security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

proc/priv/shim: merge shim into main program
All checks were successful
Build / Create distribution (push) Successful in 2m15s
Details
Test / Run NixOS test (push) Successful in 2m53s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-01-17 23:43:32 +09:00
parent 16db3dabe2
commit ea8f228af3
12 changed files with 29 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
cmd/fsu/main.go
View File

@@ -24,7 +24,6 @@ const (
var (
Fmain = compPoison
Fshim = compPoison
)
func main() {
@@ -41,17 +40,12 @@ func main() {
log.Fatal("this program must not be started by root")
}
var fmain, fshim string
var fmain string
if p, ok := checkPath(Fmain); !ok {
log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
} else {
fmain = p
}
if p, ok := checkPath(Fshim); !ok {
log.Fatal("invalid fshim path, this copy of fsu is not compiled correctly")
} else {
fshim = p
}
pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
if p, err := os.Readlink(pexe); err != nil {
@@ -142,7 +136,7 @@ func main() {
if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
}
if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
log.Fatalf("cannot start shim: %v", err)
}