security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 36 Wiki Activity

Compare commits

base: security:1ec901f79e1a11c26a91893b38c097cfb2b5e05b
Branches Tags
security:master
security:staging
security:develop
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1
..
compare: security:be4d8b63009fd63fdd30e89b0d1a3f198b10e408
Branches Tags
security:staging
security:develop
security:master
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1

No commits in common. "1ec901f79e1a11c26a91893b38c097cfb2b5e05b" and "be4d8b63009fd63fdd30e89b0d1a3f198b10e408" have entirely different histories.
1ec901f79e ... be4d8b6300

30 changed files with 394 additions and 510 deletions
Show Stats Expand all files Collapse all files

26
.gitea/workflows/build.yml → .gitea/workflows/nix.yml
View File

@ -1,12 +1,12 @@
name: Build name: Nix
on: on:
- push - push
- pull_request - pull_request
jobs: jobs:
dist: tests:
name: Create distribution name: NixOS tests
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
@ -30,21 +30,17 @@ jobs:
- name: Restore Nix store - name: Restore Nix store
uses: nix-community/cache-nix-action@v5 uses: nix-community/cache-nix-action@v5
with: with:
primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }} primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
restore-prefixes-first-match: nix-small-${{ runner.os }}- restore-prefixes-first-match: nix-${{ runner.os }}-
- name: Build for test - name: Run tests
id: build-test run: |
run: >- nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
export FORTIFY_REV="$(git rev-parse --short HEAD)" && nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
nix build --print-out-paths --print-build-logs .#dist &&
mv package.nix.old package.nix &&
echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT
- name: Upload test build - name: Upload test output
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: "fortify-${{ steps.build-test.outputs.rev }}" name: "result"
path: result/* path: result/*
retention-days: 1 retention-days: 1

53
.gitea/workflows/release.yml
View File

@ -1,52 +1,53 @@
name: Release name: Create distribution
on: on:
push: push:
tags: tags:
- 'v*' - '*'
jobs: jobs:
release: release:
name: Create release name: Release
runs-on: ubuntu-latest runs-on: ubuntu-latest
container:
image: node:16-bookworm-slim
steps: steps:
- name: Get dependencies
run: >-
echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
apt-get update &&
apt-get install -y
acl
git
gcc
pkg-config
libwayland-dev
wayland-protocols/bookworm-backports
libxcb1-dev
libacl1-dev
if: ${{ runner.os == 'Linux' }}
- name: Checkout - name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup go - name: Setup go
uses: https://github.com/actions/setup-go@v5 uses: https://github.com/actions/setup-go@v5
with: with:
go-version: '>=1.23.0' go-version: '>=1.23.0'
- name: Install Nix - name: Go generate
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
# explicitly enable sandbox
install_options: --daemon
extra_nix_config: |
sandbox = true
system-features = nixos-test benchmark big-parallel kvm
enable_kvm: true
- name: Ensure environment
run: >- run: >-
apt-get update && apt-get install -y sqlite3 go generate ./...
if: ${{ runner.os == 'Linux' }}
- name: Restore Nix store
uses: nix-community/cache-nix-action@v5
with:
primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
restore-prefixes-first-match: nix-small-${{ runner.os }}-
- name: Build for release - name: Build for release
id: build-test run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh
run: nix build --print-out-paths --print-build-logs .#dist
- name: Release - name: Release
id: use-go-action id: use-go-action
uses: https://gitea.com/actions/release-action@main uses: https://gitea.com/actions/release-action@main
with: with:
files: |- files: |-
result/fortify-** dist/fortify-**
api_key: '${{secrets.RELEASE_TOKEN}}' api_key: '${{secrets.RELEASE_TOKEN}}'

68
.gitea/workflows/test.yml
View File

@ -1,46 +1,62 @@
name: Test name: Tests
on: on:
- push - push
- pull_request - pull_request
jobs: jobs:
tests: test:
name: Run NixOS test name: Go tests
runs-on: ubuntu-latest runs-on: ubuntu-latest
container:
image: node:16-bookworm-slim
steps: steps:
- name: Checkout - name: Enable backports
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 run: >-
echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
- name: Install Nix if: ${{ runner.os == 'Linux' }}
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
# explicitly enable sandbox
install_options: --daemon
extra_nix_config: |
sandbox = true
system-features = nixos-test benchmark big-parallel kvm
enable_kvm: true
- name: Ensure environment - name: Ensure environment
run: >- run: >-
apt-get update && apt-get install -y sqlite3 apt-get update && apt-get install -y curl wget sudo libxml2
if: ${{ runner.os == 'Linux' }} if: ${{ runner.os == 'Linux' }}
- name: Restore Nix store - name: Get dependencies
uses: nix-community/cache-nix-action@v5 uses: awalsh128/cache-apt-pkgs-action@latest
with: with:
primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }} packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
restore-prefixes-first-match: nix-${{ runner.os }}- version: 1.0
#execute_install_scripts: true
if: ${{ runner.os == 'Linux' }}
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup go
uses: https://github.com/actions/setup-go@v5
with:
go-version: '>=1.23.0'
- name: Go generate
run: >-
go generate ./...
- name: Run tests - name: Run tests
run: | run: >-
nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems go test ./...
nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
- name: Upload test output - name: Build for test
id: build-test
run: >-
FORTIFY_VERSION="$(git rev-parse --short HEAD)"
bash -c './dist/release.sh &&
echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
- name: Upload test build
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: "result" name: "fortify-${{ steps.build-test.outputs.rev }}"
path: result/* path: dist/fortify-*
retention-days: 1 retention-days: 1

