treewide: rename to hakurei

Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/fpkg/app.go

@@ -6,46 +6,46 @@ import (
 	"os"
 	"path"
 
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-	"git.gensokyo.uk/security/fortify/system"
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+	"git.gensokyo.uk/security/hakurei/system"
 )
 
 type appInfo struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	ID string `json:"id"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Identity int `json:"identity"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Groups []string `json:"groups,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Devel bool `json:"devel,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Userns bool `json:"userns,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Net bool `json:"net,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Device bool `json:"dev,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Tty bool `json:"tty,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	MapRealUID bool `json:"map_real_uid,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	DirectWayland bool `json:"direct_wayland,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	SystemBus *dbus.Config `json:"system_bus,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Enablements system.Enablement `json:"enablements"`
 
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Multiarch bool `json:"multiarch,omitempty"`
-	// passed through to [fst.Config]
+	// passed through to [hst.Config]
 	Bluetooth bool `json:"bluetooth,omitempty"`
 
 	// allow gpu access within sandbox
@@ -62,8 +62,8 @@ type appInfo struct {
 	ActivationPackage string `json:"activation_package"`
 }
 
-func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *fst.Config {
-	config := &fst.Config{
+func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *hst.Config {
+	config := &hst.Config{
 		ID: app.ID,
 
 		Path: argv[0],
@@ -75,7 +75,7 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 		SessionBus:    app.SessionBus,
 		DirectWayland: app.DirectWayland,
 
-		Username: "fortify",
+		Username: "hakurei",
 		Shell:    shellPath,
 		Data:     pathSet.homeDir,
 		Dir:      path.Join("/data/data", app.ID),
@@ -83,7 +83,7 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 		Identity: app.Identity,
 		Groups:   app.Groups,
 
-		Container: &fst.ContainerConfig{
+		Container: &hst.ContainerConfig{
 			Hostname:   formatHostname(app.Name),
 			Devel:      app.Devel,
 			Userns:     app.Userns,
@@ -91,9 +91,9 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 			Device:     app.Device,
 			Tty:        app.Tty || flagDropShell,
 			MapRealUID: app.MapRealUID,
-			Filesystem: []*fst.FilesystemConfig{
+			Filesystem: []*hst.FilesystemConfig{
 				{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
-				{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
+				{Src: pathSet.metaPath, Dst: path.Join(hst.Tmp, "app"), Must: true},
 				{Src: "/etc/resolv.conf"},
 				{Src: "/sys/block"},
 				{Src: "/sys/bus"},
@@ -109,7 +109,7 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 			Etc:     path.Join(pathSet.cacheDir, "etc"),
 			AutoEtc: true,
 		},
-		ExtraPerms: []*fst.ExtraPermConfig{
+		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
@@ -147,7 +147,7 @@ func loadAppInfo(name string, beforeFail func()) *appInfo {
 func formatHostname(name string) string {
 	if h, err := os.Hostname(); err != nil {
 		log.Printf("cannot get hostname: %v", err)
-		return "fortify-" + name
+		return "hakurei-" + name
 	} else {
 		return h + "-" + name
 	}

cmd/fpkg/build.nix

@@ -57,7 +57,7 @@ let
     modules = modules ++ [
       {
         home = {
-          username = "fortify";
+          username = "hakurei";
           homeDirectory = "/data/data/${id}";
           stateVersion = "22.11";
         };
@@ -65,7 +65,7 @@ let
     ];
   };
 
-  launcher = writeScript "fortify-${pname}" ''
+  launcher = writeScript "hakurei-${pname}" ''
     #!${runtimeShell} -el
     ${script}
   '';

cmd/fpkg/main.go

@@ -10,13 +10,13 @@ import (
 	"path"
 	"syscall"
 
-	"git.gensokyo.uk/security/fortify/command"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/app/instance"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/hakurei/command"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/internal/app/instance"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/internal/sys"
+	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 const shellPath = "/run/current-system/sw/bin/bash"
@@ -28,7 +28,7 @@ var (
 )
 
 func init() {
-	fmsg.Prepare("fpkg")
+	hlog.Prepare("fpkg")
 	if err := os.Setenv("SHELL", shellPath); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
@@ -36,7 +36,7 @@ func init() {
 
