cmd/fpkg: app bundle helper

This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/fpkg/activate.go

@@ -0,0 +1,57 @@
+package main
+
+import (
+	"errors"
+	"os"
+	"os/exec"
+	"path"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+func actionActivate(args []string) {
+	// simple check so activate is not attempted outside fortify
+	if s, err := os.Stat(path.Join(fst.Tmp, "sbin")); err != nil {
+		fmsg.Fatalf("cannot stat fortify sbin: %v", err)
+	} else if !s.IsDir() {
+		fmsg.Fatal("fortify sbin path is not a directory")
+	}
+
+	home := os.Getenv("HOME")
+	if !path.IsAbs(home) {
+		fmsg.Fatalf("path %q is not aboslute", home)
+	}
+	marker := path.Join(home, ".hm-activation")
+
+	if len(args) != 1 {
+		fmsg.Fatalf("invalid argument")
+	}
+	activate := path.Join(args[0], "activate")
+
+	var cmd *exec.Cmd
+	if l, err := os.Readlink(marker); err != nil && !errors.Is(err, os.ErrNotExist) {
+		fmsg.Fatalf("cannot read activation marker %q: %v", marker, err)
+	} else if err != nil || l != activate {
+		cmd = exec.Command(activate)
+	}
+
+	// marker present and equals to current activation package
+	if cmd == nil {
+		fmsg.Exit(0)
+		panic("unreachable")
+	}
+
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	cmd.Env = os.Environ()
+	if err := cmd.Run(); err != nil {
+		fmsg.Fatalf("cannot activate home-manager configuration: %v", err)
+	}
+
+	if err := os.Remove(marker); err != nil && !errors.Is(err, os.ErrNotExist) {
+		fmsg.Fatalf("cannot remove existing marker: %v", err)
+	}
+	if err := os.Symlink(activate, marker); err != nil {
+		fmsg.Fatalf("cannot create activation marker: %v", err)
+	}
+}

cmd/fpkg/main.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"flag"
+
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+var (
+	flagVerbose bool
+)
+
+func init() {
+	flag.BoolVar(&flagVerbose, "v", false, "Verbose output")
+}
+
+func main() {
+	fmsg.SetPrefix("fpkg")
+
+	flag.Parse()
+	fmsg.SetVerbose(flagVerbose)
+
+	args := flag.Args()
+	if len(args) < 1 {
+		fmsg.Fatal("invalid argument")
+	}
+
+	switch args[0] {
+	case "activate":
+		actionActivate(args[1:])
+	case "start":
+		actionStart(args[1:])
+	default:
+		fmsg.Fatal("invalid argument")
+	}
+
+	fmsg.Exit(0)
+}

cmd/fpkg/paths.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"os"
+	"strconv"
+)
+
+var (
+	dataHome string
+)
+
+func init() {
+	// dataHome
+	if p, ok := os.LookupEnv("FORTIFY_DATA_HOME"); ok {
+		dataHome = p
+	} else {
+		dataHome = "/var/lib/fortify/" + strconv.Itoa(os.Getuid())
+	}
+}

