proc: remove duplicate compile-time fortify reference

This is no longer needed since shim and init are now part of the main program. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:59:33 +09:00 · 2025-01-18 11:59:33 +09:00 · 7baca66a56
commit 7baca66a56
parent 27d2914286
7 changed files with 36 additions and 15 deletions
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@ -12,12 +12,18 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

+const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
+
+var (
+	Fmain = compPoison
+)
+
 func fortifyApp(config *fst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
-	if p, ok := internal.Check(internal.Fortify); !ok {
+	if p, ok := internal.Path(Fmain); !ok {
 		beforeFail()
 		fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
 		panic("unreachable")
--- a/dist/release.sh
+++ b/dist/release.sh
@ -11,7 +11,6 @@ cp -rv "comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
  -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
-  -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
  -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
  -X main.Fmain=/usr/bin/fortify" ./...

--- a/internal/path.go
+++ b/internal/path.go
@ -3,7 +3,6 @@ package internal
 import "path"

 var (
-	Fortify = compPoison
 	Fsu = compPoison
 )

--- a/internal/proc/priv/shim/main.go
+++ b/internal/proc/priv/shim/main.go
@ -37,14 +37,6 @@ func Main() {
 		}
 	}

-	// check path to fortify
-	var fortifyPath string
-	if p, ok := internal.Path(internal.Fortify); !ok {
-		fmsg.Fatal("invalid fortify path, this copy of fortify is not compiled correctly")
-	} else {
-		fortifyPath = p
-	}
-
 	// receive setup payload
 	var (
 		payload    Payload
@ -135,7 +127,7 @@ func Main() {
 	// bind fortify inside sandbox
 	innerSbin := path.Join(fst.Tmp, "sbin")
 	fortifyInnerPath := path.Join(innerSbin, "fortify")
-	conf.Bind(fortifyPath, fortifyInnerPath)
+	conf.Bind(proc.MustExecutable(), fortifyInnerPath)
 	conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))

 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
--- a/internal/proc/priv/shim/manager.go
+++ b/internal/proc/priv/shim/manager.go
@ -56,7 +56,7 @@ func (s *Shim) WaitFallback() chan error {
 func (s *Shim) Start() (*time.Time, error) {
 	// prepare user switcher invocation
 	var fsu string
-	if p, ok := internal.Check(internal.Fsu); !ok {
+	if p, ok := internal.Path(internal.Fsu); !ok {
 		fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
 		panic("unreachable")
 	} else {
--- a/internal/proc/self.go
+++ b/internal/proc/self.go
@ -0,0 +1,26 @@
+package proc
+
+import (
+	"os"
+	"sync"
+
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+var (
+	executable     string
+	executableOnce sync.Once
+)
+
+func copyExecutable() {
+	if name, err := os.Executable(); err != nil {
+		fmsg.Fatalf("cannot read executable path: %v", err)
+	} else {
+		executable = name
+	}
+}
+
+func MustExecutable() string {
+	executableOnce.Do(copyExecutable)
+	return executable
+}
--- a/package.nix
+++ b/package.nix
@ -37,7 +37,6 @@ buildGoModule rec {
      {
        Version = "v${version}";
        Fsu = "/run/wrappers/bin/fsu";
-        Fortify = "${placeholder "out"}/bin/fortify";
      };

  # nix build environment does not allow acls