Compare commits
No commits in common. "cfd05b10f17388fcc088c28e4a5fdd70a6182b44" and "563c39c2d9fd932b4d839fa7713f98a36dba03ec" have entirely different histories.
cfd05b10f1
...
563c39c2d9
|
@ -30,14 +30,8 @@ jobs:
|
||||||
|
|
||||||
- name: Build for Linux
|
- name: Build for Linux
|
||||||
run: >-
|
run: >-
|
||||||
go build -v -ldflags '-s -w
|
sh -c "go build -v -ldflags '-s -w -X main.Version=${{ github.ref_name }}' -o bin/fortify &&
|
||||||
-X git.ophivana.moe/security/fortify/internal.Version=${{ github.ref_name }}
|
sha256sum --tag -b bin/fortify > bin/fortify.sha256"
|
||||||
-X git.ophivana.moe/security/fortify/internal.Fsu=/usr/bin/fsu
|
|
||||||
-X git.ophivana.moe/security/fortify/internal.Fshim=/usr/libexec/fortify/fshim
|
|
||||||
-X git.ophivana.moe/security/fortify/internal.Finit=/usr/libexec/fortify/finit
|
|
||||||
-X main.Fmain=/usr/bin/fortify'
|
|
||||||
-o bin/ ./... &&
|
|
||||||
(cd bin && sha512sum --tag -b * > sha512sums)
|
|
||||||
|
|
||||||
- name: Release
|
- name: Release
|
||||||
id: use-go-action
|
id: use-go-action
|
||||||
|
|
|
@ -33,11 +33,5 @@ jobs:
|
||||||
|
|
||||||
- name: Build for Linux
|
- name: Build for Linux
|
||||||
run: >-
|
run: >-
|
||||||
go build -v -ldflags '-s -w
|
sh -c "go build -v -ldflags '-s -w -X main.Version=${{ github.ref_name }}' -o bin/fortify &&
|
||||||
-X git.ophivana.moe/security/fortify/internal.Version=${{ github.ref_name }}
|
sha256sum --tag -b bin/fortify > bin/fortify.sha256"
|
||||||
-X git.ophivana.moe/security/fortify/internal.Fsu=/usr/bin/fsu
|
|
||||||
-X git.ophivana.moe/security/fortify/internal.Fshim=/usr/libexec/fortify/fshim
|
|
||||||
-X git.ophivana.moe/security/fortify/internal.Finit=/usr/libexec/fortify/finit
|
|
||||||
-X main.Fmain=/usr/bin/fortify'
|
|
||||||
-o bin/ ./... &&
|
|
||||||
(cd bin && sha512sum --tag -b * > sha512sums)
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
// Package acl implements simple ACL manipulation via libacl.
|
|
||||||
package acl
|
package acl
|
||||||
|
|
||||||
import "unsafe"
|
import "unsafe"
|
||||||
|
|
|
@ -11,13 +11,15 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
|
|
||||||
fsuConfFile = "/etc/fsurc"
|
fsuConfFile = "/etc/fsurc"
|
||||||
envShim = "FORTIFY_SHIM"
|
envShim = "FORTIFY_SHIM"
|
||||||
envAID = "FORTIFY_APP_ID"
|
envAID = "FORTIFY_APP_ID"
|
||||||
|
|
||||||
|
fpPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
|
||||||
)
|
)
|
||||||
|
|
||||||
var Fmain = compPoison
|
// FortifyPath is the path to fortify, set at compile time.
|
||||||
|
var FortifyPath = fpPoison
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
log.SetFlags(0)
|
log.SetFlags(0)
|
||||||
|
@ -33,11 +35,9 @@ func main() {
|
||||||
log.Fatal("this program must not be started by root")
|
log.Fatal("this program must not be started by root")
|
||||||
}
|
}
|
||||||
|
|
||||||
var fmain string
|
// validate compiled in fortify path
|
||||||
if p, ok := checkPath(Fmain); !ok {
|
if FortifyPath == fpPoison || !path.IsAbs(FortifyPath) {
|
||||||
log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
|
log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
|
||||||
} else {
|
|
||||||
fmain = p
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
|
pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
|
||||||
|
@ -45,7 +45,7 @@ func main() {
|
||||||
log.Fatalf("cannot read parent executable path: %v", err)
|
log.Fatalf("cannot read parent executable path: %v", err)
|
||||||
} else if strings.HasSuffix(p, " (deleted)") {
|
} else if strings.HasSuffix(p, " (deleted)") {
|
||||||
log.Fatal("fortify executable has been deleted")
|
log.Fatal("fortify executable has been deleted")
|
||||||
} else if p != fmain {
|
} else if p != FortifyPath {
|
||||||
log.Fatal("this program must be started by fortify")
|
log.Fatal("this program must be started by fortify")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -86,7 +86,7 @@ func main() {
|
||||||
if err := syscall.Setresuid(uid, uid, uid); err != nil {
|
if err := syscall.Setresuid(uid, uid, uid); err != nil {
|
||||||
log.Fatalf("cannot set uid: %v", err)
|
log.Fatalf("cannot set uid: %v", err)
|
||||||
}
|
}
|
||||||
if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
|
if err := syscall.Exec(FortifyPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
|
||||||
log.Fatalf("cannot start shim: %v", err)
|
log.Fatalf("cannot start shim: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -138,7 +138,3 @@ func parseConfig(p string, puid int) (fid int, ok bool) {
|
||||||
return -1, false
|
return -1, false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkPath(p string) (string, bool) {
|
|
||||||
return p, p != compPoison && p != "" && path.IsAbs(p)
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
// Package dbus wraps xdg-dbus-proxy and implements configuration and sandboxing of the underlying helper process.
|
|
||||||
package dbus
|
package dbus
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
// Package helper runs external helpers with optional sandboxing and manages their status/args pipes.
|
/*
|
||||||
|
Package helper runs external helpers and manages their status and args FDs.
|
||||||
|
*/
|
||||||
package helper
|
package helper
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
|
|
@ -3,8 +3,8 @@ package app
|
||||||
import (
|
import (
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
"git.ophivana.moe/security/fortify/internal/shim"
|
||||||
)
|
)
|
||||||
|
|
||||||
type App interface {
|
type App interface {
|
||||||
|
@ -25,7 +25,7 @@ type app struct {
|
||||||
// application unique identifier
|
// application unique identifier
|
||||||
id *ID
|
id *ID
|
||||||
// operating system interface
|
// operating system interface
|
||||||
os linux.System
|
os internal.System
|
||||||
// shim process manager
|
// shim process manager
|
||||||
shim *shim.Shim
|
shim *shim.Shim
|
||||||
// child process related information
|
// child process related information
|
||||||
|
@ -63,7 +63,7 @@ func (a *app) WaitErr() error {
|
||||||
return a.waitErr
|
return a.waitErr
|
||||||
}
|
}
|
||||||
|
|
||||||
func New(os linux.System) (App, error) {
|
func New(os internal.System) (App, error) {
|
||||||
a := new(app)
|
a := new(app)
|
||||||
a.id = new(ID)
|
a.id = new(ID)
|
||||||
a.os = os
|
a.os = os
|
||||||
|
|
|
@ -9,8 +9,8 @@ import (
|
||||||
"git.ophivana.moe/security/fortify/acl"
|
"git.ophivana.moe/security/fortify/acl"
|
||||||
"git.ophivana.moe/security/fortify/dbus"
|
"git.ophivana.moe/security/fortify/dbus"
|
||||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||||
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/app"
|
"git.ophivana.moe/security/fortify/internal/app"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -47,7 +47,7 @@ var testCasesNixos = []sealTestCase{
|
||||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||||
"TERM": "xterm-256color",
|
"TERM": "xterm-256color",
|
||||||
"USER": "chronos",
|
"USER": "chronos",
|
||||||
"XDG_RUNTIME_DIR": "/run/user/65534",
|
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||||
"XDG_SESSION_CLASS": "user",
|
"XDG_SESSION_CLASS": "user",
|
||||||
"XDG_SESSION_TYPE": "tty"},
|
"XDG_SESSION_TYPE": "tty"},
|
||||||
Chmod: make(bwrap.ChmodConfig),
|
Chmod: make(bwrap.ChmodConfig),
|
||||||
|
@ -183,7 +183,7 @@ var testCasesNixos = []sealTestCase{
|
||||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||||
Tmpfs("/run/user", 1048576).
|
Tmpfs("/run/user", 1048576).
|
||||||
Tmpfs("/run/user/65534", 8388608).
|
Tmpfs("/run/user/150", 8388608).