2
acl/c.go
View File

@ -9,7 +9,7 @@ import (
) )
/* /*
#cgo linux pkg-config: --static libacl #cgo linux pkg-config: libacl
#include <stdlib.h> #include <stdlib.h>
#include <sys/acl.h> #include <sys/acl.h>

0
internal/proc/priv/init/payload.go → cmd/finit/ipc/payload.go
View File

22
internal/proc/priv/init/main.go → cmd/finit/main.go
View File

@ -1,13 +1,15 @@
package init0 package main
import ( import (
"errors" "errors"
"os" "os"
"os/exec" "os/exec"
"os/signal" "os/signal"
"path"
"syscall" "syscall"
"time" "time"
init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/proc" "git.gensokyo.uk/security/fortify/internal/proc"
@ -21,7 +23,7 @@ const (
// everything beyond this point runs within pid namespace // everything beyond this point runs within pid namespace
// proceed with caution! // proceed with caution!
func Main() { func main() {
// sharing stdout with shim // sharing stdout with shim
// USE WITH CAUTION // USE WITH CAUTION
fmsg.SetPrefix("init") fmsg.SetPrefix("init")
@ -37,12 +39,20 @@ func Main() {
panic("unreachable") panic("unreachable")
} }
// re-exec
if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
fmsg.Println("cannot re-exec self:", err)
// continue anyway
}
}
// receive setup payload // receive setup payload
var ( var (
payload Payload payload init0.Payload
closeSetup func() error closeSetup func() error
) )
if f, err := proc.Receive(Env, &payload); err != nil { if f, err := proc.Receive(init0.Env, &payload); err != nil {
if errors.Is(err, proc.ErrInvalid) { if errors.Is(err, proc.ErrInvalid) {
fmsg.Fatal("invalid config descriptor") fmsg.Fatal("invalid config descriptor")
} }
@ -57,8 +67,8 @@ func Main() {
closeSetup = f closeSetup = f
// child does not need to see this // child does not need to see this
if err = os.Unsetenv(Env); err != nil { if err = os.Unsetenv(init0.Env); err != nil {
fmsg.Printf("cannot unset %s: %v", Env, err) fmsg.Printf("cannot unset %s: %v", init0.Env, err)
// not fatal // not fatal
} else { } else {
fmsg.VPrintln("received configuration") fmsg.VPrintln("received configuration")

8
cmd/fpkg/proc.go
View File

@ -12,18 +12,12 @@ import (
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
) )
const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
var (
Fmain = compPoison
)
func fortifyApp(config *fst.Config, beforeFail func()) { func fortifyApp(config *fst.Config, beforeFail func()) {
var ( var (
cmd *exec.Cmd cmd *exec.Cmd
st io.WriteCloser st io.WriteCloser
) )
if p, ok := internal.Path(Fmain); !ok { if p, ok := internal.Check(internal.Fortify); !ok {
beforeFail() beforeFail()
fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly") fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
panic("unreachable") panic("unreachable")

2
cmd/fpkg/with.go
View File

@ -62,7 +62,7 @@ func withCacheDir(action string, command []string, workDir string, app *bundleIn
AppID: app.AppID, AppID: app.AppID,
Username: "nixos", Username: "nixos",
Inner: path.Join("/data/data", app.ID, "cache"), Inner: path.Join("/data/data", app.ID, "cache"),
Outer: pathSet.cacheDir, // this also ensures cacheDir via shim Outer: pathSet.cacheDir, // this also ensures cacheDir via fshim
Sandbox: &fst.SandboxConfig{ Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(app.Name) + "-" + action, Hostname: formatHostname(app.Name) + "-" + action,
NoNewSession: dropShell, NoNewSession: dropShell,

6
internal/proc/priv/shim/payload.go → cmd/fshim/ipc/payload.go
View File

@ -1,6 +1,8 @@
package shim package shim0
import "git.gensokyo.uk/security/fortify/helper/bwrap" import (
"git.gensokyo.uk/security/fortify/helper/bwrap"
)
const Env = "FORTIFY_SHIM" const Env = "FORTIFY_SHIM"

