system/tmpfiles: implement private tmpfiles

These are only available within the mount namespace and should significantly reduce attack surface. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-17 00:07:52 +09:00 · 2025-02-17 00:07:52 +09:00 · 82a072f641
commit 82a072f641
parent 60c10c3f4a
7 changed files with 66 additions and 125 deletions
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -64,7 +64,7 @@ var testCasesNixos = []sealTestCase{
 			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
 			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
-			CopyFile("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
+			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			MustProxyDBus("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
@ -213,7 +213,7 @@ var testCasesNixos = []sealTestCase{
 			CopyBind("/etc/group", []byte("fortify:x:1971:\n")).
 			Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0").
 			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
+			CopyBind(fst.Tmp+"/pulse-cookie", nil).
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
 			Tmpfs("/var/run/nscd", 8192).
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -219,7 +219,7 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/fortify.1971/wayland", 0711).
 			Wayland("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
-			CopyFile("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
+			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.Notifications",
@ -382,7 +382,7 @@ var testCasesPd = []sealTestCase{
 			CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
 			Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
 			Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie").
+			CopyBind(fst.Tmp+"/pulse-cookie", nil).
 			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
 			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
 			Tmpfs("/var/run/nscd", 8192).
--- a/internal/app/share.go
+++ b/internal/app/share.go
@ -231,11 +231,11 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 			// not fatal
 			fmsg.Verbose(strings.TrimSpace(err.(*fmsg.BaseError).Message()))
 		} else {
 			dst := path.Join(seal.share, "pulse-cookie")
 			innerDst := fst.Tmp + "/pulse-cookie"
 			seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
-			seal.sys.CopyFile(dst, src)
+			payload := new([]byte)
-			seal.sys.bwrap.Bind(dst, innerDst)
+			seal.sys.bwrap.CopyBindRef(innerDst, &payload)
 			seal.sys.CopyFile(payload, src, 256, 256)
 		}
 	}
--- a/internal/system/op_test.go
+++ b/internal/system/op_test.go
@ -100,7 +100,7 @@ func TestI_Equal(t *testing.T) {
 			"op type mismatch",
 			system.New(150).
 				ChangeHosts("chronos").
-				CopyFile("/tmp/fortify.1971/30c9543e0a2c9621a8bfecb9d874c347/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"),
+				CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 0, 256),
 			system.New(150).
 				ChangeHosts("chronos").
 				Ensure("/run", 0755),
--- a/internal/system/tmpfiles.go
+++ b/internal/system/tmpfiles.go
@ -1,95 +1,72 @@
 package system
 import (
-	"errors"
+	"bytes"
 	"fmt"
 	"io"
 	"os"
-	"strconv"
+	"syscall"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
-// CopyFile registers an Op that copies path dst from src.
+// CopyFile registers an Op that copies from src.
-func (sys *I) CopyFile(dst, src string) *I {
+// A buffer is initialised with size cap and the Op faults if bytes read exceed n.
-	return sys.CopyFileType(Process, dst, src)
+func (sys *I) CopyFile(payload *[]byte, src string, cap int, n int64) *I {
-}
+	buf := new(bytes.Buffer)
 	buf.Grow(cap)
 // CopyFileType registers a file copying Op labelled with type et.
 func (sys *I) CopyFileType(et Enablement, dst, src string) *I {
 	sys.lock.Lock()
-	sys.ops = append(sys.ops, &Tmpfile{et, tmpfileCopy, dst, src})
+	sys.ops = append(sys.ops, &Tmpfile{payload, src, n, buf})
 	sys.lock.Unlock()
 	sys.UpdatePermType(et, dst, acl.Read)
 	return sys
 }
 const (
 	tmpfileCopy uint8 = iota
 )
 type Tmpfile struct {
-	et       Enablement
+	payload *[]byte
-	method   uint8
+	src     string
-	dst, src string
+
-}
+	n   int64
-
+	buf *bytes.Buffer
 func (t *Tmpfile) Type() Enablement {
 	return t.et
 }
 func (t *Tmpfile) Type() Enablement { return Process }
 func (t *Tmpfile) apply(_ *I) error {
-	switch t.method {
+	fmsg.Verbose("copying", t)
-	case tmpfileCopy:
+
-		fmsg.Verbose("publishing tmpfile", t)
+	if b, err := os.Stat(t.src); err != nil {
-		return fmsg.WrapErrorSuffix(copyFile(t.dst, t.src),
+		return fmsg.WrapErrorSuffix(err,
-			fmt.Sprintf("cannot copy tmpfile %q:", t.dst))
+			fmt.Sprintf("cannot stat %q:", t.src))
-	default:
+	} else {