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	sandbox.TryArgv0(fmsg.Output{}, fmsg.Prepare, internal.InstallFmsg)
+	sandbox.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallFmsg)
 
 	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
 		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
@@ -60,7 +60,7 @@ func main() {
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
-		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action")
+		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
 
 	c.Command("shim", command.UsageInternal, func([]string) error { instance.ShimMain(); return errSuccess })
 
@@ -166,10 +166,10 @@ func main() {
 				}
 
 				// sec: should compare version string
-				fmsg.Verbosef("installing application %q version %q over local %q",
+				hlog.Verbosef("installing application %q version %q over local %q",
 					bundle.ID, bundle.Version, a.Version)
 			} else {
-				fmsg.Verbosef("application %q clean installation", bundle.ID)
+				hlog.Verbosef("application %q clean installation", bundle.ID)
 				// sec: should install credentials
 			}
 
@@ -179,7 +179,7 @@ func main() {
 
 			withCacheDir(ctx, "install", []string{
 				// export inner bundle path in the environment
-				"export BUNDLE=" + fst.Tmp + "/bundle",
+				"export BUNDLE=" + hst.Tmp + "/bundle",
 				// replace inner /etc
 				"mkdir -p etc",
 				"chmod -R +w etc",
@@ -218,7 +218,7 @@ func main() {
 				"rm -rf .local/state/{nix,home-manager}",
 				// run activation script
 				bundle.ActivationPackage + "/activate",
-			}, false, func(config *fst.Config) *fst.Config { return config },
+			}, false, func(config *hst.Config) *hst.Config { return config },
 				bundle, pathSet, flagDropShellActivate, cleanup)
 
 			/*
@@ -291,8 +291,8 @@ func main() {
 						"--out-link /nix/.nixGL/auto/vulkan " +
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
-				}, true, func(config *fst.Config) *fst.Config {
-					config.Container.Filesystem = append(config.Container.Filesystem, []*fst.FilesystemConfig{
+				}, true, func(config *hst.Config) *hst.Config {
+					config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
 						{Src: "/etc/resolv.conf"},
 						{Src: "/sys/block"},
 						{Src: "/sys/bus"},
@@ -325,7 +325,7 @@ func main() {
 
 			if a.GPU {
 				config.Container.Filesystem = append(config.Container.Filesystem,
-					&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
+					&hst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(hst.Tmp, "nixGL")})
 				appendGPUFilesystem(config)
 			}
 
@@ -341,9 +341,9 @@ func main() {
 	}
 
 	c.MustParse(os.Args[1:], func(err error) {
-		fmsg.Verbosef("command returned %v", err)
+		hlog.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
-			fmsg.BeforeExit()
+			hlog.BeforeExit()
 			os.Exit(0)
 		}
 	})

cmd/fpkg/paths.go

@@ -8,8 +8,8 @@ import (
 	"strconv"
 	"sync/atomic"
 
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )
 
 var (
@@ -18,10 +18,10 @@ var (
 
 func init() {
 	// dataHome
-	if p, ok := os.LookupEnv("FORTIFY_DATA_HOME"); ok {
+	if p, ok := os.LookupEnv("HAKUREI_DATA_HOME"); ok {
 		dataHome = p
 	} else {
-		dataHome = "/var/lib/fortify/" + strconv.Itoa(os.Getuid())
+		dataHome = "/var/lib/hakurei/" + strconv.Itoa(os.Getuid())
 	}
 }
 
@@ -37,7 +37,7 @@ func lookPath(file string) string {
 var beforeRunFail = new(atomic.Pointer[func()])
 
 func mustRun(name string, arg ...string) {
-	fmsg.Verbosef("spawning process: %q %q", name, arg)
+	hlog.Verbosef("spawning process: %q %q", name, arg)
 	cmd := exec.Command(name, arg...)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	if err := cmd.Run(); err != nil {
@@ -71,8 +71,8 @@ func pathSetByApp(id string) *appPathSet {
 	return pathSet
 }
 
-func appendGPUFilesystem(config *fst.Config) {
-	config.Container.Filesystem = append(config.Container.Filesystem, []*fst.FilesystemConfig{
+func appendGPUFilesystem(config *hst.Config) {
+	config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{Src: "/dev/dri", Device: true},
 		// mali

cmd/fpkg/proc.go

@@ -4,19 +4,19 @@ import (
 	"context"
 	"os"
 