70
internal/proc/priv/shim/manager.go → cmd/fshim/ipc/shim/shim.go
View File

@ -1,20 +1,24 @@
package shim package shim
import ( import (
"context"
"encoding/gob" "encoding/gob"
"errors" "errors"
"os" "os"
"os/exec" "os/exec"
"os/signal"
"strconv" "strconv"
"strings" "strings"
"syscall"
"time" "time"
shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/proc" "git.gensokyo.uk/security/fortify/internal/proc"
) )
const shimSetupTimeout = 5 * time.Second
// used by the parent process // used by the parent process
type Shim struct { type Shim struct {
@ -29,12 +33,10 @@ type Shim struct {
// fallback exit notifier with error returned killing the process // fallback exit notifier with error returned killing the process
killFallback chan error killFallback chan error
// shim setup payload // shim setup payload
payload *Payload payload *shim0.Payload
// monitor to shim encoder
encoder *gob.Encoder
} }
func New(uid uint32, aid string, supp []string, payload *Payload) *Shim { func New(uid uint32, aid string, supp []string, payload *shim0.Payload) *Shim {
return &Shim{uid: uid, aid: aid, supp: supp, payload: payload} return &Shim{uid: uid, aid: aid, supp: supp, payload: payload}
} }
@ -54,29 +56,28 @@ func (s *Shim) WaitFallback() chan error {
} }
func (s *Shim) Start() (*time.Time, error) { func (s *Shim) Start() (*time.Time, error) {
// prepare user switcher invocation // start user switcher process and save time
var fsu string var fsu string
if p, ok := internal.Path(internal.Fsu); !ok { if p, ok := internal.Check(internal.Fsu); !ok {
fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly") fmsg.Fatal("invalid fsu path, this copy of fshim is not compiled correctly")
panic("unreachable") panic("unreachable")
} else { } else {
fsu = p fsu = p
} }
s.cmd = exec.Command(fsu) s.cmd = exec.Command(fsu)
// pass shim setup pipe var encoder *gob.Encoder
if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil { if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {
return nil, fmsg.WrapErrorSuffix(err, return nil, fmsg.WrapErrorSuffix(err,
"cannot create shim setup pipe:") "cannot create shim setup pipe:")
} else { } else {
s.encoder = e encoder = e
s.cmd.Env = []string{ s.cmd.Env = []string{
Env + "=" + strconv.Itoa(fd), shim0.Env + "=" + strconv.Itoa(fd),
"FORTIFY_APP_ID=" + s.aid, "FORTIFY_APP_ID=" + s.aid,
} }
} }
// format fsu supplementary groups
if len(s.supp) > 0 { if len(s.supp) > 0 {
fmsg.VPrintf("attaching supplementary group ids %s", s.supp) fmsg.VPrintf("attaching supplementary group ids %s", s.supp)
s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(s.supp, " ")) s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(s.supp, " "))
@ -91,17 +92,13 @@ func (s *Shim) Start() (*time.Time, error) {
} }
fmsg.VPrintln("starting shim via fsu:", s.cmd) fmsg.VPrintln("starting shim via fsu:", s.cmd)
// withhold messages to stderr fmsg.Suspend() // withhold messages to stderr
fmsg.Suspend()
if err := s.cmd.Start(); err != nil { if err := s.cmd.Start(); err != nil {
return nil, fmsg.WrapErrorSuffix(err, return nil, fmsg.WrapErrorSuffix(err,
"cannot start fsu:") "cannot start fsu:")
} }
startTime := time.Now().UTC() startTime := time.Now().UTC()
return &startTime, nil
}
func (s *Shim) Serve(ctx context.Context) error {
// kill shim if something goes wrong and an error is returned // kill shim if something goes wrong and an error is returned
s.killFallback = make(chan error, 1) s.killFallback = make(chan error, 1)
killShim := func() { killShim := func() {
@ -111,31 +108,30 @@ func (s *Shim) Serve(ctx context.Context) error {
} }
defer func() { killShim() }() defer func() { killShim() }()
encodeErr := make(chan error) // take alternative exit path on signal
go func() { encodeErr <- s.encoder.Encode(s.payload) }() sig := make(chan os.Signal, 2)
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
go func() {
v := <-sig
fmsg.Printf("got %s after program start", v)
s.killFallback <- nil
signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
}()
shimErr := make(chan error)
go func() { shimErr <- encoder.Encode(s.payload) }()
select { select {
// encode return indicates setup completion case err := <-shimErr:
case err := <-encodeErr:
if err != nil { if err != nil {
return fmsg.WrapErrorSuffix(err, return &startTime, fmsg.WrapErrorSuffix(err,
"cannot transmit shim config:") "cannot transmit shim config:")
} }
killShim = func() {} killShim = func() {}
return nil case <-time.After(shimSetupTimeout):
return &startTime, fmsg.WrapError(errors.New("timed out waiting for shim"),
"timed out waiting for shim")
}
// setup canceled before payload was accepted return &startTime, nil
case <-ctx.Done():
err := ctx.Err()
if errors.Is(err, context.Canceled) {
return fmsg.WrapError(errors.New("shim setup canceled"),
"shim setup canceled")
}
if errors.Is(err, context.DeadlineExceeded) {
return fmsg.WrapError(errors.New("deadline exceeded waiting for shim"),
"deadline exceeded waiting for shim")
}
// unreachable
return err
}
} }

