fortify/main.go

package main

import (
	"flag"
	"syscall"

	"git.ophivana.moe/security/fortify/internal"
	"git.ophivana.moe/security/fortify/internal/app"
	"git.ophivana.moe/security/fortify/internal/fmsg"
	init0 "git.ophivana.moe/security/fortify/internal/init"
	"git.ophivana.moe/security/fortify/internal/shim"
)

var (
	flagVerbose bool
)

func init() {
	flag.BoolVar(&flagVerbose, "v", false, "Verbose output")
}

var os = new(internal.Std)

func main() {
	// linux/sched/coredump.h
	if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, 0, 0); errno != 0 {
		fmsg.Printf("fortify: cannot set SUID_DUMP_DISABLE: %s", errno.Error())
	}

	flag.Parse()
	fmsg.SetVerbose(flagVerbose)

	if internal.SdBootedV {
		fmsg.VPrintln("system booted with systemd as init system")
	}

	// shim/init early exit
	init0.Try()
	shim.Try()

	// root check
	if os.Geteuid() == 0 {
		fmsg.Fatal("this program must not run as root")
		panic("unreachable")
	}

	// version/license/template command early exit
	tryVersion()
	tryLicense()
	tryTemplate()

	// state query command early exit
	tryState()

	// invoke app
	a, err := app.New(os)
	if err != nil {
		fmsg.Fatalf("cannot create app: %s\n", err)
	} else if err = a.Seal(loadConfig()); err != nil {
		logBaseError(err, "cannot seal app:")
	} else if err = a.Start(); err != nil {
		logBaseError(err, "cannot start app:")
	}

	var r int
	// wait must be called regardless of result of start
	if r, err = a.Wait(); err != nil {
		if r < 1 {
			r = 1
		}
		logWaitError(err)
	}
	if err = a.WaitErr(); err != nil {
		fmsg.Println("inner wait failed:", err)
	}
	fmsg.Exit(r)
}