cmd/finit/main.go

@@ -1,13 +1,15 @@
-package init0
+package main
 
 import (
 	"errors"
 	"os"
 	"os/exec"
 	"os/signal"
+	"path"
 	"syscall"
 	"time"
 
+	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
@@ -21,7 +23,7 @@ const (
 // everything beyond this point runs within pid namespace
 // proceed with caution!
 
-func Main() {
+func main() {
 	// sharing stdout with shim
 	// USE WITH CAUTION
 	fmsg.SetPrefix("init")
@@ -37,12 +39,20 @@ func Main() {
 		panic("unreachable")
 	}
 
+	// re-exec
+	if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
+		if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
+			fmsg.Println("cannot re-exec self:", err)
+			// continue anyway
+		}
+	}
+
 	// receive setup payload
 	var (
-		payload    Payload
+		payload    init0.Payload
 		closeSetup func() error
 	)
-	if f, err := proc.Receive(Env, &payload); err != nil {
+	if f, err := proc.Receive(init0.Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
 		}
@@ -57,8 +67,8 @@ func Main() {
 		closeSetup = f
 
 		// child does not need to see this
-		if err = os.Unsetenv(Env); err != nil {
+		if err = os.Unsetenv(init0.Env); err != nil {
-			fmsg.Printf("cannot unset %s: %v", Env, err)
+			fmsg.Printf("cannot unset %s: %v", init0.Env, err)
 			// not fatal
 		} else {
 			fmsg.VPrintln("received configuration")

cmd/fpkg/proc.go

@@ -12,18 +12,12 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
-const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
-
-var (
-	Fmain = compPoison
-)
-
 func fortifyApp(config *fst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
-	if p, ok := internal.Path(Fmain); !ok {
+	if p, ok := internal.Check(internal.Fortify); !ok {
 		beforeFail()
 		fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
 		panic("unreachable")

dist/install.sh

@@ -4,6 +4,7 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"
 
+install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 
 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"

dist/release.sh

@@ -11,7 +11,9 @@ cp -rv "comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
   -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
+  -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
   -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
+  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
   -X main.Fmain=/usr/bin/fortify" ./...
 
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"

internal/path.go

@@ -3,7 +3,9 @@ package internal
 import "path"
 
 var (
+	Fortify = compPoison
 	Fsu     = compPoison
+	Finit   = compPoison
 )
 
 func Path(p string) (string, bool) {

internal/proc/priv/init/early.go

@@ -1,18 +0,0 @@
-package init0
-
-import (
-	"os"
-	"path"
-
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-// used by the parent process
-
-// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
-func TryArgv0() {
-	if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
-		Main()
-		fmsg.Exit(0)
-	}
-}

internal/proc/priv/shim/main.go

@@ -7,12 +7,12 @@ import (
 	"strconv"
 	"syscall"
 
+	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
-	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 )
 
 // everything beyond this point runs as unconstrained target user
@@ -37,6 +37,14 @@ func Main() {
 		}
 	}
 
+	// check path to finit
+	var finitPath string
+	if p, ok := internal.Path(internal.Finit); !ok {
+		fmsg.Fatal("invalid finit path, this copy of fortify is not compiled correctly")
+	} else {
+		finitPath = p
+	}
+
 	// receive setup payload
 	var (
 		payload    Payload
@@ -124,17 +132,12 @@ func Main() {
 		}()
 	}
 
-	// bind fortify inside sandbox
+	// bind finit inside sandbox
-	var (
+	finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
-		innerSbin    = path.Join(fst.Tmp, "sbin")
+	conf.Bind(finitPath, finitInnerPath)
-		innerFortify = path.Join(innerSbin, "fortify")
-		innerInit    = path.Join(innerSbin, "init")
-	)
-	conf.Bind(proc.MustExecutable(), innerFortify)
-	conf.Symlink("fortify", innerInit)
 
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, innerInit,
+	if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
 		func(int, int) []string { return make([]string, 0) }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {

internal/proc/priv/shim/manager.go

@@ -56,7 +56,7 @@ func (s *Shim) WaitFallback() chan error {
 func (s *Shim) Start() (*time.Time, error) {
 	// prepare user switcher invocation
 	var fsu string
-	if p, ok := internal.Path(internal.Fsu); !ok {
+	if p, ok := internal.Check(internal.Fsu); !ok {
 		fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
 		panic("unreachable")
 	} else {

internal/proc/self.go

@@ -1,26 +0,0 @@
-package proc
-
-import (
-	"os"
-	"sync"
-
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-var (
-	executable     string
-	executableOnce sync.Once
-)
-
-func copyExecutable() {
-	if name, err := os.Executable(); err != nil {
-		fmsg.Fatalf("cannot read executable path: %v", err)
-	} else {
-		executable = name
-	}
-}
-
-func MustExecutable() string {
-	executableOnce.Do(copyExecutable)
-	return executable
-}

main.go

@@ -20,7 +20,6 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
-	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
@@ -55,9 +54,6 @@ func (g *gl) Set(v string) error {
 }
 
 func main() {
-	// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
-	init0.TryArgv0()
-
 	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
 		fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 		// not fatal: this program runs as the privileged user
@@ -293,9 +289,6 @@ func main() {
 	case "shim":
 		shim.Main()
 		fmsg.Exit(0)
-	case "init":
-		init0.Main()
-		fmsg.Exit(0)
 
 	default:
 		fmsg.Fatalf("%q is not a valid command", args[0])

package.nix

@@ -37,6 +37,8 @@ buildGoModule rec {
       {
         Version = "v${version}";
         Fsu = "/run/wrappers/bin/fsu";
+        Finit = "${placeholder "out"}/libexec/finit";
+        Fortify = "${placeholder "out"}/bin/fortify";
       };
 
   # nix build environment does not allow acls