36
internal/proc/priv/shim/main.go → cmd/fshim/main.go
View File

@ -1,4 +1,4 @@
package shim package main
import ( import (
"errors" "errors"
@ -7,18 +7,19 @@ import (
"strconv" "strconv"
"syscall" "syscall"
init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper" "git.gensokyo.uk/security/fortify/helper"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/proc" "git.gensokyo.uk/security/fortify/internal/proc"
init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
) )
// everything beyond this point runs as unconstrained target user // everything beyond this point runs as unconstrained target user
// proceed with caution! // proceed with caution!
func Main() { func main() {
// sharing stdout with fortify // sharing stdout with fortify
// USE WITH CAUTION // USE WITH CAUTION
fmsg.SetPrefix("shim") fmsg.SetPrefix("shim")
@ -30,19 +31,27 @@ func Main() {
} }
// re-exec // re-exec
if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "shim" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) { if len(os.Args) > 0 && (os.Args[0] != "fshim" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
if err := syscall.Exec(os.Args[0], []string{"fortify", "shim"}, os.Environ()); err != nil { if err := syscall.Exec(os.Args[0], []string{"fshim"}, os.Environ()); err != nil {
fmsg.Println("cannot re-exec self:", err) fmsg.Println("cannot re-exec self:", err)
// continue anyway // continue anyway
} }
} }
// check path to finit
var finitPath string
if p, ok := internal.Path(internal.Finit); !ok {
fmsg.Fatal("invalid finit path, this copy of fshim is not compiled correctly")
} else {
finitPath = p
}
// receive setup payload // receive setup payload
var ( var (
payload Payload payload shim.Payload
closeSetup func() error closeSetup func() error
) )
if f, err := proc.Receive(Env, &payload); err != nil { if f, err := proc.Receive(shim.Env, &payload); err != nil {
if errors.Is(err, proc.ErrInvalid) { if errors.Is(err, proc.ErrInvalid) {
fmsg.Fatal("invalid config descriptor") fmsg.Fatal("invalid config descriptor")
} }
@ -124,17 +133,12 @@ func Main() {
}() }()
} }
// bind fortify inside sandbox // bind finit inside sandbox
var ( finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
innerSbin = path.Join(fst.Tmp, "sbin") conf.Bind(finitPath, finitInnerPath)
innerFortify = path.Join(innerSbin, "fortify")
innerInit = path.Join(innerSbin, "init")
)
conf.Bind(proc.MustExecutable(), innerFortify)
conf.Symlink("fortify", innerInit)
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
if b, err := helper.NewBwrap(conf, nil, innerInit, if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
func(int, int) []string { return make([]string, 0) }); err != nil { func(int, int) []string { return make([]string, 0) }); err != nil {
fmsg.Fatalf("malformed sandbox config: %v", err) fmsg.Fatalf("malformed sandbox config: %v", err)
} else { } else {

10
cmd/fsu/main.go
View File

@ -24,6 +24,7 @@ const (
var ( var (
Fmain = compPoison Fmain = compPoison
Fshim = compPoison
) )
func main() { func main() {
@ -40,12 +41,17 @@ func main() {
log.Fatal("this program must not be started by root") log.Fatal("this program must not be started by root")
} }
var fmain string var fmain, fshim string
if p, ok := checkPath(Fmain); !ok { if p, ok := checkPath(Fmain); !ok {
log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly") log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
} else { } else {
fmain = p fmain = p
} }
if p, ok := checkPath(Fshim); !ok {
log.Fatal("invalid fshim path, this copy of fsu is not compiled correctly")
} else {
fshim = p
}
pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe") pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
if p, err := os.Readlink(pexe); err != nil { if p, err := os.Readlink(pexe); err != nil {
@ -136,7 +142,7 @@ func main() {
if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 { if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
log.Fatalf("cannot set no_new_privs flag: %s", errno.Error()) log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
} }
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil { if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
log.Fatalf("cannot start shim: %v", err) log.Fatalf("cannot start shim: %v", err)
} }

2
dist/install.sh vendored
View File

@ -4,6 +4,8 @@ cd "$(dirname -- "$0")" || exit 1
install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify" install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg" install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"
install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb" install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu" install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"

8
dist/release.sh vendored
View File

@ -8,11 +8,13 @@ mkdir -p "${out}"
cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}" cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
cp -rv "comp" "${out}" cp -rv "comp" "${out}"
go generate ./... go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-X git.gensokyo.uk/security/fortify/internal.Version=${VERSION} -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
-X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
-X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
-X main.Fmain=/usr/bin/fortify" ./... -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
-X main.Fmain=/usr/bin/fortify
-X main.Fshim=/usr/libexec/fortify/fshim" ./...
rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}" rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
rm -rf "./${out}" rm -rf "./${out}"

