priv/shim: move /sbin/init setup to app

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-02-15 02:56:08 +09:00
parent a0062d8275
commit ea8d1c07df
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
7 changed files with 24 additions and 43 deletions


@ -219,6 +219,8 @@ var testCasesNixos = []sealTestCase{
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie"). Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus"). Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket"). Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
Tmpfs("/var/run/nscd", 8192), Tmpfs("/var/run/nscd", 8192).
Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
Symlink("fortify", "/.fortify/sbin/init"),
}, },
} }


@ -156,7 +156,9 @@ var testCasesPd = []sealTestCase{
Bind("/home/chronos", "/home/chronos", false, true). Bind("/home/chronos", "/home/chronos", false, true).
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd"). Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group"). Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
Tmpfs("/var/run/nscd", 8192), Tmpfs("/var/run/nscd", 8192).
Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
Symlink("fortify", "/.fortify/sbin/init"),
}, },
{ {
"nixos permissive defaults chromium", new(stubNixOS), "nixos permissive defaults chromium", new(stubNixOS),
@ -387,6 +389,8 @@ var testCasesPd = []sealTestCase{
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie"). Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie").
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus"). Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket"). Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
Tmpfs("/var/run/nscd", 8192), Tmpfs("/var/run/nscd", 8192).
Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
Symlink("fortify", "/.fortify/sbin/init"),
}, },
} }
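Review bot: The added expectation `Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify")` uses the two-argument form, while `Bind("/home/chronos", "/home/chronos", false, true)` earlier in the same table passes explicit flags, so nothing in these tables asserts that the init binary is mounted read-only inside the sandbox. If the two-argument form defaults to a read-only bind (not visible from this page), a short comment on the expectation such as `// init binary: read-only bind of the parent's own executable` would make the property explicit; if it does not, the expectation should carry the read-only flags. Note also that the expected source path comes entirely from the stub's `MustExecutable`, so these cases only cover the `/run/wrappers/bin/fortify` layout.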


@ -16,9 +16,12 @@ type stubNixOS struct {
usernameErr map[string]error usernameErr map[string]error
} }
func (s *stubNixOS) Geteuid() int { func (s *stubNixOS) Geteuid() int { return 1971 }
return 1971 func (s *stubNixOS) TempDir() string { return "/tmp" }
} func (s *stubNixOS) MustExecutable() string { return "/run/wrappers/bin/fortify" }
func (s *stubNixOS) Exit(code int) { panic("called exit on stub with code " + strconv.Itoa(code)) }
func (s *stubNixOS) EvalSymlinks(path string) (string, error) { return path, nil }
func (s *stubNixOS) Uid(aid int) (int, error) { return 1000000 + 0*10000 + aid, nil }
func (s *stubNixOS) LookupEnv(key string) (string, bool) { func (s *stubNixOS) LookupEnv(key string) (string, bool) {
switch key { switch key {
@ -39,10 +42,6 @@ func (s *stubNixOS) LookupEnv(key string) (string, bool) {
} }
} }
func (s *stubNixOS) TempDir() string {
return "/tmp"
}
func (s *stubNixOS) LookPath(file string) (string, error) { func (s *stubNixOS) LookPath(file string) (string, error) {
if s.lookPathErr != nil { if s.lookPathErr != nil {
if err, ok := s.lookPathErr[file]; ok { if err, ok := s.lookPathErr[file]; ok {
@ -60,10 +59,6 @@ func (s *stubNixOS) LookPath(file string) (string, error) {
} }
} }
func (s *stubNixOS) Executable() (string, error) {
return "/home/ophestra/.nix-profile/bin/fortify", nil
}
func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) { func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) {
switch name { switch name {
case "video": case "video":
@ -127,14 +122,6 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {
} }
} }
func (s *stubNixOS) EvalSymlinks(path string) (string, error) {
return path, nil
}
func (s *stubNixOS) Exit(code int) {
panic("called exit on stub with code " + strconv.Itoa(code))
}
func (s *stubNixOS) Paths() linux.Paths { func (s *stubNixOS) Paths() linux.Paths {
return linux.Paths{ return linux.Paths{
SharePath: "/tmp/fortify.1971", SharePath: "/tmp/fortify.1971",
@ -142,11 +129,3 @@ func (s *stubNixOS) Paths() linux.Paths {
RunDirPath: "/run/user/1971/fortify", RunDirPath: "/run/user/1971/fortify",
} }
} }
func (s *stubNixOS) Uid(aid int) (int, error) {
return 1000000 + 0*10000 + aid, nil
}
func (s *stubNixOS) SdBooted() bool {
return true
}
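Review bot: The stub also drops `SdBooted` (the last removed method), which the commit title `move /sbin/init setup to app` does not mention; if `System` no longer declares it that is fine but belongs in the message, and if the interface still declared it the stub would no longer satisfy it — CI passing suggests the former. In the collapsed `Uid`, `1000000 + 0*10000 + aid` keeps a `0*10000` term that is a no-op; either drop it or add a comment naming what the zeroed factor stands for (presumably an identity/instance offset) so the stub's UID layout is readable. The one-line rewrites are fine for a stub, but keep the methods grouped by concern so `MustExecutable` sits next to the other path lookups.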


@ -293,6 +293,10 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
seal.sys.bwrap.Tmpfs(dest, 8*1024) seal.sys.bwrap.Tmpfs(dest, 8*1024)
} }
// mount fortify in sandbox for init
seal.sys.bwrap.Bind(os.MustExecutable(), path.Join(fst.Tmp, "sbin/fortify"))
seal.sys.bwrap.Symlink("fortify", path.Join(fst.Tmp, "sbin/init"))
// append extra perms // append extra perms
for _, p := range seal.extraPerms { for _, p := range seal.extraPerms {
if p == nil { if p == nil {
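Review bot: The bind at `seal.sys.bwrap.Bind(os.MustExecutable(), path.Join(fst.Tmp, "sbin/fortify"))` uses the parent's own resolved executable as the sandbox init, and the comment `// mount fortify in sandbox for init` does not say why that source is chosen: it ensures the init run inside the sandbox is the same binary that sealed this configuration rather than whatever `fortify` resolves to on the target's PATH. I would extend the comment to say so, and add that the resolved path may be a setuid wrapper (the test stub returns `/run/wrappers/bin/fortify`), so the sandbox must not be able to honour the suid bit — bubblewrap binds are normally nosuid, but the assumption should be written down where the bind is made. The literal `sbin/init` is now duplicated between this function and the shim's `helper.NewBwrap` call; a single constant beside `fst.Tmp` would keep the two from drifting. `setupShares` begins before this hunk.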


@ -19,8 +19,8 @@ type System interface {
TempDir() string TempDir() string
// LookPath provides [exec.LookPath]. // LookPath provides [exec.LookPath].
LookPath(file string) (string, error) LookPath(file string) (string, error)
// Executable provides [os.Executable]. // MustExecutable provides [proc.MustExecutable].
Executable() (string, error) MustExecutable() string
// LookupGroup provides [user.LookupGroup]. // LookupGroup provides [user.LookupGroup].
LookupGroup(name string) (*user.Group, error) LookupGroup(name string) (*user.Group, error)
// ReadDir provides [os.ReadDir]. // ReadDir provides [os.ReadDir].
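Review bot: Replacing `Executable() (string, error)` with `MustExecutable() string` removes the error path from the `System` interface, and the `Must` prefix together with the reference to `proc.MustExecutable` suggests the real implementation panics when the executable path cannot be resolved, yet the doc comment does not say so while the caller in `setupShares` returns an `error` and could have propagated one. Document the failure mode on the interface: `// MustExecutable provides [proc.MustExecutable]; it panics if the running executable's path cannot be resolved.` If an unsealed sandbox should fail gracefully rather than crash the app, keeping an error-returning method and wrapping the error at the call site is the safer contract.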


@ -11,6 +11,7 @@ import (
"sync" "sync"
"syscall" "syscall"
"git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
) )
@ -32,7 +33,7 @@ func (s *Std) Geteuid() int { return os.Geteuid(
func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) } func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) }
func (s *Std) TempDir() string { return os.TempDir() } func (s *Std) TempDir() string { return os.TempDir() }
func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) } func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) }
func (s *Std) Executable() (string, error) { return os.Executable() } func (s *Std) MustExecutable() string { return proc.MustExecutable() }
func (s *Std) LookupGroup(name string) (*user.Group, error) { return user.LookupGroup(name) } func (s *Std) LookupGroup(name string) (*user.Group, error) { return user.LookupGroup(name) }
func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) } func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) }
func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) } func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) }


@ -121,21 +121,12 @@ func Main() {
}() }()
} }
// bind fortify inside sandbox
var (
innerSbin = path.Join(fst.Tmp, "sbin")
innerFortify = path.Join(innerSbin, "fortify")
innerInit = path.Join(innerSbin, "init")
)
conf.Bind(proc.MustExecutable(), innerFortify)
conf.Symlink("fortify", innerInit)
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
if fmsg.Verbose() { if fmsg.Verbose() {
seccomp.CPrintln = fmsg.Println seccomp.CPrintln = fmsg.Println
} }
if b, err := helper.NewBwrap( if b, err := helper.NewBwrap(
conf, innerInit, conf, path.Join(fst.Tmp, "sbin/init"),
nil, func(int, int) []string { return make([]string, 0) }, nil, func(int, int) []string { return make([]string, 0) },
extraFiles, extraFiles,
syncFd, syncFd,
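Review bot: The shim now depends on the parent having placed the `/.fortify/sbin/init` bind and symlink into `conf`, and `path.Join(fst.Tmp, "sbin/init")` is spelled out here independently of the identical join in the app's `setupShares`, so a change on one side would only surface as a failed exec inside the sandbox. Hoisting the inner path into one shared constant (e.g. `fst.InnerInit`, built from `fst.Tmp`) and using it in both places removes that drift. A one-line comment here, such as `// init bind is set up by the parent in setupShares`, would also tell a reader where the path now comes from. `Main` begins before this hunk.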