.gitea/workflows/nix.yml

@@ -22,25 +22,5 @@ jobs:
             system-features = nixos-test benchmark big-parallel kvm
           enable_kvm: true
 
-      - name: Ensure environment
-        run: >-
-          apt-get update && apt-get install -y sqlite3
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Restore Nix store
-        uses: nix-community/cache-nix-action@v5
-        with:
-          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: nix-${{ runner.os }}-
-
       - name: Run tests
-        run: |
+        run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
-          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
-          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
-
-      - name: Upload test output
-        uses: actions/upload-artifact@v3
-        with:
-          name: "result"
-          path: result/*
-          retention-days: 1

.gitea/workflows/test.yml

@@ -11,22 +11,19 @@ jobs:
     container:
       image: node:16-bookworm-slim
     steps:
-      - name: Enable backports
-        run: >-
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Ensure environment
-        run: >-
-          apt-get update && apt-get install -y curl wget sudo libxml2
-        if: ${{ runner.os == 'Linux' }}
-
       - name: Get dependencies
-        uses: awalsh128/cache-apt-pkgs-action@latest
+        run: >-
-        with:
+          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
-          packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
+          apt-get update &&
-          version: 1.0
+          apt-get install -y
-          #execute_install_scripts: true
+          acl
+          git
+          gcc
+          pkg-config
+          libwayland-dev
+          wayland-protocols/bookworm-backports
+          libxcb1-dev
+          libacl1-dev
         if: ${{ runner.os == 'Linux' }}
 
       - name: Checkout
@@ -47,16 +44,13 @@ jobs:
         run: >-
           go test ./...
 
-      - name: Build for test
+      - name: Build for Linux
-        id: build-test
         run: >-
-          FORTIFY_VERSION="$(git rev-parse --short HEAD)"
+          go build -v -ldflags '-s -w
-          bash -c './dist/release.sh &&
+          -X git.ophivana.moe/security/fortify/internal.Version=${{ github.ref_name }}
-          echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
+          -X git.ophivana.moe/security/fortify/internal.Fsu=/usr/bin/fsu
-
+          -X git.ophivana.moe/security/fortify/internal.Finit=/usr/libexec/fortify/finit
-      - name: Upload test build
+          -X main.Fmain=/usr/bin/fortify
-        uses: actions/upload-artifact@v3
+          -X main.Fshim=/usr/libexec/fortify/fshim'
-        with:
+          -o bin/ ./... &&
-          name: "fortify-${{ steps.build-test.outputs.rev }}"
+          (cd bin && sha512sum --tag -b * > sha512sums)
-          path: dist/fortify-*
-          retention-days: 1

cmd/finit/main.go

@@ -1,18 +1,19 @@
 package main
 
 import (
+	"encoding/gob"
 	"errors"
 	"os"
 	"os/exec"
 	"os/signal"
 	"path"
+	"strconv"
 	"syscall"
 	"time"
 
 	init0 "git.ophivana.moe/security/fortify/cmd/finit/ipc"
 	"git.ophivana.moe/security/fortify/internal"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/proc"
 )
 
 const (
@@ -47,24 +48,30 @@ func main() {
 		}
 	}
 
-	// receive setup payload
+	// setup pipe fd from environment
-	var (
+	var setup *os.File
-		payload    init0.Payload
+	if s, ok := os.LookupEnv(init0.Env); !ok {
-		closeSetup func() error
-	)
-	if f, err := proc.Receive(init0.Env, &payload); err != nil {
-		if errors.Is(err, proc.ErrInvalid) {
-			fmsg.Fatal("invalid config descriptor")
-		}
-		if errors.Is(err, proc.ErrNotSet) {
 		fmsg.Fatal("FORTIFY_INIT not set")
+		panic("unreachable")
+	} else {
+		if fd, err := strconv.Atoi(s); err != nil {
+			fmsg.Fatalf("cannot parse %q: %v", s, err)
+			panic("unreachable")
+		} else {
+			setup = os.NewFile(uintptr(fd), "setup")
+			if setup == nil {
+				fmsg.Fatal("invalid config descriptor")
+				panic("unreachable")
+			}
+		}
 	}
 
-		fmsg.Fatalf("cannot decode init setup payload: %v", err)
+	var payload init0.Payload
+	if err := gob.NewDecoder(setup).Decode(&payload); err != nil {
+		fmsg.Fatal("cannot decode init setup payload:", err)
 		panic("unreachable")
 	} else {
 		fmsg.SetVerbose(payload.Verbose)
-		closeSetup = f
 
 		// child does not need to see this
 		if err = os.Unsetenv(init0.Env); err != nil {
@@ -91,7 +98,7 @@ func main() {
 	fmsg.Suspend()
 