96
flake.nix
View File

@ -95,105 +95,44 @@
packages = forAllSystems ( packages = forAllSystems (
system: system:
let let
inherit (self.packages.${system}) fortify;
pkgs = nixpkgsFor.${system}; pkgs = nixpkgsFor.${system};
in in
{ {
default = self.packages.${system}.fortify; default = self.packages.${system}.fortify;
fortify = pkgs.callPackage ./package.nix { }; fortify = pkgs.callPackage ./package.nix { };
}
);
dist = devShells = forAllSystems (system: {
pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; } default = nixpkgsFor.${system}.mkShell {
'' buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
# go requires XDG_CACHE_HOME for the build cache };
export XDG_CACHE_HOME="$(mktemp -d)"
# get a different workdir as go does not like /build fhs = nixpkgsFor.${system}.buildFHSEnv {
cd $(mktemp -d) && cp -r ${fortify.src}/. . && chmod -R +w .
export FORTIFY_VERSION="v${fortify.version}"
./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
'';
fhs = pkgs.buildFHSEnv {
pname = "fortify-fhs"; pname = "fortify-fhs";
inherit (fortify) version; inherit (self.packages.${system}.fortify) version;
targetPkgs = targetPkgs =
pkgs: pkgs: with pkgs; [
with pkgs;
[
go go
gcc gcc
pkg-config pkg-config
wayland-scanner
]
++ (
with pkgs.pkgsStatic;
[
musl
libffi
acl acl
wayland wayland
wayland-scanner
wayland-protocols wayland-protocols
] xorg.libxcb
++ (with xorg; [ ];
libxcb
libXau
libXdmcp
xorgproto
])
);
extraOutputsToInstall = [ "dev" ]; extraOutputsToInstall = [ "dev" ];
profile = '' profile = ''
export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH" export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
''; '';
}; };
}
);
devShells = forAllSystems (
system:
let
inherit (self.packages.${system}) fortify fhs;
pkgs = nixpkgsFor.${system};
in
{
default = pkgs.mkShell {
buildInputs =
with pkgs;
[
go
gcc
]
# buildInputs
++ (
with pkgsStatic;
[
musl
libffi
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
])
)
# nativeBuildInputs
++ [
pkg-config
wayland-scanner
makeBinaryWrapper
];
};
fhs = fhs.env;
withPackage = nixpkgsFor.${system}.mkShell { withPackage = nixpkgsFor.${system}.mkShell {
buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs; buildInputs =
with nixpkgsFor.${system};
self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
}; };
generateDoc = generateDoc =
@ -222,7 +161,6 @@
exec cat ${docText} > options.md exec cat ${docText} > options.md
''; '';
}; };
} });
);
}; };
} }

9
helper/bwrap.go
View File

@ -49,11 +49,6 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
return errors.New("exec: already started") return errors.New("exec: already started")
} }
// pass sync fd to bwrap
if b.sync != nil {
b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync))))
}
// prepare bwrap pipe and args // prepare bwrap pipe and args
if argsFD, _, err := b.control.prepareCmd(b.Cmd); err != nil { if argsFD, _, err := b.control.prepareCmd(b.Cmd); err != nil {
return err return err
@ -81,6 +76,10 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1") b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1")
} }
if b.sync != nil {
b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync))))
}
if err := b.Cmd.Start(); err != nil { if err := b.Cmd.Start(); err != nil {
return err return err
} }

26
internal/app/app.go
View File

@ -1,34 +1,28 @@
package app package app
import ( import (
"context"
"sync" "sync"
"sync/atomic" "sync/atomic"
"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/internal/linux" "git.gensokyo.uk/security/fortify/internal/linux"
"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
) )
type App interface { type App interface {
// ID returns a copy of App's unique ID. // ID returns a copy of App's unique ID.
ID() fst.ID ID() fst.ID
// Run sets up the system and runs the App. // Start sets up the system and starts the App.
Run(ctx context.Context, rs *RunState) error Start() error
// Wait waits for App's process to exit and reverts system setup.
Wait() (int, error)
// WaitErr returns error returned by the underlying wait syscall.
WaitErr() error
Seal(config *fst.Config) error Seal(config *fst.Config) error
String() string String() string
} }
type RunState struct {
// Start is true if fsu is successfully started.
Start bool
// ExitCode is the value returned by shim.
ExitCode int
// WaitErr is error returned by the underlying wait syscall.
WaitErr error
}
type app struct { type app struct {
// single-use config reference // single-use config reference
ct *appCt ct *appCt
@ -41,6 +35,8 @@ type app struct {
shim *shim.Shim shim *shim.Shim
// child process related information // child process related information
seal *appSeal seal *appSeal
// error returned waiting for process
waitErr error
lock sync.RWMutex lock sync.RWMutex
} }
@ -68,6 +64,10 @@ func (a *app) String() string {
return "(unsealed fortified app)" return "(unsealed fortified app)"
} }
func (a *app) WaitErr() error {
return a.waitErr
}
func New(os linux.System) (App, error) { func New(os linux.System) (App, error) {
a := new(app) a := new(app)
a.id = new(fst.ID) a.id = new(fst.ID)