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/app/instance"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/app/instance"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )
 
-func mustRunApp(ctx context.Context, config *fst.Config, beforeFail func()) {
+func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
 	rs := new(app.RunState)
 	a := instance.MustNew(instance.ISetuid, ctx, std)
 
 	var code int
 	if sa, err := a.Seal(config); err != nil {
-		fmsg.PrintBaseError(err, "cannot seal app:")
+		hlog.PrintBaseError(err, "cannot seal app:")
 		code = 1
 	} else {
 		code = instance.PrintRunStateErr(instance.ISetuid, rs, sa.Run(rs))

cmd/fpkg/test/configuration.nix

@@ -50,9 +50,9 @@
     ];
   };
 
-  environment.fortify = {
+  environment.hakurei = {
     enable = true;
-    stateDir = "/var/lib/fortify";
+    stateDir = "/var/lib/hakurei";
     users.alice = 0;
 
     extraHomeConfig = {

cmd/fpkg/test/default.nix

@@ -18,7 +18,7 @@ nixosTest {
     imports = [
       ./configuration.nix
 
-      self.nixosModules.fortify
+      self.nixosModules.hakurei
       self.inputs.home-manager.nixosModules.home-manager
     ];
   };

cmd/fpkg/test/test.py

@@ -47,22 +47,22 @@ def wait_for_window(pattern):
 
 
 def collect_state_ui(name):
-    swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
+    swaymsg(f"exec hakurei ps > '/tmp/{name}.ps'")
     machine.copy_from_vm(f"/tmp/{name}.ps", "")
-    swaymsg(f"exec fortify --json ps > '/tmp/{name}.json'")
+    swaymsg(f"exec hakurei --json ps > '/tmp/{name}.json'")
     machine.copy_from_vm(f"/tmp/{name}.json", "")
     machine.screenshot(name)
 
 
 def check_state(name, enablements):
-    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 fortify --json ps"))
+    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
     if len(instances) != 1:
         raise Exception(f"unexpected state length {len(instances)}")
     instance = next(iter(instances.values()))
 
     config = instance['config']
 
-    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"fortify-{name}-" not in (config['args'][0]):
+    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (config['args'][0]):
         raise Exception(f"unexpected args {instance['config']['args']}")
 
     if config['enablements'] != enablements:
@@ -72,15 +72,15 @@ def check_state(name, enablements):
 start_all()
 machine.wait_for_unit("multi-user.target")
 
-# To check fortify's version:
-print(machine.succeed("sudo -u alice -i fortify version"))
+# To check hakurei's version:
+print(machine.succeed("sudo -u alice -i hakurei version"))
 
 # Wait for Sway to complete startup:
 machine.wait_for_file("/run/user/1000/wayland-1")
 machine.wait_for_file("/tmp/sway-ipc.sock")
 
 # Prepare fpkg directory:
-machine.succeed("install -dm 0700 -o alice -g users /var/lib/fortify/1000")
+machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
 
 # Install fpkg app:
 swaymsg("exec fpkg -v install /etc/foot.pkg && touch /tmp/fpkg-install-done")
@@ -88,9 +88,9 @@ machine.wait_for_file("/tmp/fpkg-install-done")
 
 # Start app (foot) with Wayland enablement:
 swaymsg("exec fpkg -v start org.codeberg.dnkl.foot")
-wait_for_window("fortify@machine-foot")
+wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client")
+machine.wait_for_file("/tmp/hakurei.1000/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
 check_state("foot", 13)
 # Verify acl on XDG_RUNTIME_DIR:
@@ -104,5 +104,5 @@ machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")
 
-# Print fortify runDir contents:
-print(machine.succeed("find /run/user/1000/fortify"))
+# Print hakurei runDir contents:
+print(machine.succeed("find /run/user/1000/hakurei"))

cmd/fpkg/with.go

@@ -5,17 +5,17 @@ import (
 	"path"
 	"strings"
 