 	// close setup pipe as setup is now complete
-	if err := closeSetup(); err != nil {
+	if err := setup.Close(); err != nil {
 		fmsg.Println("cannot close setup pipe:", err)
 		// not fatal
 	}

cmd/fshim/ipc/payload.go

@@ -1,7 +1,11 @@
 package shim0
 
 import (
+	"encoding/gob"
+	"net"
+
 	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.ophivana.moe/security/fortify/internal/fmsg"
 )
 
 const Env = "FORTIFY_SHIM"
@@ -19,3 +23,13 @@ type Payload struct {
 	// verbosity pass through
 	Verbose bool
 }
+
+func (p *Payload) Serve(conn *net.UnixConn) error {
+	if err := gob.NewEncoder(conn).Encode(*p); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			"cannot stream shim payload:")
+	}
+
+	return fmsg.WrapErrorSuffix(conn.Close(),
+		"cannot close setup connection:")
+}

cmd/fshim/ipc/shim/shim.go

@@ -1,16 +1,18 @@
 package shim
 
 import (
-	"encoding/gob"
 	"errors"
+	"net"
 	"os"
 	"os/exec"
 	"os/signal"
-	"strconv"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"
 
+	"git.ophivana.moe/security/fortify/acl"
 	shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
 	"git.ophivana.moe/security/fortify/internal"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
@@ -30,14 +32,20 @@ type Shim struct {
 	aid string
 	// string representation of supplementary group ids
 	supp []string
+	// path to setup socket
+	socket string
+	// shim setup abort reason and completion
+	abort     chan error
+	abortErr  atomic.Pointer[error]
+	abortOnce sync.Once
 	// fallback exit notifier with error returned killing the process
 	killFallback chan error
 	// shim setup payload
 	payload *shim0.Payload
 }
 
-func New(uid uint32, aid string, supp []string, payload *shim0.Payload) *Shim {
+func New(uid uint32, aid string, supp []string, socket string, payload *shim0.Payload) *Shim {
-	return &Shim{uid: uid, aid: aid, supp: supp, payload: payload}
+	return &Shim{uid: uid, aid: aid, supp: supp, socket: socket, payload: payload}
 }
 
 func (s *Shim) String() string {
@@ -51,11 +59,39 @@ func (s *Shim) Unwrap() *exec.Cmd {
 	return s.cmd
 }
 
+func (s *Shim) Abort(err error) {
+	s.abortOnce.Do(func() {
+		s.abortErr.Store(&err)
+		// s.abort is buffered so this will never block
+		s.abort <- err
+	})
+}
+
+func (s *Shim) AbortWait(err error) {
+	s.Abort(err)
+	<-s.abort
+}
+
 func (s *Shim) WaitFallback() chan error {
 	return s.killFallback
 }
 
 func (s *Shim) Start() (*time.Time, error) {
+	var (
+		cf     chan *net.UnixConn
+		accept func()
+	)
+
+	// listen on setup socket
+	if c, a, err := s.serve(); err != nil {
+		return nil, fmsg.WrapErrorSuffix(err,
+			"cannot listen on shim setup socket:")
+	} else {
+		// accepts a connection after each call to accept
+		// connections are sent to the channel cf
+		cf, accept = c, a
+	}
+
 	// start user switcher process and save time
 	var fsu string
 	if p, ok := internal.Check(internal.Fsu); !ok {
@@ -65,19 +101,10 @@ func (s *Shim) Start() (*time.Time, error) {
 		fsu = p
 	}
 	s.cmd = exec.Command(fsu)
-
-	var encoder *gob.Encoder
-	if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot create shim setup pipe:")
-	} else {
-		encoder = e
 	s.cmd.Env = []string{
-			shim0.Env + "=" + strconv.Itoa(fd),
+		shim0.Env + "=" + s.socket,
 		"FORTIFY_APP_ID=" + s.aid,
 	}
-	}
-
 	if len(s.supp) > 0 {
 		fmsg.VPrintf("attaching supplementary group ids %s", s.supp)
 		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(s.supp, " "))
@@ -118,20 +145,117 @@ func (s *Shim) Start() (*time.Time, error) {
 		signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
 	}()
 
-	shimErr := make(chan error)
+	accept()
-	go func() { shimErr <- encoder.Encode(s.payload) }()
+	var conn *net.UnixConn
-
 	select {
-	case err := <-shimErr:
+	case c := <-cf:
-		if err != nil {
+		if c == nil {
-			return &startTime, fmsg.WrapErrorSuffix(err,
+			return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot accept call on setup socket:")
-				"cannot transmit shim config:")
+		} else {
+			conn = c
 		}
-		killShim = func() {}
 	case <-time.After(shimSetupTimeout):
-		return &startTime, fmsg.WrapError(errors.New("timed out waiting for shim"),
+		err := fmsg.WrapError(errors.New("timed out waiting for shim"),
-			"timed out waiting for shim")
+			"timed out waiting for shim to connect")
+		s.AbortWait(err)
+		return &startTime, err
 	}
 