|
||||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
|
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
|
||||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
|
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
|
||||||
Tmpfs("/var/run/nscd", 8192),
|
Tmpfs("/var/run/nscd", 8192),
|
||||||
|
@ -287,16 +287,16 @@ var testCasesNixos = []sealTestCase{
|
||||||
UserNS: true,
|
UserNS: true,
|
||||||
Clearenv: true,
|
Clearenv: true,
|
||||||
SetEnv: map[string]string{
|
SetEnv: map[string]string{
|
||||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
|
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/150/bus",
|
||||||
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
||||||
"HOME": "/home/chronos",
|
"HOME": "/home/chronos",
|
||||||
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
||||||
"PULSE_SERVER": "unix:/run/user/65534/pulse/native",
|
"PULSE_SERVER": "unix:/run/user/150/pulse/native",
|
||||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||||
"TERM": "xterm-256color",
|
"TERM": "xterm-256color",
|
||||||
"USER": "chronos",
|
"USER": "chronos",
|
||||||
"WAYLAND_DISPLAY": "/run/user/65534/wayland-0",
|
"WAYLAND_DISPLAY": "/run/user/150/wayland-0",
|
||||||
"XDG_RUNTIME_DIR": "/run/user/65534",
|
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||||
"XDG_SESSION_CLASS": "user",
|
"XDG_SESSION_CLASS": "user",
|
||||||
"XDG_SESSION_TYPE": "tty",
|
"XDG_SESSION_TYPE": "tty",
|
||||||
},
|
},
|
||||||
|
@ -434,13 +434,13 @@ var testCasesNixos = []sealTestCase{
|
||||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||||
Tmpfs("/run/user", 1048576).
|
Tmpfs("/run/user", 1048576).
|
||||||
Tmpfs("/run/user/65534", 8388608).
|
Tmpfs("/run/user/150", 8388608).
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
||||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0").
|
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/150/wayland-0").
|
||||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
|
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/150/pulse/native").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/150/bus").
|
||||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
||||||
Tmpfs("/var/run/nscd", 8192),
|
Tmpfs("/var/run/nscd", 8192),
|
||||||
},
|
},
|
||||||
|
@ -579,12 +579,8 @@ func (s *stubNixOS) Exit(code int) {
|
||||||
panic("called exit on stub with code " + strconv.Itoa(code))
|
panic("called exit on stub with code " + strconv.Itoa(code))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *stubNixOS) FshimPath() string {
|
func (s *stubNixOS) Paths() internal.Paths {
|
||||||
return "/nix/store/00000000000000000000000000000000-fortify-0.0.10/bin/.fshim"
|
return internal.Paths{
|
||||||
}
|
|
||||||
|
|
||||||
func (s *stubNixOS) Paths() linux.Paths {
|
|
||||||
return linux.Paths{
|
|
||||||
SharePath: "/tmp/fortify.1971",
|
SharePath: "/tmp/fortify.1971",
|
||||||
RuntimePath: "/run/user/1971",
|
RuntimePath: "/run/user/1971",
|
||||||
RunDirPath: "/run/user/1971/fortify",
|
RunDirPath: "/run/user/1971/fortify",
|
||||||
|
|
|
@ -7,14 +7,14 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||||
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/app"
|
"git.ophivana.moe/security/fortify/internal/app"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
type sealTestCase struct {
|
type sealTestCase struct {
|
||||||
name string
|
name string
|
||||||
os linux.System
|
os internal.System
|
||||||
config *app.Config
|
config *app.Config
|
||||||
id app.ID
|
id app.ID
|
||||||
wantSys *system.I
|
wantSys *system.I
|
||||||
|
|
|
@ -49,8 +49,6 @@ type SandboxConfig struct {
|
||||||
Net bool `json:"net,omitempty"`
|
Net bool `json:"net,omitempty"`
|
||||||
// do not run in new session
|
// do not run in new session
|
||||||
NoNewSession bool `json:"no_new_session,omitempty"`
|
NoNewSession bool `json:"no_new_session,omitempty"`
|
||||||
// map target user uid to privileged user uid in the user namespace
|
|
||||||
UseRealUID bool `json:"use_real_uid"`
|
|
||||||
// mediated access to wayland socket
|
// mediated access to wayland socket
|
||||||
Wayland bool `json:"wayland,omitempty"`
|
Wayland bool `json:"wayland,omitempty"`
|
||||||
|
|
||||||
|
@ -79,15 +77,11 @@ type FilesystemConfig struct {
|
||||||
|
|
||||||
// Bwrap returns the address of the corresponding bwrap.Config to s.
|
// Bwrap returns the address of the corresponding bwrap.Config to s.
|
||||||
// Note that remaining tmpfs entries must be queued by the caller prior to launch.
|
// Note that remaining tmpfs entries must be queued by the caller prior to launch.
|
||||||
func (s *SandboxConfig) Bwrap(uid int) *bwrap.Config {
|
func (s *SandboxConfig) Bwrap() *bwrap.Config {
|
||||||
if s == nil {
|
if s == nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if !s.UseRealUID {
|
|
||||||
uid = 65534
|
|
||||||
}
|
|
||||||
|
|
||||||
conf := (&bwrap.Config{
|
conf := (&bwrap.Config{
|
||||||
Net: s.Net,
|
Net: s.Net,
|
||||||
UserNS: s.UserNS,
|
UserNS: s.UserNS,
|
||||||
|
@ -101,7 +95,7 @@ func (s *SandboxConfig) Bwrap(uid int) *bwrap.Config {
|
||||||
// initialise map
|
// initialise map
|
||||||
Chmod: make(map[string]os.FileMode),
|
Chmod: make(map[string]os.FileMode),
|
||||||
}).
|
}).
|
||||||
SetUID(uid).SetGID(uid).
|
SetUID(65534).SetGID(65534).
|
||||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||||
Tmpfs("/dev/fortify", 4*1024)
|
Tmpfs("/dev/fortify", 4*1024)
|
||||||
|
|
||||||
|
|
|
@ -2,11 +2,11 @@ package app
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
func NewWithID(id ID, os linux.System) App {
|
func NewWithID(id ID, os internal.System) App {
|
||||||
a := new(app)
|
a := new(app)
|
||||||
a.id = &id
|
a.id = &id
|
||||||
a.os = os
|
a.os = os
|
||||||
|
|
|
@ -47,8 +47,8 @@ func (a *app) commandBuilderMachineCtl(shimEnv string) (args []string) {
|
||||||
}
|
}
|
||||||
innerCommand.WriteString("; ")
|
innerCommand.WriteString("; ")
|
||||||
|
|
||||||
// launch fortify shim
|
// launch fortify as shim
|
||||||
innerCommand.WriteString("exec " + a.os.FshimPath())
|
innerCommand.WriteString("exec " + a.seal.sys.executable + " shim")
|
||||||
|
|
||||||
// append inner command
|
// append inner command
|
||||||
args = append(args, innerCommand.String())
|
args = append(args, innerCommand.String())
|
||||||
|
|
|
@ -24,7 +24,7 @@ func (a *app) commandBuilderSudo(shimEnv string) (args []string) {
|
||||||
args = append(args, shimEnv)
|
args = append(args, shimEnv)
|
||||||
|
|
||||||
// -- $@
|
// -- $@
|
||||||
args = append(args, "--", a.os.FshimPath())
|
args = append(args, "--", a.seal.sys.executable, "shim")
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,10 +7,10 @@ import (
|
||||||
"path"
|
"path"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
|
|
||||||
"git.ophivana.moe/security/fortify/dbus"
|
"git.ophivana.moe/security/fortify/dbus"
|
||||||
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
"git.ophivana.moe/security/fortify/internal/shim"
|
||||||
"git.ophivana.moe/security/fortify/internal/state"
|
"git.ophivana.moe/security/fortify/internal/state"
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
@ -41,8 +41,6 @@ type appSeal struct {
|
||||||
id string
|
id string
|
||||||
// wayland mediation, disabled if nil
|
// wayland mediation, disabled if nil
|
||||||
wl *shim.Wayland
|
wl *shim.Wayland
|
||||||
// dbus proxy message buffer retriever
|
|
||||||
dbusMsg func(f func(msgbuf []string))
|
|
||||||
|
|
||||||
// freedesktop application ID
|
// freedesktop application ID
|
||||||
fid string
|
fid string
|
||||||
|
@ -68,7 +66,7 @@ type appSeal struct {
|
||||||
// seal system-level component
|
// seal system-level component
|
||||||
sys *appSealSys
|
sys *appSealSys
|
||||||
|
|
||||||
linux.Paths
|
internal.Paths
|
||||||
|
|
||||||
// protected by upstream mutex
|
// protected by upstream mutex
|
||||||
}
|
}
|
||||||
|
@ -129,14 +127,12 @@ func (a *app) Seal(config *Config) error {
|
||||||
// create seal system component
|
// create seal system component
|
||||||
seal.sys = new(appSealSys)
|
seal.sys = new(appSealSys)
|
||||||
|
|
||||||
// mapped uid
|
// look up fortify executable path
|
||||||
if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.UseRealUID {
|
if p, err := a.os.Executable(); err != nil {
|
||||||
seal.sys.mappedID = a.os.Geteuid()
|
return fmsg.WrapErrorSuffix(err, "cannot look up fortify executable path:")
|
||||||
} else {
|
} else {
|
||||||
seal.sys.mappedID = 65534
|
seal.sys.executable = p
|
||||||
}
|
}
|
||||||
seal.sys.mappedIDString = strconv.Itoa(seal.sys.mappedID)
|
|
||||||
seal.sys.runtime = path.Join("/run/user", seal.sys.mappedIDString)
|
|
||||||
|
|
||||||
// look up user from system
|
// look up user from system
|
||||||
if u, err := a.os.Lookup(config.User); err != nil {
|
if u, err := a.os.Lookup(config.User); err != nil {
|
||||||
|
@ -148,6 +144,7 @@ func (a *app) Seal(config *Config) error {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