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
 func withNixDaemon(
 	ctx context.Context,
-	action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config,
+	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
-	mustRunAppDropShell(ctx, updateConfig(&fst.Config{
+	mustRunAppDropShell(ctx, updateConfig(&hst.Config{
 		ID: app.ID,
 
 		Path: shellPath,
@@ -31,24 +31,24 @@ func withNixDaemon(
 			" && pkill nix-daemon",
 		},
 
-		Username: "fortify",
+		Username: "hakurei",
 		Shell:    shellPath,
 		Data:     pathSet.homeDir,
 		Dir:      path.Join("/data/data", app.ID),
-		ExtraPerms: []*fst.ExtraPermConfig{
+		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 
 		Identity: app.Identity,
 
-		Container: &fst.ContainerConfig{
+		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name) + "-" + action,
 			Userns:   true, // nix sandbox requires userns
 			Net:      net,
 			Seccomp:  seccomp.FilterMultiarch,
 			Tty:      dropShell,
-			Filesystem: []*fst.FilesystemConfig{
+			Filesystem: []*hst.FilesystemConfig{
 				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
 			},
 			Link: [][2]string{
@@ -66,7 +66,7 @@ func withCacheDir(
 	ctx context.Context,
 	action string, command []string, workDir string,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
-	mustRunAppDropShell(ctx, &fst.Config{
+	mustRunAppDropShell(ctx, &hst.Config{
 		ID: app.ID,
 
 		Path: shellPath,
@@ -76,7 +76,7 @@ func withCacheDir(
 		Shell:    shellPath,
 		Data:     pathSet.cacheDir, // this also ensures cacheDir via shim
 		Dir:      path.Join("/data/data", app.ID, "cache"),
-		ExtraPerms: []*fst.ExtraPermConfig{
+		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			{Path: workDir, Execute: true},
@@ -84,13 +84,13 @@ func withCacheDir(
 
 		Identity: app.Identity,
 
-		Container: &fst.ContainerConfig{
+		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name) + "-" + action,
 			Seccomp:  seccomp.FilterMultiarch,
 			Tty:      dropShell,
-			Filesystem: []*fst.FilesystemConfig{
+			Filesystem: []*hst.FilesystemConfig{
 				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
-				{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
+				{Src: workDir, Dst: path.Join(hst.Tmp, "bundle"), Must: true},
 			},
 			Link: [][2]string{
 				{app.CurrentSystem, "/run/current-system"},
@@ -103,7 +103,7 @@ func withCacheDir(
 	}, dropShell, beforeFail)
 }
 
-func mustRunAppDropShell(ctx context.Context, config *fst.Config, dropShell bool, beforeFail func()) {
+func mustRunAppDropShell(ctx context.Context, config *hst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
 		config.Args = []string{shellPath, "-l"}
 		mustRunApp(ctx, config, beforeFail)

cmd/hsu/main.go

@@ -13,17 +13,17 @@ import (
 )
 
 const (
-	fsuConfFile = "/etc/fsurc"
-	envShim     = "FORTIFY_SHIM"
-	envAID      = "FORTIFY_APP_ID"
-	envGroups   = "FORTIFY_GROUPS"
+	hsuConfFile = "/etc/hsurc"
+	envShim     = "HAKUREI_SHIM"
+	envAID      = "HAKUREI_APP_ID"
+	envGroups   = "HAKUREI_GROUPS"
 
 	PR_SET_NO_NEW_PRIVS = 0x26
 )
 
 func main() {
 	log.SetFlags(0)
-	log.SetPrefix("fsu: ")
+	log.SetPrefix("hsu: ")
 	log.SetOutput(os.Stderr)
 
 	if os.Geteuid() != 0 {
@@ -40,9 +40,9 @@ func main() {
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
-		log.Fatal("fortify executable has been deleted")
-	} else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {
-		log.Fatal("this program must be started by fortify")
+		log.Fatal("hakurei executable has been deleted")
+	} else if p != mustCheckPath(hmain) && p != mustCheckPath(fpkg) {
+		log.Fatal("this program must be started by hakurei")
 	} else {
 		toolPath = p
 	}
@@ -52,27 +52,27 @@ func main() {
 	//           aid
 	uid := 1000000
 