-	return &startTime, nil
+	// authenticate against called provided uid and shim pid
+	if cred, err := peerCred(conn); err != nil {
+		return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot retrieve shim credentials:")
+	} else if cred.Uid != s.uid {
+		fmsg.Printf("process %d owned by user %d tried to connect, expecting %d",
+			cred.Pid, cred.Uid, s.uid)
+		err = errors.New("compromised fortify build")
+		s.Abort(err)
+		return &startTime, err
+	} else if cred.Pid != int32(s.cmd.Process.Pid) {
+		fmsg.Printf("process %d tried to connect to shim setup socket, expecting shim %d",
+			cred.Pid, s.cmd.Process.Pid)
+		err = errors.New("compromised target user")
+		s.Abort(err)
+		return &startTime, err
+	}
+
+	// serve payload
+	// this also closes the connection
+	err := s.payload.Serve(conn)
+	if err == nil {
+		killShim = func() {}
+	}
+	s.Abort(err) // aborting with nil indicates success
+	return &startTime, err
+}
+
+func (s *Shim) serve() (chan *net.UnixConn, func(), error) {
+	if s.abort != nil {
+		panic("attempted to serve shim setup twice")
+	}
+	s.abort = make(chan error, 1)
+
+	cf := make(chan *net.UnixConn)
+	accept := make(chan struct{}, 1)
+
+	if l, err := net.ListenUnix("unix", &net.UnixAddr{Name: s.socket, Net: "unix"}); err != nil {
+		return nil, nil, err
+	} else {
+		l.SetUnlinkOnClose(true)
+
+		fmsg.VPrintf("listening on shim setup socket %q", s.socket)
+		if err = acl.UpdatePerm(s.socket, int(s.uid), acl.Read, acl.Write, acl.Execute); err != nil {
+			fmsg.Println("cannot append ACL entry to shim setup socket:", err)
+			s.Abort(err) // ensures setup socket cleanup
+		}
+
+		go func() {
+			cfWg := new(sync.WaitGroup)
+			for {
+				select {
+				case err = <-s.abort:
+					if err != nil {
+						fmsg.VPrintln("aborting shim setup, reason:", err)
+					}
+					if err = l.Close(); err != nil {
+						fmsg.Println("cannot close setup socket:", err)
+					}
+					close(s.abort)
+					go func() {
+						cfWg.Wait()
+						close(cf)
+					}()
+					return
+				case <-accept:
+					cfWg.Add(1)
+					go func() {
+						defer cfWg.Done()
+						if conn, err0 := l.AcceptUnix(); err0 != nil {
+							// breaks loop
+							s.Abort(err0)
+							// receiver sees nil value and loads err0 stored during abort
+							cf <- nil
+						} else {
+							cf <- conn
+						}
+					}()
+				}
+			}
+		}()
+	}
+
+	return cf, func() { accept <- struct{}{} }, nil
+}
+
+// peerCred fetches peer credentials of conn
+func peerCred(conn *net.UnixConn) (ucred *syscall.Ucred, err error) {
+	var raw syscall.RawConn
+	if raw, err = conn.SyscallConn(); err != nil {
+		return
+	}
+
+	err0 := raw.Control(func(fd uintptr) {
+		ucred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
+	})
+	err = errors.Join(err, err0)
+	return
 }

cmd/fshim/main.go

@@ -1,7 +1,8 @@
 package main
 
 import (
-	"errors"
+	"encoding/gob"
+	"net"
 	"os"
 	"path"
 	"strconv"
@@ -12,7 +13,6 @@ import (
 	"git.ophivana.moe/security/fortify/helper"
 	"git.ophivana.moe/security/fortify/internal"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/proc"
 )
 
 // everything beyond this point runs as unconstrained target user
@@ -37,6 +37,15 @@ func main() {
 		}
 	}
 
+	// lookup socket path from environment
+	var socketPath string
+	if s, ok := os.LookupEnv(shim.Env); !ok {
+		fmsg.Fatal("FORTIFY_SHIM not set")
+		panic("unreachable")
+	} else {
+		socketPath = s
+	}
+
 	// check path to finit
 	var finitPath string
 	if p, ok := internal.Path(internal.Finit); !ok {
@@ -45,24 +54,21 @@ func main() {
 		finitPath = p
 	}
 
