system/tmpfiles: implement private tmpfiles

These are only available within the mount namespace and should significantly reduce attack surface.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/system/link.go

@@ -28,7 +28,7 @@ type Hardlink struct {
 func (l *Hardlink) Type() Enablement { return l.et }
 
 func (l *Hardlink) apply(_ *I) error {
-	fmsg.Verbose("linking ", l)
+	fmsg.Verbose("linking", l)
 	return fmsg.WrapErrorSuffix(os.Link(l.src, l.dst),
 		fmt.Sprintf("cannot link %q:", l.dst))
 }

internal/system/op_test.go

@@ -100,7 +100,7 @@ func TestI_Equal(t *testing.T) {
 			"op type mismatch",
 			system.New(150).
 				ChangeHosts("chronos").
-				CopyFile("/tmp/fortify.1971/30c9543e0a2c9621a8bfecb9d874c347/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"),
+				CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 0, 256),
 			system.New(150).
 				ChangeHosts("chronos").
 				Ensure("/run", 0755),

internal/system/tmpfiles.go

@@ -1,95 +1,72 @@
 package system
 
 import (
-	"errors"
+	"bytes"
 	"fmt"
 	"io"
 	"os"
-	"strconv"
+	"syscall"
 
-	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 
-// CopyFile registers an Op that copies path dst from src.
-func (sys *I) CopyFile(dst, src string) *I {
-	return sys.CopyFileType(Process, dst, src)
-}
+// CopyFile registers an Op that copies from src.
+// A buffer is initialised with size cap and the Op faults if bytes read exceed n.
+func (sys *I) CopyFile(payload *[]byte, src string, cap int, n int64) *I {
+	buf := new(bytes.Buffer)
+	buf.Grow(cap)
 
-// CopyFileType registers a file copying Op labelled with type et.
-func (sys *I) CopyFileType(et Enablement, dst, src string) *I {
 	sys.lock.Lock()
-	sys.ops = append(sys.ops, &Tmpfile{et, tmpfileCopy, dst, src})
+	sys.ops = append(sys.ops, &Tmpfile{payload, src, n, buf})
 	sys.lock.Unlock()
 
-	sys.UpdatePermType(et, dst, acl.Read)
-
 	return sys
 }
 
-const (
-	tmpfileCopy uint8 = iota
-)
-
 type Tmpfile struct {
-	et       Enablement
-	method   uint8
-	dst, src string
-}
-
-func (t *Tmpfile) Type() Enablement {
-	return t.et
+	payload *[]byte
+	src     string
+
+	n   int64
+	buf *bytes.Buffer
 }
 
+func (t *Tmpfile) Type() Enablement { return Process }
 func (t *Tmpfile) apply(_ *I) error {
-	switch t.method {
-	case tmpfileCopy:
-		fmsg.Verbose("publishing tmpfile", t)
-		return fmsg.WrapErrorSuffix(copyFile(t.dst, t.src),
-			fmt.Sprintf("cannot copy tmpfile %q:", t.dst))
-	default:
-		panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
-	}
-}
+	fmsg.Verbose("copying", t)
 
-func (t *Tmpfile) revert(_ *I, ec *Criteria) error {
-	if ec.hasType(t) {
-		fmsg.Verbosef("removing tmpfile %q", t.dst)
-		return fmsg.WrapErrorSuffix(os.Remove(t.dst),
-			fmt.Sprintf("cannot remove tmpfile %q:", t.dst))
+	if b, err := os.Stat(t.src); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			fmt.Sprintf("cannot stat %q:", t.src))
 	} else {
-		fmsg.Verbosef("skipping tmpfile %q", t.dst)
-		return nil
+		if b.IsDir() {
+			return fmsg.WrapErrorSuffix(syscall.EISDIR,
+				fmt.Sprintf("%q is a directory", t.src))
+		}
+		if s := b.Size(); s > t.n {
+			return fmsg.WrapErrorSuffix(syscall.ENOMEM,
+				fmt.Sprintf("file %q is too long: %d > %d",
+					t.src, s, t.n))
+		}
 	}
+
+	if f, err := os.Open(t.src); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			fmt.Sprintf("cannot open %q:", t.src))
+	} else if _, err = io.CopyN(t.buf, f, t.n); err != nil {
+		return fmsg.WrapErrorSuffix(err,
+			fmt.Sprintf("cannot read from %q:", t.src))
+	}
+
+	*t.payload = t.buf.Bytes()
+	return nil
 }
+func (t *Tmpfile) revert(*I, *Criteria) error { t.buf.Reset(); return nil }
 