197
internal/app/start.go
View File

@ -1,31 +1,26 @@
package app package app
import ( import (
"context"
"errors" "errors"
"fmt" "fmt"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"strings" "strings"
"time"
shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
"git.gensokyo.uk/security/fortify/helper" "git.gensokyo.uk/security/fortify/helper"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
"git.gensokyo.uk/security/fortify/internal/state" "git.gensokyo.uk/security/fortify/internal/state"
"git.gensokyo.uk/security/fortify/internal/system" "git.gensokyo.uk/security/fortify/internal/system"
) )
const shimSetupTimeout = 5 * time.Second // Start selects a user switcher and starts shim.
// Note that Wait must be called regardless of error returned by Start.
func (a *app) Run(ctx context.Context, rs *RunState) error { func (a *app) Start() error {
a.lock.Lock() a.lock.Lock()
defer a.lock.Unlock() defer a.lock.Unlock()
if rs == nil {
panic("attempted to pass nil state to run")
}
// resolve exec paths // resolve exec paths
shimExec := [2]string{helper.BubblewrapName} shimExec := [2]string{helper.BubblewrapName}
if len(a.seal.command) > 0 { if len(a.seal.command) > 0 {
@ -50,7 +45,7 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
uint32(a.seal.sys.UID()), uint32(a.seal.sys.UID()),
a.seal.sys.user.as, a.seal.sys.user.as,
a.seal.sys.user.supp, a.seal.sys.user.supp,
&shim.Payload{ &shim0.Payload{
Argv: a.seal.command, Argv: a.seal.command,
Exec: shimExec, Exec: shimExec,
Bwrap: a.seal.sys.bwrap, Bwrap: a.seal.sys.bwrap,
@ -69,30 +64,10 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
// export sync pipe from sys // export sync pipe from sys
a.seal.sys.bwrap.SetSync(a.seal.sys.Sync()) a.seal.sys.bwrap.SetSync(a.seal.sys.Sync())
// start shim via manager
waitErr := make(chan error, 1)
if startTime, err := a.shim.Start(); err != nil { if startTime, err := a.shim.Start(); err != nil {
return err return err
} else { } else {
// shim process created // shim start and setup success, create process state
rs.Start = true
shimSetupCtx, shimSetupCancel := context.WithDeadline(ctx, time.Now().Add(shimSetupTimeout))
defer shimSetupCancel()
// start waiting for shim
go func() {
waitErr <- a.shim.Unwrap().Wait()
// cancel shim setup in case shim died before receiving payload
shimSetupCancel()
}()
// send payload
if err = a.shim.Serve(shimSetupCtx); err != nil {
return err
}
// shim accepted setup payload, create process state
sd := state.State{ sd := state.State{
ID: *a.id, ID: *a.id,
PID: a.shim.Unwrap().Process.Pid, PID: a.shim.Unwrap().Process.Pid,
@ -106,41 +81,110 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
err0.InnerErr = c.Save(&sd) err0.InnerErr = c.Save(&sd)
}) })
a.seal.sys.saveState = true a.seal.sys.saveState = true
if err = err0.equiv("cannot save process state:"); err != nil { return err0.equiv("cannot save process state:")
return err
} }
}
// StateStoreError is returned for a failed state save
type StateStoreError struct {
// whether inner function was called
Inner bool
// error returned by state.Store Do method
DoErr error
// error returned by state.Backend Save method
InnerErr error
// any other errors needing to be tracked
Err error
}
func (e *StateStoreError) equiv(a ...any) error {
if e.Inner && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
return nil
} else {
return fmsg.WrapErrorSuffix(e, a...)
} }
}
func (e *StateStoreError) Error() string {
if e.Inner && e.InnerErr != nil {
return e.InnerErr.Error()
}
if e.DoErr != nil {
return e.DoErr.Error()
}
if e.Err != nil {
return e.Err.Error()
}
return "(nil)"
}
func (e *StateStoreError) Unwrap() (errs []error) {
errs = make([]error, 0, 3)
if e.DoErr != nil {
errs = append(errs, e.DoErr)
}
if e.InnerErr != nil {
errs = append(errs, e.InnerErr)
}
if e.Err != nil {
errs = append(errs, e.Err)
}
return
}
type RevertCompoundError interface {
Error() string
Unwrap() []error
}
func (a *app) Wait() (int, error) {
a.lock.Lock()
defer a.lock.Unlock()
if a.shim == nil {
fmsg.VPrintln("shim not initialised, skipping cleanup")
return 1, nil
}
var r int
if cmd := a.shim.Unwrap(); cmd == nil {
// failure prior to process start
r = 255
} else {
wait := make(chan error, 1)
go func() { wait <- cmd.Wait() }()
select { select {
// wait for process and resolve exit code // wait for process and resolve exit code
case err := <-waitErr: case err := <-wait:
if err != nil { if err != nil {
var exitError *exec.ExitError var exitError *exec.ExitError
if !errors.As(err, &exitError) { if !errors.As(err, &exitError) {
// should be unreachable // should be unreachable
rs.WaitErr = err a.waitErr = err
} }
// store non-zero return code // store non-zero return code
rs.ExitCode = exitError.ExitCode() r = exitError.ExitCode()
} else { } else {
rs.ExitCode = a.shim.Unwrap().ProcessState.ExitCode() r = cmd.ProcessState.ExitCode()
}
if fmsg.Verbose() {
fmsg.VPrintf("process %d exited with exit code %d", a.shim.Unwrap().Process.Pid, rs.ExitCode)
} }
fmsg.VPrintf("process %d exited with exit code %d", cmd.Process.Pid, r)
// this is reached when a fault makes an already running shim impossible to continue execution // alternative exit path when kill was unsuccessful
// however a kill signal could not be delivered (should actually always happen like that since fsu)
// the effects of this is similar to the alternative exit path and ensures shim death
case err := <-a.shim.WaitFallback(): case err := <-a.shim.WaitFallback():
rs.ExitCode = 255 r = 255
if err != nil {
fmsg.Printf("cannot terminate shim on faulted setup: %v", err) fmsg.Printf("cannot terminate shim on faulted setup: %v", err)
} else {
// alternative exit path relying on shim behaviour on monitor process exit
case <-ctx.Done():
fmsg.VPrintln("alternative exit path selected") fmsg.VPrintln("alternative exit path selected")
} }
}
}
// child process exited, resume output // child process exited, resume output
fmsg.Resume() fmsg.Resume()
@ -218,60 +262,5 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
}) })
e.Err = a.seal.store.Close() e.Err = a.seal.store.Close()
return e.equiv("error returned during cleanup:", e) return r, e.equiv("error returned during cleanup:", e)
}
// StateStoreError is returned for a failed state save
type StateStoreError struct {
// whether inner function was called
Inner bool
// error returned by state.Store Do method
DoErr error
// error returned by state.Backend Save method
InnerErr error
// any other errors needing to be tracked
Err error
}
func (e *StateStoreError) equiv(a ...any) error {
if e.Inner && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
return nil
} else {
return fmsg.WrapErrorSuffix(e, a...)
}
}
func (e *StateStoreError) Error() string {
if e.Inner && e.InnerErr != nil {
return e.InnerErr.Error()
}
if e.DoErr != nil {
return e.DoErr.Error()
}
if e.Err != nil {
return e.Err.Error()
}
return "(nil)"
}
func (e *StateStoreError) Unwrap() (errs []error) {
errs = make([]error, 0, 3)
if e.DoErr != nil {
errs = append(errs, e.DoErr)
}
if e.InnerErr != nil {
errs = append(errs, e.InnerErr)
}
if e.Err != nil {
errs = append(errs, e.Err)
}
return
}
type RevertCompoundError interface {
Error() string
Unwrap() []error
} }