-	// receive setup payload
+	// dial setup socket
-	var (
+	var conn *net.UnixConn
-		payload    shim.Payload
+	if c, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: socketPath, Net: "unix"}); err != nil {
-		closeSetup func() error
+		fmsg.Fatal(err.Error())
-	)
-	if f, err := proc.Receive(shim.Env, &payload); err != nil {
-		if errors.Is(err, proc.ErrInvalid) {
-			fmsg.Fatal("invalid config descriptor")
-		}
-		if errors.Is(err, proc.ErrNotSet) {
-			fmsg.Fatal("FORTIFY_SHIM not set")
-		}
-
-		fmsg.Fatalf("cannot decode shim setup payload: %v", err)
 		panic("unreachable")
+	} else {
+		conn = c
+	}
+
+	// decode payload gob stream
+	var payload shim.Payload
+	if err := gob.NewDecoder(conn).Decode(&payload); err != nil {
+		fmsg.Fatalf("cannot decode shim payload: %v", err)
 	} else {
 		fmsg.SetVerbose(payload.Verbose)
-		closeSetup = f
 	}
 
 	if payload.Bwrap == nil {
@@ -75,8 +81,8 @@ func main() {
 	}
 
 	// close setup socket
-	if err := closeSetup(); err != nil {
+	if err := conn.Close(); err != nil {
-		fmsg.Println("cannot close setup pipe:", err)
+		fmsg.Println("cannot close setup socket:", err)
 		// not fatal
 	}
 
@@ -104,14 +110,17 @@ func main() {
 
 	var extraFiles []*os.File
 
-	// serve setup payload
+	// share config pipe
-	if fd, encoder, err := proc.Setup(&extraFiles); err != nil {
+	if r, w, err := os.Pipe(); err != nil {
 		fmsg.Fatalf("cannot pipe: %v", err)
 	} else {
-		conf.SetEnv[init0.Env] = strconv.Itoa(fd)
+		conf.SetEnv[init0.Env] = strconv.Itoa(3 + len(extraFiles))
-		go func() {
+		extraFiles = append(extraFiles, r)
+
 		fmsg.VPrintln("transmitting config to init")
-			if err = encoder.Encode(&ic); err != nil {
+		go func() {
+			// stream config to pipe
+			if err = gob.NewEncoder(w).Encode(&ic); err != nil {
 				fmsg.Fatalf("cannot transmit init config: %v", err)
 			}
 		}()

cmd/fsu/main.go

@@ -83,17 +83,17 @@ func main() {
 		uid += aid
 	}
 
-	// pass through setup fd to shim
+	// pass through setup path to shim
-	var shimSetupFd string
+	var shimSetupPath string
 	if s, ok := os.LookupEnv(envShim); !ok {
 		// fortify requests target uid
 		// print resolved uid and exit
 		fmt.Print(uid)
 		os.Exit(0)
-	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
+	} else if !path.IsAbs(s) {
-		log.Fatal("FORTIFY_SHIM holds an invalid value")
+		log.Fatal("FORTIFY_SHIM is not absolute")
 	} else {
-		shimSetupFd = s
+		shimSetupPath = s
 	}
 
 	// supplementary groups
@@ -142,7 +142,7 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}
 

flake.nix

@@ -74,7 +74,7 @@
                 touch $out
               '';
 
-          nixos-tests = callPackage ./test.nix { inherit system self home-manager; };
+          nixos-tests = callPackage ./test.nix { inherit self home-manager; };
         }
       );
 
@@ -95,26 +95,6 @@
           buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
         };
 
-        fhs = nixpkgsFor.${system}.buildFHSEnv {
-          pname = "fortify-fhs";
-          inherit (self.packages.${system}.fortify) version;
-          targetPkgs =
-            pkgs: with pkgs; [
-              go
-              gcc
-              pkg-config
-              acl
-              wayland
-              wayland-scanner
-              wayland-protocols
-              xorg.libxcb
-            ];
-          extraOutputsToInstall = [ "dev" ];
-          profile = ''
-            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
-          '';
-        };
-
         withPackage = nixpkgsFor.${system}.mkShell {
           buildInputs =
             with nixpkgsFor.${system};

internal/app/app.go

@@ -2,16 +2,14 @@ package app
 
 import (
 	"sync"
-	"sync/atomic"
 
 	"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
-	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/internal/linux"
 )
 
 type App interface {
 	// ID returns a copy of App's unique ID.
-	ID() fst.ID
+	ID() ID
 	// Start sets up the system and starts the App.
 	Start() error
 	// Wait waits for App's process to exit and reverts system setup.
@@ -19,16 +17,13 @@ type App interface {
 	// WaitErr returns error returned by the underlying wait syscall.
 	WaitErr() error
 
