proc/priv/init: early init check
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
7baca66a56
commit
b31d055e20
SSH Key Fingerprint:
SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
18
internal/proc/priv/init/early.go
Normal file
18
internal/proc/priv/init/early.go
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
package init0
|
||||||
|
|
||||||
|
import (
|
||||||
|
"os"
|
||||||
|
"path"
|
||||||
|
|
||||||
|
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||||
|
)
|
||||||
|
|
||||||
|
// used by the parent process
|
||||||
|
|
||||||
|
// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
|
||||||
|
func TryArgv0() {
|
||||||
|
if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
|
||||||
|
Main()
|
||||||
|
fmsg.Exit(0)
|
||||||
|
}
|
||||||
|
}
|
||||||
@ -5,7 +5,6 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
"path"
|
|
||||||
"syscall"
|
"syscall"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -38,14 +37,6 @@ func Main() {
|
|||||||
panic("unreachable")
|
panic("unreachable")
|
||||||
}
|
}
|
||||||
|
|
||||||
// re-exec
|
|
||||||
if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "init" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
|
|
||||||
if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
|
|
||||||
fmsg.Println("cannot re-exec self:", err)
|
|
||||||
// continue anyway
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// receive setup payload
|
// receive setup payload
|
||||||
var (
|
var (
|
||||||
payload Payload
|
payload Payload
|
||||||
|
|||||||
@ -125,14 +125,17 @@ func Main() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// bind fortify inside sandbox
|
// bind fortify inside sandbox
|
||||||
innerSbin := path.Join(fst.Tmp, "sbin")
|
var (
|
||||||
fortifyInnerPath := path.Join(innerSbin, "fortify")
|
innerSbin = path.Join(fst.Tmp, "sbin")
|
||||||
conf.Bind(proc.MustExecutable(), fortifyInnerPath)
|
innerFortify = path.Join(innerSbin, "fortify")
|
||||||
conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))
|
innerInit = path.Join(innerSbin, "init")
|
||||||
|
)
|
||||||
|
conf.Bind(proc.MustExecutable(), innerFortify)
|
||||||
|
conf.Symlink("fortify", innerInit)
|
||||||
|
|
||||||
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
|
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
|
||||||
if b, err := helper.NewBwrap(conf, nil, fortifyInnerPath,
|
if b, err := helper.NewBwrap(conf, nil, innerInit,
|
||||||
func(int, int) []string { return []string{"init"} }); err != nil {
|
func(int, int) []string { return make([]string, 0) }); err != nil {
|
||||||
fmsg.Fatalf("malformed sandbox config: %v", err)
|
fmsg.Fatalf("malformed sandbox config: %v", err)
|
||||||
} else {
|
} else {
|
||||||
cmd := b.Unwrap()
|
cmd := b.Unwrap()
|
||||||
|
|||||||
3
main.go
3
main.go
@ -55,6 +55,9 @@ func (g *gl) Set(v string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
|
||||||
|
init0.TryArgv0()
|
||||||
|
|
||||||
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
|
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
|
||||||
fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
|
fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
|
||||||
// not fatal: this program runs as the privileged user
|
// not fatal: this program runs as the privileged user
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user