seal.sys.user = u
|
seal.sys.user = u
|
||||||
|
seal.sys.runtime = path.Join("/run/user", u.Uid)
|
||||||
}
|
}
|
||||||
|
|
||||||
// map sandbox config to bwrap
|
// map sandbox config to bwrap
|
||||||
|
@ -236,7 +233,7 @@ func (a *app) Seal(config *Config) error {
|
||||||
|
|
||||||
config.Confinement.Sandbox = conf
|
config.Confinement.Sandbox = conf
|
||||||
}
|
}
|
||||||
seal.sys.bwrap = config.Confinement.Sandbox.Bwrap(a.os.Geteuid())
|
seal.sys.bwrap = config.Confinement.Sandbox.Bwrap()
|
||||||
seal.sys.override = config.Confinement.Sandbox.Override
|
seal.sys.override = config.Confinement.Sandbox.Override
|
||||||
if seal.sys.bwrap.SetEnv == nil {
|
if seal.sys.bwrap.SetEnv == nil {
|
||||||
seal.sys.bwrap.SetEnv = make(map[string]string)
|
seal.sys.bwrap.SetEnv = make(map[string]string)
|
||||||
|
|
|
@ -22,10 +22,8 @@ func (seal *appSeal) shareDBus(config [2]*dbus.Config) error {
|
||||||
sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
|
sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
|
||||||
|
|
||||||
// configure dbus proxy
|
// configure dbus proxy
|
||||||
if f, err := seal.sys.ProxyDBus(config[0], config[1], sessionPath, systemPath); err != nil {
|
if err := seal.sys.ProxyDBus(config[0], config[1], sessionPath, systemPath); err != nil {
|
||||||
return err
|
return err
|
||||||
} else {
|
|
||||||
seal.dbusMsg = f
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// share proxy sockets
|
// share proxy sockets
|
||||||
|
|
|
@ -5,8 +5,8 @@ import (
|
||||||
"path"
|
"path"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/acl"
|
"git.ophivana.moe/security/fortify/acl"
|
||||||
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -23,7 +23,7 @@ var (
|
||||||
ErrXDisplay = errors.New(display + " unset")
|
ErrXDisplay = errors.New(display + " unset")
|
||||||
)
|
)
|
||||||
|
|
||||||
func (seal *appSeal) shareDisplay(os linux.System) error {
|
func (seal *appSeal) shareDisplay(os internal.System) error {
|
||||||
// pass $TERM to launcher
|
// pass $TERM to launcher
|
||||||
if t, ok := os.LookupEnv(term); ok {
|
if t, ok := os.LookupEnv(term); ok {
|
||||||
seal.sys.bwrap.SetEnv[term] = t
|
seal.sys.bwrap.SetEnv[term] = t
|
||||||
|
|
|
@ -6,8 +6,8 @@ import (
|
||||||
"io/fs"
|
"io/fs"
|
||||||
"path"
|
"path"
|
||||||
|
|
||||||
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ var (
|
||||||
ErrPulseMode = errors.New("unexpected pulse socket mode")
|
ErrPulseMode = errors.New("unexpected pulse socket mode")
|
||||||
)
|
)
|
||||||
|
|
||||||
func (seal *appSeal) sharePulse(os linux.System) error {
|
func (seal *appSeal) sharePulse(os internal.System) error {
|
||||||
if !seal.et.Has(system.EPulse) {
|
if !seal.et.Has(system.EPulse) {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -78,7 +78,7 @@ func (seal *appSeal) sharePulse(os linux.System) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
|
// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
|
||||||
func discoverPulseCookie(os linux.System) (string, error) {
|
func discoverPulseCookie(os internal.System) (string, error) {
|
||||||
if p, ok := os.LookupEnv(pulseCookie); ok {
|
if p, ok := os.LookupEnv(pulseCookie); ok {
|
||||||
return p, nil
|
return p, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,7 +4,7 @@ import (
|
||||||
"path"
|
"path"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/acl"
|
"git.ophivana.moe/security/fortify/acl"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ func (seal *appSeal) shareSystem() {
|
||||||
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (seal *appSeal) sharePasswd(os linux.System) {
|
func (seal *appSeal) sharePasswd(os internal.System) {
|
||||||
// look up shell
|
// look up shell
|
||||||
sh := "/bin/sh"
|
sh := "/bin/sh"
|
||||||
if s, ok := os.LookupEnv(shell); ok {
|
if s, ok := os.LookupEnv(shell); ok {
|
||||||
|
@ -58,12 +58,12 @@ func (seal *appSeal) sharePasswd(os linux.System) {
|
||||||
homeDir = seal.sys.user.HomeDir
|
homeDir = seal.sys.user.HomeDir
|
||||||
seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
|
seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
|
||||||
}
|
}
|
||||||
passwd := username + ":x:" + seal.sys.mappedIDString + ":" + seal.sys.mappedIDString + ":Fortify:" + homeDir + ":" + sh + "\n"
|
passwd := username + ":x:65534:65534:Fortify:" + homeDir + ":" + sh + "\n"
|
||||||
seal.sys.Write(passwdPath, passwd)
|
seal.sys.Write(passwdPath, passwd)
|
||||||
|
|
||||||
// write /etc/group
|
// write /etc/group
|
||||||
groupPath := path.Join(seal.share, "group")
|
groupPath := path.Join(seal.share, "group")
|
||||||
seal.sys.Write(groupPath, "fortify:x:"+seal.sys.mappedIDString+":\n")
|
seal.sys.Write(groupPath, "fortify:x:65534:\n")
|
||||||
|
|
||||||
// bind /etc/passwd and /etc/group
|
// bind /etc/passwd and /etc/group
|
||||||
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
||||||
|
|
|
@ -8,10 +8,9 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
|
|
||||||
"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
|
|
||||||
"git.ophivana.moe/security/fortify/helper"
|
"git.ophivana.moe/security/fortify/helper"
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
|
"git.ophivana.moe/security/fortify/internal/shim"
|
||||||
"git.ophivana.moe/security/fortify/internal/state"
|
"git.ophivana.moe/security/fortify/internal/state"
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
@ -23,9 +22,9 @@ func (a *app) Start() error {
|
||||||
defer a.lock.Unlock()
|
defer a.lock.Unlock()
|
||||||
|
|
||||||
// resolve exec paths
|
// resolve exec paths
|
||||||
shimExec := [2]string{helper.BubblewrapName}
|
shimExec := [3]string{a.seal.sys.executable, helper.BubblewrapName}
|
||||||
if len(a.seal.command) > 0 {
|
if len(a.seal.command) > 0 {
|
||||||
shimExec[1] = a.seal.command[0]
|
shimExec[2] = a.seal.command[0]
|
||||||
}
|
}
|
||||||
for i, n := range shimExec {
|
for i, n := range shimExec {
|
||||||
if len(n) == 0 {
|
if len(n) == 0 {
|
||||||
|
@ -54,7 +53,7 @@ func (a *app) Start() error {
|
||||||
|
|
||||||
// construct shim manager
|
// construct shim manager
|
||||||
a.shim = shim.New(a.seal.toolPath, uint32(a.seal.sys.UID()), path.Join(a.seal.share, "shim"), a.seal.wl,
|
a.shim = shim.New(a.seal.toolPath, uint32(a.seal.sys.UID()), path.Join(a.seal.share, "shim"), a.seal.wl,
|
||||||
&shim0.Payload{
|
&shim.Payload{
|
||||||
Argv: a.seal.command,
|
Argv: a.seal.command,
|
||||||
Exec: shimExec,
|
Exec: shimExec,
|
||||||
Bwrap: a.seal.sys.bwrap,
|
Bwrap: a.seal.sys.bwrap,
|
||||||
|
@ -185,15 +184,6 @@ func (a *app) Wait() (int, error) {
|
||||||
// child process exited, resume output
|
// child process exited, resume output
|
||||||
fmsg.Resume()
|
fmsg.Resume()
|
||||||
|
|
||||||
// print queued up dbus messages
|
|
||||||
if a.seal.dbusMsg != nil {
|
|
||||||
a.seal.dbusMsg(func(msgbuf []string) {
|
|
||||||
for _, msg := range msgbuf {
|
|
||||||
fmsg.Println(msg)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
// close wayland connection
|
// close wayland connection
|
||||||
if a.seal.wl != nil {
|
if a.seal.wl != nil {
|
||||||
if err := a.seal.wl.Close(); err != nil {
|
if err := a.seal.wl.Close(); err != nil {
|
||||||
|
|
|
@ -5,7 +5,7 @@ import (
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/dbus"
|
"git.ophivana.moe/security/fortify/dbus"
|
||||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/system"
|
"git.ophivana.moe/security/fortify/internal/system"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -17,14 +17,11 @@ type appSealSys struct {
|
||||||
|
|
||||||
// default formatted XDG_RUNTIME_DIR of User
|
// default formatted XDG_RUNTIME_DIR of User
|
||||||
runtime string
|
runtime string
|
||||||
|
// sealed path to fortify executable, used by shim
|
||||||
|
executable string
|
||||||
// target user sealed from config
|
// target user sealed from config
|
||||||
user *user.User
|
user *user.User
|
||||||
|
|
||||||
// mapped uid and gid in user namespace
|
|
||||||
mappedID int
|
|
||||||
// string representation of mappedID
|
|
||||||
mappedIDString string
|
|
||||||
|
|
||||||
needRevert bool
|
needRevert bool
|
||||||
saveState bool
|
saveState bool
|
||||||
*system.I
|
*system.I
|
||||||
|
@ -33,7 +30,7 @@ type appSealSys struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// shareAll calls all share methods in sequence
|
// shareAll calls all share methods in sequence
|
||||||
func (seal *appSeal) shareAll(bus [2]*dbus.Config, os linux.System) error {
|
func (seal *appSeal) shareAll(bus [2]*dbus.Config, os internal.System) error {
|
||||||
if seal.shared {
|
if seal.shared {
|
||||||
panic("seal shared twice")
|
panic("seal shared twice")
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
package internal
|
|
||||||
|
|
||||||
const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
|
|
||||||
|
|
||||||
var (
|
|
||||||
Version = compPoison
|
|
||||||
)
|
|
||||||
|
|
||||||
// Check validates string value set at compile time.
