Ophestra Umiker
df33123bd7
All checks were successful
test / test (push) Successful in 21s
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
190 lines
4.3 KiB
Go
190 lines
4.3 KiB
Go
package main
|
|
|
|
import (
|
|
"encoding/gob"
|
|
"errors"
|
|
"os"
|
|
"os/exec"
|
|
"os/signal"
|
|
"path"
|
|
"strconv"
|
|
"syscall"
|
|
"time"
|
|
|
|
init0 "git.ophivana.moe/security/fortify/cmd/finit/ipc"
|
|
"git.ophivana.moe/security/fortify/internal"
|
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
|
)
|
|
|
|
const (
|
|
// time to wait for linger processes after death of initial process
|
|
residualProcessTimeout = 5 * time.Second
|
|
)
|
|
|
|
// everything beyond this point runs within pid namespace
|
|
// proceed with caution!
|
|
|
|
func main() {
|
|
// sharing stdout with shim
|
|
// USE WITH CAUTION
|
|
fmsg.SetPrefix("init")
|
|
|
|
// setting this prevents ptrace
|
|
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
|
|
fmsg.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
|
|
panic("unreachable")
|
|
}
|
|
|
|
if os.Getpid() != 1 {
|
|
fmsg.Fatal("this process must run as pid 1")
|
|
panic("unreachable")
|
|
}
|
|
|
|
// re-exec
|
|
if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
|
|
if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
|
|
fmsg.Println("cannot re-exec self:", err)
|
|
// continue anyway
|
|
}
|
|
}
|
|
|
|
// setup pipe fd from environment
|
|
var setup *os.File
|
|
if s, ok := os.LookupEnv(init0.Env); !ok {
|
|
fmsg.Fatal("FORTIFY_INIT not set")
|
|
panic("unreachable")
|
|
} else {
|
|
if fd, err := strconv.Atoi(s); err != nil {
|
|
fmsg.Fatalf("cannot parse %q: %v", s, err)
|
|
panic("unreachable")
|
|
} else {
|
|
setup = os.NewFile(uintptr(fd), "setup")
|
|
if setup == nil {
|
|
fmsg.Fatal("invalid config descriptor")
|
|
panic("unreachable")
|
|
}
|
|
}
|
|
}
|
|
|
|
var payload init0.Payload
|
|
if err := gob.NewDecoder(setup).Decode(&payload); err != nil {
|
|
fmsg.Fatal("cannot decode init setup payload:", err)
|
|
panic("unreachable")
|
|
} else {
|
|
fmsg.SetVerbose(payload.Verbose)
|
|
|
|
// child does not need to see this
|
|
if err = os.Unsetenv(init0.Env); err != nil {
|
|
fmsg.Printf("cannot unset %s: %v", init0.Env, err)
|
|
// not fatal
|
|
} else {
|
|
fmsg.VPrintln("received configuration")
|
|
}
|
|
}
|
|
|
|
// die with parent
|
|
if err := internal.PR_SET_PDEATHSIG__SIGKILL(); err != nil {
|
|
fmsg.Fatalf("prctl(PR_SET_PDEATHSIG, SIGKILL): %v", err)
|
|
}
|
|
|
|
cmd := exec.Command(payload.Argv0)
|
|
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
|
cmd.Args = payload.Argv
|
|
cmd.Env = os.Environ()
|
|
|
|
// pass wayland fd
|
|
if payload.WL != -1 {
|
|
if f := os.NewFile(uintptr(payload.WL), "wayland"); f != nil {
|
|
cmd.Env = append(cmd.Env, "WAYLAND_SOCKET="+strconv.Itoa(3+len(cmd.ExtraFiles)))
|
|
cmd.ExtraFiles = append(cmd.ExtraFiles, f)
|
|
}
|
|
}
|
|
|
|
if err := cmd.Start(); err != nil {
|
|
fmsg.Fatalf("cannot start %q: %v", payload.Argv0, err)
|
|
}
|
|
fmsg.Suspend()
|
|
|
|
// close setup pipe as setup is now complete
|
|
if err := setup.Close(); err != nil {
|
|
fmsg.Println("cannot close setup pipe:", err)
|
|
// not fatal
|
|
}
|
|
|
|
sig := make(chan os.Signal, 2)
|
|
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
|
|
|
|
type winfo struct {
|
|
wpid int
|
|
wstatus syscall.WaitStatus
|
|
}
|
|
info := make(chan winfo, 1)
|
|
done := make(chan struct{})
|
|
|
|
go func() {
|
|
var (
|
|
err error
|
|
wpid = -2
|
|
wstatus syscall.WaitStatus
|
|
)
|
|
|
|
// keep going until no child process is left
|
|
for wpid != -1 {
|
|
if err != nil {
|
|
break
|
|
}
|
|
|
|
if wpid != -2 {
|
|
info <- winfo{wpid, wstatus}
|
|
}
|
|
|
|
err = syscall.EINTR
|
|
for errors.Is(err, syscall.EINTR) {
|
|
wpid, err = syscall.Wait4(-1, &wstatus, 0, nil)
|
|
}
|
|
}
|
|
if !errors.Is(err, syscall.ECHILD) {
|
|
fmsg.Println("unexpected wait4 response:", err)
|
|
}
|
|
|
|
close(done)
|
|
}()
|
|
|
|
// closed after residualProcessTimeout has elapsed after initial process death
|
|
timeout := make(chan struct{})
|
|
|
|
r := 2
|
|
for {
|
|
select {
|
|
case s := <-sig:
|
|
fmsg.VPrintln("received", s.String())
|
|
fmsg.Resume() // output could still be withheld at this point, so resume is called
|
|
fmsg.Exit(0)
|
|
case w := <-info:
|
|
if w.wpid == cmd.Process.Pid {
|
|
// initial process exited, output is most likely available again
|
|
fmsg.Resume()
|
|
|
|
switch {
|
|
case w.wstatus.Exited():
|
|
r = w.wstatus.ExitStatus()
|
|
case w.wstatus.Signaled():
|
|
r = 128 + int(w.wstatus.Signal())
|
|
default:
|
|
r = 255
|
|
}
|
|
|
|
go func() {
|
|
time.Sleep(residualProcessTimeout)
|
|
close(timeout)
|
|
}()
|
|
}
|
|
case <-done:
|
|
fmsg.Exit(r)
|
|
case <-timeout:
|
|
fmsg.Println("timeout exceeded waiting for lingering processes")
|
|
fmsg.Exit(r)
|
|
}
|
|
}
|
|
}
|