2
internal/linux/std.go
View File

@ -73,7 +73,7 @@ func (s *Std) Uid(aid int) (int, error) {
u.uid = -1 u.uid = -1
if fsu, ok := internal.Check(internal.Fsu); !ok { if fsu, ok := internal.Check(internal.Fsu); !ok {
fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly") fmsg.Fatal("invalid fsu path, this copy of fshim is not compiled correctly")
panic("unreachable") panic("unreachable")
} else { } else {
cmd := exec.Command(fsu) cmd := exec.Command(fsu)

2
internal/path.go
View File

@ -3,7 +3,9 @@ package internal
import "path" import "path"
var ( var (
Fortify = compPoison
Fsu = compPoison Fsu = compPoison
Finit = compPoison
) )
func Path(p string) (string, bool) { func Path(p string) (string, bool) {

2
internal/prctl.go
View File

@ -12,7 +12,7 @@ func PR_SET_DUMPABLE__SUID_DUMP_DISABLE() error {
} }
func PR_SET_PDEATHSIG__SIGKILL() error { func PR_SET_PDEATHSIG__SIGKILL() error {
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 { if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
return errno return errno
} }

3
internal/proc/fd.go
View File

@ -12,7 +12,6 @@ var (
ErrInvalid = errors.New("bad file descriptor") ErrInvalid = errors.New("bad file descriptor")
) )
// Setup appends the read end of a pipe for payload transmission and returns its fd.
func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) { func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
if r, w, err := os.Pipe(); err != nil { if r, w, err := os.Pipe(); err != nil {
return -1, nil, err return -1, nil, err
@ -23,8 +22,6 @@ func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
} }
} }
// Receive retrieves payload pipe fd from the environment,
// receives its payload and returns the Close method of the pipe.
func Receive(key string, e any) (func() error, error) { func Receive(key string, e any) (func() error, error) {
var setup *os.File var setup *os.File

18
internal/proc/priv/init/early.go
View File

@ -1,18 +0,0 @@
package init0
import (
"os"
"path"
"git.gensokyo.uk/security/fortify/internal/fmsg"
)
// used by the parent process
// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
func TryArgv0() {
if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
Main()
fmsg.Exit(0)
}
}

26
internal/proc/self.go
View File

@ -1,26 +0,0 @@
package proc
import (
"os"
"sync"
"git.gensokyo.uk/security/fortify/internal/fmsg"
)
var (
executable string
executableOnce sync.Once
)
func copyExecutable() {
if name, err := os.Executable(); err != nil {
fmsg.Fatalf("cannot read executable path: %v", err)
} else {
executable = name
}
}
func MustExecutable() string {
executableOnce.Do(copyExecutable)
return executable
}