-	Seal(config *fst.Config) error
+	Seal(config *Config) error
 	String() string
 }
 
 type app struct {
-	// single-use config reference
-	ct *appCt
-
 	// application unique identifier
-	id *fst.ID
+	id *ID
 	// operating system interface
 	os linux.System
 	// shim process manager
@@ -41,7 +36,7 @@ type app struct {
 	lock sync.RWMutex
 }
 
-func (a *app) ID() fst.ID {
+func (a *app) ID() ID {
 	return *a.id
 }
 
@@ -70,28 +65,7 @@ func (a *app) WaitErr() error {
 
 func New(os linux.System) (App, error) {
 	a := new(app)
-	a.id = new(fst.ID)
+	a.id = new(ID)
 	a.os = os
-	return a, fst.NewAppID(a.id)
+	return a, newAppID(a.id)
-}
-
-// appCt ensures its wrapped val is only accessed once
-type appCt struct {
-	val  *fst.Config
-	done *atomic.Bool
-}
-
-func (a *appCt) Unwrap() *fst.Config {
-	if !a.done.Load() {
-		defer a.done.Store(true)
-		return a.val
-	}
-	panic("attempted to access config reference twice")
-}
-
-func newAppCt(config *fst.Config) (ct *appCt) {
-	ct = new(appCt)
-	ct.done = new(atomic.Bool)
-	ct.val = config
-	return ct
 }

internal/app/app_nixos_test.go

@@ -3,23 +3,23 @@ package app_test
 import (
 	"git.ophivana.moe/security/fortify/acl"
 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/system"
 )
 
 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
-		&fst.Config{
+		&app.Config{
 			ID:      "org.chromium.Chromium",
 			Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
-			Confinement: fst.ConfinementConfig{
+			Confinement: app.ConfinementConfig{
 				AppID: 1, Groups: []string{}, Username: "u0_a1",
 				Outer: "/var/lib/persist/module/fortify/0/1",
-				Sandbox: &fst.SandboxConfig{
+				Sandbox: &app.SandboxConfig{
 					UserNS: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil,
-					Filesystem: []*fst.FilesystemConfig{
+					Filesystem: []*app.FilesystemConfig{
 						{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
 						{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
 						{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
@@ -48,7 +48,7 @@ var testCasesNixos = []sealTestCase{
 				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
 			},
 		},
-		fst.ID{
+		app.ID{
 			0x8e, 0x2c, 0x76, 0xb0,
 			0x66, 0xda, 0xbe, 0x57,
 			0x4c, 0xf0, 0x73, 0xbd,

internal/app/app_pd_test.go

@@ -3,23 +3,23 @@ package app_test
 import (
 	"git.ophivana.moe/security/fortify/acl"
 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/system"
 )
 
 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
-		&fst.Config{
+		&app.Config{
 			Command: make([]string, 0),
-			Confinement: fst.ConfinementConfig{
+			Confinement: app.ConfinementConfig{
 				AppID:    0,
 				Username: "chronos",
 				Outer:    "/home/chronos",
 			},
 		},
-		fst.ID{
+		app.ID{
 			0x4a, 0x45, 0x0b, 0x65,
 			0x96, 0xd7, 0xbc, 0x15,
 			0xbd, 0x01, 0x78, 0x0e,
@@ -190,10 +190,10 @@ var testCasesPd = []sealTestCase{
 	},
 	{
 		"nixos permissive defaults chromium", new(stubNixOS),
-		&fst.Config{
+		&app.Config{
 			ID:      "org.chromium.Chromium",
 			Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
-			Confinement: fst.ConfinementConfig{
+			Confinement: app.ConfinementConfig{
 				AppID:    9,
 				Groups:   []string{"video"},
 				Username: "chronos",
@@ -232,7 +232,7 @@ var testCasesPd = []sealTestCase{
 				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
 			},
 		},
-		fst.ID{
+		app.ID{
 			0xeb, 0xf0, 0x83, 0xd1,
 			0xb1, 0x75, 0x91, 0x17,
 			0x82, 0xd4, 0x13, 0x36,

internal/app/app_test.go

@@ -6,7 +6,6 @@ import (
 	"testing"
 	"time"
 
-	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
 	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/linux"
@@ -16,8 +15,8 @@ import (
 type sealTestCase struct {
 	name      string
 	os        linux.System
-	config    *fst.Config
+	config    *app.Config
-	id        fst.ID
+	id        app.ID
 	wantSys   *system.I
 	wantBwrap *bwrap.Config
 }

internal/app/config.go

@@ -1,4 +1,4 @@
-package fst
+package app
 
 import (
 	"errors"

internal/app/export_test.go

@@ -1,13 +1,12 @@
 package app
 
 import (
-	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/helper/bwrap"
 	"git.ophivana.moe/security/fortify/internal/linux"
 	"git.ophivana.moe/security/fortify/internal/system"
 )
 
