fortify/internal/app/setup.go

package app

import (
	"errors"
	"fmt"
	"os"
	"os/user"
	"strconv"

	"git.ophivana.moe/cat/fortify/internal/state"
	"git.ophivana.moe/cat/fortify/internal/util"
	"git.ophivana.moe/cat/fortify/internal/verbose"
)

type App struct {
	launchOptionText string

	uid     int
	env     []string
	command []string

	launchOption uint8
	toolPath     string

	enablements state.Enablements
	*user.User

	// absolutely *no* method of this type is thread-safe
	// so don't treat it as if it is
}

func (a *App) LaunchOption() uint8 {
	return a.launchOption
}

func (a *App) setEnablement(e state.Enablement) {
	if a.enablements.Has(e) {
		panic("enablement " + e.String() + " set twice")
	}

	a.enablements |= e.Mask()
}

func New(userName string, args []string, launchOptionText string) *App {
	a := &App{command: args, launchOptionText: launchOptionText}

	if u, err := user.Lookup(userName); err != nil {
		if errors.As(err, new(user.UnknownUserError)) {
			fmt.Println("unknown user", userName)
		} else {
			// unreachable
			panic(err)
		}

		// too early for fatal
		os.Exit(1)
	} else {
		a.User = u
	}

	if u, err := strconv.Atoi(a.Uid); err != nil {
		// usually unreachable
		panic("uid parse")
	} else {
		a.uid = u
	}

	verbose.Println("Running as user", a.Username, "("+a.Uid+"),", "command:", a.command)
	if util.SdBootedV {
		verbose.Println("System booted with systemd as init system (PID 1).")
	}

	switch a.launchOptionText {
	case "sudo":
		a.launchOption = LaunchMethodSudo
		if sudoPath, ok := util.Which("sudo"); !ok {
			fmt.Println("Did not find 'sudo' in PATH")
			os.Exit(1)
		} else {
			a.toolPath = sudoPath
		}
	case "bubblewrap":
		a.launchOption = LaunchMethodBwrap
		if bwrapPath, ok := util.Which("bwrap"); !ok {
			fmt.Println("Did not find 'bwrap' in PATH")
			os.Exit(1)
		} else {
			a.toolPath = bwrapPath
		}
	case "systemd":
		a.launchOption = LaunchMethodMachineCtl
		if !util.SdBootedV {
			fmt.Println("System has not been booted with systemd as init system (PID 1).")
			os.Exit(1)
		}

		if machineCtlPath, ok := util.Which("machinectl"); !ok {
			fmt.Println("Did not find 'machinectl' in PATH")
		} else {
			a.toolPath = machineCtlPath
		}
	default:
		fmt.Println("invalid launch method")
		os.Exit(1)
	}

	verbose.Println("Determined launch method to be", a.launchOptionText, "with tool at", a.toolPath)

	return a
}
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00			`package app`

			`import (`
			`"errors"`
			`"fmt"`
			`"os"`
			`"os/user"`
			`"strconv"`

			`"git.ophivana.moe/cat/fortify/internal/state"`
app: handle launch method in New function Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 20:53:33 +09:00			`"git.ophivana.moe/cat/fortify/internal/util"`
verbose: remove system package interaction Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 21:07:05 +09:00			`"git.ophivana.moe/cat/fortify/internal/verbose"`
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00			`)`

			`type App struct {`
app: handle launch method in New function Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 20:53:33 +09:00			`launchOptionText string`

rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00			`uid int`
			`env []string`
			`command []string`

app: handle launch method in New function Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 20:53:33 +09:00			`launchOption uint8`
			`toolPath string`

clean up setup/launcher code and enable better control over shares In the past Wayland, X and PulseAudio are shared unconditionally. This can unnecessarily increase attack surface as some of these resources might not be needed at all. This commit moves all environment preparation code to the internal app package and selectively call them based on flags. An "enablements" bitfield is introduced tracking all enabled shares. This value is registered after successful child process launch and stored in launcher states. Code responsible for running the child process is isolated to its own app/run file and cleaned up. Launch method selection is also extensively cleaned up. The internal state/track readLaunchers function now takes uid as an argument. Launcher state is now printed using text/tabwriter and argv is only emitted when verbose. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-08 02:24:01 +09:00			`enablements state.Enablements`
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00			`*user.User`

