proc/priv/init: merge init into main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
@@ -5,7 +5,6 @@ import "path"
|
||||
var (
|
||||
Fortify = compPoison
|
||||
Fsu = compPoison
|
||||
Finit = compPoison
|
||||
)
|
||||
|
||||
func Path(p string) (string, bool) {
|
||||
|
||||
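--- a/internal/proc/priv/init/main.go
+++ b/internal/proc/priv/init/main.go
@@ -0,0 +1,173 @@
+package init0
+
+import (
+"errors"
+"os"
+"os/exec"
+"os/signal"
+"path"
+"syscall"
+"time"
+
+"git.gensokyo.uk/security/fortify/internal"
+"git.gensokyo.uk/security/fortify/internal/fmsg"
+"git.gensokyo.uk/security/fortify/internal/proc"
+)
+
+const (
+// time to wait for linger processes after death of initial process
+residualProcessTimeout = 5 * time.Second
+)
+
+// everything beyond this point runs within pid namespace
+// proceed with caution!
+
+func Main() {
+// sharing stdout with shim
+// USE WITH CAUTION
+fmsg.SetPrefix("init")
+
+// setting this prevents ptrace
+if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
+fmsg.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
+panic("unreachable")
+}
+
+if os.Getpid() != 1 {
+fmsg.Fatal("this process must run as pid 1")
+panic("unreachable")
+}
+
+// re-exec
+if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "init" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
+if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
+fmsg.Println("cannot re-exec self:", err)
+// continue anyway
+}
+}
+
+// receive setup payload
+var (
+payload Payload
+closeSetup func() error
+)
+if f, err := proc.Receive(Env, &payload); err != nil {
+if errors.Is(err, proc.ErrInvalid) {
+fmsg.Fatal("invalid config descriptor")
+}
+if errors.Is(err, proc.ErrNotSet) {
+fmsg.Fatal("FORTIFY_INIT not set")
+}
+
+fmsg.Fatalf("cannot decode init setup payload: %v", err)
+panic("unreachable")
+} else {
+fmsg.SetVerbose(payload.Verbose)
+closeSetup = f
+
+// child does not need to see this
+if err = os.Unsetenv(Env); err != nil {
+fmsg.Printf("cannot unset %s: %v", Env, err)
+// not fatal
+} else {
+fmsg.VPrintln("received configuration")
+}
+}
+
+// die with parent
+if err := internal.PR_SET_PDEATHSIG__SIGKILL(); err != nil {
+fmsg.Fatalf("prctl(PR_SET_PDEATHSIG, SIGKILL): %v", err)
+}
+
+cmd := exec.Command(payload.Argv0)
+cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+cmd.Args = payload.Argv
+cmd.Env = os.Environ()
+
+if err := cmd.Start(); err != nil {
+fmsg.Fatalf("cannot start %q: %v", payload.Argv0, err)
+}
+fmsg.Suspend()
+
+// close setup pipe as setup is now complete
+if err := closeSetup(); err != nil {
+fmsg.Println("cannot close setup pipe:", err)
+// not fatal
+}
+
+sig := make(chan os.Signal, 2)
+signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
+
+type winfo struct {
+wpid int
+wstatus syscall.WaitStatus
+}
+info := make(chan winfo, 1)
+done := make(chan struct{})
+
+go func() {
+var (
+err error
+wpid = -2
+wstatus syscall.WaitStatus
+)
+
+// keep going until no child process is left
+for wpid != -1 {
+if err != nil {
+break
+}
+
+if wpid != -2 {
+info <- winfo{wpid, wstatus}
+}
+
+err = syscall.EINTR
+for errors.Is(err, syscall.EINTR) {
+wpid, err = syscall.Wait4(-1, &wstatus, 0, nil)
+}
+}
+if !errors.Is(err, syscall.ECHILD) {
+fmsg.Println("unexpected wait4 response:", err)
+}
+
+close(done)
+}()
+
+// closed after residualProcessTimeout has elapsed after initial process death
+timeout := make(chan struct{})
+
+r := 2
+for {
+select {
+case s := <-sig:
+fmsg.VPrintln("received", s.String())
+fmsg.Resume() // output could still be withheld at this point, so resume is called
+fmsg.Exit(0)
+case w := <-info:
+if w.wpid == cmd.Process.Pid {
+// initial process exited, output is most likely available again
+fmsg.Resume()
+
+switch {
+case w.wstatus.Exited():
+r = w.wstatus.ExitStatus()
+case w.wstatus.Signaled():
+r = 128 + int(w.wstatus.Signal())
+default:
+r = 255
+}
+
+go func() {
+time.Sleep(residualProcessTimeout)
+close(timeout)
+}()
+}
+case <-done:
+fmsg.Exit(r)
+case <-timeout:
+fmsg.Println("timeout exceeded waiting for lingering processes")
+fmsg.Exit(r)
+}
+}
+}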
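Review bot: The re-exec condition in `Main` reads `os.Args[1]` before it tests `len(os.Args) != 2`, so an argument vector holding only `fortify` gets past the first comparison and panics with an index out of range. Test the length first: `(len(os.Args) != 2 || os.Args[0] != "fortify" || os.Args[1] != "init")`. This code runs as pid 1 of the namespace, so the failure would presumably surface as a Go panic trace on the stdout shared with the shim instead of an `fmsg` diagnostic. The `fmsg.Fatalf` after `PR_SET_PDEATHSIG__SIGKILL` also lacks the `panic("unreachable")` that the other fatal branches in this function carry.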
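--- a/internal/proc/priv/init/payload.go
+++ b/internal/proc/priv/init/payload.go
@@ -0,0 +1,13 @@
+package init0
+
+const Env = "FORTIFY_INIT"
+
+type Payload struct {
+// target full exec path
+Argv0 string
+// child full argv
+Argv []string
+
+// verbosity pass through
+Verbose bool
+}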
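Review bot: `Argv0` is described as the target's full exec path, but nothing visible enforces that, and `Main` in main.go passes it straight to `exec.Command(payload.Argv0)`, which looks a name without a path separator up through `PATH`. Either reject a non-absolute value before starting the child, `if !path.IsAbs(payload.Argv0) { fmsg.Fatalf("invalid argv0 %q", payload.Argv0) }`, or state the requirement on the field, e.g. `// absolute path of the target executable; the sender must resolve it`. The exported `Env` and `Payload` have no doc comments; a line each saying that `Env` names the variable read by `proc.Receive` and that `Payload` is the setup message decoded by init would help a reader of the sending side.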
@@ -7,12 +7,12 @@ import (
|
||||
"strconv"
|
||||
"syscall"
|
||||
|
||||
init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/helper"
|
||||
"git.gensokyo.uk/security/fortify/internal"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
"git.gensokyo.uk/security/fortify/internal/proc"
|
||||
init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
|
||||
)
|
||||
|
||||
// everything beyond this point runs as unconstrained target user
|
||||
@@ -37,12 +37,12 @@ func Main() {
|
||||
}
|
||||
}
|
||||
|
||||
// check path to finit
|
||||
var finitPath string
|
||||
if p, ok := internal.Path(internal.Finit); !ok {
|
||||
fmsg.Fatal("invalid finit path, this copy of fortify is not compiled correctly")
|
||||
// check path to fortify
|
||||
var fortifyPath string
|
||||
if p, ok := internal.Path(internal.Fortify); !ok {
|
||||
fmsg.Fatal("invalid fortify path, this copy of fortify is not compiled correctly")
|
||||
} else {
|
||||
finitPath = p
|
||||
fortifyPath = p
|
||||
}
|
||||
|
||||
// receive setup payload
|
||||
@@ -132,13 +132,15 @@ func Main() {
|
||||
}()
|
||||
}
|
||||
|
||||
// bind finit inside sandbox
|
||||
finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
|
||||
conf.Bind(finitPath, finitInnerPath)
|
||||
// bind fortify inside sandbox
|
||||
innerSbin := path.Join(fst.Tmp, "sbin")
|
||||
fortifyInnerPath := path.Join(innerSbin, "fortify")
|
||||
conf.Bind(fortifyPath, fortifyInnerPath)
|
||||
conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))
|
||||
|
||||
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
|
||||
if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
|
||||
func(int, int) []string { return make([]string, 0) }); err != nil {
|
||||
if b, err := helper.NewBwrap(conf, nil, fortifyInnerPath,
|
||||
func(int, int) []string { return []string{"init"} }); err != nil {
|
||||
fmsg.Fatalf("malformed sandbox config: %v", err)
|
||||
} else {
|
||||
cmd := b.Unwrap()
|
||||
|
||||
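Review bot: The `init` symlink added by `conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))` in the last hunk is not what gets executed, since `helper.NewBwrap` is given `fortifyInnerPath` with the argument `init`, so the reason for keeping it should be stated in a comment such as `// sbin/init kept as an alias of fortify for <consumer>; bwrap execs fortifyInnerPath directly`, or the line should be dropped. Separately, the sandbox now receives the whole main program where it previously received a dedicated finit binary; whether `conf.Bind` mounts it read-only is not visible here and is worth confirming, since everything that binary can do is now reachable from inside the container. The enclosing `Main` starts and ends outside these hunks.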