-func NewWithID(id fst.ID, os linux.System) App {
+func NewWithID(id ID, os linux.System) App {
 	a := new(app)
 	a.id = &id
 	a.os = os

internal/app/id.go

@@ -1,5 +1,4 @@
-// Package fst exports shared fortify types.
+package app
-package fst
 
 import (
 	"crypto/rand"
@@ -12,7 +11,7 @@ func (a *ID) String() string {
 	return hex.EncodeToString(a[:])
 }
 
-func NewAppID(id *ID) error {
+func newAppID(id *ID) error {
 	_, err := rand.Read(id[:])
 	return err
 }

internal/app/seal.go

@@ -9,7 +9,6 @@ import (
 	"strconv"
 
 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
 	"git.ophivana.moe/security/fortify/internal/linux"
 	"git.ophivana.moe/security/fortify/internal/state"
@@ -60,7 +59,7 @@ type appSeal struct {
 }
 
 // Seal seals the app launch context
-func (a *app) Seal(config *fst.Config) error {
+func (a *app) Seal(config *Config) error {
 	a.lock.Lock()
 	defer a.lock.Unlock()
 
@@ -148,7 +147,7 @@ func (a *app) Seal(config *fst.Config) error {
 		fmsg.VPrintln("sandbox configuration not supplied, PROCEED WITH CAUTION")
 
 		// permissive defaults
-		conf := &fst.SandboxConfig{
+		conf := &SandboxConfig{
 			UserNS:       true,
 			Net:          true,
 			NoNewSession: true,
@@ -158,7 +157,7 @@ func (a *app) Seal(config *fst.Config) error {
 		if d, err := a.os.ReadDir("/"); err != nil {
 			return err
 		} else {
-			b := make([]*fst.FilesystemConfig, 0, len(d))
+			b := make([]*FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				p := "/" + ent.Name()
 				switch p {
@@ -170,7 +169,7 @@ func (a *app) Seal(config *fst.Config) error {
 				case "/etc":
 
 				default:
-					b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
+					b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
@@ -179,7 +178,7 @@ func (a *app) Seal(config *fst.Config) error {
 		if d, err := a.os.ReadDir("/run"); err != nil {
 			return err
 		} else {
-			b := make([]*fst.FilesystemConfig, 0, len(d))
+			b := make([]*FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				name := ent.Name()
 				switch name {
@@ -187,7 +186,7 @@ func (a *app) Seal(config *fst.Config) error {
 				case "dbus":
 				default:
 					p := "/run/" + name
-					b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
+					b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
@@ -199,7 +198,7 @@ func (a *app) Seal(config *fst.Config) error {
 		}
 		// bind GPU stuff
 		if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
-			conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
+			conf.Filesystem = append(conf.Filesystem, &FilesystemConfig{Src: "/dev/dri", Device: true})
 		}
 
 		config.Confinement.Sandbox = conf
@@ -237,6 +236,5 @@ func (a *app) Seal(config *fst.Config) error {
 
 	// seal app and release lock
 	a.seal = seal
-	a.ct = newAppCt(config)
 	return nil
 }

internal/app/start.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"strings"
 
@@ -45,6 +46,7 @@ func (a *app) Start() error {
 		uint32(a.seal.sys.UID()),
 		a.seal.sys.user.as,
 		a.seal.sys.user.supp,
+		path.Join(a.seal.share, "shim"),
 		&shim0.Payload{
 			Argv:  a.seal.command,
 			Exec:  shimExec,
@@ -68,9 +70,10 @@ func (a *app) Start() error {
 	} else {
 		// shim start and setup success, create process state
 		sd := state.State{
-			ID:     *a.id,
 			PID:        a.shim.Unwrap().Process.Pid,
-			Config: a.ct.Unwrap(),
+			Command:    a.seal.command,
+			Capability: a.seal.et,
+			Argv:       a.shim.Unwrap().Args,
 			Time:       *startTime,
 		}
 
@@ -224,12 +227,8 @@ func (a *app) Wait() (int, error) {
 				}
 
 				// accumulate capabilities of other launchers
-				for i, s := range states {
+				for _, s := range states {
-					if s.Config != nil {
+					*rt |= s.Capability
-						*rt |= s.Config.Confinement.Enablements
-					} else {
-						fmsg.Printf("state entry %d does not contain config", i)
-					}
 				}
 			}
 			// invert accumulated enablements for cleanup
@@ -250,6 +249,12 @@ func (a *app) Wait() (int, error) {
 				}
 			}
 
