cmd/flaunch: implement app bundle wrapper

This tool creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk>
internal: include path to fortify main program
2024-12-26 13:21:49 +09:00 · 2024-12-26 12:48:48 +09:00 · 2024-12-26 16:53:01 +09:00 · 2024-12-26 16:36:03 +09:00 · 2024-12-26 16:33:02 +09:00 · 2024-12-26 16:08:48 +09:00
11 changed files with 312 additions and 13 deletions
--- a/cmd/flaunch/activate.go
+++ b/cmd/flaunch/activate.go
@ -0,0 +1,49 @@
 package main
 import (
 	"errors"
 	"os"
 	"os/exec"
 	"path"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 func actionActivate(args []string) {
 	home := os.Getenv("HOME")
 	if !path.IsAbs(home) {
 		fmsg.Fatalf("path %q is not aboslute", home)
 	}
 	marker := path.Join(home, ".hm-activation")
 	if len(args) != 1 {
 		fmsg.Fatalf("invalid argument")
 	}
 	activate := path.Join(args[0], "activate")
 	var cmd *exec.Cmd
 	if l, err := os.Readlink(marker); err != nil && !errors.Is(err, os.ErrNotExist) {
 		fmsg.Fatalf("cannot read activation marker %q: %v", marker, err)
 	} else if err != nil || l != activate {
 		cmd = exec.Command(activate)
 	}
 	// marker present and equals to current activation package
 	if cmd == nil {
 		fmsg.Exit(0)
 		panic("unreachable")
 	}
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Env = os.Environ()
 	if err := cmd.Run(); err != nil {
 		fmsg.Fatalf("cannot activate: %v", err)
 	}
 	if err := os.Remove(marker); err != nil && !errors.Is(err, os.ErrNotExist) {
 		fmsg.Fatalf("cannot remove existing marker: %v", err)
 	}
 	if err := os.Symlink(activate, marker); err != nil {
 		fmsg.Fatalf("cannot create activation marker: %v", err)
 	}
 }
--- a/cmd/flaunch/main.go
+++ b/cmd/flaunch/main.go
@ -0,0 +1,38 @@
 package main
 import (
 	"flag"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 var (
 	flagVerbose bool
 )
 func init() {
 	flag.BoolVar(&flagVerbose, "v", false, "Verbose output")
 }
 func main() {
 	fmsg.SetPrefix("launch")
 	flag.Parse()
 	fmsg.SetVerbose(flagVerbose)
 	args := flag.Args()
 	if len(args) < 1 {
 		fmsg.Fatal("invalid arguments")
 	}
 	switch args[0] {
 	case "activate":
 		actionActivate(args[1:])
 	case "start":
 		actionStart(args[1:])
 	default:
 		fmsg.Fatal("invalid arguments")
 	}
 	fmsg.Exit(0)
 }
--- a/cmd/flaunch/start.go
+++ b/cmd/flaunch/start.go
@ -0,0 +1,164 @@
 package main
 import (
 	"encoding/json"
 	"errors"
 	"io"
 	"os"
 	"os/exec"
 	"path"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 type bundleInfo struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 	// passed through to [fst.Config]
 	ID string `json:"id"`
 	// passed through to [fst.Config]
 	AppID int `json:"app_id"`
 	// passed through to [fst.Config]
 	Groups []string `json:"groups,omitempty"`
 	// passed through to [fst.Config]
 	UserNS bool `json:"userns,omitempty"`
 	// passed through to [fst.Config]
 	Net bool `json:"net,omitempty"`
 	// passed through to [fst.Config]
 	Dev bool `json:"dev,omitempty"`
 	// passed through to [fst.Config]
 	NoNewSession bool `json:"no_new_session,omitempty"`
 	// passed through to [fst.Config]
 	MapRealUID bool `json:"map_real_uid,omitempty"`
 	// passed through to [fst.Config]
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// passed through to [fst.Config]
 	SystemBus *dbus.Config `json:"system_bus,omitempty"`
 	// passed through to [fst.Config]
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
 	// passed through to [fst.Config]
 	Enablements system.Enablements `json:"enablements"`
 	// allow gpu access within sandbox
 	GPU bool `json:"gpu"`
 	// inner nix store path to activate-and-exec script
 	Launcher string `json:"launcher"`
 }
 func actionStart(args []string) {
 	if len(args) < 1 {
 		fmsg.Fatal("invalid arguments")
 	}
 	name := args[0]
 	bundle := new(bundleInfo)
 	if f, err := os.Open(path.Join(name, "bundle.json")); err != nil {
 		fmsg.Fatalf("cannot open bundle: %v", err)
