sandbox: move params setup functions

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-03-17 02:48:32 +09:00
parent 9a1f8e129f
commit 9ce4706a07
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
6 changed files with 16 additions and 20 deletions


@ -9,7 +9,6 @@ import (
"syscall" "syscall"
"time" "time"
"git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/sandbox" "git.gensokyo.uk/security/fortify/internal/sandbox"
@ -42,11 +41,11 @@ func Main() {
payload Payload payload Payload
closeSetup func() error closeSetup func() error
) )
if f, err := proc.Receive(Env, &payload, nil); err != nil { if f, err := sandbox.Receive(Env, &payload, nil); err != nil {
if errors.Is(err, proc.ErrInvalid) { if errors.Is(err, sandbox.ErrInvalid) {
log.Fatal("invalid config descriptor") log.Fatal("invalid config descriptor")
} }
if errors.Is(err, proc.ErrNotSet) { if errors.Is(err, sandbox.ErrNotSet) {
log.Fatal("FORTIFY_INIT not set") log.Fatal("FORTIFY_INIT not set")
} }


@ -13,7 +13,6 @@ import (
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper" "git.gensokyo.uk/security/fortify/helper"
"git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/app/init0" "git.gensokyo.uk/security/fortify/internal/app/init0"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
@ -38,11 +37,11 @@ func Main() {
payload Payload payload Payload
closeSetup func() error closeSetup func() error
) )
if f, err := proc.Receive(Env, &payload, nil); err != nil { if f, err := sandbox.Receive(Env, &payload, nil); err != nil {
if errors.Is(err, proc.ErrInvalid) { if errors.Is(err, sandbox.ErrInvalid) {
log.Fatal("invalid config descriptor") log.Fatal("invalid config descriptor")
} }
if errors.Is(err, proc.ErrNotSet) { if errors.Is(err, sandbox.ErrNotSet) {
log.Fatal("FORTIFY_SHIM not set") log.Fatal("FORTIFY_SHIM not set")
} }
@ -108,7 +107,7 @@ func Main() {
var extraFiles []*os.File var extraFiles []*os.File
// serve setup payload // serve setup payload
if fd, encoder, err := proc.Setup(&extraFiles); err != nil { if fd, encoder, err := sandbox.Setup(&extraFiles); err != nil {
log.Fatalf("cannot pipe: %v", err) log.Fatalf("cannot pipe: %v", err)
} else { } else {
conf.SetEnv[init0.Env] = strconv.Itoa(fd) conf.SetEnv[init0.Env] = strconv.Itoa(fd)


@ -13,6 +13,7 @@ import (
"git.gensokyo.uk/security/fortify/helper/proc" "git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/sandbox"
) )
// used by the parent process // used by the parent process
@ -56,7 +57,7 @@ func (s *Shim) Start(
s.cmd = exec.Command(fsuPath) s.cmd = exec.Command(fsuPath)
// pass shim setup pipe // pass shim setup pipe
if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil { if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil {
return nil, fmsg.WrapErrorSuffix(err, return nil, fmsg.WrapErrorSuffix(err,
"cannot create shim setup pipe:") "cannot create shim setup pipe:")
} else { } else {


@ -13,7 +13,6 @@ import (
"syscall" "syscall"
"time" "time"
"git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/seccomp" "git.gensokyo.uk/security/fortify/seccomp"
) )
@ -163,7 +162,7 @@ func (p *Container) Start() error {
} }
// place setup pipe before user supplied extra files, this is later restored by init // place setup pipe before user supplied extra files, this is later restored by init
if fd, e, err := proc.Setup(&p.cmd.ExtraFiles); err != nil { if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
return wrapErrSuffix(err, return wrapErrSuffix(err,
"cannot create shim setup pipe:") "cannot create shim setup pipe:")
} else { } else {
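Review bot: The error suffix `"cannot create shim setup pipe:"` in Container.Start is the same string Shim.Start uses, although the comment just above it describes the container's own setup pipe that init later restores. Now that Setup is local to package sandbox, a failure here cannot be told apart in logs from a shim-side failure; consider `"cannot create setup pipe:"` for this call site. Start's body begins and continues outside the hunk.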


@ -13,7 +13,6 @@ import (
"syscall" "syscall"
"time" "time"
"git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/seccomp" "git.gensokyo.uk/security/fortify/seccomp"
) )
@ -56,11 +55,11 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
setupFile *os.File setupFile *os.File
offsetSetup int offsetSetup int
) )
if f, err := proc.Receive(setupEnv, &params, &setupFile); err != nil { if f, err := Receive(setupEnv, &params, &setupFile); err != nil {
if errors.Is(err, proc.ErrInvalid) { if errors.Is(err, ErrInvalid) {
log.Fatal("invalid setup descriptor") log.Fatal("invalid setup descriptor")
} }
if errors.Is(err, proc.ErrNotSet) { if errors.Is(err, ErrNotSet) {
log.Fatal("FORTIFY_SETUP not set") log.Fatal("FORTIFY_SETUP not set")
} }


@ -1,4 +1,4 @@
package proc package sandbox
import ( import (
"encoding/gob" "encoding/gob"
@ -12,7 +12,7 @@ var (
ErrInvalid = errors.New("bad file descriptor") ErrInvalid = errors.New("bad file descriptor")
) )
// Setup appends the read end of a pipe for payload transmission and returns its fd. // Setup appends the read end of a pipe for setup params transmission and returns its fd.
func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) { func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
if r, w, err := os.Pipe(); err != nil { if r, w, err := os.Pipe(); err != nil {
return -1, nil, err return -1, nil, err
@ -23,8 +23,7 @@ func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
} }
} }
// Receive retrieves payload pipe fd from the environment, // Receive retrieves setup fd from the environment and receives params.
// receives its payload and returns the Close method of the pipe.
func Receive(key string, e any, v **os.File) (func() error, error) { func Receive(key string, e any, v **os.File) (func() error, error) {
var setup *os.File var setup *os.File
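Review bot: The rewritten doc comment on Receive no longer says what the returned `func() error` is; the previous wording stated it is the Close method of the pipe, and callers in this commit store it as `closeSetup`. The comment also leaves the `v **os.File` parameter and the sentinel errors undocumented, although every caller branches on `ErrNotSet` and `ErrInvalid`. I would keep the new first sentence and add `// The returned function closes the setup pipe; callers must invoke it once params are consumed.` plus a line naming the two sentinels. What Receive stores through v is only inferred from the `&setupFile` argument in Init, since the function body continues outside the hunk, so confirm that before documenting it.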