cmd/fpkg/start.go

@@ -0,0 +1,200 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"flag"
+	"io"
+	"os"
+	"os/exec"
+	"path"
+
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/system"
+)
+
+const shell = "/run/current-system/sw/bin/bash"
+
+type bundleInfo struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+
+	// passed through to [fst.Config]
+	ID string `json:"id"`
+	// passed through to [fst.Config]
+	AppID int `json:"app_id"`
+	// passed through to [fst.Config]
+	Groups []string `json:"groups,omitempty"`
+	// passed through to [fst.Config]
+	UserNS bool `json:"userns,omitempty"`
+	// passed through to [fst.Config]
+	Net bool `json:"net,omitempty"`
+	// passed through to [fst.Config]
+	Dev bool `json:"dev,omitempty"`
+	// passed through to [fst.Config]
+	NoNewSession bool `json:"no_new_session,omitempty"`
+	// passed through to [fst.Config]
+	MapRealUID bool `json:"map_real_uid,omitempty"`
+	// passed through to [fst.Config]
+	DirectWayland bool `json:"direct_wayland,omitempty"`
+	// passed through to [fst.Config]
+	SystemBus *dbus.Config `json:"system_bus,omitempty"`
+	// passed through to [fst.Config]
+	SessionBus *dbus.Config `json:"session_bus,omitempty"`
+	// passed through to [fst.Config]
+	Enablements system.Enablements `json:"enablements"`
+
+	// allow gpu access within sandbox
+	GPU bool `json:"gpu"`
+	// inner nix store path to activate-and-exec script
+	Launcher string `json:"launcher"`
+	// store path to /run/current-system
+	CurrentSystem string `json:"current_system"`
+}
+
+func actionStart(args []string) {
+	set := flag.NewFlagSet("start", flag.ExitOnError)
+	var dropShell bool
+	set.BoolVar(&dropShell, "s", false, "Drop to a shell on activation")
+
+	// Ignore errors; set is set for ExitOnError.
+	_ = set.Parse(args)
+
+	args = set.Args()
+
+	if len(args) < 1 {
+		fmsg.Fatal("invalid argument")
+	}
+	name := args[0]
+	if !path.IsAbs(name) {
+		if dir, err := os.Getwd(); err != nil {
+			fmsg.Fatalf("cannot get current directory: %v", err)
+		} else {
+			name = path.Join(dir, name)
+		}
+	}
+
+	bundle := new(bundleInfo)
+	if f, err := os.Open(path.Join(name, "bundle.json")); err != nil {
+		fmsg.Fatalf("cannot open bundle: %v", err)
+	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
+		fmsg.Fatalf("cannot parse bundle metadata: %v", err)
+	} else if err = f.Close(); err != nil {
+		fmsg.Printf("cannot close bundle metadata: %v", err)
+	}
+
+	if err := os.Setenv("SHELL", shell); err != nil {
+		fmsg.Fatalf("cannot set $SHELL: %v", err)
+	}
+
+	command := make([]string, 1, len(args))
+	if !dropShell {
+		command[0] = bundle.Launcher
+	} else {
+		command[0] = shell
+	}
+	command = append(command, args[1:]...)
+
+	baseDir := path.Join(dataHome, bundle.ID)
+	homeDir := path.Join(baseDir, "files")
+	currentSystem := path.Join(name, bundle.CurrentSystem)
+	config := &fst.Config{
+		ID:      bundle.ID,
+		Command: command,
+		Confinement: fst.ConfinementConfig{
+			AppID:    bundle.AppID,
+			Groups:   bundle.Groups,
+			Username: "fortify",
+			Inner:    path.Join("/data/data", bundle.ID),
+			Outer:    homeDir,
+			Sandbox: &fst.SandboxConfig{
+				Hostname:      formatHostname(bundle.Name),
+				UserNS:        bundle.UserNS,
+				Net:           bundle.Net,
+				Dev:           bundle.Dev,
+				NoNewSession:  bundle.NoNewSession || dropShell,
+				MapRealUID:    bundle.MapRealUID,
+				DirectWayland: bundle.DirectWayland,
+				Filesystem: []*fst.FilesystemConfig{
+					{Src: path.Join(name, "nix"), Dst: "/nix", Must: true},
+					{Src: currentSystem, Dst: "/run/current-system", Must: true},
+					{Src: "/etc/resolv.conf"},
+					{Src: "/sys/block"},
+					{Src: "/sys/bus"},
+					{Src: "/sys/class"},
+					{Src: "/sys/dev"},
+					{Src: "/sys/devices"},
+				},
+				Link: [][2]string{
+					{"/run/current-system/sw/bin", "/bin"},
+					{"/run/current-system/sw/bin", "/usr/bin"},
+				},
+				Etc:     path.Join(name, "etc"),
+				AutoEtc: true,
+			},
+			ExtraPerms: []*fst.ExtraPermConfig{
+				{Path: baseDir, Read: true, Write: true, Execute: true},
+			},
+			SystemBus:   bundle.SystemBus,
+			SessionBus:  bundle.SessionBus,
+			Enablements: bundle.Enablements,
+		},
+	}
+
+	if bundle.GPU {
+		config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
+			&fst.FilesystemConfig{Src: "/dev/dri", Device: true})
+	}
+
+	var (
+		cmd *exec.Cmd
+		st  io.WriteCloser
+	)
+	if p, ok := internal.Check(internal.Fortify); !ok {
+		fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
+		panic("unreachable")
+	} else if r, w, err := os.Pipe(); err != nil {
+		fmsg.Fatalf("cannot pipe: %v", err)
+		panic("unreachable")
+	} else {
+		if fmsg.Verbose() {
+			cmd = exec.Command(p, "-v", "app", "3")
+		} else {
+			cmd = exec.Command(p, "app", "3")
+		}
+		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+		cmd.ExtraFiles = []*os.File{r}
+		st = w
+	}
+
+	go func() {
+		if err := json.NewEncoder(st).Encode(config); err != nil {
+			fmsg.Fatalf("cannot send configuration: %v", err)
+		}
+	}()
+
+	if err := cmd.Start(); err != nil {
+		fmsg.Fatalf("cannot start fortify: %v", err)
+	}
+	if err := cmd.Wait(); err != nil {
+		var exitError *exec.ExitError
+		if errors.As(err, &exitError) {
+			fmsg.Exit(exitError.ExitCode())
+		} else {
+			fmsg.Fatalf("cannot wait: %v", err)
+		}
+	}
+	fmsg.Exit(0)
+}
+
+func formatHostname(name string) string {
+	if h, err := os.Hostname(); err != nil {
+		fmsg.Printf("cannot get hostname: %v", err)
+		return "fortify-" + name
+	} else {
+		return h + "-" + name
+	}
+}

dist/install.sh

@@ -4,6 +4,7 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
 install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
+install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fpkg"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 
 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"

dist/release.sh

@@ -8,8 +8,9 @@ mkdir -p "${out}"
 cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
 cp -rv "comp" "${out}"
 