|
|
||||||
func Check(s string) (string, bool) {
|
|
||||||
return s, s != compPoison && s != ""
|
|
||||||
}
|
|
|
@ -8,7 +8,6 @@ import (
|
||||||
|
|
||||||
var (
|
var (
|
||||||
wstate atomic.Bool
|
wstate atomic.Bool
|
||||||
dropped atomic.Uint64
|
|
||||||
withhold = make(chan struct{}, 1)
|
withhold = make(chan struct{}, 1)
|
||||||
msgbuf = make(chan dOp, 64) // these ops are tiny so a large buffer is allocated for withholding output
|
msgbuf = make(chan dOp, 64) // these ops are tiny so a large buffer is allocated for withholding output
|
||||||
|
|
||||||
|
@ -30,25 +29,6 @@ func dequeue() {
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
||||||
// queue submits ops to msgbuf but drops messages
|
|
||||||
// when the buffer is full and dequeue is withholding
|
|
||||||
func queue(op dOp) {
|
|
||||||
select {
|
|
||||||
case msgbuf <- op:
|
|
||||||
queueSync.Add(1)
|
|
||||||
default:
|
|
||||||
// send the op anyway if not withholding
|
|
||||||
// as dequeue will get to it eventually
|
|
||||||
if !wstate.Load() {
|
|
||||||
queueSync.Add(1)
|
|
||||||
msgbuf <- op
|
|
||||||
} else {
|
|
||||||
// increment dropped message count
|
|
||||||
dropped.Add(1)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type dOp interface{ Do() }
|
type dOp interface{ Do() }
|
||||||
|
|
||||||
func Exit(code int) {
|
func Exit(code int) {
|
||||||
|
@ -67,9 +47,6 @@ func Resume() {
|
||||||
dequeueOnce.Do(dequeue)
|
dequeueOnce.Do(dequeue)
|
||||||
if wstate.CompareAndSwap(true, false) {
|
if wstate.CompareAndSwap(true, false) {
|
||||||
withhold <- struct{}{}
|
withhold <- struct{}{}
|
||||||
if d := dropped.Swap(0); d != 0 {
|
|
||||||
Printf("dropped %d messages during withhold", d)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -16,17 +16,20 @@ func SetPrefix(prefix string) {
|
||||||
|
|
||||||
func Print(v ...any) {
|
func Print(v ...any) {
|
||||||
dequeueOnce.Do(dequeue)
|
dequeueOnce.Do(dequeue)
|
||||||
queue(dPrint(v))
|
queueSync.Add(1)
|
||||||
|
msgbuf <- dPrint(v)
|
||||||
}
|
}
|
||||||
|
|
||||||
func Printf(format string, v ...any) {
|
func Printf(format string, v ...any) {
|
||||||
dequeueOnce.Do(dequeue)
|
dequeueOnce.Do(dequeue)
|
||||||
queue(&dPrintf{format, v})
|
queueSync.Add(1)
|
||||||
|
msgbuf <- &dPrintf{format, v}
|
||||||
}
|
}
|
||||||
|
|
||||||
func Println(v ...any) {
|
func Println(v ...any) {
|
||||||
dequeueOnce.Do(dequeue)
|
dequeueOnce.Do(dequeue)
|
||||||
queue(dPrintln(v))
|
queueSync.Add(1)
|
||||||
|
msgbuf <- dPrintln(v)
|
||||||
}
|
}
|
||||||
|
|
||||||
func Fatal(v ...any) {
|
func Fatal(v ...any) {
|
||||||
|
|
|
@ -1,8 +1,9 @@
|
||||||
package main
|
package init0
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/gob"
|
"encoding/gob"
|
||||||
"errors"
|
"errors"
|
||||||
|
"flag"
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
|
@ -11,80 +12,58 @@ import (
|
||||||
"syscall"
|
"syscall"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
init0 "git.ophivana.moe/security/fortify/cmd/finit/ipc"
|
|
||||||
"git.ophivana.moe/security/fortify/internal"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// time to wait for linger processes after death of initial process
|
// time to wait for linger processes after death initial process
|
||||||
residualProcessTimeout = 5 * time.Second
|
residualProcessTimeout = 5 * time.Second
|
||||||
)
|
)
|
||||||
|
|
||||||
// everything beyond this point runs within pid namespace
|
// everything beyond this point runs within pid namespace
|
||||||
// proceed with caution!
|
// proceed with caution!
