proc/priv/init: early init check

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/fpkg/proc.go

@@ -12,12 +12,18 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
+const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
+
+var (
+	Fmain = compPoison
+)
+
 func fortifyApp(config *fst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
-	if p, ok := internal.Check(internal.Fortify); !ok {
+	if p, ok := internal.Path(Fmain); !ok {
 		beforeFail()
 		fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
 		panic("unreachable")

dist/install.sh

@@ -4,7 +4,6 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"
 
-install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 
 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"

dist/release.sh

@@ -11,9 +11,7 @@ cp -rv "comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
   -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
-  -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
   -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
-  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
   -X main.Fmain=/usr/bin/fortify" ./...
 
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"

internal/path.go

@@ -3,9 +3,7 @@ package internal
 import "path"
 
 var (
-	Fortify = compPoison
 	Fsu = compPoison
-	Finit   = compPoison
 )
 
 func Path(p string) (string, bool) {

internal/proc/priv/init/early.go

@@ -0,0 +1,18 @@
+package init0
+
+import (
+	"os"
+	"path"
+
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+// used by the parent process
+
+// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
+func TryArgv0() {
+	if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
+		Main()
+		fmsg.Exit(0)
+	}
+}

internal/proc/priv/init/main.go

@@ -1,15 +1,13 @@
-package main
+package init0
 
 import (
 	"errors"
 	"os"
 	"os/exec"
 	"os/signal"
-	"path"
 	"syscall"
 	"time"
 
-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
@@ -23,7 +21,7 @@ const (
 // everything beyond this point runs within pid namespace
 // proceed with caution!
 
-func main() {
+func Main() {
 	// sharing stdout with shim
 	// USE WITH CAUTION
 	fmsg.SetPrefix("init")
@@ -39,20 +37,12 @@ func main() {
 		panic("unreachable")
 	}
 
-	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
-			fmsg.Println("cannot re-exec self:", err)
-			// continue anyway
-		}
-	}
-
 	// receive setup payload
 	var (
-		payload    init0.Payload
+		payload    Payload
 		closeSetup func() error
 	)
-	if f, err := proc.Receive(init0.Env, &payload); err != nil {
+	if f, err := proc.Receive(Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
 		}
@@ -67,8 +57,8 @@ func main() {
 		closeSetup = f
 
 		// child does not need to see this
-		if err = os.Unsetenv(init0.Env); err != nil {
-			fmsg.Printf("cannot unset %s: %v", init0.Env, err)
+		if err = os.Unsetenv(Env); err != nil {
+			fmsg.Printf("cannot unset %s: %v", Env, err)
 			// not fatal
 		} else {
 			fmsg.VPrintln("received configuration")

internal/proc/priv/shim/main.go

@@ -7,12 +7,12 @@ import (
 	"strconv"
 	"syscall"
 
-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
+	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 )
 
 // everything beyond this point runs as unconstrained target user
@@ -37,14 +37,6 @@ func Main() {
 		}
 	}
 
-	// check path to finit
-	var finitPath string
-	if p, ok := internal.Path(internal.Finit); !ok {
-		fmsg.Fatal("invalid finit path, this copy of fortify is not compiled correctly")
-	} else {
-		finitPath = p
-	}
-
 	// receive setup payload
 	var (
 		payload    Payload
@@ -132,12 +124,17 @@ func Main() {
 		}()
 	}
 
-	// bind finit inside sandbox
-	finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
-	conf.Bind(finitPath, finitInnerPath)
+	// bind fortify inside sandbox
+	var (
+		innerSbin    = path.Join(fst.Tmp, "sbin")
+		innerFortify = path.Join(innerSbin, "fortify")
+		innerInit    = path.Join(innerSbin, "init")
+	)
+	conf.Bind(proc.MustExecutable(), innerFortify)
+	conf.Symlink("fortify", innerInit)
 
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
+	if b, err := helper.NewBwrap(conf, nil, innerInit,
 		func(int, int) []string { return make([]string, 0) }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {

internal/proc/priv/shim/manager.go

@@ -56,7 +56,7 @@ func (s *Shim) WaitFallback() chan error {
 func (s *Shim) Start() (*time.Time, error) {
 	// prepare user switcher invocation
 	var fsu string
-	if p, ok := internal.Check(internal.Fsu); !ok {
+	if p, ok := internal.Path(internal.Fsu); !ok {
 		fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
 		panic("unreachable")
 	} else {

internal/proc/self.go

@@ -0,0 +1,26 @@
+package proc
+
+import (
+	"os"
+	"sync"
+
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+var (
+	executable     string
+	executableOnce sync.Once
+)
+
+func copyExecutable() {
+	if name, err := os.Executable(); err != nil {
+		fmsg.Fatalf("cannot read executable path: %v", err)
+	} else {
+		executable = name
+	}
+}
+
+func MustExecutable() string {
+	executableOnce.Do(copyExecutable)
+	return executable
+}

main.go

@@ -20,6 +20,7 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
+	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
@@ -54,6 +55,9 @@ func (g *gl) Set(v string) error {
 }
 
 func main() {
+	// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
+	init0.TryArgv0()
+
 	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
 		fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 		// not fatal: this program runs as the privileged user
@@ -289,6 +293,9 @@ func main() {
 	case "shim":
 		shim.Main()
 		fmsg.Exit(0)
+	case "init":
+		init0.Main()
+		fmsg.Exit(0)
 
 	default:
 		fmsg.Fatalf("%q is not a valid command", args[0])

package.nix

@@ -37,8 +37,6 @@ buildGoModule rec {
       {
         Version = "v${version}";
         Fsu = "/run/wrappers/bin/fsu";
-        Finit = "${placeholder "out"}/libexec/finit";
-        Fortify = "${placeholder "out"}/bin/fortify";
       };
 
   # nix build environment does not allow acls