8 Commits
6d8bcb63f2
...
563c39c2d9
Author | SHA1 | Date |
---|---|---|
Ophestra Umiker | 563c39c2d9 | |
Ophestra Umiker | aa1f96eeeb | |
Ophestra Umiker | 431dc095e5 | |
Ophestra Umiker | 60e91b9b0f | |
Ophestra Umiker | d9cb2a9f2b | |
Ophestra Umiker | 09feda3783 | |
Ophestra Umiker | 51e84ba8a5 | |
Ophestra Umiker | 7df9d8d01d |
|
@ -0,0 +1,140 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"log"
|
||||
"os"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
const (
|
||||
fsuConfFile = "/etc/fsurc"
|
||||
envShim = "FORTIFY_SHIM"
|
||||
envAID = "FORTIFY_APP_ID"
|
||||
|
||||
fpPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
|
||||
)
|
||||
|
||||
// FortifyPath is the path to fortify, set at compile time.
|
||||
var FortifyPath = fpPoison
|
||||
|
||||
func main() {
|
||||
log.SetFlags(0)
|
||||
log.SetPrefix("fsu: ")
|
||||
log.SetOutput(os.Stderr)
|
||||
|
||||
if os.Geteuid() != 0 {
|
||||
log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
|
||||
}
|
||||
|
||||
puid := os.Getuid()
|
||||
if puid == 0 {
|
||||
log.Fatal("this program must not be started by root")
|
||||
}
|
||||
|
||||
// validate compiled in fortify path
|
||||
if FortifyPath == fpPoison || !path.IsAbs(FortifyPath) {
|
||||
log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
|
||||
}
|
||||
|
||||
pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
|
||||
if p, err := os.Readlink(pexe); err != nil {
|
||||
log.Fatalf("cannot read parent executable path: %v", err)
|
||||
} else if strings.HasSuffix(p, " (deleted)") {
|
||||
log.Fatal("fortify executable has been deleted")
|
||||
} else if p != FortifyPath {
|
||||
log.Fatal("this program must be started by fortify")
|
||||
}
|
||||
|
||||
// uid = 1000000 +
|
||||
// fid * 10000 +
|
||||
// aid
|
||||
uid := 1000000
|
||||
|
||||
// authenticate before accepting user input
|
||||
if fid, ok := parseConfig(fsuConfFile, puid); !ok {
|
||||
log.Fatalf("uid %d is not in the fsurc file", puid)
|
||||
} else {
|
||||
uid += fid * 10000
|
||||
}
|
||||
|
||||
// pass through setup path to shim
|
||||
var shimSetupPath string
|
||||
if s, ok := os.LookupEnv(envShim); !ok {
|
||||
log.Fatal("FORTIFY_SHIM not set")
|
||||
} else if !path.IsAbs(s) {
|
||||
log.Fatal("FORTIFY_SHIM is not absolute")
|
||||
} else {
|
||||
shimSetupPath = s
|
||||
}
|
||||
|
||||
// allowed aid range 0 to 9999
|
||||
if as, ok := os.LookupEnv(envAID); !ok {
|
||||
log.Fatal("FORTIFY_APP_ID not set")
|
||||
} else if aid, err := strconv.Atoi(as); err != nil || aid < 0 || aid > 9999 {
|
||||
log.Fatal("invalid aid")
|
||||
} else {
|
||||
uid += aid
|
||||
}
|
||||
|
||||
if err := syscall.Setresgid(uid, uid, uid); err != nil {
|
||||
log.Fatalf("cannot set gid: %v", err)
|
||||
}
|
||||
if err := syscall.Setresuid(uid, uid, uid); err != nil {
|
||||
log.Fatalf("cannot set uid: %v", err)
|
||||
}
|
||||
if err := syscall.Exec(FortifyPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
|
||||
log.Fatalf("cannot start shim: %v", err)
|
||||
}
|
||||
|
||||
panic("unreachable")
|
||||
}
|
||||
|
||||
func parseConfig(p string, puid int) (fid int, ok bool) {
|
||||
// refuse to run if fsurc is not protected correctly
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
log.Fatal(err)
|
||||
} else if s.Mode().Perm() != 0400 {
|
||||
log.Fatal("bad fsurc perm")
|
||||
} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
|
||||
log.Fatal("fsurc must be owned by uid 0")
|
||||
}
|
||||
|
||||
if r, err := os.Open(p); err != nil {
|
||||
log.Fatal(err)
|
||||
return -1, false
|
||||
} else {
|
||||
s := bufio.NewScanner(r)
|
||||
var line int
|
||||
for s.Scan() {
|
||||
line++
|
||||
|
||||
// <puid> <fid>
|
||||
lf := strings.SplitN(s.Text(), " ", 2)
|
||||
if len(lf) != 2 {
|
||||
log.Fatalf("invalid entry on line %d", line)
|
||||
}
|
||||
|
||||
var puid0 int
|
||||
if puid0, err = strconv.Atoi(lf[0]); err != nil || puid0 < 1 {
|
||||
log.Fatalf("invalid parent uid on line %d", line)
|
||||
}
|
||||
|
||||
ok = puid0 == puid
|
||||
if ok {
|
||||
// allowed fid range 0 to 99
|
||||
if fid, err = strconv.Atoi(lf[1]); err != nil || fid < 0 || fid > 99 {
|
||||
log.Fatalf("invalid fortify uid on line %d", line)
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
if err = s.Err(); err != nil {
|
||||
log.Fatalf("cannot read fsurc: %v", err)
|
||||
}
|
||||
return -1, false
|
||||
}
|
||||
}
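Review bot: The privilege drop at the `syscall.Setresgid`/`syscall.Setresuid` pair never clears supplementary groups, so the exec'd shim keeps every group the invoking user belonged to on top of the computed uid/gid; add `if err := syscall.Setgroups([]int{}); err != nil { log.Fatalf("cannot set groups: %v", err) }` before the Setresgid call. In parseConfig the ownership and permission checks run on the path via `os.Stat` while the contents are read from a separate `os.Open`, so the two operations are not guaranteed to see the same inode; opening first and calling `r.Stat()` on the handle ties the checks to the bytes actually parsed. The `return -1, false` after `log.Fatal(err)` in the open branch is unreachable and can be dropped. The `/proc/<ppid>/exe` comparison is a useful sanity check but describes the parent only at the moment of the readlink, which is worth stating in the comment above it so the fsurc lookup is understood as the actual authorisation step.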
|
|
@ -6,7 +6,6 @@ import (
|
|||
"fmt"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
|
@ -50,7 +49,7 @@ func init() {
|
|||
|
||||
func init() {
|
||||
methodHelpString := "Method of launching the child process, can be one of \"sudo\""
|
||||
if internal.SdBootedV {
|
||||
if os.SdBooted() {
|
||||
methodHelpString += ", \"systemd\""
|
||||
}
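Review bot: `os.SdBooted()` on the new line reads as a standard-library call, but the stdlib `os` package has no such function, so `os` here is presumably a package-level `internal.System` value that shadows the import; the same pattern appears in the main.go hunk further down (`if os.SdBooted() {`). Shadowing a stdlib package name with a variable is a recurring source of confusion for readers and for tooling, so if the variable cannot be renamed, a comment at its declaration such as `// os is the System implementation in use; it shadows the standard library package of the same name` would at least make the intent visible. init() continues outside the hunk.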
|
||||
|
||||
|
|
|
@ -34,9 +34,7 @@
|
|||
|
||||
devShells = forAllSystems (system: {
|
||||
default = nixpkgsFor.${system}.mkShell {
|
||||
buildInputs =
|
||||
with nixpkgsFor.${system};
|
||||
self.packages.${system}.fortify.buildInputs;
|
||||
buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
|
||||
};
|
||||
|
||||
withPackage = nixpkgsFor.${system}.mkShell {
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"strconv"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
|
@ -187,6 +188,262 @@ var testCasesNixos = []sealTestCase{
|
|||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
|
||||
Tmpfs("/var/run/nscd", 8192),
|
||||
},
|
||||
{
|
||||
"nixos permissive defaults chromium", new(stubNixOS),
|
||||
&app.Config{
|
||||
ID: "org.chromium.Chromium",
|
||||
User: "chronos",
|
||||
Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
|
||||
Confinement: app.ConfinementConfig{
|
||||
SessionBus: &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.freedesktop.Notifications",
|
||||
"org.freedesktop.FileManager1",
|
||||
"org.freedesktop.ScreenSaver",
|
||||
"org.freedesktop.secrets",
|
||||
"org.kde.kwalletd5",
|
||||
"org.kde.kwalletd6",
|
||||
"org.gnome.SessionManager",
|
||||
},
|
||||
Own: []string{
|
||||
"org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.chromium.*",
|
||||
},
|
||||
Call: map[string]string{
|
||||
"org.freedesktop.portal.*": "*",
|
||||
},
|
||||
Broadcast: map[string]string{
|
||||
"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
|
||||
},
|
||||
Filter: true,
|
||||
},
|
||||
SystemBus: &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.bluez",
|
||||
"org.freedesktop.Avahi",
|
||||
"org.freedesktop.UPower",
|
||||
},
|
||||
Filter: true,
|
||||
},
|
||||
Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
|
||||
},
|
||||
Method: "systemd",
|
||||
},
|
||||
app.ID{
|
||||
0xeb, 0xf0, 0x83, 0xd1,
|
||||
0xb1, 0x75, 0x91, 0x17,
|
||||
0x82, 0xd4, 0x13, 0x36,
|
||||
0x9b, 0x64, 0xce, 0x7c,
|
||||
},
|
||||
system.New(150).
|
||||
Ensure("/tmp/fortify.1971", 0701).
|
||||
Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0701).
|
||||
Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
|
||||
Ensure("/tmp/fortify.1971/tmpdir/150", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/150", acl.Read, acl.Write, acl.Execute).
|
||||
Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
|
||||
Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
|
||||
Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
|
||||
WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
|
||||
WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "fortify:x:65534:\n").
|
||||
Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland").
|
||||
UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
|
||||
Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
|
||||
CopyFile("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
|
||||
MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.freedesktop.Notifications",
|
||||
"org.freedesktop.FileManager1",
|
||||
"org.freedesktop.ScreenSaver",
|
||||
"org.freedesktop.secrets",
|
||||
"org.kde.kwalletd5",
|
||||
"org.kde.kwalletd6",
|
||||
"org.gnome.SessionManager",
|
||||
},
|
||||
Own: []string{
|
||||
"org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.chromium.*",
|
||||
},
|
||||
Call: map[string]string{
|
||||
"org.freedesktop.portal.*": "*",
|
||||
},
|
||||
Broadcast: map[string]string{
|
||||
"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
|
||||
},
|
||||
Filter: true,
|
||||
}, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.bluez",
|
||||
"org.freedesktop.Avahi",
|
||||
"org.freedesktop.UPower",
|
||||
},
|
||||
Filter: true,
|
||||
}).
|
||||
UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
|
||||
UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
|
||||
(&bwrap.Config{
|
||||
Net: true,
|
||||
UserNS: true,
|
||||
Clearenv: true,
|
||||
SetEnv: map[string]string{
|
||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/150/bus",
|
||||
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
||||
"HOME": "/home/chronos",
|
||||
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
||||
"PULSE_SERVER": "unix:/run/user/150/pulse/native",
|
||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||
"TERM": "xterm-256color",
|
||||
"USER": "chronos",
|
||||
"WAYLAND_DISPLAY": "/run/user/150/wayland-0",
|
||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||
"XDG_SESSION_CLASS": "user",
|
||||
"XDG_SESSION_TYPE": "tty",
|
||||
},
|
||||
Chmod: make(bwrap.ChmodConfig),
|
||||
DieWithParent: true,
|
||||
AsInit: true,
|
||||
}).SetUID(65534).SetGID(65534).
|
||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||
Tmpfs("/dev/fortify", 4096).
|
||||
Bind("/bin", "/bin", false, true).
|
||||
Bind("/boot", "/boot", false, true).
|
||||
Bind("/etc", "/dev/fortify/etc").
|
||||
Bind("/home", "/home", false, true).
|
||||
Bind("/lib", "/lib", false, true).
|
||||
Bind("/lib64", "/lib64", false, true).
|
||||
Bind("/nix", "/nix", false, true).
|
||||
Bind("/root", "/root", false, true).
|
||||
Bind("/srv", "/srv", false, true).
|
||||
Bind("/sys", "/sys", false, true).
|
||||
Bind("/usr", "/usr", false, true).
|
||||
Bind("/var", "/var", false, true).
|
||||
Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
|
||||
Bind("/run/binfmt", "/run/binfmt", false, true).
|
||||
Bind("/run/booted-system", "/run/booted-system", false, true).
|
||||
Bind("/run/credentials", "/run/credentials", false, true).
|
||||
Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
|
||||
Bind("/run/current-system", "/run/current-system", false, true).
|
||||
Bind("/run/host", "/run/host", false, true).
|
||||
Bind("/run/keys", "/run/keys", false, true).
|
||||
Bind("/run/libvirt", "/run/libvirt", false, true).
|
||||
Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
|
||||
Bind("/run/lock", "/run/lock", false, true).
|
||||
Bind("/run/log", "/run/log", false, true).
|
||||
Bind("/run/lvm", "/run/lvm", false, true).
|
||||
Bind("/run/mount", "/run/mount", false, true).
|
||||
Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
|
||||
Bind("/run/nginx", "/run/nginx", false, true).
|
||||
Bind("/run/nixos", "/run/nixos", false, true).
|
||||
Bind("/run/nscd", "/run/nscd", false, true).
|
||||
Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
|
||||
Bind("/run/pppd", "/run/pppd", false, true).
|
||||
Bind("/run/resolvconf", "/run/resolvconf", false, true).
|
||||
Bind("/run/sddm", "/run/sddm", false, true).
|
||||
Bind("/run/store", "/run/store", false, true).
|
||||
Bind("/run/syncoid", "/run/syncoid", false, true).
|
||||
Bind("/run/system", "/run/system", false, true).
|
||||
Bind("/run/systemd", "/run/systemd", false, true).
|
||||
Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
|
||||
Bind("/run/udev", "/run/udev", false, true).
|
||||
Bind("/run/udisks2", "/run/udisks2", false, true).
|
||||
Bind("/run/utmp", "/run/utmp", false, true).
|
||||
Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
|
||||
Bind("/run/wrappers", "/run/wrappers", false, true).
|
||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||
Bind("/dev/dri", "/dev/dri", true, true, true).
|
||||
Symlink("/dev/fortify/etc/alsa", "/etc/alsa").
|
||||
Symlink("/dev/fortify/etc/bashrc", "/etc/bashrc").
|
||||
Symlink("/dev/fortify/etc/binfmt.d", "/etc/binfmt.d").
|
||||
Symlink("/dev/fortify/etc/dbus-1", "/etc/dbus-1").
|
||||
Symlink("/dev/fortify/etc/default", "/etc/default").
|
||||
Symlink("/dev/fortify/etc/ethertypes", "/etc/ethertypes").
|
||||
Symlink("/dev/fortify/etc/fonts", "/etc/fonts").
|
||||
Symlink("/dev/fortify/etc/fstab", "/etc/fstab").
|
||||
Symlink("/dev/fortify/etc/fuse.conf", "/etc/fuse.conf").
|
||||
Symlink("/dev/fortify/etc/host.conf", "/etc/host.conf").
|
||||
Symlink("/dev/fortify/etc/hostid", "/etc/hostid").
|
||||
Symlink("/dev/fortify/etc/hostname", "/etc/hostname").
|
||||
Symlink("/dev/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
||||
Symlink("/dev/fortify/etc/hosts", "/etc/hosts").
|
||||
Symlink("/dev/fortify/etc/inputrc", "/etc/inputrc").
|
||||
Symlink("/dev/fortify/etc/ipsec.d", "/etc/ipsec.d").
|
||||
Symlink("/dev/fortify/etc/issue", "/etc/issue").
|
||||
Symlink("/dev/fortify/etc/kbd", "/etc/kbd").
|
||||
Symlink("/dev/fortify/etc/libblockdev", "/etc/libblockdev").
|
||||
Symlink("/dev/fortify/etc/locale.conf", "/etc/locale.conf").
|
||||
Symlink("/dev/fortify/etc/localtime", "/etc/localtime").
|
||||
Symlink("/dev/fortify/etc/login.defs", "/etc/login.defs").
|
||||
Symlink("/dev/fortify/etc/lsb-release", "/etc/lsb-release").
|
||||
Symlink("/dev/fortify/etc/lvm", "/etc/lvm").
|
||||
Symlink("/dev/fortify/etc/machine-id", "/etc/machine-id").
|
||||
Symlink("/dev/fortify/etc/man_db.conf", "/etc/man_db.conf").
|
||||
Symlink("/dev/fortify/etc/modprobe.d", "/etc/modprobe.d").
|
||||
Symlink("/dev/fortify/etc/modules-load.d", "/etc/modules-load.d").
|
||||
Symlink("/proc/mounts", "/etc/mtab").
|
||||
Symlink("/dev/fortify/etc/nanorc", "/etc/nanorc").
|
||||
Symlink("/dev/fortify/etc/netgroup", "/etc/netgroup").
|
||||
Symlink("/dev/fortify/etc/NetworkManager", "/etc/NetworkManager").
|
||||
Symlink("/dev/fortify/etc/nix", "/etc/nix").
|
||||
Symlink("/dev/fortify/etc/nixos", "/etc/nixos").
|
||||
Symlink("/dev/fortify/etc/NIXOS", "/etc/NIXOS").
|
||||
Symlink("/dev/fortify/etc/nscd.conf", "/etc/nscd.conf").
|
||||
Symlink("/dev/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
||||
Symlink("/dev/fortify/etc/opensnitchd", "/etc/opensnitchd").
|
||||
Symlink("/dev/fortify/etc/os-release", "/etc/os-release").
|
||||
Symlink("/dev/fortify/etc/pam", "/etc/pam").
|
||||
Symlink("/dev/fortify/etc/pam.d", "/etc/pam.d").
|
||||
Symlink("/dev/fortify/etc/pipewire", "/etc/pipewire").
|
||||
Symlink("/dev/fortify/etc/pki", "/etc/pki").
|
||||
Symlink("/dev/fortify/etc/polkit-1", "/etc/polkit-1").
|
||||
Symlink("/dev/fortify/etc/profile", "/etc/profile").
|
||||
Symlink("/dev/fortify/etc/protocols", "/etc/protocols").
|
||||
Symlink("/dev/fortify/etc/qemu", "/etc/qemu").
|
||||
Symlink("/dev/fortify/etc/resolv.conf", "/etc/resolv.conf").
|
||||
Symlink("/dev/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
||||
Symlink("/dev/fortify/etc/rpc", "/etc/rpc").
|
||||
Symlink("/dev/fortify/etc/samba", "/etc/samba").
|
||||
Symlink("/dev/fortify/etc/sddm.conf", "/etc/sddm.conf").
|
||||
Symlink("/dev/fortify/etc/secureboot", "/etc/secureboot").
|
||||
Symlink("/dev/fortify/etc/services", "/etc/services").
|
||||
Symlink("/dev/fortify/etc/set-environment", "/etc/set-environment").
|
||||
Symlink("/dev/fortify/etc/shadow", "/etc/shadow").
|
||||
Symlink("/dev/fortify/etc/shells", "/etc/shells").
|
||||
Symlink("/dev/fortify/etc/ssh", "/etc/ssh").
|
||||
Symlink("/dev/fortify/etc/ssl", "/etc/ssl").
|
||||
Symlink("/dev/fortify/etc/static", "/etc/static").
|
||||
Symlink("/dev/fortify/etc/subgid", "/etc/subgid").
|
||||
Symlink("/dev/fortify/etc/subuid", "/etc/subuid").
|
||||
Symlink("/dev/fortify/etc/sudoers", "/etc/sudoers").
|
||||
Symlink("/dev/fortify/etc/sysctl.d", "/etc/sysctl.d").
|
||||
Symlink("/dev/fortify/etc/systemd", "/etc/systemd").
|
||||
Symlink("/dev/fortify/etc/terminfo", "/etc/terminfo").
|
||||
Symlink("/dev/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
||||
Symlink("/dev/fortify/etc/udev", "/etc/udev").
|
||||
Symlink("/dev/fortify/etc/udisks2", "/etc/udisks2").
|
||||
Symlink("/dev/fortify/etc/UPower", "/etc/UPower").
|
||||
Symlink("/dev/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
|
||||
Symlink("/dev/fortify/etc/X11", "/etc/X11").
|
||||
Symlink("/dev/fortify/etc/zfs", "/etc/zfs").
|
||||
Symlink("/dev/fortify/etc/zinputrc", "/etc/zinputrc").
|
||||
Symlink("/dev/fortify/etc/zoneinfo", "/etc/zoneinfo").
|
||||
Symlink("/dev/fortify/etc/zprofile", "/etc/zprofile").
|
||||
Symlink("/dev/fortify/etc/zshenv", "/etc/zshenv").
|
||||
Symlink("/dev/fortify/etc/zshrc", "/etc/zshrc").
|
||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||
Tmpfs("/run/user", 1048576).
|
||||
Tmpfs("/run/user/150", 8388608).
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/150/wayland-0").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/150/pulse/native").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/150/bus").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
||||
Tmpfs("/var/run/nscd", 8192),
|
||||
},
|
||||
}
|
||||
|
||||
// fs methods are not implemented using a real FS
|
||||
|
@ -206,6 +463,14 @@ func (s *stubNixOS) LookupEnv(key string) (string, bool) {
|
|||
return "/run/current-system/sw/bin/zsh", true
|
||||
case "TERM":
|
||||
return "xterm-256color", true
|
||||
case "WAYLAND_DISPLAY":
|
||||
return "wayland-0", true
|
||||
case "PULSE_COOKIE":
|
||||
return "", false
|
||||
case "HOME":
|
||||
return "/home/ophestra", true
|
||||
case "XDG_CONFIG_HOME":
|
||||
return "/home/ophestra/xdg/config", true
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to access unexpected environment variable %q", key))
|
||||
}
|
||||
|
@ -225,6 +490,8 @@ func (s *stubNixOS) LookPath(file string) (string, error) {
|
|||
switch file {
|
||||
case "sudo":
|
||||
return "/run/wrappers/bin/sudo", nil
|
||||
case "machinectl":
|
||||
return "/home/ophestra/.nix-profile/bin/machinectl", nil
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
|
||||
}
|
||||
|
@ -288,6 +555,14 @@ func (s *stubNixOS) Stat(name string) (fs.FileInfo, error) {
|
|||
switch name {
|
||||
case "/var/run/nscd":
|
||||
return nil, nil
|
||||
case "/run/user/1971/pulse":
|
||||
return nil, nil
|
||||
case "/run/user/1971/pulse/native":
|
||||
return stubFileInfoMode(0666), nil
|
||||
case "/home/ophestra/.pulse-cookie":
|
||||
return stubFileInfoIsDir(true), nil
|
||||
case "/home/ophestra/xdg/config/pulse/cookie":
|
||||
return stubFileInfoIsDir(false), nil
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to stat unexpected path %q", name))
|
||||
}
|
||||
|
@ -311,3 +586,7 @@ func (s *stubNixOS) Paths() internal.Paths {
|
|||
RunDirPath: "/run/user/1971/fortify",
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) SdBooted() bool {
|
||||
return true
|
||||
}
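Review bot: The new "nixos permissive defaults chromium" case repeats the roughly two hundred `Bind`/`Symlink` lines of the preceding case almost verbatim, differing only in the app id, uid and dbus configs; a helper that builds the shared NixOS mount table from those parameters would keep both fixtures in step when the sandbox layout changes. In the `Stat` stub, the new `"/run/user/1971/pulse"` case returns `nil, nil` like the existing `/var/run/nscd` case, which is a nil interface with no error and will panic any caller that touches the returned `FileInfo`; if the code under test only checks `err == nil` that contract deserves a comment, otherwise return a stub such as `stubFileInfoIsDir(true), nil`. Both the test table and `Stat` start outside the visible hunks.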
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"io/fs"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
|
@ -79,3 +80,55 @@ func (p stubDirEntryPath) Type() fs.FileMode {
|
|||
func (p stubDirEntryPath) Info() (fs.FileInfo, error) {
|
||||
panic("attempted to call Info")
|
||||
}
|
||||
|
||||
type stubFileInfoMode fs.FileMode
|
||||
|
||||
func (s stubFileInfoMode) Name() string {
|
||||
panic("attempted to call Name")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) Size() int64 {
|
||||
panic("attempted to call Size")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) Mode() fs.FileMode {
|
||||
return fs.FileMode(s)
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) ModTime() time.Time {
|
||||
panic("attempted to call ModTime")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) IsDir() bool {
|
||||
panic("attempted to call IsDir")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) Sys() any {
|
||||
panic("attempted to call Sys")
|
||||
}
|
||||
|
||||
type stubFileInfoIsDir bool
|
||||
|
||||
func (s stubFileInfoIsDir) Name() string {
|
||||
panic("attempted to call Name")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) Size() int64 {
|
||||
panic("attempted to call Size")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) Mode() fs.FileMode {
|
||||
panic("attempted to call Mode")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) ModTime() time.Time {
|
||||
panic("attempted to call ModTime")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) IsDir() bool {
|
||||
return bool(s)
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) Sys() any {
|
||||
panic("attempted to call Sys")
|
||||
}
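Review bot: `stubFileInfoMode.IsDir` panics even though the value carries a mode, so a caller that follows the `fs.FileInfo` contract (`IsDir` is documented as an abbreviation for `Mode().IsDir()`) trips the stub for no reason; `return fs.FileMode(s).IsDir()` keeps the stub strict only for the methods it genuinely cannot answer. A one-line doc comment on each type naming the single method it answers (`// stubFileInfoMode is a FileInfo that only answers Mode.`, `// stubFileInfoIsDir is a FileInfo that only answers IsDir.`) would make the intentional panics read as design rather than omission.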
|
||||
|
|
|
@ -108,7 +108,7 @@ func (a *app) Seal(config *Config) error {
|
|||
}
|
||||
case method[LaunchMethodMachineCtl]:
|
||||
seal.launchOption = LaunchMethodMachineCtl
|
||||
if !internal.SdBootedV {
|
||||
if !a.os.SdBooted() {
|
||||
return fmsg.WrapError(ErrSystemd,
|
||||
"system has not been booted with systemd as init system")
|
||||
}
|
||||
|
|
|
@ -61,6 +61,9 @@ func (a *app) Start() error {
|
|||
|
||||
Verbose: fmsg.Verbose(),
|
||||
},
|
||||
// checkPid is impossible at the moment since there is no reliable way to obtain shim's pid
|
||||
// this feature is disabled here until sudo is replaced by fortify suid wrapper
|
||||
false,
|
||||
)
|
||||
|
||||
// startup will go ahead, commit system setup
|
||||
|
@ -105,7 +108,7 @@ type StateStoreError struct {
|
|||
}
|
||||
|
||||
func (e *StateStoreError) equiv(a ...any) error {
|
||||
if e.Inner == true && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
|
||||
if e.Inner && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
|
||||
return nil
|
||||
} else {
|
||||
return fmsg.WrapErrorSuffix(e, a...)
|
||||
|
@ -151,6 +154,11 @@ func (a *app) Wait() (int, error) {
|
|||
a.lock.Lock()
|
||||
defer a.lock.Unlock()
|
||||
|
||||
if a.shim == nil {
|
||||
fmsg.VPrintln("shim not initialised, skipping cleanup")
|
||||
return 1, nil
|
||||
}
|
||||
|
||||
var r int
|
||||
|
||||
if cmd := a.shim.Unwrap(); cmd == nil {
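Review bot: The new `a.shim == nil` guard in `Wait` returns `1, nil`, so a caller that never reached `Start` gets a failure exit code with no error to inspect and cannot tell it apart from a shim that genuinely exited with status 1; returning an error (a package sentinel, name to be chosen, or at least a doc comment on `Wait` stating the `1, nil` contract) would be clearer. The `checkPid` explanation added at the `Start` call site would be more useful next to the `Shim` field it disables, since that is where the next reader will look for it. `Wait` continues outside the hunk.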
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
package internal
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io/fs"
|
||||
"os"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
const (
|
||||
systemdCheckPath = "/run/systemd/system"
|
||||
)
|
||||
|
||||
var SdBootedV = func() bool {
|
||||
if v, err := SdBooted(); err != nil {
|
||||
fmsg.Println("cannot read systemd marker:", err)
|
||||
return false
|
||||
} else {
|
||||
return v
|
||||
}
|
||||
}()
|
||||
|
||||
// SdBooted implements https://www.freedesktop.org/software/systemd/man/sd_booted.html
|
||||
func SdBooted() (bool, error) {
|
||||
_, err := os.Stat(systemdCheckPath)
|
||||
if err != nil {
|
||||
if errors.Is(err, fs.ErrNotExist) {
|
||||
err = nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
|
@ -37,10 +37,8 @@ type Shim struct {
|
|||
payload *Payload
|
||||
}
|
||||
|
||||
func New(executable string, uid uint32, socket string, wl *Wayland, payload *Payload) *Shim {
|
||||
// checkPid is impossible at the moment since there is no way to obtain shim's pid
|
||||
// this feature is disabled here until sudo is replaced by fortify suid wrapper
|
||||
return &Shim{uid: uid, executable: executable, socket: socket, wl: wl, payload: payload}
|
||||
func New(executable string, uid uint32, socket string, wl *Wayland, payload *Payload, checkPid bool) *Shim {
|
||||
return &Shim{uid: uid, executable: executable, socket: socket, wl: wl, payload: payload, checkPid: checkPid}
|
||||
}
|
||||
|
||||
func (s *Shim) String() string {
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package internal
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io/fs"
|
||||
"os"
|
||||
"os/exec"
|
||||
|
@ -37,6 +38,8 @@ type System interface {
|
|||
|
||||
// Paths returns a populated [Paths] struct.
|
||||
Paths() Paths
|
||||
// SdBooted implements https://www.freedesktop.org/software/systemd/man/sd_booted.html
|
||||
SdBooted() bool
|
||||
}
|
||||
|
||||
// Paths contains environment dependent paths used by fortify.
|
||||
|
@ -71,46 +74,21 @@ func CopyPaths(os System, v *Paths) {
|
|||
type Std struct {
|
||||
paths Paths
|
||||
pathsOnce sync.Once
|
||||
|
||||
sdBooted bool
|
||||
sdBootedOnce sync.Once
|
||||
}
|
||||
|
||||
func (s *Std) Geteuid() int {
|
||||
return os.Geteuid()
|
||||
}
|
||||
|
||||
func (s *Std) LookupEnv(key string) (string, bool) {
|
||||
return os.LookupEnv(key)
|
||||
}
|
||||
|
||||
func (s *Std) TempDir() string {
|
||||
return os.TempDir()
|
||||
}
|
||||
|
||||
func (s *Std) LookPath(file string) (string, error) {
|
||||
return exec.LookPath(file)
|
||||
}
|
||||
|
||||
func (s *Std) Executable() (string, error) {
|
||||
return os.Executable()
|
||||
}
|
||||
|
||||
func (s *Std) Lookup(username string) (*user.User, error) {
|
||||
return user.Lookup(username)
|
||||
}
|
||||
|
||||
func (s *Std) ReadDir(name string) ([]os.DirEntry, error) {
|
||||
return os.ReadDir(name)
|
||||
}
|
||||
|
||||
func (s *Std) Stat(name string) (fs.FileInfo, error) {
|
||||
return os.Stat(name)
|
||||
}
|
||||
|
||||
func (s *Std) Open(name string) (fs.File, error) {
|
||||
return os.Open(name)
|
||||
}
|
||||
func (s *Std) Exit(code int) {
|
||||
fmsg.Exit(code)
|
||||
}
|
||||
func (s *Std) Geteuid() int { return os.Geteuid() }
|
||||
func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) }
|
||||
func (s *Std) TempDir() string { return os.TempDir() }
|
||||
func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) }
|
||||
func (s *Std) Executable() (string, error) { return os.Executable() }
|
||||
func (s *Std) Lookup(username string) (*user.User, error) { return user.Lookup(username) }
|
||||
func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) }
|
||||
func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) }
|
||||
func (s *Std) Open(name string) (fs.File, error) { return os.Open(name) }
|
||||
func (s *Std) Exit(code int) { fmsg.Exit(code) }
|
||||
|
||||
const xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
||||
|
||||
|
@ -118,3 +96,31 @@ func (s *Std) Paths() Paths {
|
|||
s.pathsOnce.Do(func() { CopyPaths(s, &s.paths) })
|
||||
return s.paths
|
||||
}
|
||||
|
||||
func (s *Std) SdBooted() bool {
|
||||
s.sdBootedOnce.Do(func() { s.sdBooted = copySdBooted() })
|
||||
return s.sdBooted
|
||||
}
|
||||
|
||||
const systemdCheckPath = "/run/systemd/system"
|
||||
|
||||
func copySdBooted() bool {
|
||||
if v, err := sdBooted(); err != nil {
|
||||
fmsg.Println("cannot read systemd marker:", err)
|
||||
return false
|
||||
} else {
|
||||
return v
|
||||
}
|
||||
}
|
||||
|
||||
func sdBooted() (bool, error) {
|
||||
_, err := os.Stat(systemdCheckPath)
|
||||
if err != nil {
|
||||
if errors.Is(err, fs.ErrNotExist) {
|
||||
err = nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
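Review bot: `Std.SdBooted` reports false both when the systemd marker is absent and when `os.Stat` fails for any other reason, with the latter only logged by `copySdBooted`; the interface comment at `SdBooted() bool` points to sd_booted(3) but does not say this, so a caller choosing a launch method sees an unexplained fallback on, say, a permission error. A doc comment on the method such as `// SdBooted reports whether the system was booted with systemd as init; stat errors other than ENOENT are logged and reported as false, and the result is cached for the lifetime of s.` would close that gap. Since `Std` now holds two `sync.Once` values it must not be copied after first use, which is worth one line on the type (`go vet`'s copylocks check flags value copies).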
|
||||
|
|
|
@ -12,6 +12,14 @@ var (
|
|||
ErrDBusConfig = errors.New("dbus config not supplied")
|
||||
)
|
||||
|
||||
func (sys *I) MustProxyDBus(sessionPath string, session *dbus.Config, systemPath string, system *dbus.Config) *I {
|
||||
if err := sys.ProxyDBus(session, system, sessionPath, systemPath); err != nil {
|
||||
panic(err.Error())
|
||||
} else {
|
||||
return sys
|
||||
}
|
||||
}
|
||||
|
||||
func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath string) error {
|
||||
d := new(DBus)
|
||||
|
||||
|
@ -144,7 +152,9 @@ func (d *DBus) revert(_ *I, _ *Criteria) error {
|
|||
|
||||
func (d *DBus) Is(o Op) bool {
|
||||
d0, ok := o.(*DBus)
|
||||
return ok && d0 != nil && *d == *d0
|
||||
return ok && d0 != nil &&
|
||||
((d.proxy == nil && d0.proxy == nil) ||
|
||||
(d.proxy != nil && d0.proxy != nil && d.proxy.String() == d0.proxy.String()))
|
||||
}
|
||||
|
||||
func (d *DBus) Path() string {
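Review bot: `MustProxyDBus` panics with `err.Error()`, discarding the error value so a recovering caller cannot apply `errors.Is`/`errors.As` to it; `panic(err)` preserves the value and prints the same message. The helper lives in the production `system` package although its only visible use is the test fixture, so a comment stating it is intended for tests would keep `Must`-style panics out of runtime paths. The rewritten `Is` now compares `proxy.String()` instead of the whole struct, so two ops are equal exactly when their proxies render identically; if `String()` omits any field that matters for identity (not visible here) the comparison silently widens, which a short comment on `Is` should state.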
|
||||
|
|
3
main.go
3
main.go
|
@ -30,7 +30,7 @@ func main() {
|
|||
flag.Parse()
|
||||
fmsg.SetVerbose(flagVerbose)
|
||||
|
||||
if internal.SdBootedV {
|
||||
if os.SdBooted() {
|
||||
fmsg.VPrintln("system booted with systemd as init system")
|
||||
}
|
||||
|
||||
|
@ -58,6 +58,7 @@ func main() {
|
|||
fmsg.Fatalf("cannot create app: %s\n", err)
|
||||
} else if err = a.Seal(loadConfig()); err != nil {
|
||||
logBaseError(err, "cannot seal app:")
|
||||
fmsg.Exit(1)
|
||||
} else if err = a.Start(); err != nil {
|
||||
logBaseError(err, "cannot start app:")
|
||||
}
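Review bot: After `a.Seal` fails the new `fmsg.Exit(1)` terminates, but the parallel `a.Start` failure branch just below only logs, so unless code after this hunk exits on that path the process carries on with a partially started app; if falling through to `Wait` is intended there, a comment on the `Start` branch saying so stops the asymmetry being read as an omission. `main` continues outside the hunk.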
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
|
||||
buildGoModule rec {
|
||||
pname = "fortify";
|
||||
version = "0.0.9";
|
||||
version = "0.0.10";
|
||||
|
||||
src = ./.;
|
||||
vendorHash = null;
|
||||
|
@ -20,6 +20,8 @@ buildGoModule rec {
|
|||
"-w"
|
||||
"-X"
|
||||
"main.Version=v${version}"
|
||||
"-X"
|
||||
"main.FortifyPath=${placeholder "out"}/bin/.fortify-wrapped"
|
||||
];
|
||||
|
||||
buildInputs = [
|
||||
|
@ -36,5 +38,7 @@ buildGoModule rec {
|
|||
xdg-dbus-proxy
|
||||
]
|
||||
}
|
||||
|
||||
mv $out/bin/fsu $out/bin/.fsu
|
||||
'';
|
||||
}
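Review bot: The derivation now moves `fsu` to `$out/bin/.fsu` and bakes `main.FortifyPath` to `.fortify-wrapped`, but nothing in the visible hunks sets the uid-0 ownership and setuid bit that fsu's own startup check requires; the Nix store cannot carry setuid bits, so presumably a wrapper mechanism elsewhere in the module handles `.fsu`, and a comment next to the `mv` line naming it would stop readers from assuming the package alone is sufficient. The `.fortify-wrapped` name in the ldflags also couples fsu's parent-executable check to whatever tooling produces that wrapper, which the same comment could record.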
|
||||
|
|