|
||||||
|
|
||||||
func main() {
|
func doInit(fd uintptr) {
|
||||||
// sharing stdout with shim
|
|
||||||
// USE WITH CAUTION
|
|
||||||
fmsg.SetPrefix("init")
|
fmsg.SetPrefix("init")
|
||||||
|
|
||||||
// setting this prevents ptrace
|
|
||||||
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
|
|
||||||
fmsg.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
|
|
||||||
panic("unreachable")
|
|
||||||
}
|
|
||||||
|
|
||||||
if os.Getpid() != 1 {
|
|
||||||
fmsg.Fatal("this process must run as pid 1")
|
|
||||||
panic("unreachable")
|
|
||||||
}
|
|
||||||
|
|
||||||
// re-exec
|
// re-exec
|
||||||
if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
|
if len(os.Args) > 0 && os.Args[0] != "fortify" && path.IsAbs(os.Args[0]) {
|
||||||
if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
|
if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
|
||||||
fmsg.Println("cannot re-exec self:", err)
|
fmsg.Println("cannot re-exec self:", err)
|
||||||
// continue anyway
|
// continue anyway
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// setup pipe fd from environment
|
var payload Payload
|
||||||
var setup *os.File
|
p := os.NewFile(fd, "config-stream")
|
||||||
if s, ok := os.LookupEnv(init0.Env); !ok {
|
if p == nil {
|
||||||
fmsg.Fatal("FORTIFY_INIT not set")
|
fmsg.Fatal("invalid config descriptor")
|
||||||
panic("unreachable")
|
|
||||||
} else {
|
|
||||||
if fd, err := strconv.Atoi(s); err != nil {
|
|
||||||
fmsg.Fatalf("cannot parse %q: %v", s, err)
|
|
||||||
panic("unreachable")
|
|
||||||
} else {
|
|
||||||
setup = os.NewFile(uintptr(fd), "setup")
|
|
||||||
if setup == nil {
|
|
||||||
fmsg.Fatal("invalid config descriptor")
|
|
||||||
panic("unreachable")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
if err := gob.NewDecoder(p).Decode(&payload); err != nil {
|
||||||
var payload init0.Payload
|
fmsg.Fatal("cannot decode init payload:", err)
|
||||||
if err := gob.NewDecoder(setup).Decode(&payload); err != nil {
|
|
||||||
fmsg.Fatal("cannot decode init setup payload:", err)
|
|
||||||
panic("unreachable")
|
|
||||||
} else {
|
} else {
|
||||||
|
// sharing stdout with parent
|
||||||
|
// USE WITH CAUTION
|
||||||
fmsg.SetVerbose(payload.Verbose)
|
fmsg.SetVerbose(payload.Verbose)
|
||||||
|
|
||||||
// child does not need to see this
|
// child does not need to see this
|
||||||
if err = os.Unsetenv(init0.Env); err != nil {
|
if err = os.Unsetenv(EnvInit); err != nil {
|
||||||
fmsg.Printf("cannot unset %s: %v", init0.Env, err)
|
fmsg.Println("cannot unset", EnvInit+":", err)
|
||||||
// not fatal
|
// not fatal
|
||||||
} else {
|
} else {
|
||||||
fmsg.VPrintln("received configuration")
|
fmsg.VPrintln("received configuration")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// close config fd
|
||||||
|
if err := p.Close(); err != nil {
|
||||||
|
fmsg.Println("cannot close config fd:", err)
|
||||||
|
// not fatal
|
||||||
|
}
|
||||||
|
|
||||||
// die with parent
|
// die with parent
|
||||||
if err := internal.PR_SET_PDEATHSIG__SIGKILL(); err != nil {
|
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
|
||||||
fmsg.Fatalf("prctl(PR_SET_PDEATHSIG, SIGKILL): %v", err)
|
fmsg.Fatal("prctl(PR_SET_PDEATHSIG, SIGKILL):", errno.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd := exec.Command(payload.Argv0)
|
cmd := exec.Command(payload.Argv0)
|
||||||
|
@ -103,13 +82,6 @@ func main() {
|
||||||
if err := cmd.Start(); err != nil {
|
if err := cmd.Start(); err != nil {
|
||||||
fmsg.Fatalf("cannot start %q: %v", payload.Argv0, err)
|
fmsg.Fatalf("cannot start %q: %v", payload.Argv0, err)
|
||||||
}
|
}
|
||||||
fmsg.Withhold()
|
|
||||||
|
|
||||||
// close setup pipe as setup is now complete
|
|
||||||
if err := setup.Close(); err != nil {
|
|
||||||
fmsg.Println("cannot close setup pipe:", err)
|
|
||||||
// not fatal
|
|
||||||
}
|
|
||||||
|
|
||||||
sig := make(chan os.Signal, 2)
|
sig := make(chan os.Signal, 2)
|
||||||
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
|
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
|
||||||
|
@ -150,7 +122,6 @@ func main() {
|
||||||
close(done)
|
close(done)
|
||||||
}()
|
}()
|
||||||
|
|
||||||
// closed after residualProcessTimeout has elapsed after initial process death
|
|
||||||
timeout := make(chan struct{})
|
timeout := make(chan struct{})
|
||||||
|
|
||||||
r := 2
|
r := 2
|
||||||
|
@ -158,13 +129,9 @@ func main() {
|
||||||
select {
|
select {
|
||||||
case s := <-sig:
|
case s := <-sig:
|
||||||
fmsg.VPrintln("received", s.String())
|
fmsg.VPrintln("received", s.String())
|
||||||
fmsg.Resume() // output could still be withheld at this point, so resume is called
|
|
||||||
fmsg.Exit(0)
|
fmsg.Exit(0)
|
||||||
case w := <-info:
|
case w := <-info:
|
||||||
if w.wpid == cmd.Process.Pid {
|
if w.wpid == cmd.Process.Pid {
|
||||||
// initial process exited, output is most likely available again
|
|
||||||
fmsg.Resume()
|
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
case w.wstatus.Exited():
|
case w.wstatus.Exited():
|
||||||
r = w.wstatus.ExitStatus()
|
r = w.wstatus.ExitStatus()
|
||||||
|
@ -187,3 +154,21 @@ func main() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Try runs init and stops execution if FORTIFY_INIT is set.
|
||||||
|
func Try() {
|
||||||
|
if os.Getpid() != 1 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if args := flag.Args(); len(args) == 1 && args[0] == "init" {
|
||||||
|
if s, ok := os.LookupEnv(EnvInit); ok {
|
||||||
|
if fd, err := strconv.Atoi(s); err != nil {
|
||||||
|
fmsg.Fatalf("cannot parse %q: %v", s, err)
|
||||||
|
} else {
|
||||||
|
doInit(uintptr(fd))
|
||||||
|
}
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,6 +1,6 @@
|
||||||
package init0
|
package init0
|
||||||
|
|
||||||
const Env = "FORTIFY_INIT"
|
const EnvInit = "FORTIFY_INIT"
|
||||||
|
|
||||||
type Payload struct {
|
type Payload struct {
|
||||||
// target full exec path
|
// target full exec path
|
|
@ -1,83 +0,0 @@
|
||||||
package linux
|
|
||||||
|
|
||||||
import (
|
|
||||||
"errors"
|
|
||||||
"io/fs"
|
|
||||||
"os"
|
|
||||||
"os/exec"
|
|
||||||
"os/user"
|
|
||||||
"sync"
|
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/internal"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Std implements System using the standard library.
|
|
||||||
type Std struct {
|
|
||||||
paths Paths
|
|
||||||
pathsOnce sync.Once
|
|
||||||
|
|
||||||
sdBooted bool
|
|
||||||
sdBootedOnce sync.Once
|
|
||||||
|
|
||||||
fshim string
|
|
||||||
fshimOnce sync.Once
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Std) Geteuid() int { return os.Geteuid() }
|
|
||||||
func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) }
|
|
||||||
func (s *Std) TempDir() string { return os.TempDir() }
|
|
||||||
func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) }
|
|
||||||
func (s *Std) Executable() (string, error) { return os.Executable() }
|
|
||||||
func (s *Std) Lookup(username string) (*user.User, error) { return user.Lookup(username) }
|
|
||||||
func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) }
|
|
||||||
func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) }
|
|
||||||
func (s *Std) Open(name string) (fs.File, error) { return os.Open(name) }
|
|
||||||
func (s *Std) Exit(code int) { fmsg.Exit(code) }
|
|
||||||
|
|
||||||
const xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
|
||||||
|
|
||||||
func (s *Std) FshimPath() string {
|
|
||||||
s.fshimOnce.Do(func() {
|
|
||||||
p, ok := internal.Path(internal.Fshim)
|
|
||||||
if !ok {
|
|
||||||
fmsg.Fatal("invalid fshim path, this copy of fortify is not compiled correctly")
|
|
||||||
}
|
|
||||||
s.fshim = p
|
|
||||||
})
|
|
||||||
|
|
||||||
return s.fshim
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Std) Paths() Paths {
|
|
||||||
s.pathsOnce.Do(func() { CopyPaths(s, &s.paths) })
|
|
||||||
return s.paths
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Std) SdBooted() bool {
|
|
||||||
s.sdBootedOnce.Do(func() { s.sdBooted = copySdBooted() })
|
|
||||||
return s.sdBooted
|
|
||||||
}
|
|
||||||
|
|
||||||
const systemdCheckPath = "/run/systemd/system"
|
|
||||||
|
|
||||||
func copySdBooted() bool {
|
|
||||||
if v, err := sdBooted(); err != nil {
|
|
||||||
fmsg.Println("cannot read systemd marker:", err)
|
|
||||||
return false
|
|
||||||
} else {
|
|
||||||
return v
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func sdBooted() (bool, error) {
|
|
||||||
_, err := os.Stat(systemdCheckPath)
|
|
||||||
if err != nil {
|
|
||||||
if errors.Is(err, fs.ErrNotExist) {
|
|
||||||
err = nil
|
|
||||||
}
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return true, nil
|
|
||||||
}
|
|
|
@ -1,13 +0,0 @@
|
||||||
package internal
|
|
||||||
|
|
||||||
import "path"
|
|
||||||
|
|
||||||
var (
|
|
||||||
Fsu = compPoison
|
|
||||||
Fshim = compPoison
|
|
||||||
Finit = compPoison
|
|
||||||
)
|
|
||||||
|
|
||||||
func Path(p string) (string, bool) {
|
|
||||||
return p, p != compPoison && p != "" && path.IsAbs(p)
|
|
||||||
}
|
|
|
@ -1,20 +0,0 @@
|
||||||
package internal
|
|
||||||
|
|
||||||
import "syscall"
|
|
||||||
|
|
||||||
func PR_SET_DUMPABLE__SUID_DUMP_DISABLE() error {
|
|
||||||
// linux/sched/coredump.h
|
|
||||||
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, 0, 0); errno != 0 {
|
|
||||||
return errno
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func PR_SET_PDEATHSIG__SIGKILL() error {
|
|
||||||
if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
|
|
||||||
return errno
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
|
@ -1,63 +1,37 @@
|
||||||
package main
|
package shim
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/gob"
|
"encoding/gob"
|
||||||
"errors"
|
"errors"
|
||||||
|
"flag"
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"path"
|
"path"
|
||||||
"strconv"
|
"strconv"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
init0 "git.ophivana.moe/security/fortify/cmd/finit/ipc"
|
|
||||||
shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
|
|
||||||
"git.ophivana.moe/security/fortify/helper"
|
"git.ophivana.moe/security/fortify/helper"
|
||||||
"git.ophivana.moe/security/fortify/internal"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
|
init0 "git.ophivana.moe/security/fortify/internal/init"
|
||||||
)
|
)
|
||||||
|
|
||||||
// everything beyond this point runs as unconstrained target user
|
// everything beyond this point runs as target user
|
||||||
// proceed with caution!
