treewide: rename to hakurei

Fortify makes little sense for a container tool. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 03:59:52 +09:00
parent 3992073212
commit 87e008d56d
137 changed files with 1044 additions and 1098 deletions
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@@ -0,0 +1,146 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os"
+	"path"
+	"slices"
+	"strconv"
+	"strings"
+	"syscall"
+)
+
+const (
+	hsuConfFile = "/etc/hsurc"
+	envShim     = "HAKUREI_SHIM"
+	envAID      = "HAKUREI_APP_ID"
+	envGroups   = "HAKUREI_GROUPS"
+
+	PR_SET_NO_NEW_PRIVS = 0x26
+)
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("hsu: ")
+	log.SetOutput(os.Stderr)
+
+	if os.Geteuid() != 0 {
+		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
+	}
+
+	puid := os.Getuid()
+	if puid == 0 {
+		log.Fatal("this program must not be started by root")
+	}
+
+	var toolPath string
+	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
+	if p, err := os.Readlink(pexe); err != nil {
+		log.Fatalf("cannot read parent executable path: %v", err)
+	} else if strings.HasSuffix(p, " (deleted)") {
+		log.Fatal("hakurei executable has been deleted")
+	} else if p != mustCheckPath(hmain) && p != mustCheckPath(fpkg) {
+		log.Fatal("this program must be started by hakurei")
+	} else {
+		toolPath = p
+	}
+
+	// uid = 1000000 +
+	//   fid * 10000 +
+	//           aid
+	uid := 1000000
+
+	// refuse to run if hsurc is not protected correctly
+	if s, err := os.Stat(hsuConfFile); err != nil {
+		log.Fatal(err)
+	} else if s.Mode().Perm() != 0400 {
+		log.Fatal("bad hsurc perm")
+	} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
+		log.Fatal("hsurc must be owned by uid 0")
+	}
+
+	// authenticate before accepting user input
+	if f, err := os.Open(hsuConfFile); err != nil {
+		log.Fatal(err)
+	} else if fid, ok := mustParseConfig(f, puid); !ok {
+		log.Fatalf("uid %d is not in the hsurc file", puid)
+	} else {
+		uid += fid * 10000
+	}
+
+	// allowed aid range 0 to 9999
+	if as, ok := os.LookupEnv(envAID); !ok {
+		log.Fatal("HAKUREI_APP_ID not set")
+	} else if aid, err := parseUint32Fast(as); err != nil || aid < 0 || aid > 9999 {
+		log.Fatal("invalid aid")
+	} else {
+		uid += aid
+	}
+
+	// pass through setup fd to shim
+	var shimSetupFd string
+	if s, ok := os.LookupEnv(envShim); !ok {
+		// hakurei requests target uid
+		// print resolved uid and exit
+		fmt.Print(uid)
+		os.Exit(0)
+	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
+		log.Fatal("HAKUREI_SHIM holds an invalid value")
+	} else {
+		shimSetupFd = s
+	}
+
+	// supplementary groups
+	var suppGroups, suppCurrent []int
+
+	if gs, ok := os.LookupEnv(envGroups); ok {
+		if cur, err := os.Getgroups(); err != nil {
+			log.Fatalf("cannot get groups: %v", err)
+		} else {
+			suppCurrent = cur
+		}
+
+		// parse space-separated list of group ids
+		gss := bytes.Split([]byte(gs), []byte{' '})
+		suppGroups = make([]int, len(gss)+1)
+		for i, s := range gss {
+			if gid, err := strconv.Atoi(string(s)); err != nil {
+				log.Fatalf("cannot parse %q: %v", string(s), err)
+			} else if gid > 0 && gid != uid && gid != os.Getgid() && slices.Contains(suppCurrent, gid) {
+				suppGroups[i] = gid
+			} else {
+				log.Fatalf("invalid gid %d", gid)
+			}
+		}
+		suppGroups[len(suppGroups)-1] = uid
+	} else {
+		suppGroups = []int{uid}
+	}
+
+	// final bounds check to catch any bugs
+	if uid < 1000000 || uid >= 2000000 {
+		panic("uid out of bounds")
+	}
+
+	// careful! users in the allowlist is effectively allowed to drop groups via hsu
+
+	if err := syscall.Setresgid(uid, uid, uid); err != nil {
+		log.Fatalf("cannot set gid: %v", err)
+	}
+	if err := syscall.Setgroups(suppGroups); err != nil {
+		log.Fatalf("cannot set supplementary groups: %v", err)
+	}
+	if err := syscall.Setresuid(uid, uid, uid); err != nil {
+		log.Fatalf("cannot set uid: %v", err)
+	}
+	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
+		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
+	}
+	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+		log.Fatalf("cannot start shim: %v", err)
+	}
+
+	panic("unreachable")
+}
--- a/cmd/hsu/package.nix
+++ b/cmd/hsu/package.nix
@@ -0,0 +1,30 @@
+{
+  lib,
+  buildGoModule,
+  hakurei ? abort "hakurei package required",
+}:
+
+buildGoModule {
+  pname = "${hakurei.pname}-hsu";
+  inherit (hakurei) version;
+
+  src = ./.;
+  inherit (hakurei) vendorHash;
+  env.CGO_ENABLED = 0;
+
+  preBuild = ''
+    go mod init hsu >& /dev/null
+  '';
+
+  ldflags =
+    lib.attrsets.foldlAttrs