 	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
 		fmsg.Fatalf("cannot parse bundle metadata: %v", err)
 	} else if err = f.Close(); err != nil {
 		fmsg.Printf("cannot close bundle metadata: %v", err)
 	}
 	config := &fst.Config{
 		ID:      bundle.ID,
 		Command: append([]string{bundle.Launcher}, args[1:]...),
 		Confinement: fst.ConfinementConfig{
 			AppID:    bundle.AppID,
 			Groups:   bundle.Groups,
 			Username: "fortify",
 			Inner:    path.Join("/data/data", bundle.ID),
 			Outer:    formatDataPath(bundle.ID),
 			Sandbox: &fst.SandboxConfig{
 				Hostname:      formatHostname(bundle.Name),
 				UserNS:        bundle.UserNS,
 				Net:           bundle.Net,
 				Dev:           bundle.Dev,
 				NoNewSession:  bundle.NoNewSession,
 				MapRealUID:    bundle.MapRealUID,
 				DirectWayland: bundle.DirectWayland,
 				Filesystem: []*fst.FilesystemConfig{
 					{Src: path.Join(name, "nix", "store"), Dst: "/nix/store", Must: true},
 					{Src: "/sys/block"},
 					{Src: "/sys/bus"},
 					{Src: "/sys/class"},
 					{Src: "/sys/dev"},
 					{Src: "/sys/devices"},
 				},
 				AutoEtc: true,
 			},
 			SystemBus:   bundle.SystemBus,
 			SessionBus:  bundle.SessionBus,
 			Enablements: bundle.Enablements,
 		},
 	}
 	if bundle.GPU {
 		config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
 			&fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 	}
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
 	if p, ok := internal.Check(internal.Fortify); !ok {
 		fmsg.Fatal("invalid fortify path, this copy of flaunch is not compiled correctly")
 		panic("unreachable")
 	} else if r, w, err := os.Pipe(); err != nil {
 		fmsg.Fatalf("cannot pipe: %v", err)
 		panic("unreachable")
 	} else {
 		if fmsg.Verbose() {
 			cmd = exec.Command(p, "-v", "app", "3")
 		} else {
 			cmd = exec.Command(p, "app", "3")
 		}
 		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 		cmd.ExtraFiles = []*os.File{r}
 		st = w
 	}
 	go func() {
 		if err := json.NewEncoder(st).Encode(config); err != nil {
 			fmsg.Fatalf("cannot send configuration: %v", err)
 		}
 	}()
 	if err := cmd.Start(); err != nil {
 		fmsg.Fatalf("cannot start fortify: %v", err)
 	}
 	if err := cmd.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if errors.As(err, &exitError) {
 			fmsg.Exit(exitError.ExitCode())
 		} else {
 			fmsg.Fatalf("cannot wait: %v", err)
 		}
 	}
 	fmsg.Exit(0)
 }
 func formatHostname(name string) string {
 	if h, err := os.Hostname(); err != nil {
 		fmsg.Printf("cannot get hostname: %v", err)
 		return "fortify-" + name
 	} else {
 		return h + "-" + name
 	}
 }
 func formatDataPath(id string) string {
 	if p, ok := os.LookupEnv("FORTIFY_DATA_HOME"); ok {
 		return path.Join(p, id)
 	} else if p, ok = os.LookupEnv("HOME"); ok {
 		return path.Join(p, ".app", id)
 	} else {
 		return path.Join("/var/lib/fortify/app", id)
 	}
 }
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@ -124,6 +124,8 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 		t.Run("proxy for "+id, func(t *testing.T) {
 			helper.InternalReplaceExecCommand(t)
 			overridePath(t)
 			p := dbus.New(tc[0].bus, tc[1].bus)
 			output := new(strings.Builder)
@ -174,7 +176,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 				t.Run("sealed start of "+id, func(t *testing.T) {
 					if err := p.Start(nil, output, sandbox); err != nil {
-						t.Errorf("Start(nil, nil) error = %v",
+						t.Fatalf("Start(nil, nil) error = %v",
 							err)
 					}
@ -213,3 +215,11 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 		})
 	}
 }
 func overridePath(t *testing.T) {
 	proxyName := dbus.ProxyName
 	dbus.ProxyName = "/nonexistent-xdg-dbus-proxy"
 	t.Cleanup(func() {
 		dbus.ProxyName = proxyName
 	})
 }
--- a/dbus/run.go
+++ b/dbus/run.go
@ -46,14 +46,16 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
 		// look up absolute path if name is just a file name
 		toolPath := p.name
 		if filepath.Base(p.name) == p.name {