|
// proceed with caution!
|
||||||
|
|
||||||
func main() {
|
func doShim(socket string) {
|
||||||
// sharing stdout with fortify
|
|
||||||
// USE WITH CAUTION
|
|
||||||
fmsg.SetPrefix("shim")
|
fmsg.SetPrefix("shim")
|
||||||
|
|
||||||
// setting this prevents ptrace
|
|
||||||
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
|
|
||||||
fmsg.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
|
|
||||||
panic("unreachable")
|
|
||||||
}
|
|
||||||
|
|
||||||
// re-exec
|
// re-exec
|
||||||
if len(os.Args) > 0 && (os.Args[0] != "fshim" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
|
if len(os.Args) > 0 && os.Args[0] != "fortify" && path.IsAbs(os.Args[0]) {
|
||||||
if err := syscall.Exec(os.Args[0], []string{"fshim"}, os.Environ()); err != nil {
|
if err := syscall.Exec(os.Args[0], []string{"fortify", "shim"}, os.Environ()); err != nil {
|
||||||
fmsg.Println("cannot re-exec self:", err)
|
fmsg.Println("cannot re-exec self:", err)
|
||||||
// continue anyway
|
// continue anyway
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// lookup socket path from environment
|
|
||||||
var socketPath string
|
|
||||||
if s, ok := os.LookupEnv(shim.Env); !ok {
|
|
||||||
fmsg.Fatal("FORTIFY_SHIM not set")
|
|
||||||
panic("unreachable")
|
|
||||||
} else {
|
|
||||||
socketPath = s
|
|
||||||
}
|
|
||||||
|
|
||||||
// check path to finit
|
|
||||||
var finitPath string
|
|
||||||
if p, ok := internal.Path(internal.Finit); !ok {
|
|
||||||
fmsg.Fatal("invalid finit path, this copy of fshim is not compiled correctly")
|
|
||||||
} else {
|
|
||||||
finitPath = p
|
|
||||||
}
|
|
||||||
|
|
||||||
// dial setup socket
|
// dial setup socket
|
||||||
var conn *net.UnixConn
|
var conn *net.UnixConn
|
||||||
if c, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: socketPath, Net: "unix"}); err != nil {
|
if c, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: socket, Net: "unix"}); err != nil {
|
||||||
fmsg.Fatal("cannot dial setup socket:", err)
|
fmsg.Fatal("cannot dial setup socket:", err)
|
||||||
panic("unreachable")
|
panic("unreachable")
|
||||||
} else {
|
} else {
|
||||||
|
@ -65,10 +39,12 @@ func main() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// decode payload gob stream
|
// decode payload gob stream
|
||||||
var payload shim.Payload
|
var payload Payload
|
||||||
if err := gob.NewDecoder(conn).Decode(&payload); err != nil {
|
if err := gob.NewDecoder(conn).Decode(&payload); err != nil {
|
||||||
fmsg.Fatal("cannot decode shim payload:", err)
|
fmsg.Fatal("cannot decode shim payload:", err)
|
||||||
} else {
|
} else {
|
||||||
|
// sharing stdout with parent
|
||||||
|
// USE WITH CAUTION
|
||||||
fmsg.SetVerbose(payload.Verbose)
|
fmsg.SetVerbose(payload.Verbose)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -98,7 +74,7 @@ func main() {
|
||||||
ic.Argv = payload.Argv
|
ic.Argv = payload.Argv
|
||||||
if len(ic.Argv) > 0 {
|
if len(ic.Argv) > 0 {
|
||||||
// looked up from $PATH by parent
|
// looked up from $PATH by parent
|
||||||
ic.Argv0 = payload.Exec[1]
|
ic.Argv0 = payload.Exec[2]
|
||||||
} else {
|
} else {
|
||||||
// no argv, look up shell instead
|
// no argv, look up shell instead
|
||||||
var ok bool
|
var ok bool
|
||||||
|
@ -127,7 +103,7 @@ func main() {
|
||||||
if r, w, err := os.Pipe(); err != nil {
|
if r, w, err := os.Pipe(); err != nil {
|
||||||
fmsg.Fatal("cannot pipe:", err)
|
fmsg.Fatal("cannot pipe:", err)
|
||||||
} else {
|
} else {
|
||||||
conf.SetEnv[init0.Env] = strconv.Itoa(3 + len(extraFiles))
|
conf.SetEnv[init0.EnvInit] = strconv.Itoa(3 + len(extraFiles))
|
||||||
extraFiles = append(extraFiles, r)
|
extraFiles = append(extraFiles, r)
|
||||||
|
|
||||||
fmsg.VPrintln("transmitting config to init")
|
fmsg.VPrintln("transmitting config to init")
|
||||||
|
@ -139,9 +115,8 @@ func main() {
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
||||||
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
|
helper.BubblewrapName = payload.Exec[1] // resolved bwrap path by parent
|
||||||
if b, err := helper.NewBwrap(conf, nil, finitPath,
|
if b, err := helper.NewBwrap(conf, nil, payload.Exec[0], func(int, int) []string { return []string{"init"} }); err != nil {
|
||||||
func(int, int) []string { return make([]string, 0) }); err != nil {
|
|
||||||
fmsg.Fatal("malformed sandbox config:", err)
|
fmsg.Fatal("malformed sandbox config:", err)
|
||||||
} else {
|
} else {
|
||||||
cmd := b.Unwrap()
|
cmd := b.Unwrap()
|
||||||
|
@ -192,3 +167,13 @@ func receiveWLfd(conn *net.UnixConn) (int, error) {
|
||||||
return fds[0], nil
|
return fds[0], nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Try runs shim and stops execution if FORTIFY_SHIM is set.
|
||||||
|
func Try() {
|
||||||
|
if args := flag.Args(); len(args) == 1 && args[0] == "shim" {
|
||||||
|
if s, ok := os.LookupEnv(EnvShim); ok {
|
||||||
|
doShim(s)
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -11,12 +11,9 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/acl"
|
"git.ophivana.moe/security/fortify/acl"
|
||||||
shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
|
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
)
|
)
|
||||||
|
|
||||||
const shimSetupTimeout = 5 * time.Second
|
|
||||||
|
|
||||||
// used by the parent process
|
// used by the parent process
|
||||||
|
|
||||||
type Shim struct {
|
type Shim struct {
|
||||||
|
@ -35,12 +32,12 @@ type Shim struct {
|
||||||
abortErr atomic.Pointer[error]
|
abortErr atomic.Pointer[error]
|
||||||
abortOnce sync.Once
|
abortOnce sync.Once
|
||||||
// wayland mediation, nil if disabled
|
// wayland mediation, nil if disabled
|
||||||
wl *shim0.Wayland
|
wl *Wayland
|
||||||
// shim setup payload
|
// shim setup payload
|
||||||
payload *shim0.Payload
|
payload *Payload
|
||||||
}
|
}
|
||||||
|
|
||||||
func New(executable string, uid uint32, socket string, wl *shim0.Wayland, payload *shim0.Payload, checkPid bool) *Shim {
|
func New(executable string, uid uint32, socket string, wl *Wayland, payload *Payload, checkPid bool) *Shim {
|
||||||
return &Shim{uid: uid, executable: executable, socket: socket, wl: wl, payload: payload, checkPid: checkPid}
|
return &Shim{uid: uid, executable: executable, socket: socket, wl: wl, payload: payload, checkPid: checkPid}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -87,7 +84,7 @@ func (s *Shim) Start(f CommandBuilder) (*time.Time, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// start user switcher process and save time
|
// start user switcher process and save time
|
||||||
s.cmd = exec.Command(s.executable, f(shim0.Env+"="+s.socket)...)
|
s.cmd = exec.Command(s.executable, f(EnvShim+"="+s.socket)...)
