proc/priv/init: early init check

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/proc/priv/init/early.go

@@ -0,0 +1,18 @@
+package init0
+
+import (
+	"os"
+	"path"
+
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+// used by the parent process
+
+// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
+func TryArgv0() {
+	if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
+		Main()
+		fmsg.Exit(0)
+	}
+}

internal/proc/priv/init/main.go

@@ -5,7 +5,6 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
-	"path"
 	"syscall"
 	"time"
 
@@ -38,14 +37,6 @@ func Main() {
 		panic("unreachable")
 	}
 
-	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "init" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
-			fmsg.Println("cannot re-exec self:", err)
-			// continue anyway
-		}
-	}
-
 	// receive setup payload
 	var (
 		payload    Payload

internal/proc/priv/shim/main.go

@@ -125,14 +125,17 @@ func Main() {
 	}
 
 	// bind fortify inside sandbox
-	innerSbin := path.Join(fst.Tmp, "sbin")
-	fortifyInnerPath := path.Join(innerSbin, "fortify")
-	conf.Bind(proc.MustExecutable(), fortifyInnerPath)
-	conf.Symlink(fortifyInnerPath, path.Join(innerSbin, "init"))
+	var (
+		innerSbin    = path.Join(fst.Tmp, "sbin")
+		innerFortify = path.Join(innerSbin, "fortify")
+		innerInit    = path.Join(innerSbin, "init")
+	)
+	conf.Bind(proc.MustExecutable(), innerFortify)
+	conf.Symlink("fortify", innerInit)
 
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, fortifyInnerPath,
-		func(int, int) []string { return []string{"init"} }); err != nil {
+	if b, err := helper.NewBwrap(conf, nil, innerInit,
+		func(int, int) []string { return make([]string, 0) }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {
 		cmd := b.Unwrap()