-			if s, err := exec.LookPath(p.name); err == nil {
+			if s, err := exec.LookPath(p.name); err != nil {
 				return err
 			} else {
 				toolPath = s
 			}
 		}
 		// resolve libraries by parsing ldd output
 		var proxyDeps []*ldd.Entry
-		if path.IsAbs(toolPath) {
+		if toolPath != "/nonexistent-xdg-dbus-proxy" {
 			if l, err := ldd.Exec(toolPath); err != nil {
 				return err
 			} else {
@ -91,6 +93,9 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
 			if path.IsAbs(ent.Path) {
 				roBindTarget[path.Dir(ent.Path)] = struct{}{}
 			}
 			if path.IsAbs(ent.Name) {
 				roBindTarget[path.Dir(ent.Name)] = struct{}{}
 			}
 		}
 		// resolve upstream bus directories
--- a/dist/install.sh
+++ b/dist/install.sh
@ -4,6 +4,7 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
 install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/flaunch" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/flaunch"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
--- a/dist/release.sh
+++ b/dist/release.sh
@ -10,6 +10,7 @@ cp -rv "comp" "${out}"
 go build -v -o "${out}/bin/" -ldflags "-s -w
  -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
  -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
  -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
  -X main.Fmain=/usr/bin/fortify
--- a/internal/path.go
+++ b/internal/path.go
@ -3,8 +3,9 @@ package internal
 import "path"
 var (
-	Fsu   = compPoison
+	Fortify = compPoison
-	Finit = compPoison
+	Fsu     = compPoison
 	Finit   = compPoison
 )
 func Path(p string) (string, bool) {
--- a/ldd/ldd.go
+++ b/ldd/ldd.go
@ -32,7 +32,7 @@ func Parse(stdout fmt.Stringer) ([]*Entry, error) {
 		switch len(segment) {
 		case 2: // /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
 			iL = 1
-			result[i] = &Entry{Name: segment[0]}
+			result[i] = &Entry{Name: strings.TrimSpace(segment[0])}
 		case 4: // libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
 			iL = 3
 			if segment[1] != "=>" {
@ -42,7 +42,7 @@ func Parse(stdout fmt.Stringer) ([]*Entry, error) {
 				return nil, ErrPathNotAbsolute
 			}
 			result[i] = &Entry{
-				Name: segment[0],
+				Name: strings.TrimSpace(segment[0]),
 				Path: segment[2],
 			}
 		default:
--- a/ldd/ldd_test.go
+++ b/ldd/ldd_test.go
@ -65,12 +65,12 @@ libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7ff71c0a4000)`,
 				{"libc.musl-x86_64.so.1", "/lib/ld-musl-x86_64.so.1", 0x7ff71c0a4000},
 			}},
 		{"glibc /nix/store/rc3n2r3nffpib2gqpxlkjx36frw6n34z-kmod-31/bin/kmod", `
-linux-vdso.so.1 (0x00007ffed65be000)
+	linux-vdso.so.1 (0x00007ffed65be000)
-libzstd.so.1 => /nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1 (0x00007f3199cd1000)
+	libzstd.so.1 => /nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1 (0x00007f3199cd1000)
-liblzma.so.5 => /nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5 (0x00007f3199ca2000)
+	liblzma.so.5 => /nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5 (0x00007f3199ca2000)
-libc.so.6 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6 (0x00007f3199ab5000)
+	libc.so.6 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6 (0x00007f3199ab5000)
-libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0 (0x00007f3199ab0000)
+	libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0 (0x00007f3199ab0000)
-/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2 (0x00007f3199da5000)`,
+	/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2 (0x00007f3199da5000)`,
 			[]*ldd.Entry{
 				{"linux-vdso.so.1", "", 0x00007ffed65be000},
 				{"libzstd.so.1", "/nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1", 0x00007f3199cd1000},
@ -79,6 +79,35 @@ libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib
 				{"libpthread.so.0", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0", 0x00007f3199ab0000},
 				{"/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2", 0x00007f3199da5000},
