sandbox: move params setup functions
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -9,7 +9,6 @@ import (
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/helper/proc"
|
||||
"git.gensokyo.uk/security/fortify/internal"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
"git.gensokyo.uk/security/fortify/internal/sandbox"
|
||||
@@ -42,11 +41,11 @@ func Main() {
|
||||
payload Payload
|
||||
closeSetup func() error
|
||||
)
|
||||
if f, err := proc.Receive(Env, &payload, nil); err != nil {
|
||||
if errors.Is(err, proc.ErrInvalid) {
|
||||
if f, err := sandbox.Receive(Env, &payload, nil); err != nil {
|
||||
if errors.Is(err, sandbox.ErrInvalid) {
|
||||
log.Fatal("invalid config descriptor")
|
||||
}
|
||||
if errors.Is(err, proc.ErrNotSet) {
|
||||
if errors.Is(err, sandbox.ErrNotSet) {
|
||||
log.Fatal("FORTIFY_INIT not set")
|
||||
}
|
||||
|
||||
|
||||
@@ -13,7 +13,6 @@ import (
|
||||
|
||||
"git.gensokyo.uk/security/fortify/fst"
|
||||
"git.gensokyo.uk/security/fortify/helper"
|
||||
"git.gensokyo.uk/security/fortify/helper/proc"
|
||||
"git.gensokyo.uk/security/fortify/internal"
|
||||
"git.gensokyo.uk/security/fortify/internal/app/init0"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
@@ -38,11 +37,11 @@ func Main() {
|
||||
payload Payload
|
||||
closeSetup func() error
|
||||
)
|
||||
if f, err := proc.Receive(Env, &payload, nil); err != nil {
|
||||
if errors.Is(err, proc.ErrInvalid) {
|
||||
if f, err := sandbox.Receive(Env, &payload, nil); err != nil {
|
||||
if errors.Is(err, sandbox.ErrInvalid) {
|
||||
log.Fatal("invalid config descriptor")
|
||||
}
|
||||
if errors.Is(err, proc.ErrNotSet) {
|
||||
if errors.Is(err, sandbox.ErrNotSet) {
|
||||
log.Fatal("FORTIFY_SHIM not set")
|
||||
}
|
||||
|
||||
@@ -108,7 +107,7 @@ func Main() {
|
||||
var extraFiles []*os.File
|
||||
|
||||
// serve setup payload
|
||||
if fd, encoder, err := proc.Setup(&extraFiles); err != nil {
|
||||
if fd, encoder, err := sandbox.Setup(&extraFiles); err != nil {
|
||||
log.Fatalf("cannot pipe: %v", err)
|
||||
} else {
|
||||
conf.SetEnv[init0.Env] = strconv.Itoa(fd)
|
||||
|
||||
@@ -13,6 +13,7 @@ import (
|
||||
"git.gensokyo.uk/security/fortify/helper/proc"
|
||||
"git.gensokyo.uk/security/fortify/internal"
|
||||
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
||||
"git.gensokyo.uk/security/fortify/internal/sandbox"
|
||||
)
|
||||
|
||||
// used by the parent process
|
||||
@@ -56,7 +57,7 @@ func (s *Shim) Start(
|
||||
s.cmd = exec.Command(fsuPath)
|
||||
|
||||
// pass shim setup pipe
|
||||
if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {
|
||||
if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil {
|
||||
return nil, fmsg.WrapErrorSuffix(err,
|
||||
"cannot create shim setup pipe:")
|
||||
} else {
|
||||
|
||||
@@ -13,7 +13,6 @@ import (
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/helper/proc"
|
||||
"git.gensokyo.uk/security/fortify/seccomp"
|
||||
)
|
||||
|
||||
@@ -163,7 +162,7 @@ func (p *Container) Start() error {
|
||||
}
|
||||
|
||||
// place setup pipe before user supplied extra files, this is later restored by init
|
||||
if fd, e, err := proc.Setup(&p.cmd.ExtraFiles); err != nil {
|
||||
if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
|
||||
return wrapErrSuffix(err,
|
||||
"cannot create shim setup pipe:")
|
||||
} else {
|
||||
|
||||
@@ -13,7 +13,6 @@ import (
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/helper/proc"
|
||||
"git.gensokyo.uk/security/fortify/seccomp"
|
||||
)
|
||||
|
||||
@@ -56,11 +55,11 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
||||
setupFile *os.File
|
||||
offsetSetup int
|
||||
)
|
||||
if f, err := proc.Receive(setupEnv, ¶ms, &setupFile); err != nil {
|
||||
if errors.Is(err, proc.ErrInvalid) {
|
||||
if f, err := Receive(setupEnv, ¶ms, &setupFile); err != nil {
|
||||
if errors.Is(err, ErrInvalid) {
|
||||
log.Fatal("invalid setup descriptor")
|
||||
}
|
||||
if errors.Is(err, proc.ErrNotSet) {
|
||||
if errors.Is(err, ErrNotSet) {
|
||||
log.Fatal("FORTIFY_SETUP not set")
|
||||
}
|
||||
|
||||
|
||||
47
internal/sandbox/params.go
Normal file
47
internal/sandbox/params.go
Normal file
@@ -0,0 +1,47 @@
|
||||
package sandbox
|
||||
|
||||
import (
|
||||
"encoding/gob"
|
||||
"errors"
|
||||
"os"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrNotSet = errors.New("environment variable not set")
|
||||
ErrInvalid = errors.New("bad file descriptor")
|
||||
)
|
||||
|
||||
// Setup appends the read end of a pipe for setup params transmission and returns its fd.
|
||||
func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
|
||||
if r, w, err := os.Pipe(); err != nil {
|
||||
return -1, nil, err
|
||||
} else {
|
||||
fd := 3 + len(*extraFiles)
|
||||
*extraFiles = append(*extraFiles, r)
|
||||
return fd, gob.NewEncoder(w), nil
|
||||
}
|
||||
}
|
||||
|
||||
// Receive retrieves setup fd from the environment and receives params.
|
||||
func Receive(key string, e any, v **os.File) (func() error, error) {
|
||||
var setup *os.File
|
||||
|
||||
if s, ok := os.LookupEnv(key); !ok {
|
||||
return nil, ErrNotSet
|
||||
} else {
|
||||
if fd, err := strconv.Atoi(s); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
setup = os.NewFile(uintptr(fd), "setup")
|
||||
if setup == nil {
|
||||
return nil, ErrInvalid
|
||||
}
|
||||
if v != nil {
|
||||
*v = setup
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return setup.Close, gob.NewDecoder(setup).Decode(e)
|
||||
}
|
||||
Reference in New Issue
Block a user