fsu: check parent executable path

Only allow main program to launch fsu. This change and further checks in the main program reduces attack surface. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 18:52:23 +09:00 · 2024-10-28 18:52:23 +09:00 · aa1f96eeeb
parent 431dc095e5
commit aa1f96eeeb
2 changed files with 11 additions and 2 deletions
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@ -35,11 +35,20 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}

-	// check compiled in fortify path
+	// validate compiled in fortify path
 	if FortifyPath == fpPoison || !path.IsAbs(FortifyPath) {
 		log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
 	}

+	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
+	if p, err := os.Readlink(pexe); err != nil {
+		log.Fatalf("cannot read parent executable path: %v", err)
+	} else if strings.HasSuffix(p, " (deleted)") {
+		log.Fatal("fortify executable has been deleted")
+	} else if p != FortifyPath {
+		log.Fatal("this program must be started by fortify")
+	}
+
 	// uid = 1000000 +
 	//   fid * 10000 +
 	//           aid
--- a/package.nix
+++ b/package.nix
@ -21,7 +21,7 @@ buildGoModule rec {
    "-X"
    "main.Version=v${version}"
    "-X"
-    "main.FortifyPath=${placeholder "out"}/bin/fortify"
+    "main.FortifyPath=${placeholder "out"}/bin/.fortify-wrapped"
  ];

  buildInputs = [