 			}},
 		{"glibc /usr/bin/xdg-dbus-proxy", `
 	linux-vdso.so.1 (0x00007725f5772000)
 	libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0x00007725f55d5000)
 	libgio-2.0.so.0 => /usr/lib/libgio-2.0.so.0 (0x00007725f5406000)
 	libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0x00007725f53a6000)
 	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007725f5378000)
 	libc.so.6 => /usr/lib/libc.so.6 (0x00007725f5187000)
 	libpcre2-8.so.0 => /usr/lib/libpcre2-8.so.0 (0x00007725f50e8000)
 	libgmodule-2.0.so.0 => /usr/lib/libgmodule-2.0.so.0 (0x00007725f50df000)
 	libz.so.1 => /usr/lib/libz.so.1 (0x00007725f50c6000)
 	libmount.so.1 => /usr/lib/libmount.so.1 (0x00007725f5076000)
 	libffi.so.8 => /usr/lib/libffi.so.8 (0x00007725f506b000)
 	/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007725f5774000)
 	libblkid.so.1 => /usr/lib/libblkid.so.1 (0x00007725f5032000)`,
 			[]*ldd.Entry{
 				{"linux-vdso.so.1", "", 0x00007725f5772000},
 				{"libglib-2.0.so.0", "/usr/lib/libglib-2.0.so.0", 0x00007725f55d5000},
 				{"libgio-2.0.so.0", "/usr/lib/libgio-2.0.so.0", 0x00007725f5406000},
 				{"libgobject-2.0.so.0", "/usr/lib/libgobject-2.0.so.0", 0x00007725f53a6000},
 				{"libgcc_s.so.1", "/usr/lib/libgcc_s.so.1", 0x00007725f5378000},
 				{"libc.so.6", "/usr/lib/libc.so.6", 0x00007725f5187000},
 				{"libpcre2-8.so.0", "/usr/lib/libpcre2-8.so.0", 0x00007725f50e8000},
 				{"libgmodule-2.0.so.0", "/usr/lib/libgmodule-2.0.so.0", 0x00007725f50df000},
 				{"libz.so.1", "/usr/lib/libz.so.1", 0x00007725f50c6000},
 				{"libmount.so.1", "/usr/lib/libmount.so.1", 0x00007725f5076000},
 				{"libffi.so.8", "/usr/lib/libffi.so.8", 0x00007725f506b000},
 				{"/lib64/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2", 0x00007725f5774000},
 				{"libblkid.so.1", "/usr/lib/libblkid.so.1", 0x00007725f5032000},
 			}},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.file, func(t *testing.T) {
--- a/package.nix
+++ b/package.nix
@ -45,6 +45,7 @@ buildGoModule rec {
        Version = "v${version}";
        Fsu = "/run/wrappers/bin/fsu";
        Finit = "${placeholder "out"}/libexec/finit";
        Fortify = "${placeholder "out"}/bin/fortify";
      };
  # nix build environment does not allow acls
Author	SHA1	Message	Date
Ophestra	fba87b0c39	cmd/flaunch: implement app bundle wrapper All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 3m30s Details This tool creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 13:21:49 +09:00
Ophestra	cdfc23700f	internal: include path to fortify main program Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 12:48:48 +09:00
Ophestra	b956ce4052	ldd: trim leading and trailing white spaces from name All checks were successful Tests / Go tests (push) Successful in 33s Details Nix / NixOS tests (push) Successful in 3m31s Details Glibc emits ldd output with \t prefix for formatting. Remove that here. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 16:53:01 +09:00
Ophestra	dc579dc610	dbus/run: bind ldd entry absolute name All checks were successful Tests / Go tests (push) Successful in 32s Details Nix / NixOS tests (push) Successful in 3m35s Details The ld.so entry has an absolute name. They are usually symlinks so binding path does not guarantee ld.so availability under its expected path in the mount namespace. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 16:36:03 +09:00
Ophestra	ade57c39af	ldd: add fhs glibc test case All checks were successful Tests / Go tests (push) Successful in 33s Details Nix / NixOS tests (push) Successful in 3m34s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 16:33:02 +09:00
Ophestra	614ad86a5b	dbus: fail on LookPath error All checks were successful Tests / Go tests (push) Successful in 35s Details Nix / NixOS tests (push) Successful in 3m24s Details An absolute path to xdg-dbus-proxy is required. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 16:08:48 +09:00