-go build -v -o "${out}/bin/" -ldflags "-s -w
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
   -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
+  -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
   -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
   -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
   -X main.Fmain=/usr/bin/fortify

fst/config.go

@@ -35,6 +35,8 @@ type ConfinementConfig struct {
 	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
+	// extra acl entries to append
+	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 
 	// reference to a system D-Bus proxy configuration,
 	// nil value disables system bus proxy
@@ -78,6 +80,29 @@ type SandboxConfig struct {
 	Override []string `json:"override"`
 }
 
+type ExtraPermConfig struct {
+	Path    string `json:"path"`
+	Read    bool   `json:"r,omitempty"`
+	Write   bool   `json:"w,omitempty"`
+	Execute bool   `json:"x,omitempty"`
+}
+
+func (e *ExtraPermConfig) String() string {
+	buf := make([]byte, 0, 4+len(e.Path))
+	buf = append(buf, '-', '-', '-', ':')
+	buf = append(buf, []byte(e.Path)...)
+	if e.Read {
+		buf[0] = 'r'
+	}
+	if e.Write {
+		buf[1] = 'w'
+	}
+	if e.Execute {
+		buf[2] = 'x'
+	}
+	return string(buf)
+}
+
 type FilesystemConfig struct {
 	// mount point in sandbox, same as src if empty
 	Dst string `json:"dst,omitempty"`

internal/app/seal.go

@@ -8,6 +8,7 @@ import (
 	"regexp"
 	"strconv"
 
+	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
@@ -48,6 +49,8 @@ type appSeal struct {
 	et system.Enablements
 	// wayland socket direct access
 	directWayland bool
+	// extra UpdatePerm ops
+	extraPerms []*sealedExtraPerm
 
 	// prevents sharing from happening twice
 	shared bool
@@ -59,6 +62,11 @@ type appSeal struct {
 	// protected by upstream mutex
 }
 
+type sealedExtraPerm struct {
+	name  string
+	perms acl.Perms
+}
+
 // Seal seals the app launch context
 func (a *app) Seal(config *fst.Config) error {
 	a.lock.Lock()
@@ -100,46 +108,66 @@ func (a *app) Seal(config *fst.Config) error {
 	if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
 		return fmsg.WrapError(ErrUser,
 			fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
+	}
+	seal.sys.user = appUser{
+		aid:      config.Confinement.AppID,
+		as:       strconv.Itoa(config.Confinement.AppID),
+		data:     config.Confinement.Outer,
+		home:     config.Confinement.Inner,
+		username: config.Confinement.Username,
+	}
+	if seal.sys.user.username == "" {
+		seal.sys.user.username = "chronos"
+	} else if !posixUsername.MatchString(seal.sys.user.username) {
+		return fmsg.WrapError(ErrName,
+			fmt.Sprintf("invalid user name %q", seal.sys.user.username))
+	}
+	if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
+		return fmsg.WrapError(ErrHome,
+			fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
+	}
+	if seal.sys.user.home == "" {
+		seal.sys.user.home = seal.sys.user.data
+	}
+
+	// invoke fsu for full uid
+	if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			"cannot obtain uid from fsu:")
 	} else {
-		seal.sys.user = appUser{
-			aid:      config.Confinement.AppID,
-			as:       strconv.Itoa(config.Confinement.AppID),
-			data:     config.Confinement.Outer,
-			home:     config.Confinement.Inner,
-			username: config.Confinement.Username,
-		}
-		if seal.sys.user.username == "" {
-			seal.sys.user.username = "chronos"
-		} else if !posixUsername.MatchString(seal.sys.user.username) {
-			return fmsg.WrapError(ErrName,
-				fmt.Sprintf("invalid user name %q", seal.sys.user.username))
-		}
-		if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
-			return fmsg.WrapError(ErrHome,
-				fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
-		}
-		if seal.sys.user.home == "" {
-			seal.sys.user.home = seal.sys.user.data
-		}
+		seal.sys.user.uid = u
+		seal.sys.user.us = strconv.Itoa(u)
+	}
 
