cmd: shim and init into separate binaries
This change also fixes a deadlock when shim fails to connect and complete the setup. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
@@ -3,8 +3,8 @@ package app
|
||||
import (
|
||||
"sync"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/shim"
|
||||
"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
)
|
||||
|
||||
type App interface {
|
||||
@@ -25,7 +25,7 @@ type app struct {
|
||||
// application unique identifier
|
||||
id *ID
|
||||
// operating system interface
|
||||
os internal.System
|
||||
os linux.System
|
||||
// shim process manager
|
||||
shim *shim.Shim
|
||||
// child process related information
|
||||
@@ -63,7 +63,7 @@ func (a *app) WaitErr() error {
|
||||
return a.waitErr
|
||||
}
|
||||
|
||||
func New(os internal.System) (App, error) {
|
||||
func New(os linux.System) (App, error) {
|
||||
a := new(app)
|
||||
a.id = new(ID)
|
||||
a.os = os
|
||||
|
||||
@@ -9,8 +9,8 @@ import (
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
@@ -579,8 +579,12 @@ func (s *stubNixOS) Exit(code int) {
|
||||
panic("called exit on stub with code " + strconv.Itoa(code))
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Paths() internal.Paths {
|
||||
return internal.Paths{
|
||||
func (s *stubNixOS) FshimPath() string {
|
||||
return "/nix/store/00000000000000000000000000000000-fortify-0.0.10/bin/.fshim"
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Paths() linux.Paths {
|
||||
return linux.Paths{
|
||||
SharePath: "/tmp/fortify.1971",
|
||||
RuntimePath: "/run/user/1971",
|
||||
RunDirPath: "/run/user/1971/fortify",
|
||||
|
||||
@@ -7,14 +7,14 @@ import (
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
type sealTestCase struct {
|
||||
name string
|
||||
os internal.System
|
||||
os linux.System
|
||||
config *app.Config
|
||||
id app.ID
|
||||
wantSys *system.I
|
||||
|
||||
@@ -2,11 +2,11 @@ package app
|
||||
|
||||
import (
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
func NewWithID(id ID, os internal.System) App {
|
||||
func NewWithID(id ID, os linux.System) App {
|
||||
a := new(app)
|
||||
a.id = &id
|
||||
a.os = os
|
||||
|
||||
@@ -47,8 +47,8 @@ func (a *app) commandBuilderMachineCtl(shimEnv string) (args []string) {
|
||||
}
|
||||
innerCommand.WriteString("; ")
|
||||
|
||||
// launch fortify as shim
|
||||
innerCommand.WriteString("exec " + a.seal.sys.executable + " shim")
|
||||
// launch fortify shim
|
||||
innerCommand.WriteString("exec " + a.os.FshimPath())
|
||||
|
||||
// append inner command
|
||||
args = append(args, innerCommand.String())
|
||||
|
||||
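Review bot: The value of `a.os.FshimPath()` is concatenated unquoted into `innerCommand`, which from the `exec ` prefix and the `; ` separator looks to be run by a shell, so a path containing whitespace or shell metacharacters would be split or reinterpreted instead of being executed as one word. The line it replaces had the same shape with `a.seal.sys.executable`, but the path now comes from a separate lookup whose implementation is not visible in this hunk. I would single-quote it, e.g. `innerCommand.WriteString("exec '" + strings.ReplaceAll(a.os.FshimPath(), "'", "'\\''") + "'")`, assuming `strings` is already imported for the builder. commandBuilderMachineCtl starts before and continues after this hunk.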
@@ -24,7 +24,7 @@ func (a *app) commandBuilderSudo(shimEnv string) (args []string) {
|
||||
args = append(args, shimEnv)
|
||||
|
||||
// -- $@
|
||||
args = append(args, "--", a.seal.sys.executable, "shim")
|
||||
args = append(args, "--", a.os.FshimPath())
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
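Review bot: `a.os.FshimPath()` returns only a string, so the error path that the removed `a.os.Executable()` lookup had in `Seal` (`cannot look up fortify executable path:`) is gone, and an empty or relative result would reach sudo here as the program to run. commandBuilderSudo has no error return, so the check belongs earlier: I would keep a validation step in `Seal` that rejects a path failing `path.IsAbs`, or document on `FshimPath` that it never returns such a value. The same applies to the `exec` line in commandBuilderMachineCtl. The start of commandBuilderSudo is outside the hunk.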
@@ -7,10 +7,10 @@ import (
|
||||
"path"
|
||||
"strconv"
|
||||
|
||||
shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/shim"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/state"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
@@ -66,7 +66,7 @@ type appSeal struct {
|
||||
// seal system-level component
|
||||
sys *appSealSys
|
||||
|
||||
internal.Paths
|
||||
linux.Paths
|
||||
|
||||
// protected by upstream mutex
|
||||
}
|
||||
@@ -127,13 +127,6 @@ func (a *app) Seal(config *Config) error {
|
||||
// create seal system component
|
||||
seal.sys = new(appSealSys)
|
||||
|
||||
// look up fortify executable path
|
||||
if p, err := a.os.Executable(); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err, "cannot look up fortify executable path:")
|
||||
} else {
|
||||
seal.sys.executable = p
|
||||
}
|
||||
|
||||
// look up user from system
|
||||
if u, err := a.os.Lookup(config.User); err != nil {
|
||||
if errors.As(err, new(user.UnknownUserError)) {
|
||||
|
||||
@@ -5,8 +5,8 @@ import (
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
@@ -23,7 +23,7 @@ var (
|
||||
ErrXDisplay = errors.New(display + " unset")
|
||||
)
|
||||
|
||||
func (seal *appSeal) shareDisplay(os internal.System) error {
|
||||
func (seal *appSeal) shareDisplay(os linux.System) error {
|
||||
// pass $TERM to launcher
|
||||
if t, ok := os.LookupEnv(term); ok {
|
||||
seal.sys.bwrap.SetEnv[term] = t
|
||||
|
||||
@@ -6,8 +6,8 @@ import (
|
||||
"io/fs"
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
@@ -25,7 +25,7 @@ var (
|
||||
ErrPulseMode = errors.New("unexpected pulse socket mode")
|
||||
)
|
||||
|
||||
func (seal *appSeal) sharePulse(os internal.System) error {
|
||||
func (seal *appSeal) sharePulse(os linux.System) error {
|
||||
if !seal.et.Has(system.EPulse) {
|
||||
return nil
|
||||
}
|
||||
@@ -78,7 +78,7 @@ func (seal *appSeal) sharePulse(os internal.System) error {
|
||||
}
|
||||
|
||||
// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
|
||||
func discoverPulseCookie(os internal.System) (string, error) {
|
||||
func discoverPulseCookie(os linux.System) (string, error) {
|
||||
if p, ok := os.LookupEnv(pulseCookie); ok {
|
||||
return p, nil
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@ import (
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
@@ -38,7 +38,7 @@ func (seal *appSeal) shareSystem() {
|
||||
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
||||
}
|
||||
|
||||
func (seal *appSeal) sharePasswd(os internal.System) {
|
||||
func (seal *appSeal) sharePasswd(os linux.System) {
|
||||
// look up shell
|
||||
sh := "/bin/sh"
|
||||
if s, ok := os.LookupEnv(shell); ok {
|
||||
|
||||
@@ -8,9 +8,10 @@ import (
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
|
||||
"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/shim"
|
||||
"git.ophivana.moe/security/fortify/internal/state"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
@@ -22,9 +23,9 @@ func (a *app) Start() error {
|
||||
defer a.lock.Unlock()
|
||||
|
||||
// resolve exec paths
|
||||
shimExec := [3]string{a.seal.sys.executable, helper.BubblewrapName}
|
||||
shimExec := [2]string{helper.BubblewrapName}
|
||||
if len(a.seal.command) > 0 {
|
||||
shimExec[2] = a.seal.command[0]
|
||||
shimExec[1] = a.seal.command[0]
|
||||
}
|
||||
for i, n := range shimExec {
|
||||
if len(n) == 0 {
|
||||
@@ -53,7 +54,7 @@ func (a *app) Start() error {
|
||||
|
||||
// construct shim manager
|
||||
a.shim = shim.New(a.seal.toolPath, uint32(a.seal.sys.UID()), path.Join(a.seal.share, "shim"), a.seal.wl,
|
||||
&shim.Payload{
|
||||
&shim0.Payload{
|
||||
Argv: a.seal.command,
|
||||
Exec: shimExec,
|
||||
Bwrap: a.seal.sys.bwrap,
|
||||
|
||||
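Review bot: The alias `shim0` for `cmd/fshim/ipc` next to `shim` for `cmd/fshim/ipc/shim` is hard to read, and the import hunk containing `shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"` binds the name `shim` to the other package in what appears to be a sibling file, so `shim.Payload` there and `shim0.Payload` here would name the same type. A single descriptive alias used in both places, for example `ipc`, would avoid that. Separately, `shimExec` is now positional with two slots; a comment such as `// shimExec[0]: bwrap, shimExec[1]: initial command (left empty when a.seal.command is empty)` above the declaration would make the indices checkable. Start begins before and continues past these hunks.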
@@ -5,7 +5,7 @@ import (
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/linux"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
@@ -17,8 +17,6 @@ type appSealSys struct {
|
||||
|
||||
// default formatted XDG_RUNTIME_DIR of User
|
||||
runtime string
|
||||
// sealed path to fortify executable, used by shim
|
||||
executable string
|
||||
// target user sealed from config
|
||||
user *user.User
|
||||
|
||||
@@ -30,7 +28,7 @@ type appSealSys struct {
|
||||
}
|
||||
|
||||
// shareAll calls all share methods in sequence
|
||||
func (seal *appSeal) shareAll(bus [2]*dbus.Config, os internal.System) error {
|
||||
func (seal *appSeal) shareAll(bus [2]*dbus.Config, os linux.System) error {
|
||||
if seal.shared {
|
||||
panic("seal shared twice")
|
||||
}
|
||||
|
||||