-		panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
+		if b.IsDir() {
 			return fmsg.WrapErrorSuffix(syscall.EISDIR,
 				fmt.Sprintf("%q is a directory", t.src))
 		}
 		if s := b.Size(); s > t.n {
 			return fmsg.WrapErrorSuffix(syscall.ENOMEM,
 				fmt.Sprintf("file %q is too long: %d > %d",
 					t.src, s, t.n))
 		}
 	}
-func (t *Tmpfile) revert(_ *I, ec *Criteria) error {
+	if f, err := os.Open(t.src); err != nil {
-	if ec.hasType(t) {
+		return fmsg.WrapErrorSuffix(err,
-		fmsg.Verbosef("removing tmpfile %q", t.dst)
+			fmt.Sprintf("cannot open %q:", t.src))
-		return fmsg.WrapErrorSuffix(os.Remove(t.dst),
+	} else if _, err = io.CopyN(t.buf, f, t.n); err != nil {
-			fmt.Sprintf("cannot remove tmpfile %q:", t.dst))
+		return fmsg.WrapErrorSuffix(err,
-	} else {
+			fmt.Sprintf("cannot read from %q:", t.src))
-		fmsg.Verbosef("skipping tmpfile %q", t.dst)
+	}
 	*t.payload = t.buf.Bytes()
 	return nil
 }
-}
+func (t *Tmpfile) revert(*I, *Criteria) error { t.buf.Reset(); return nil }
 func (t *Tmpfile) Is(o Op) bool {
 	t0, ok := o.(*Tmpfile)
-	return ok && t0 != nil && *t == *t0
+	return ok && t0 != nil &&
 		t.src == t0.src && t.n == t0.n
 }
 func (t *Tmpfile) Path() string   { return t.src }
-
+func (t *Tmpfile) String() string { return fmt.Sprintf("up to %d bytes from %q", t.n, t.src) }
 func (t *Tmpfile) String() string {
 	switch t.method {
 	case tmpfileCopy:
 		return fmt.Sprintf("%q from %q", t.dst, t.src)
 	default:
 		panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
 	}
 }
 func copyFile(dst, src string) error {
 	dstD, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return err
 	}
 	srcD, err := os.Open(src)
 	if err != nil {
 		return errors.Join(err, dstD.Close())
 	}
 	_, err = io.Copy(dstD, srcD)
 	return errors.Join(err, dstD.Close(), srcD.Close())
 }
--- a/internal/system/tmpfiles_test.go
+++ b/internal/system/tmpfiles_test.go
@ -1,46 +1,25 @@
 package system
 import (
 	"strconv"
 	"testing"
 	"git.gensokyo.uk/security/fortify/acl"
 )
 func TestCopyFile(t *testing.T) {
 	testCases := []struct {
 		dst, src string
 	}{
 		{"/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
 		{"/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
 	}
 	for _, tc := range testCases {
 		t.Run("copy file "+tc.dst+" from "+tc.src, func(t *testing.T) {
 			sys := New(150)
 			sys.CopyFile(tc.dst, tc.src)
 			(&tcOp{Process, tc.src}).test(t, sys.ops, []Op{
 				&Tmpfile{Process, tmpfileCopy, tc.dst, tc.src},
 				&ACL{Process, tc.dst, []acl.Perm{acl.Read}},
 			}, "CopyFile")
 		})
 	}
 }
 func TestCopyFileType(t *testing.T) {
 	testCases := []struct {
 		tcOp
-		dst string
+		cap int
 		n   int64
 	}{
-		{tcOp{User, "/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
+		{tcOp{Process, "/home/ophestra/xdg/config/pulse/cookie"}, 256, 256},
 		{tcOp{Process, "/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
 	}
 	for _, tc := range testCases {
-		t.Run("copy file "+tc.dst+" from "+tc.path+" with type "+TypeString(tc.et), func(t *testing.T) {
+		t.Run("copy file "+tc.path+" with cap = "+strconv.Itoa(tc.cap)+" n = "+strconv.Itoa(int(tc.n)), func(t *testing.T) {
 			sys := New(150)
-			sys.CopyFileType(tc.et, tc.dst, tc.path)
+			sys.CopyFile(new([]byte), tc.path, tc.cap, tc.n)
 			tc.test(t, sys.ops, []Op{
-				&Tmpfile{tc.et, tmpfileCopy, tc.dst, tc.path},
+				&Tmpfile{nil, tc.path, tc.n, nil},
-				&ACL{tc.et, tc.dst, []acl.Perm{acl.Read}},
+			}, "CopyFile")
 			}, "CopyFileType")
 		})
 	}
 }
@ -83,33 +62,18 @@ func TestLinkFileType(t *testing.T) {
 }
 func TestTmpfile_String(t *testing.T) {
 	t.Run("invalid method panic", func(t *testing.T) {
 		defer func() {
 			wantPanic := "invalid tmpfile method 255"
 			if r := recover(); r != wantPanic {
 				t.Errorf("String() panic = %v, want %v",
 					r, wantPanic)
 			}
 		}()
 		_ = (&Tmpfile{method: 255}).String()
 	})
 	testCases := []struct {
-		method   uint8
+		src  string
-		dst, src string
+		n    int64
 		want string
 	}{
-		{tmpfileCopy, "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie",
+		{"/home/ophestra/xdg/config/pulse/cookie", 256,
-			`"/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse-cookie" from "/home/ophestra/xdg/config/pulse/cookie"`},
+			`up to 256 bytes from "/home/ophestra/xdg/config/pulse/cookie"`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.want, func(t *testing.T) {
-			if got := (&Tmpfile{
+			if got := (&Tmpfile{src: tc.src, n: tc.n}).String(); got != tc.want {
 				method: tc.method,
 				dst:    tc.dst,
 				src:    tc.src,
 			}).String(); got != tc.want {
 				t.Errorf("String() = %v, want %v", got, tc.want)
 			}
 		})