+			if a.shim.Unwrap() == nil {
+				fmsg.VPrintln("fault before shim start")
+			} else {
+				a.shim.AbortWait(errors.New("shim exited"))
+			}
+
 			if a.seal.sys.needRevert {
 				if err := a.seal.sys.Revert(ec); err != nil {
 					return err.(RevertCompoundError)

internal/proc/fd.go

@@ -1,42 +0,0 @@
-package proc
-
-import (
-	"encoding/gob"
-	"errors"
-	"os"
-	"strconv"
-)
-
-var (
-	ErrNotSet  = errors.New("environment variable not set")
-	ErrInvalid = errors.New("bad file descriptor")
-)
-
-func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
-	if r, w, err := os.Pipe(); err != nil {
-		return -1, nil, err
-	} else {
-		fd := 3 + len(*extraFiles)
-		*extraFiles = append(*extraFiles, r)
-		return fd, gob.NewEncoder(w), nil
-	}
-}
-
-func Receive(key string, e any) (func() error, error) {
-	var setup *os.File
-
-	if s, ok := os.LookupEnv(key); !ok {
-		return nil, ErrNotSet
-	} else {
-		if fd, err := strconv.Atoi(s); err != nil {
-			return nil, err
-		} else {
-			setup = os.NewFile(uintptr(fd), "setup")
-			if setup == nil {
-				return nil, ErrInvalid
-			}
-		}
-	}
-
-	return func() error { return setup.Close() }, gob.NewDecoder(setup).Decode(e)
-}

internal/state/print.go

@@ -82,41 +82,27 @@ func (s *simpleStore) mustPrintLauncherState(w **tabwriter.Writer, now time.Time
 					continue
 				}
 
-				// build enablements and command string
+				// build enablements string
-				var (
+				ets := strings.Builder{}
-					ets *strings.Builder
-					cs  = "(No command information)"
-				)
-
-				// check if enablements are provided
-				if state.Config != nil {
-					ets = new(strings.Builder)
 				// append enablement strings in order
 				for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
-						if state.Config.Confinement.Enablements.Has(i) {
+					if state.Capability.Has(i) {
 						ets.WriteString(", " + i.String())
 					}
 				}
-
+				// prevent an empty string when
-					cs = fmt.Sprintf("%q", state.Config.Command)
-				}
-				if ets != nil {
-					// prevent an empty string
 				if ets.Len() == 0 {
 					ets.WriteString("(No enablements)")
 				}
-				} else {
-					ets = new(strings.Builder)
-					ets.WriteString("(No confinement information)")
-				}
 
 				if !fmsg.Verbose() {
 					_, _ = fmt.Fprintf(*w, "\t%d\t%s\t%s\t%s\t%s\n",
-						state.PID, s.path[len(s.path)-1], now.Sub(state.Time).Round(time.Second).String(), strings.TrimPrefix(ets.String(), ", "), cs)
+						state.PID, s.path[len(s.path)-1], now.Sub(state.Time).Round(time.Second).String(), strings.TrimPrefix(ets.String(), ", "),
+						state.Command)
 				} else {
 					// emit argv instead when verbose
 					_, _ = fmt.Fprintf(*w, "\t%d\t%s\t%s\n",
-						state.PID, s.path[len(s.path)-1], state.ID)
+						state.PID, s.path[len(s.path)-1], state.Argv)
 				}
 			}
 

internal/state/simple.go

@@ -176,10 +176,6 @@ func (b *simpleBackend) Save(state *State) error {
 	b.lock.Lock()
 	defer b.lock.Unlock()
 
-	if state.Config == nil {
-		return errors.New("state does not contain config")
-	}
-
 	statePath := b.filename(state.PID)
 
 	// create and open state data file

internal/state/state.go

@@ -3,7 +3,7 @@ package state
 import (
 	"time"
 
-	"git.ophivana.moe/security/fortify/fst"
+	"git.ophivana.moe/security/fortify/internal/system"
 )
 
 type Store interface {
@@ -26,13 +26,15 @@ type Backend interface {
 
 // State is the on-disk format for a fortified process's state information
 type State struct {
-	// fortify instance id
-	ID fst.ID `json:"instance"`
 	// child process PID value
-	PID int `json:"pid"`
+	PID int
-	// sealed app configuration
+	// command used to seal the app
-	Config *fst.Config `json:"config"`
+	Command []string
+	// capability enablements applied to child
+	Capability system.Enablements
 
+	// full argv whe launching
+	Argv []string
 	// process start time
 	Time time.Time
 }

main.go

@@ -12,7 +12,6 @@ import (
 	"text/tabwriter"
 
 	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/fst"
 	"git.ophivana.moe/security/fortify/internal"
 	"git.ophivana.moe/security/fortify/internal/app"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
@@ -103,7 +102,7 @@ func main() {
 		fmt.Println(license)
 		fmsg.Exit(0)
 	case "template": // print full template configuration
-		if s, err := json.MarshalIndent(fst.Template(), "", "  "); err != nil {
+		if s, err := json.MarshalIndent(app.Template(), "", "  "); err != nil {
 			fmsg.Fatalf("cannot generate template: %v", err)
 			panic("unreachable")
 		} else {
@@ -130,7 +129,7 @@ func main() {
 			fmsg.Fatal("app requires at least 1 argument")
 		}
 
