From aa1f96eeebecaa8e4cbbccb826fe168c9270228d Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Mon, 28 Oct 2024 18:52:23 +0900
Subject: [PATCH] fsu: check parent executable path
Only allow main program to launch fsu. This change and further checks in the main program reduces attack surface.
Signed-off-by: Ophestra Umiker
---
 cmd/fsu/main.go | 11 ++++++++++-
 package.nix | 2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/cmd/fsu/main.go b/cmd/fsu/main.go
index 99c25c9..af0315e 100644
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@@ -35,11 +35,20 @@ func main() {
 log.Fatal("this program must not be started by root")
 }
- // check compiled in fortify path
+ // validate compiled in fortify path
 if FortifyPath == fpPoison || !path.IsAbs(FortifyPath) {
 log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
 }
+ pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
+ if p, err := os.Readlink(pexe); err != nil {
+ log.Fatalf("cannot read parent executable path: %v", err)
+ } else if strings.HasSuffix(p, " (deleted)") {
+ log.Fatal("fortify executable has been deleted")
+ } else if p != FortifyPath {
+ log.Fatal("this program must be started by fortify")
+ }
+
 // uid = 1000000 +
 // fid * 10000 +
 // aid
diff --git a/package.nix b/package.nix
index 4293f47..b2c72f6 100644
--- a/package.nix
+++ b/package.nix
@@ -21,7 +21,7 @@ buildGoModule rec {
 "-X"
 "main.Version=v${version}"
 "-X"
- "main.FortifyPath=${placeholder "out"}/bin/fortify"
+ "main.FortifyPath=${placeholder "out"}/bin/.fortify-wrapped"
 ];
 buildInputs = [
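Review bot: The parent check added after the FortifyPath validation samples `/proc/<ppid>/exe` when fsu runs, so it reports whatever image the parent pid holds at that moment, not the program that actually started fsu. Between `os.Getppid()` and `os.Readlink(pexe)` the parent can exit, in which case fsu is reparented and the link describes a different process, and nothing here ties the answer to the exec that launched fsu. That makes the check useful hardening but not caller authentication, which matches the commit message's mention of further checks in the main program. I would record that above `pexe` with `// best-effort hardening only: /proc/<ppid>/exe is read after exec and does not authenticate the caller`. The body of main() starts and ends outside this hunk, so whether later code relies on this check as a trust decision cannot be confirmed from here.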
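Review bot: The new `main.FortifyPath` value hard-codes the name `.fortify-wrapped`, and nothing in this hunk explains why the comparison target has to be the wrapped binary rather than `bin/fortify`. The name is presumably produced by a wrapping step elsewhere in package.nix, outside this hunk. If that step is later removed or renamed, fsu will reject every launch with "this program must be started by fortify". A comment above the flag would make the coupling visible, for example `# fsu compares /proc/<ppid>/exe with this path, so it must name the real executable, not the wrapper`. If FortifyPath is also used elsewhere in fsu as a path to execute, which this diff does not show, that use now bypasses the wrapper and should be checked.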