 func (t *Tmpfile) Is(o Op) bool {
 	t0, ok := o.(*Tmpfile)
-	return ok && t0 != nil && *t == *t0
-}
-
-func (t *Tmpfile) Path() string { return t.src }
-
-func (t *Tmpfile) String() string {
-	switch t.method {
-	case tmpfileCopy:
-		return fmt.Sprintf("%q from %q", t.dst, t.src)
-	default:
-		panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
-	}
-}
-
-func copyFile(dst, src string) error {
-	dstD, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-
-	srcD, err := os.Open(src)
-	if err != nil {
-		return errors.Join(err, dstD.Close())
-	}
-
-	_, err = io.Copy(dstD, srcD)
-	return errors.Join(err, dstD.Close(), srcD.Close())
+	return ok && t0 != nil &&
+		t.src == t0.src && t.n == t0.n
 }
+func (t *Tmpfile) Path() string   { return t.src }
+func (t *Tmpfile) String() string { return fmt.Sprintf("up to %d bytes from %q", t.n, t.src) }

internal/system/tmpfiles_test.go

@@ -1,46 +1,25 @@
 package system
 
 import (
+	"strconv"
 	"testing"
-
-	"git.gensokyo.uk/security/fortify/acl"
 )
 
 func TestCopyFile(t *testing.T) {
-	testCases := []struct {
-		dst, src string
-	}{
-		{"/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
-		{"/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
-	}
-	for _, tc := range testCases {
-		t.Run("copy file "+tc.dst+" from "+tc.src, func(t *testing.T) {
-			sys := New(150)
-			sys.CopyFile(tc.dst, tc.src)
-			(&tcOp{Process, tc.src}).test(t, sys.ops, []Op{
-				&Tmpfile{Process, tmpfileCopy, tc.dst, tc.src},
-				&ACL{Process, tc.dst, []acl.Perm{acl.Read}},
-			}, "CopyFile")
-		})
-	}
-}
-
-func TestCopyFileType(t *testing.T) {
 	testCases := []struct {
 		tcOp
-		dst string
+		cap int
+		n   int64
 	}{
-		{tcOp{User, "/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
-		{tcOp{Process, "/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
+		{tcOp{Process, "/home/ophestra/xdg/config/pulse/cookie"}, 256, 256},
 	}
 	for _, tc := range testCases {
-		t.Run("copy file "+tc.dst+" from "+tc.path+" with type "+TypeString(tc.et), func(t *testing.T) {
+		t.Run("copy file "+tc.path+" with cap = "+strconv.Itoa(tc.cap)+" n = "+strconv.Itoa(int(tc.n)), func(t *testing.T) {
 			sys := New(150)
-			sys.CopyFileType(tc.et, tc.dst, tc.path)
+			sys.CopyFile(new([]byte), tc.path, tc.cap, tc.n)
 			tc.test(t, sys.ops, []Op{
-				&Tmpfile{tc.et, tmpfileCopy, tc.dst, tc.path},
-				&ACL{tc.et, tc.dst, []acl.Perm{acl.Read}},
-			}, "CopyFileType")
+				&Tmpfile{nil, tc.path, tc.n, nil},
+			}, "CopyFile")
 		})
 	}
 }
@@ -83,33 +62,18 @@ func TestLinkFileType(t *testing.T) {
 }
 
 func TestTmpfile_String(t *testing.T) {
-	t.Run("invalid method panic", func(t *testing.T) {
-		defer func() {
-			wantPanic := "invalid tmpfile method 255"
-			if r := recover(); r != wantPanic {
-				t.Errorf("String() panic = %v, want %v",
-					r, wantPanic)
-			}
-		}()
-		_ = (&Tmpfile{method: 255}).String()
-	})
-
 	testCases := []struct {
-		method   uint8
-		dst, src string
-		want     string
+		src  string
+		n    int64
+		want string
 	}{
-		{tmpfileCopy, "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie",
-			`"/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse-cookie" from "/home/ophestra/xdg/config/pulse/cookie"`},
+		{"/home/ophestra/xdg/config/pulse/cookie", 256,
+			`up to 256 bytes from "/home/ophestra/xdg/config/pulse/cookie"`},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.want, func(t *testing.T) {
-			if got := (&Tmpfile{
-				method: tc.method,
-				dst:    tc.dst,
-				src:    tc.src,
-			}).String(); got != tc.want {
+			if got := (&Tmpfile{src: tc.src, n: tc.n}).String(); got != tc.want {
 				t.Errorf("String() = %v, want %v", got, tc.want)
 			}
 		})