-	// refuse to run if fsurc is not protected correctly
-	if s, err := os.Stat(fsuConfFile); err != nil {
+	// refuse to run if hsurc is not protected correctly
+	if s, err := os.Stat(hsuConfFile); err != nil {
 		log.Fatal(err)
 	} else if s.Mode().Perm() != 0400 {
-		log.Fatal("bad fsurc perm")
+		log.Fatal("bad hsurc perm")
 	} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
-		log.Fatal("fsurc must be owned by uid 0")
+		log.Fatal("hsurc must be owned by uid 0")
 	}
 
 	// authenticate before accepting user input
-	if f, err := os.Open(fsuConfFile); err != nil {
+	if f, err := os.Open(hsuConfFile); err != nil {
 		log.Fatal(err)
 	} else if fid, ok := mustParseConfig(f, puid); !ok {
-		log.Fatalf("uid %d is not in the fsurc file", puid)
+		log.Fatalf("uid %d is not in the hsurc file", puid)
 	} else {
 		uid += fid * 10000
 	}
 
 	// allowed aid range 0 to 9999
 	if as, ok := os.LookupEnv(envAID); !ok {
-		log.Fatal("FORTIFY_APP_ID not set")
+		log.Fatal("HAKUREI_APP_ID not set")
 	} else if aid, err := parseUint32Fast(as); err != nil || aid < 0 || aid > 9999 {
 		log.Fatal("invalid aid")
 	} else {
@@ -82,12 +82,12 @@ func main() {
 	// pass through setup fd to shim
 	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
-		// fortify requests target uid
+		// hakurei requests target uid
 		// print resolved uid and exit
 		fmt.Print(uid)
 		os.Exit(0)
 	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
-		log.Fatal("FORTIFY_SHIM holds an invalid value")
+		log.Fatal("HAKUREI_SHIM holds an invalid value")
 	} else {
 		shimSetupFd = s
 	}
@@ -124,7 +124,7 @@ func main() {
 		panic("uid out of bounds")
 	}
 
-	// careful! users in the allowlist is effectively allowed to drop groups via fsu
+	// careful! users in the allowlist is effectively allowed to drop groups via hsu
 
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set gid: %v", err)
@@ -138,7 +138,7 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(toolPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}
 

cmd/hsu/package.nix

@@ -1,19 +1,19 @@
 {
   lib,
   buildGoModule,
-  fortify ? abort "fortify package required",
+  hakurei ? abort "hakurei package required",
 }:
 
 buildGoModule {
-  pname = "${fortify.pname}-fsu";
-  inherit (fortify) version;
+  pname = "${hakurei.pname}-hsu";
+  inherit (hakurei) version;
 
   src = ./.;
-  inherit (fortify) vendorHash;
+  inherit (hakurei) vendorHash;
   env.CGO_ENABLED = 0;
 
   preBuild = ''
-    go mod init fsu >& /dev/null
+    go mod init hsu >& /dev/null
   '';
 
   ldflags =
@@ -24,7 +24,7 @@ buildGoModule {
       )
       [ "-s -w" ]
       {
-        fmain = "${fortify}/libexec/fortify";
-        fpkg = "${fortify}/libexec/fpkg";
+        hmain = "${hakurei}/libexec/hakurei";
+        fpkg = "${hakurei}/libexec/fpkg";
       };
 }

cmd/hsu/parse.go

@@ -50,7 +50,7 @@ func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
 		if ok {
 			// allowed fid range 0 to 99
 			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
-				return -1, false, fmt.Errorf("invalid fortify uid on line %d", line)
+				return -1, false, fmt.Errorf("invalid identity on line %d", line)
 			}
 			return
 		}

cmd/hsu/parse_test.go

@@ -65,7 +65,7 @@ func Test_parseConfig(t *testing.T) {
 		{"empty", 0, -1, "", ``},
 		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
 		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
-		{"invalid fid", 1000, -1, "invalid fortify uid on line 1", `1000 f`},
+		{"invalid fid", 1000, -1, "invalid identity on line 1", `1000 f`},
 		{"match", 1000, 0, "", `1000 0`},
 	}
 

cmd/hsu/path.go

@@ -8,7 +8,7 @@ import (
 const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
 
 var (
-	fmain = compPoison
+	hmain = compPoison
 	fpkg  = compPoison
 )