56
main.go
View File

@ -1,17 +1,14 @@
package main package main
import ( import (
"context"
_ "embed" _ "embed"
"flag" "flag"
"fmt" "fmt"
"os" "os"
"os/signal"
"os/user" "os/user"
"strconv" "strconv"
"strings" "strings"
"sync" "sync"
"syscall"
"text/tabwriter" "text/tabwriter"
"git.gensokyo.uk/security/fortify/dbus" "git.gensokyo.uk/security/fortify/dbus"
@ -20,8 +17,6 @@ import (
"git.gensokyo.uk/security/fortify/internal/app" "git.gensokyo.uk/security/fortify/internal/app"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/linux" "git.gensokyo.uk/security/fortify/internal/linux"
init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
"git.gensokyo.uk/security/fortify/internal/system" "git.gensokyo.uk/security/fortify/internal/system"
) )
@ -55,9 +50,6 @@ func (g *gl) Set(v string) error {
} }
func main() { func main() {
// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
init0.TryArgv0()
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil { if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err) fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
// not fatal: this program runs as the privileged user // not fatal: this program runs as the privileged user
@ -288,15 +280,6 @@ func main() {
// invoke app // invoke app
runApp(config) runApp(config)
// internal commands
case "shim":
shim.Main()
fmsg.Exit(0)
case "init":
init0.Main()
fmsg.Exit(0)
default: default:
fmsg.Fatalf("%q is not a valid command", args[0]) fmsg.Fatalf("%q is not a valid command", args[0])
} }
@ -305,38 +288,27 @@ func main() {
} }
func runApp(config *fst.Config) { func runApp(config *fst.Config) {
rs := new(app.RunState) a, err := app.New(sys)
ctx, cancel := context.WithCancel(context.Background()) if err != nil {
// handle signals for graceful shutdown
sig := make(chan os.Signal, 2)
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
go func() {
v := <-sig
fmsg.Printf("got %s after program start", v)
cancel()
signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
}()
if a, err := app.New(sys); err != nil {
fmsg.Fatalf("cannot create app: %s\n", err) fmsg.Fatalf("cannot create app: %s\n", err)
} else if err = a.Seal(config); err != nil { } else if err = a.Seal(config); err != nil {
logBaseError(err, "cannot seal app:") logBaseError(err, "cannot seal app:")
fmsg.Exit(1) fmsg.Exit(1)
} else if err = a.Run(ctx, rs); err != nil { } else if err = a.Start(); err != nil {
if !rs.Start {
logBaseError(err, "cannot start app:") logBaseError(err, "cannot start app:")
} else { }
var r int
// wait must be called regardless of result of start
if r, err = a.Wait(); err != nil {
if r < 1 {
r = 1
}
logWaitError(err) logWaitError(err)
} }
if err = a.WaitErr(); err != nil {
fmsg.Println("inner wait failed:", err)
} }
if rs.WaitErr != nil { fmsg.Exit(r)
fmsg.Println("inner wait failed:", rs.WaitErr)
}
if rs.ExitCode < 0 {
fmsg.VPrintf("got negative exit %v", rs.ExitCode)
fmsg.Exit(1)
}
fmsg.Exit(rs.ExitCode)
panic("unreachable") panic("unreachable")
} }

2
options.md
View File

@ -36,7 +36,7 @@ package
*Default:* *Default:*
` <derivation fortify-0.2.10> ` ` <derivation fortify-0.2.8> `

33
package.nix
View File

@ -5,17 +5,16 @@
xdg-dbus-proxy, xdg-dbus-proxy,
bubblewrap, bubblewrap,
pkg-config, pkg-config,
libffi,
acl, acl,
wayland, wayland,
wayland-protocols,
wayland-scanner, wayland-scanner,
wayland-protocols,
xorg, xorg,
}: }:
buildGoModule rec { buildGoModule rec {
pname = "fortify"; pname = "fortify";
version = "0.2.10"; version = "0.2.9";
src = builtins.path { src = builtins.path {
name = "fortify-src"; name = "fortify-src";
@ -28,32 +27,36 @@ buildGoModule rec {
lib.attrsets.foldlAttrs lib.attrsets.foldlAttrs
( (
ldflags: name: value: ldflags: name: value:
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ] ldflags
++ [
"-X"
"git.gensokyo.uk/security/fortify/internal.${name}=${value}"
]
) )
[ [
"-s -w" "-s"
"-X main.Fmain=${placeholder "out"}/libexec/fortify" "-w"
"-X"
"main.Fmain=${placeholder "out"}/libexec/fortify"
"-X"
"main.Fshim=${placeholder "out"}/libexec/fshim"
] ]
{ {
Version = "v${version}"; Version = "v${version}";
Fsu = "/run/wrappers/bin/fsu"; Fsu = "/run/wrappers/bin/fsu";
Finit = "${placeholder "out"}/libexec/finit";
Fortify = "${placeholder "out"}/bin/fortify";
}; };
# nix build environment does not allow acls # nix build environment does not allow acls
GO_TEST_SKIP_ACL = 1; GO_TEST_SKIP_ACL = 1;
buildInputs = buildInputs = [
[
libffi
acl acl
wayland wayland
wayland-protocols wayland-protocols
] xorg.libxcb
++ (with xorg; [ ];
libxcb
libXau
libXdmcp
]);
nativeBuildInputs = [ nativeBuildInputs = [
pkg-config pkg-config

2
test.nix
View File

@ -51,7 +51,7 @@ nixosTest {
mako mako
# For go tests: # For go tests:
self.packages.${system}.fhs self.devShells.${system}.fhs
]; ];
variables = { variables = {

3
wl/c.go
View File

@ -4,13 +4,12 @@ package wl
//go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c" //go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
/* /*
#cgo linux pkg-config: --static wayland-client #cgo linux pkg-config: wayland-client
#cgo freebsd openbsd LDFLAGS: -lwayland-client #cgo freebsd openbsd LDFLAGS: -lwayland-client
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <string.h>
#include <unistd.h> #include <unistd.h>
#include <sys/socket.h> #include <sys/socket.h>

2
xcb/c.go
View File

@ -6,7 +6,7 @@ import (
) )
/* /*
#cgo linux pkg-config: --static xcb #cgo linux pkg-config: xcb
#include <stdlib.h> #include <stdlib.h>
#include <xcb/xcb.h> #include <xcb/xcb.h>