|
||||||
s.cmd.Env = []string{}
|
s.cmd.Env = []string{}
|
||||||
s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
||||||
s.cmd.Dir = "/"
|
s.cmd.Dir = "/"
|
||||||
|
@ -108,19 +105,9 @@ func (s *Shim) Start(f CommandBuilder) (*time.Time, error) {
|
||||||
defer func() { killShim() }()
|
defer func() { killShim() }()
|
||||||
|
|
||||||
accept()
|
accept()
|
||||||
var conn *net.UnixConn
|
conn := <-cf
|
||||||
select {
|
if conn == nil {
|
||||||
case c := <-cf:
|
return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot accept call on setup socket:")
|
||||||
if c == nil {
|
|
||||||
return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot accept call on setup socket:")
|
|
||||||
} else {
|
|
||||||
conn = c
|
|
||||||
}
|
|
||||||
case <-time.After(shimSetupTimeout):
|
|
||||||
err := fmsg.WrapError(errors.New("timed out waiting for shim"),
|
|
||||||
"timed out waiting for shim to connect")
|
|
||||||
s.AbortWait(err)
|
|
||||||
return &startTime, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// authenticate against called provided uid and shim pid
|
// authenticate against called provided uid and shim pid
|
||||||
|
@ -142,7 +129,7 @@ func (s *Shim) Start(f CommandBuilder) (*time.Time, error) {
|
||||||
|
|
||||||
// serve payload and wayland fd if enabled
|
// serve payload and wayland fd if enabled
|
||||||
// this also closes the connection
|
// this also closes the connection
|
||||||
err := s.payload.Serve(conn, s.wl)
|
err := s.payload.serve(conn, s.wl)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
killShim = func() {}
|
killShim = func() {}
|
||||||
}
|
}
|
||||||
|
@ -171,7 +158,6 @@ func (s *Shim) serve() (chan *net.UnixConn, func(), error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
go func() {
|
go func() {
|
||||||
cfWg := new(sync.WaitGroup)
|
|
||||||
for {
|
for {
|
||||||
select {
|
select {
|
||||||
case err = <-s.abort:
|
case err = <-s.abort:
|
||||||
|
@ -182,24 +168,15 @@ func (s *Shim) serve() (chan *net.UnixConn, func(), error) {
|
||||||
fmsg.Println("cannot close setup socket:", err)
|
fmsg.Println("cannot close setup socket:", err)
|
||||||
}
|
}
|
||||||
close(s.abort)
|
close(s.abort)
|
||||||
go func() {
|
close(cf)
|
||||||
cfWg.Wait()
|
|
||||||
close(cf)
|
|
||||||
}()
|
|
||||||
return
|
return
|
||||||
case <-accept:
|
case <-accept:
|
||||||
cfWg.Add(1)
|
if conn, err0 := l.AcceptUnix(); err0 != nil {
|
||||||
go func() {
|
s.Abort(err0) // does not block, breaks loop
|
||||||
defer cfWg.Done()
|
cf <- nil // receiver sees nil value and loads err0 stored during abort
|
||||||
if conn, err0 := l.AcceptUnix(); err0 != nil {
|
} else {
|
||||||
// breaks loop
|
cf <- conn
|
||||||
s.Abort(err0)
|
}
|
||||||
// receiver sees nil value and loads err0 stored during abort
|
|
||||||
cf <- nil
|
|
||||||
} else {
|
|
||||||
cf <- conn
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}()
|
}()
|
|
@ -1,4 +1,4 @@
|
||||||
package shim0
|
package shim
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/gob"
|
"encoding/gob"
|
||||||
|
@ -9,13 +9,13 @@ import (
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
)
|
)
|
||||||
|
|
||||||
const Env = "FORTIFY_SHIM"
|
const EnvShim = "FORTIFY_SHIM"
|
||||||
|
|
||||||
type Payload struct {
|
type Payload struct {
|
||||||
// child full argv
|
// child full argv
|
||||||
Argv []string
|
Argv []string
|
||||||
// bwrap, target full exec path
|
// fortify, bwrap, target full exec path
|
||||||
Exec [2]string
|
Exec [3]string
|
||||||
// bwrap config
|
// bwrap config
|
||||||
Bwrap *bwrap.Config
|
Bwrap *bwrap.Config
|
||||||
// whether to pass wayland fd
|
// whether to pass wayland fd
|
||||||
|
@ -25,7 +25,7 @@ type Payload struct {
|
||||||
Verbose bool
|
Verbose bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *Payload) Serve(conn *net.UnixConn, wl *Wayland) error {
|
func (p *Payload) serve(conn *net.UnixConn, wl *Wayland) error {
|
||||||
if err := gob.NewEncoder(conn).Encode(*p); err != nil {
|
if err := gob.NewEncoder(conn).Encode(*p); err != nil {
|
||||||
return fmsg.WrapErrorSuffix(err,
|
return fmsg.WrapErrorSuffix(err,
|
||||||
"cannot stream shim payload:")
|
"cannot stream shim payload:")
|
|
@ -1,4 +1,4 @@
|
||||||
package shim0
|
package shim
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
|
@ -1,10 +1,14 @@
|
||||||
package linux
|
package internal
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
"io/fs"
|
"io/fs"
|
||||||
|
"os"
|
||||||
|
"os/exec"
|
||||||
"os/user"
|
"os/user"
|
||||||
"path"
|
"path"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"sync"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
)
|
)
|
||||||
|
@ -32,8 +36,6 @@ type System interface {
|
||||||
// Exit provides [os.Exit].
|
// Exit provides [os.Exit].
|
||||||
Exit(code int)
|
Exit(code int)
|
||||||
|
|
||||||
// FshimPath returns an absolute path to the fshim binary.
|
|
||||||
FshimPath() string
|
|
||||||
// Paths returns a populated [Paths] struct.
|
// Paths returns a populated [Paths] struct.
|
||||||
Paths() Paths
|
Paths() Paths
|
||||||
// SdBooted implements https://www.freedesktop.org/software/systemd/man/sd_booted.html
|
// SdBooted implements https://www.freedesktop.org/software/systemd/man/sd_booted.html
|
||||||
|
@ -67,3 +69,58 @@ func CopyPaths(os System, v *Paths) {
|
||||||
|
|
||||||
fmsg.VPrintf("runtime directory at %q", v.RunDirPath)
|
fmsg.VPrintf("runtime directory at %q", v.RunDirPath)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Std implements System using the standard library.
|
||||||
|
type Std struct {
|
||||||
|
paths Paths
|
||||||
|
pathsOnce sync.Once
|
||||||
|
|
||||||
|
sdBooted bool
|
||||||
|
sdBootedOnce sync.Once
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Std) Geteuid() int { return os.Geteuid() }
|
||||||
|
func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) }
|
||||||
|
func (s *Std) TempDir() string { return os.TempDir() }
|
||||||
|
func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) }
|
||||||
|
func (s *Std) Executable() (string, error) { return os.Executable() }
|
||||||
|
func (s *Std) Lookup(username string) (*user.User, error) { return user.Lookup(username) }
|
||||||
|
func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) }
|
||||||
|
func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) }
|
||||||
|
func (s *Std) Open(name string) (fs.File, error) { return os.Open(name) }
|
||||||
|
func (s *Std) Exit(code int) { fmsg.Exit(code) }
|
||||||
|
|
||||||
|
const xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
||||||
|
|
||||||
|
func (s *Std) Paths() Paths {
|
||||||
|
s.pathsOnce.Do(func() { CopyPaths(s, &s.paths) })
|
||||||
|
return s.paths
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Std) SdBooted() bool {
|
||||||
|
s.sdBootedOnce.Do(func() { s.sdBooted = copySdBooted() })
|
||||||
|
return s.sdBooted
|
||||||
|
}
|
||||||
|
|
||||||
|
const systemdCheckPath = "/run/systemd/system"
|
||||||
|
|
||||||
|
func copySdBooted() bool {
|
||||||
|
if v, err := sdBooted(); err != nil {
|
||||||
|
fmsg.Println("cannot read systemd marker:", err)
|
||||||
|
return false
|
||||||
|
} else {
|
||||||
|
return v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func sdBooted() (bool, error) {
|
||||||
|
_, err := os.Stat(systemdCheckPath)
|
||||||
|
if err != nil {
|
||||||
|
if errors.Is(err, fs.ErrNotExist) {
|
||||||
|
err = nil
|
||||||
|
}
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return true, nil
|
||||||
|
}
|
|
@ -1,11 +1,8 @@
|
||||||
package system
|
package system
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
|
||||||
"errors"
|
"errors"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
|
||||||
"sync"
|
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/dbus"
|
"git.ophivana.moe/security/fortify/dbus"
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
|
@ -16,14 +13,14 @@ var (
|
||||||
)
|
)
|
||||||
|
|
||||||
func (sys *I) MustProxyDBus(sessionPath string, session *dbus.Config, systemPath string, system *dbus.Config) *I {
|
func (sys *I) MustProxyDBus(sessionPath string, session *dbus.Config, systemPath string, system *dbus.Config) *I {