clean up setup/launcher code and enable better control over shares In the past Wayland, X and PulseAudio are shared unconditionally. This can unnecessarily increase attack surface as some of these resources might not be needed at all. This commit moves all environment preparation code to the internal app package and selectively call them based on flags. An "enablements" bitfield is introduced tracking all enabled shares. This value is registered after successful child process launch and stored in launcher states. Code responsible for running the child process is isolated to its own app/run file and cleaned up. Launch method selection is also extensively cleaned up. The internal state/track readLaunchers function now takes uid as an argument. Launcher state is now printed using text/tabwriter and argv is only emitted when verbose. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-08 02:24:01 +09:00			`// absolutely no method of this type is thread-safe`
			`// so don't treat it as if it is`
			`}`
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00
app: handle launch method in New function Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 20:53:33 +09:00			`func (a *App) LaunchOption() uint8 {`
			`return a.launchOption`
			`}`

clean up setup/launcher code and enable better control over shares In the past Wayland, X and PulseAudio are shared unconditionally. This can unnecessarily increase attack surface as some of these resources might not be needed at all. This commit moves all environment preparation code to the internal app package and selectively call them based on flags. An "enablements" bitfield is introduced tracking all enabled shares. This value is registered after successful child process launch and stored in launcher states. Code responsible for running the child process is isolated to its own app/run file and cleaned up. Launch method selection is also extensively cleaned up. The internal state/track readLaunchers function now takes uid as an argument. Launcher state is now printed using text/tabwriter and argv is only emitted when verbose. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-08 02:24:01 +09:00			`func (a *App) setEnablement(e state.Enablement) {`
			`if a.enablements.Has(e) {`
			`panic("enablement " + e.String() + " set twice")`
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00			`}`

clean up setup/launcher code and enable better control over shares In the past Wayland, X and PulseAudio are shared unconditionally. This can unnecessarily increase attack surface as some of these resources might not be needed at all. This commit moves all environment preparation code to the internal app package and selectively call them based on flags. An "enablements" bitfield is introduced tracking all enabled shares. This value is registered after successful child process launch and stored in launcher states. Code responsible for running the child process is isolated to its own app/run file and cleaned up. Launch method selection is also extensively cleaned up. The internal state/track readLaunchers function now takes uid as an argument. Launcher state is now printed using text/tabwriter and argv is only emitted when verbose. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-08 02:24:01 +09:00			`a.enablements \|= e.Mask()`
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00			`}`

app: handle launch method in New function Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 20:53:33 +09:00			`func New(userName string, args []string, launchOptionText string) *App {`
			`a := &App{command: args, launchOptionText: launchOptionText}`
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00
			`if u, err := user.Lookup(userName); err != nil {`
			`if errors.As(err, new(user.UnknownUserError)) {`
			`fmt.Println("unknown user", userName)`
			`} else {`
			`// unreachable`
			`panic(err)`
			`}`

			`// too early for fatal`
			`os.Exit(1)`
			`} else {`
			`a.User = u`
			`}`

			`if u, err := strconv.Atoi(a.Uid); err != nil {`
			`// usually unreachable`
			`panic("uid parse")`
			`} else {`
			`a.uid = u`
			`}`

verbose: remove system package interaction Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 21:07:05 +09:00			`verbose.Println("Running as user", a.Username, "("+a.Uid+"),", "command:", a.command)`
			`if util.SdBootedV {`
			`verbose.Println("System booted with systemd as init system (PID 1).")`
app: handle launch method in New function Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 20:53:33 +09:00			`}`

			`switch a.launchOptionText {`
			`case "sudo":`
			`a.launchOption = LaunchMethodSudo`
			`if sudoPath, ok := util.Which("sudo"); !ok {`
			`fmt.Println("Did not find 'sudo' in PATH")`
			`os.Exit(1)`
			`} else {`
			`a.toolPath = sudoPath`
			`}`
			`case "bubblewrap":`
			`a.launchOption = LaunchMethodBwrap`
			`if bwrapPath, ok := util.Which("bwrap"); !ok {`
			`fmt.Println("Did not find 'bwrap' in PATH")`
			`os.Exit(1)`
			`} else {`
			`a.toolPath = bwrapPath`
			`}`
			`case "systemd":`
			`a.launchOption = LaunchMethodMachineCtl`
			`if !util.SdBootedV {`
			`fmt.Println("System has not been booted with systemd as init system (PID 1).")`
			`os.Exit(1)`
			`}`

			`if machineCtlPath, ok := util.Which("machinectl"); !ok {`
			`fmt.Println("Did not find 'machinectl' in PATH")`
			`} else {`
			`a.toolPath = machineCtlPath`
			`}`
			`default:`
			`fmt.Println("invalid launch method")`
			`os.Exit(1)`
			`}`

verbose: remove system package interaction Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-12 21:07:05 +09:00			`verbose.Println("Determined launch method to be", a.launchOptionText, "with tool at", a.toolPath)`
rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-04 01:20:12 +09:00
			`return a`
			`}`