-		config := new(fst.Config)
+		config := new(app.Config)
 		if f, err := os.Open(args[1]); err != nil {
 			fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
 			panic("unreachable")
@@ -180,7 +179,7 @@ func main() {
 		_ = set.Parse(args[1:])
 
 		// initialise config from flags
-		config := &fst.Config{
+		config := &app.Config{
 			ID:      fid,
 			Command: set.Args(),
 		}
@@ -276,7 +275,7 @@ func main() {
 	panic("unreachable")
 }
 
-func runApp(config *fst.Config) {
+func runApp(config *app.Config) {
 	if os.SdBooted() {
 		fmsg.VPrintln("system booted with systemd as init system")
 	}

options.md

@@ -36,7 +36,7 @@ package
 
 
 *Default:*
-` <derivation fortify-0.2.4> `
+` <derivation fortify-0.2.1> `
 
 
 

package.nix

@@ -14,7 +14,7 @@
 
 buildGoModule rec {
   pname = "fortify";
-  version = "0.2.4";
+  version = "0.2.3";
 
   src = ./.;
   vendorHash = null;

test.nix

@@ -1,5 +1,4 @@
 {
-  system,
   self,
   home-manager,
   nixosTest,
@@ -32,14 +31,11 @@ nixosTest {
       services.getty.autologinUser = "alice";
 
       environment = {
-        systemPackages = with pkgs; [
         # For glinfo and wayland-info:
+        systemPackages = with pkgs; [
           mesa-demos
           wayland-utils
           alacritty
-
-          # For go tests:
-          self.devShells.${system}.fhs
         ];
 
         variables = {
@@ -77,13 +73,8 @@ nixosTest {
 
       programs.sway.enable = true;
 
-      virtualisation.qemu.options = [
       # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
-        "-vga none -device virtio-gpu-pci"
+      virtualisation.qemu.options = [ "-vga none -device virtio-gpu-pci" ];
-
-        # Increase Go test compiler performance:
-        "-smp 8"
-      ];
 
       environment.fortify = {
         enable = true;
@@ -145,19 +136,10 @@ nixosTest {
 
         retry(func)
 
-    def collect_state_ui(name):
-        swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
-        machine.copy_from_vm(f"/tmp/{name}.ps", "")
-        machine.screenshot(name)
-
     start_all()
     machine.wait_for_unit("multi-user.target")
 
-    # Run fortify Go tests outside of nix build:
+    # To check the version:
-    machine.succeed("rm -rf /tmp/src && cp -a '${self.packages.${system}.fortify.src}' /tmp/src")
-    print(machine.succeed("fortify-fhs -c '(cd /tmp/src && go generate ./... && go test ./...)'"))
-
-    # To check sway's version:
     print(machine.succeed("sway --version"))
 
     # Wait for Sway to complete startup:
@@ -182,13 +164,9 @@ nixosTest {
     wait_for_window("u0_a0@machine")
     machine.send_chars("wayland-info && touch /tmp/success-client\n")
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client")
-    collect_state_ui("foot_wayland_permissive")
+    machine.screenshot("foot_wayland_permissive")
-    # Verify acl on XDG_RUNTIME_DIR:
-    print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000"))
     machine.send_chars("exit\n")
     machine.wait_until_fails("pgrep foot")
-    # Verify acl cleanup on XDG_RUNTIME_DIR:
-    machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
 
     # Start a terminal (foot) within fortify from a terminal on workspace 4:
     machine.send_key("alt-4")
@@ -197,7 +175,7 @@ nixosTest {
     wait_for_window("u0_a0@machine")
     machine.send_chars("wayland-info && touch /tmp/success-client-term\n")
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term")
-    collect_state_ui("foot_wayland_permissive_term")
+    machine.screenshot("foot_wayland_permissive_term")
     machine.send_chars("exit\n")
     machine.wait_until_fails("pgrep foot")
 
@@ -206,9 +184,8 @@ nixosTest {
     wait_for_window("u0_a0@machine")
     machine.send_chars("glinfo && touch /tmp/success-client-x11\n")
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-x11")
-    collect_state_ui("alacritty_x11_permissive")
+    machine.screenshot("alacritty_x11_permissive")
-    machine.send_chars("exit\n")
+    machine.succeed("pkill alacritty")
-    machine.wait_until_fails("pgrep alacritty")
 
     # Exit Sway and verify process exit status 0:
     swaymsg("exit", succeed=False)