|
||||||
if _, err := sys.ProxyDBus(session, system, sessionPath, systemPath); err != nil {
|
if err := sys.ProxyDBus(session, system, sessionPath, systemPath); err != nil {
|
||||||
panic(err.Error())
|
panic(err.Error())
|
||||||
} else {
|
} else {
|
||||||
return sys
|
return sys
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath string) (func(f func(msgbuf []string)), error) {
|
func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath string) error {
|
||||||
d := new(DBus)
|
d := new(DBus)
|
||||||
|
|
||||||
// used by waiting goroutine to notify process exit
|
// used by waiting goroutine to notify process exit
|
||||||
|
@ -31,7 +28,7 @@ func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath st
|
||||||
|
|
||||||
// session bus is mandatory
|
// session bus is mandatory
|
||||||
if session == nil {
|
if session == nil {
|
||||||
return nil, fmsg.WrapError(ErrDBusConfig,
|
return fmsg.WrapError(ErrDBusConfig,
|
||||||
"attempted to seal message bus proxy without session bus config")
|
"attempted to seal message bus proxy without session bus config")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -64,15 +61,13 @@ func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath st
|
||||||
sys.ops = append(sys.ops, d)
|
sys.ops = append(sys.ops, d)
|
||||||
|
|
||||||
// seal dbus proxy
|
// seal dbus proxy
|
||||||
d.out = &scanToFmsg{msg: new(strings.Builder)}
|
return fmsg.WrapErrorSuffix(d.proxy.Seal(session, system),
|
||||||
return d.out.F, fmsg.WrapErrorSuffix(d.proxy.Seal(session, system),
|
|
||||||
"cannot seal message bus proxy:")
|
"cannot seal message bus proxy:")
|
||||||
}
|
}
|
||||||
|
|
||||||
type DBus struct {
|
type DBus struct {
|
||||||
proxy *dbus.Proxy
|
proxy *dbus.Proxy
|
||||||
|
|
||||||
out *scanToFmsg
|
|
||||||
// whether system bus proxy is enabled
|
// whether system bus proxy is enabled
|
||||||
system bool
|
system bool
|
||||||
// notification from goroutine waiting for dbus.Proxy
|
// notification from goroutine waiting for dbus.Proxy
|
||||||
|
@ -93,7 +88,7 @@ func (d *DBus) apply(_ *I) error {
|
||||||
ready := make(chan error, 1)
|
ready := make(chan error, 1)
|
||||||
|
|
||||||
// background dbus proxy start
|
// background dbus proxy start
|
||||||
if err := d.proxy.Start(ready, d.out, true); err != nil {
|
if err := d.proxy.Start(ready, os.Stderr, true); err != nil {
|
||||||
return fmsg.WrapErrorSuffix(err,
|
return fmsg.WrapErrorSuffix(err,
|
||||||
"cannot start message bus proxy:")
|
"cannot start message bus proxy:")
|
||||||
}
|
}
|
||||||
|
@ -169,34 +164,3 @@ func (d *DBus) Path() string {
|
||||||
func (d *DBus) String() string {
|
func (d *DBus) String() string {
|
||||||
return d.proxy.String()
|
return d.proxy.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
type scanToFmsg struct {
|
|
||||||
msg *strings.Builder
|
|
||||||
msgbuf []string
|
|
||||||
|
|
||||||
mu sync.RWMutex
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *scanToFmsg) Write(p []byte) (n int, err error) {
|
|
||||||
s.mu.Lock()
|
|
||||||
defer s.mu.Unlock()
|
|
||||||
return s.write(p, 0)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *scanToFmsg) write(p []byte, a int) (int, error) {
|
|
||||||
if i := bytes.IndexByte(p, '\n'); i == -1 {
|
|
||||||
n, _ := s.msg.Write(p)
|
|
||||||
return a + n, nil
|
|
||||||
} else {
|
|
||||||
n, _ := s.msg.Write(p[:i])
|
|
||||||
s.msgbuf = append(s.msgbuf, s.msg.String())
|
|
||||||
s.msg.Reset()
|
|
||||||
return s.write(p[i+1:], a+n+1)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *scanToFmsg) F(f func(msgbuf []string)) {
|
|
||||||
s.mu.RLock()
|
|
||||||
f(s.msgbuf)
|
|
||||||
s.mu.RUnlock()
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
// Package ldd retrieves linker information by invoking ldd from glibc or musl and parsing its output.
|
|
||||||
package ldd
|
package ldd
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
|
16
main.go
16
main.go
|
@ -2,11 +2,13 @@ package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"flag"
|
"flag"
|
||||||
|
"syscall"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/internal"
|
"git.ophivana.moe/security/fortify/internal"
|
||||||
"git.ophivana.moe/security/fortify/internal/app"
|
"git.ophivana.moe/security/fortify/internal/app"
|
||||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||||
"git.ophivana.moe/security/fortify/internal/linux"
|
init0 "git.ophivana.moe/security/fortify/internal/init"
|
||||||
|
"git.ophivana.moe/security/fortify/internal/shim"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -17,12 +19,12 @@ func init() {
|
||||||
flag.BoolVar(&flagVerbose, "v", false, "Verbose output")
|
flag.BoolVar(&flagVerbose, "v", false, "Verbose output")
|
||||||
}
|
}
|
||||||
|
|
||||||
var os = new(linux.Std)
|
var os = new(internal.Std)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
|
// linux/sched/coredump.h
|
||||||
fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
|
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, 0, 0); errno != 0 {
|
||||||
// not fatal: this program runs as the privileged user
|
fmsg.Printf("fortify: cannot set SUID_DUMP_DISABLE: %s", errno.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
@ -32,6 +34,10 @@ func main() {
|
||||||
fmsg.VPrintln("system booted with systemd as init system")
|
fmsg.VPrintln("system booted with systemd as init system")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// shim/init early exit
|
||||||
|
init0.Try()
|
||||||
|
shim.Try()
|
||||||
|
|
||||||
// root check
|
// root check
|
||||||
if os.Geteuid() == 0 {
|
if os.Geteuid() == 0 {
|
||||||
fmsg.Fatal("this program must not run as root")
|
fmsg.Fatal("this program must not run as root")
|
||||||
|
|
34
package.nix
34
package.nix
|
@ -10,33 +10,19 @@
|
||||||
|
|
||||||
buildGoModule rec {
|
buildGoModule rec {
|
||||||
pname = "fortify";
|
pname = "fortify";
|
||||||
version = "0.0.11";
|
version = "0.0.10";
|
||||||
|
|
||||||
src = ./.;
|
src = ./.;
|
||||||
vendorHash = null;
|
vendorHash = null;
|
||||||
|
|
||||||
ldflags =
|
ldflags = [
|
||||||
lib.attrsets.foldlAttrs
|
"-s"
|
||||||
(
|
"-w"
|
||||||
ldflags: name: value:
|
"-X"
|
||||||
ldflags
|
"main.Version=v${version}"
|
||||||
++ [
|
"-X"
|
||||||
"-X"
|
"main.FortifyPath=${placeholder "out"}/bin/.fortify-wrapped"
|
||||||
"git.ophivana.moe/security/fortify/internal.${name}=${value}"
|
];
|
||||||
]
|
|
||||||
)
|
|
||||||
[
|
|
||||||
"-s"
|
|
||||||
"-w"
|
|
||||||
"-X"
|
|
||||||
"main.Fmain=${placeholder "out"}/bin/.fortify-wrapped"
|
|
||||||
]
|
|
||||||
{
|
|
||||||
Version = "v${version}";
|
|
||||||
Fsu = "/run/wrappers/bin/fsu";
|
|
||||||
Fshim = "${placeholder "out"}/bin/.fshim";
|
|
||||||
Finit = "${placeholder "out"}/bin/.finit";
|
|
||||||
};
|
|
||||||
|
|
||||||
buildInputs = [
|
buildInputs = [
|
||||||
acl
|
acl
|
||||||
|
@ -54,7 +40,5 @@ buildGoModule rec {
|
||||||
}
|
}
|
||||||
|
|
||||||
mv $out/bin/fsu $out/bin/.fsu
|
mv $out/bin/fsu $out/bin/.fsu
|
||||||
mv $out/bin/fshim $out/bin/.fshim
|
|
||||||
mv $out/bin/finit $out/bin/.finit
|
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
10
version.go
10
version.go
|
@ -3,11 +3,11 @@ package main
|
||||||
import (
|
import (
|
||||||
"flag"
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"git.ophivana.moe/security/fortify/internal"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
Version = "impure"
|
||||||
|
|
||||||
printVersion bool
|
printVersion bool
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -17,11 +17,7 @@ func init() {
|
||||||
|
|
||||||
func tryVersion() {
|
func tryVersion() {
|
||||||
if printVersion {
|
if printVersion {
|
||||||
if v, ok := internal.Check(internal.Version); ok {
|
fmt.Println(Version)
|
||||||
fmt.Println(v)
|
|
||||||
} else {
|
|
||||||
fmt.Println("impure")
|
|
||||||
}
|
|
||||||
os.Exit(0)
|
os.Exit(0)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
// Package xcb implements X11 ChangeHosts via libxcb.
|
|
||||||
package xcb
|
package xcb
|
||||||
|
|
||||||
//#include <stdlib.h>
|
//#include <stdlib.h>
|
||||||
|
|
Loading…
Reference in New Issue