127,7 @@ func Main() {
 // bind fortify inside sandbox
 innerSbin := path.Join(fst.Tmp, "sbin")
 fortifyInnerPath := path.Join(innerSbin, "fortify")
- conf.Bind(fortifyPath, fortifyInnerPath)
+ conf.Bind(proc.MustExecutable(), fortifyInnerPath)
 conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))

 helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
diff --git a/internal/proc/priv/shim/manager.go b/internal/proc/priv/shim/manager.go
index 26b5492..1d1210b 100644
--- a/internal/proc/priv/shim/manager.go
+++ b/internal/proc/priv/shim/manager.go
@@ -56,7 +56,7 @@ func (s *Shim) WaitFallback() chan error {
 func (s *Shim) Start() (*time.Time, error) {
 // prepare user switcher invocation
 var fsu string
- if p, ok := internal.Check(internal.Fsu); !ok {
+ if p, ok := internal.Path(internal.Fsu); !ok {
 fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
 panic("unreachable")
 } else {
diff --git a/internal/proc/self.go b/internal/proc/self.go
new file mode 100644
index 0000000..6dc92eb
--- /dev/null
+++ b/internal/proc/self.go
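Review bot: In internal/proc/priv/shim/main.go, as far as these two hunks show, `proc.MustExecutable()` is first evaluated at the `conf.Bind` call, after the setup payload has been received, whereas the removed check ran before it. A failure to resolve the executable would then surface midway through sandbox setup rather than at startup; calling `proc.MustExecutable()` once where the old check stood keeps the fail-early behaviour. The bind source also changes from a link-time constant checked by internal.Path to the path of whatever binary is running, which matches the commit message but deserves a comment at the call, e.g. `// bind the running binary: shim and init are part of the same executable`. Main starts and ends outside both hunks.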
@@ -0,0 +1,26 @@
+package proc
+
+import (
+ "os"
+ "sync"
+
+ "git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+var (
+ executable string
+ executableOnce sync.Once
+)
+
+func copyExecutable() {
+ if name, err := os.Executable(); err != nil {
+ fmsg.Fatalf("cannot read executable path: %v", err)
+ } else {
+ executable = name
+ }
+}
+
+func MustExecutable() string {
+ executableOnce.Do(copyExecutable)
+ return executable
+}
diff --git a/package.nix b/package.nix
index 4c715ec..8c8f869 100644
--- a/package.nix
+++ b/package.nix
@@ -37,7 +37,6 @@ buildGoModule rec {
 {
 Version = "v${version}";
 Fsu = "/run/wrappers/bin/fsu";
- Fortify = "${placeholder "out"}/bin/fortify";
 };

 # nix build environment does not allow acls
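Review bot: `MustExecutable` in internal/proc/self.go is exported without a doc comment, and the value it caches is what the shim binds into the sandbox, so the limits of `os.Executable` should be written down here: the os documentation gives no guarantee that the returned path still points at the running binary, and it may be a symlink. A comment such as `// MustExecutable returns the path reported by os.Executable, read once per process; the path is not re-validated and may be stale if the binary was replaced after start.` would cover it. In `copyExecutable`, if `fmsg.Fatalf` ever returns, the Once is already spent and every later call yields an empty string; the other call sites in this patch follow `fmsg.Fatal` with `panic("unreachable")`, and adding the same line after the Fatalf keeps that invariant here.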