+      (
+        ldflags: name: value:
+        ldflags ++ [ "-X main.${name}=${value}" ]
+      )
+      [ "-s -w" ]
+      {
+        hmain = "${hakurei}/libexec/hakurei";
+        fpkg = "${hakurei}/libexec/fpkg";
+      };
+}
--- a/cmd/hsu/parse.go
+++ b/cmd/hsu/parse.go
@@ -0,0 +1,67 @@
+package main
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"strings"
+)
+
+func parseUint32Fast(s string) (int, error) {
+	sLen := len(s)
+	if sLen < 1 {
+		return -1, errors.New("zero length string")
+	}
+	if sLen > 10 {
+		return -1, errors.New("string too long")
+	}
+
+	n := 0
+	for i, ch := range []byte(s) {
+		ch -= '0'
+		if ch > 9 {
+			return -1, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
+		}
+		n = n*10 + int(ch)
+	}
+	return n, nil
+}
+
+func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
+	s := bufio.NewScanner(r)
+	var line, puid0 int
+	for s.Scan() {
+		line++
+
+		// <puid> <fid>
+		lf := strings.SplitN(s.Text(), " ", 2)
+		if len(lf) != 2 {
+			return -1, false, fmt.Errorf("invalid entry on line %d", line)
+		}
+
+		puid0, err = parseUint32Fast(lf[0])
+		if err != nil || puid0 < 1 {
+			return -1, false, fmt.Errorf("invalid parent uid on line %d", line)
+		}
+
+		ok = puid0 == puid
+		if ok {
+			// allowed fid range 0 to 99
+			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
+				return -1, false, fmt.Errorf("invalid identity on line %d", line)
+			}
+			return
+		}
+	}
+	return -1, false, s.Err()
+}
+
+func mustParseConfig(r io.Reader, puid int) (int, bool) {
+	fid, ok, err := parseConfig(r, puid)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return fid, ok
+}
--- a/cmd/hsu/parse_test.go
+++ b/cmd/hsu/parse_test.go
@@ -0,0 +1,96 @@
+package main
+
+import (
+	"bytes"
+	"strconv"
+	"testing"
+)
+
+func Test_parseUint32Fast(t *testing.T) {
+	t.Run("zero-length", func(t *testing.T) {
+		if _, err := parseUint32Fast(""); err == nil || err.Error() != "zero length string" {
+			t.Errorf(`parseUint32Fast(""): error = %v`, err)
+			return
+		}
+	})
+	t.Run("overflow", func(t *testing.T) {
+		if _, err := parseUint32Fast("10000000000"); err == nil || err.Error() != "string too long" {
+			t.Errorf("parseUint32Fast: error = %v", err)
+			return
+		}
+	})
+	t.Run("invalid byte", func(t *testing.T) {
+		if _, err := parseUint32Fast("meow"); err == nil || err.Error() != "invalid character 'm' at index 0" {
+			t.Errorf(`parseUint32Fast("meow"): error = %v`, err)
+			return
+		}
+	})
+	t.Run("full range", func(t *testing.T) {
+		testRange := func(i, end int) {
+			for ; i < end; i++ {
+				s := strconv.Itoa(i)
+				w := i
+				t.Run("parse "+s, func(t *testing.T) {
+					t.Parallel()
+					v, err := parseUint32Fast(s)
+					if err != nil {
+						t.Errorf("parseUint32Fast(%q): error = %v",
+							s, err)
+						return
+					}
+					if v != w {
+						t.Errorf("parseUint32Fast(%q): got %v",
+							s, v)
+						return
+					}
+				})
+			}
+		}
+
+		testRange(0, 5000)
+		testRange(105000, 110000)
+		testRange(23005000, 23010000)
+		testRange(456005000, 456010000)
+		testRange(7890005000, 7890010000)
+	})
+}
+
+func Test_parseConfig(t *testing.T) {
+	testCases := []struct {
+		name       string
+		puid, want int
+		wantErr    string
+		rc         string
+	}{
+		{"empty", 0, -1, "", ``},
+		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
+		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
+		{"invalid fid", 1000, -1, "invalid identity on line 1", `1000 f`},
+		{"match", 1000, 0, "", `1000 0`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			fid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
+			if err == nil && tc.wantErr != "" {
+				t.Errorf("parseConfig: error = %v; wantErr %q",
+					err, tc.wantErr)
+				return
+			}
+			if err != nil && err.Error() != tc.wantErr {
+				t.Errorf("parseConfig: error = %q; wantErr %q",
+					err, tc.wantErr)
+				return
+			}
+			if ok == (tc.want == -1) {
+				t.Errorf("parseConfig: ok = %v; want %v",
+					ok, tc.want)
+				return
+			}
+			if fid != tc.want {
+				t.Errorf("parseConfig: fid = %v; want %v",
+					fid, tc.want)
+			}
+		})
+	}
+}
--- a/cmd/hsu/path.go
+++ b/cmd/hsu/path.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"log"
+	"path"
+)
+
+const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
+
+var (
+	hmain = compPoison
+	fpkg  = compPoison
+)
+
+func mustCheckPath(p string) string {
+	if p != compPoison && p != "" && path.IsAbs(p) {
+		return p
+	}
+	log.Fatal("this program is compiled incorrectly")
+	return compPoison
+}