-		// invoke fsu for full uid
-		if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
-			return fmsg.WrapErrorSuffix(err,
-				"cannot obtain uid from fsu:")
+	// resolve supplementary group ids from names
+	seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
+	for i, name := range config.Confinement.Groups {
+		if g, err := a.os.LookupGroup(name); err != nil {
+			return fmsg.WrapError(err,
+				fmt.Sprintf("unknown group %q", name))
 		} else {
-			seal.sys.user.uid = u
-			seal.sys.user.us = strconv.Itoa(u)
+			seal.sys.user.supp[i] = g.Gid
+		}
+	}
+
+	// build extra perms
+	seal.extraPerms = make([]*sealedExtraPerm, len(config.Confinement.ExtraPerms))
+	for i, p := range config.Confinement.ExtraPerms {
+		if p == nil {
+			continue
 		}
 
-		// resolve supplementary group ids from names
-		seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
-		for i, name := range config.Confinement.Groups {
-			if g, err := a.os.LookupGroup(name); err != nil {
-				return fmsg.WrapError(err,
-					fmt.Sprintf("unknown group %q", name))
-			} else {
-				seal.sys.user.supp[i] = g.Gid
-			}
+		seal.extraPerms[i] = new(sealedExtraPerm)
+		seal.extraPerms[i].name = p.Path
+		seal.extraPerms[i].perms = make(acl.Perms, 0, 3)
+		if p.Read {
+			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Read)
+		}
+		if p.Write {
+			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Write)
+		}
+		if p.Execute {
+			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
 		}
 	}
 

internal/app/share.go

@@ -292,6 +292,14 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 		seal.sys.bwrap.Tmpfs(dest, 8*1024)
 	}
 
+	// append extra perms
+	for _, p := range seal.extraPerms {
+		if p == nil {
+			continue
+		}
+		seal.sys.UpdatePermType(system.User, p.name, p.perms...)
+	}
+
 	return nil
 }
 

internal/path.go

@@ -3,8 +3,9 @@ package internal
 import "path"
 
 var (
-	Fsu   = compPoison
-	Finit = compPoison
+	Fortify = compPoison
+	Fsu     = compPoison
+	Finit   = compPoison
 )
 
 func Path(p string) (string, bool) {

package.nix

@@ -45,6 +45,7 @@ buildGoModule rec {
         Version = "v${version}";
         Fsu = "/run/wrappers/bin/fsu";
         Finit = "${placeholder "out"}/libexec/finit";
+        Fortify = "${placeholder "out"}/bin/fortify";
       };
 
   # nix build environment does not allow acls

print.go

@@ -90,33 +90,47 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
 	fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
 	fmt.Fprintf(w, "\n")
 
-	if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
-		fmt.Fprintf(w, "Filesystem:\n")
-		for _, f := range config.Confinement.Sandbox.Filesystem {
-			if f == nil {
-				continue
-			}
+	if !short {
+		if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
+			fmt.Fprintf(w, "Filesystem\n")
+			for _, f := range config.Confinement.Sandbox.Filesystem {
+				if f == nil {
+					continue
+				}
 
-			expr := new(strings.Builder)
-			if f.Device {
-				expr.WriteString(" d")
-			} else if f.Write {
-				expr.WriteString(" w")
-			} else {
-				expr.WriteString(" ")
+				expr := new(strings.Builder)
+				expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
+
+				if f.Device {
+					expr.WriteString(" d")
+				} else if f.Write {
+					expr.WriteString(" w")
+				} else {
+					expr.WriteString(" ")
+				}
+				if f.Must {
+					expr.WriteString("*")
+				} else {
+					expr.WriteString("+")
+				}
+				expr.WriteString(f.Src)
+				if f.Dst != "" {
+					expr.WriteString(":" + f.Dst)
+				}
+				fmt.Fprintf(w, "%s\n", expr.String())
 			}
-			if f.Must {
-				expr.WriteString("*")
-			} else {
-				expr.WriteString("+")
-			}
-			expr.WriteString(f.Src)
-			if f.Dst != "" {
-				expr.WriteString(":" + f.Dst)
-			}
-			fmt.Fprintf(w, "%s\n", expr.String())
+			fmt.Fprintf(w, "\n")
+		}
+		if len(config.Confinement.ExtraPerms) > 0 {
+			fmt.Fprintf(w, "Extra ACL\n")
+			for _, p := range config.Confinement.ExtraPerms {
+				if p == nil {
+					continue
+				}
+				fmt.Fprintf(w, " %s\n", p.String())
+			}
+			fmt.Fprintf(w, "\n")
 		}
-		fmt.Fprintf(w, "\n")
 	}
 
 	printDBus := func(c *dbus.Config) {