priv/shim: move /sbin/init setup to app

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 02:56:08 +09:00 · 2025-02-15 02:56:08 +09:00 · ea8d1c07df
commit ea8d1c07df
parent a0062d8275
7 changed files with 24 additions and 43 deletions
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -219,6 +219,8 @@ var testCasesNixos = []sealTestCase{
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
-			Tmpfs("/var/run/nscd", 8192),
+			Tmpfs("/var/run/nscd", 8192).
+			Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
+			Symlink("fortify", "/.fortify/sbin/init"),
 	},
 }
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -156,7 +156,9 @@ var testCasesPd = []sealTestCase{
 			Bind("/home/chronos", "/home/chronos", false, true).
 			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
 			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
-			Tmpfs("/var/run/nscd", 8192),
+			Tmpfs("/var/run/nscd", 8192).
+			Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
+			Symlink("fortify", "/.fortify/sbin/init"),
 	},
 	{
 		"nixos permissive defaults chromium", new(stubNixOS),
@ -387,6 +389,8 @@ var testCasesPd = []sealTestCase{
 			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie").
 			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
 			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
-			Tmpfs("/var/run/nscd", 8192),
+			Tmpfs("/var/run/nscd", 8192).
+			Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
+			Symlink("fortify", "/.fortify/sbin/init"),
 	},
 }
--- a/internal/app/app_stub_test.go
+++ b/internal/app/app_stub_test.go
@ -16,9 +16,12 @@ type stubNixOS struct {
 	usernameErr map[string]error
 }

-func (s *stubNixOS) Geteuid() int {
-	return 1971
-}
+func (s *stubNixOS) Geteuid() int                             { return 1971 }
+func (s *stubNixOS) TempDir() string                          { return "/tmp" }
+func (s *stubNixOS) MustExecutable() string                   { return "/run/wrappers/bin/fortify" }
+func (s *stubNixOS) Exit(code int)                            { panic("called exit on stub with code " + strconv.Itoa(code)) }
+func (s *stubNixOS) EvalSymlinks(path string) (string, error) { return path, nil }
+func (s *stubNixOS) Uid(aid int) (int, error)                 { return 1000000 + 0*10000 + aid, nil }

 func (s *stubNixOS) LookupEnv(key string) (string, bool) {
 	switch key {
@ -39,10 +42,6 @@ func (s *stubNixOS) LookupEnv(key string) (string, bool) {
 	}
 }

-func (s *stubNixOS) TempDir() string {
-	return "/tmp"
-}
-
 func (s *stubNixOS) LookPath(file string) (string, error) {
 	if s.lookPathErr != nil {
 		if err, ok := s.lookPathErr[file]; ok {
@ -60,10 +59,6 @@ func (s *stubNixOS) LookPath(file string) (string, error) {
 	}
 }

-func (s *stubNixOS) Executable() (string, error) {
-	return "/home/ophestra/.nix-profile/bin/fortify", nil
-}
-
 func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) {
 	switch name {
 	case "video":
@ -127,14 +122,6 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {
 	}
 }

-func (s *stubNixOS) EvalSymlinks(path string) (string, error) {
-	return path, nil
-}
-
-func (s *stubNixOS) Exit(code int) {
-	panic("called exit on stub with code " + strconv.Itoa(code))
-}
-
 func (s *stubNixOS) Paths() linux.Paths {
 	return linux.Paths{
 		SharePath:   "/tmp/fortify.1971",
@ -142,11 +129,3 @@ func (s *stubNixOS) Paths() linux.Paths {
 		RunDirPath:  "/run/user/1971/fortify",
 	}
 }
-
-func (s *stubNixOS) Uid(aid int) (int, error) {
-	return 1000000 + 0*10000 + aid, nil
-}
-
-func (s *stubNixOS) SdBooted() bool {
-	return true
-}
--- a/internal/app/share.go
+++ b/internal/app/share.go
@ -293,6 +293,10 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 		seal.sys.bwrap.Tmpfs(dest, 8*1024)
 	}

+	// mount fortify in sandbox for init
+	seal.sys.bwrap.Bind(os.MustExecutable(), path.Join(fst.Tmp, "sbin/fortify"))
+	seal.sys.bwrap.Symlink("fortify", path.Join(fst.Tmp, "sbin/init"))
+
 	// append extra perms
 	for _, p := range seal.extraPerms {
 		if p == nil {
--- a/internal/linux/interface.go
+++ b/internal/linux/interface.go
@ -19,8 +19,8 @@ type System interface {
 	TempDir() string
 	// LookPath provides [exec.LookPath].
 	LookPath(file string) (string, error)
-	// Executable provides [os.Executable].
-	Executable() (string, error)
+	// MustExecutable provides [proc.MustExecutable].
+	MustExecutable() string
 	// LookupGroup provides [user.LookupGroup].
 	LookupGroup(name string) (*user.Group, error)
 	// ReadDir provides [os.ReadDir].
--- a/internal/linux/std.go
+++ b/internal/linux/std.go
@ -11,6 +11,7 @@ import (
 	"sync"
 	"syscall"

+	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
@ -32,7 +33,7 @@ func (s *Std) Geteuid() int                                 { return os.Geteuid(
 func (s *Std) LookupEnv(key string) (string, bool)          { return os.LookupEnv(key) }
 func (s *Std) TempDir() string                              { return os.TempDir() }
 func (s *Std) LookPath(file string) (string, error)         { return exec.LookPath(file) }
-func (s *Std) Executable() (string, error)                  { return os.Executable() }
+func (s *Std) MustExecutable() string                       { return proc.MustExecutable() }
 func (s *Std) LookupGroup(name string) (*user.Group, error) { return user.LookupGroup(name) }
 func (s *Std) ReadDir(name string) ([]os.DirEntry, error)   { return os.ReadDir(name) }
 func (s *Std) Stat(name string) (fs.FileInfo, error)        { return os.Stat(name) }
--- a/internal/priv/shim/main.go
+++ b/internal/priv/shim/main.go
@ -121,21 +121,12 @@ func Main() {
 		}()
 	}

-	// bind fortify inside sandbox
-	var (
-		innerSbin    = path.Join(fst.Tmp, "sbin")
-		innerFortify = path.Join(innerSbin, "fortify")
-		innerInit    = path.Join(innerSbin, "init")
-	)
-	conf.Bind(proc.MustExecutable(), innerFortify)
-	conf.Symlink("fortify", innerInit)
-
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
 	if fmsg.Verbose() {
 		seccomp.CPrintln = fmsg.Println
 	}
 	if b, err := helper.NewBwrap(
-		conf, innerInit,
+		conf, path.Join(fst.Tmp, "sbin/init"),
 		nil, func(int, int) []string { return make([]string, 0) },
 		extraFiles,
 		syncFd,