diff --git a/internal/app/init0/main.go b/internal/app/init0/main.go index 8303313..46ce449 100644 --- a/internal/app/init0/main.go +++ b/internal/app/init0/main.go @@ -9,7 +9,6 @@ import ( "syscall" "time" - "git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/sandbox" @@ -42,11 +41,11 @@ func Main() { payload Payload closeSetup func() error ) - if f, err := proc.Receive(Env, &payload, nil); err != nil { - if errors.Is(err, proc.ErrInvalid) { + if f, err := sandbox.Receive(Env, &payload, nil); err != nil { + if errors.Is(err, sandbox.ErrInvalid) { log.Fatal("invalid config descriptor") } - if errors.Is(err, proc.ErrNotSet) { + if errors.Is(err, sandbox.ErrNotSet) { log.Fatal("FORTIFY_INIT not set") } diff --git a/internal/app/shim/main.go b/internal/app/shim/main.go index effa6b8..9450149 100644 --- a/internal/app/shim/main.go +++ b/internal/app/shim/main.go @@ -13,7 +13,6 @@ import ( "git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/helper" - "git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal/app/init0" "git.gensokyo.uk/security/fortify/internal/fmsg" @@ -38,11 +37,11 @@ func Main() { payload Payload closeSetup func() error ) - if f, err := proc.Receive(Env, &payload, nil); err != nil { - if errors.Is(err, proc.ErrInvalid) { + if f, err := sandbox.Receive(Env, &payload, nil); err != nil { + if errors.Is(err, sandbox.ErrInvalid) { log.Fatal("invalid config descriptor") } - if errors.Is(err, proc.ErrNotSet) { + if errors.Is(err, sandbox.ErrNotSet) { log.Fatal("FORTIFY_SHIM not set") } @@ -108,7 +107,7 @@ func Main() { var extraFiles []*os.File // serve setup payload - if fd, encoder, err := proc.Setup(&extraFiles); err != nil { + if fd, encoder, err := sandbox.Setup(&extraFiles); err != nil { log.Fatalf("cannot pipe: %v", err) } else { conf.SetEnv[init0.Env] = strconv.Itoa(fd) diff --git a/internal/app/shim/manager.go b/internal/app/shim/manager.go index bb3948f..4b5432b 100644 --- a/internal/app/shim/manager.go +++ b/internal/app/shim/manager.go @@ -13,6 +13,7 @@ import ( "git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal/fmsg" + "git.gensokyo.uk/security/fortify/internal/sandbox" ) // used by the parent process @@ -56,7 +57,7 @@ func (s *Shim) Start( s.cmd = exec.Command(fsuPath) // pass shim setup pipe - if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil { + if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil { return nil, fmsg.WrapErrorSuffix(err, "cannot create shim setup pipe:") } else { diff --git a/internal/sandbox/container.go b/internal/sandbox/container.go index f243ffd..afbcc4f 100644 --- a/internal/sandbox/container.go +++ b/internal/sandbox/container.go @@ -13,7 +13,6 @@ import ( "syscall" "time" - "git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/seccomp" ) @@ -163,7 +162,7 @@ func (p *Container) Start() error { } // place setup pipe before user supplied extra files, this is later restored by init - if fd, e, err := proc.Setup(&p.cmd.ExtraFiles); err != nil { + if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil { return wrapErrSuffix(err, "cannot create shim setup pipe:") } else { diff --git a/internal/sandbox/init.go b/internal/sandbox/init.go index 058fe9a..a6fac1a 100644 --- a/internal/sandbox/init.go +++ b/internal/sandbox/init.go @@ -13,7 +13,6 @@ import ( "syscall" "time" - "git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/seccomp" ) @@ -56,11 +55,11 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) { setupFile *os.File offsetSetup int ) - if f, err := proc.Receive(setupEnv, ¶ms, &setupFile); err != nil { - if errors.Is(err, proc.ErrInvalid) { + if f, err := Receive(setupEnv, ¶ms, &setupFile); err != nil { + if errors.Is(err, ErrInvalid) { log.Fatal("invalid setup descriptor") } - if errors.Is(err, proc.ErrNotSet) { + if errors.Is(err, ErrNotSet) { log.Fatal("FORTIFY_SETUP not set") } diff --git a/helper/proc/fd.go b/internal/sandbox/params.go similarity index 79% rename from helper/proc/fd.go rename to internal/sandbox/params.go index abf8f36..5b69874 100644 --- a/helper/proc/fd.go +++ b/internal/sandbox/params.go @@ -1,4 +1,4 @@ -package proc +package sandbox import ( "encoding/gob" @@ -12,7 +12,7 @@ var ( ErrInvalid = errors.New("bad file descriptor") ) -// Setup appends the read end of a pipe for payload transmission and returns its fd. +// Setup appends the read end of a pipe for setup params transmission and returns its fd. func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) { if r, w, err := os.Pipe(); err != nil { return -1, nil, err @@ -23,8 +23,7 @@ func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) { } } -// Receive retrieves payload pipe fd from the environment, -// receives its payload and returns the Close method of the pipe. +// Receive retrieves setup fd from the environment and receives params. func Receive(key string, e any, v **os.File) (func() error, error) { var setup *os.File