Compare commits
179 Commits
Author | SHA1 | Date |
---|---|---|
Ophestra Umiker | 563c39c2d9 | |
Ophestra Umiker | aa1f96eeeb | |
Ophestra Umiker | 431dc095e5 | |
Ophestra Umiker | 60e91b9b0f | |
Ophestra Umiker | d9cb2a9f2b | |
Ophestra Umiker | 09feda3783 | |
Ophestra Umiker | 51e84ba8a5 | |
Ophestra Umiker | 7df9d8d01d | |
Ophestra Umiker | 6d8bcb63f2 | |
Ophestra Umiker | c7b77d6e5e | |
Ophestra Umiker | 2f34627d37 | |
Ophestra Umiker | 1d6ea81205 | |
Ophestra Umiker | ae1a102882 | |
Ophestra Umiker | 093e99d062 | |
Ophestra Umiker | ad7e389eee | |
Ophestra Umiker | 5b249e4a66 | |
Ophestra Umiker | 2a348c7f91 | |
Ophestra Umiker | eb767e7642 | |
Ophestra Umiker | 3bfe8dbf5d | |
Ophestra Umiker | 8fa791a2f8 | |
Ophestra Umiker | b932ac8260 | |
Ophestra Umiker | 050ffceb27 | |
Ophestra Umiker | 31350d74e5 | |
Ophestra Umiker | 3b82cc55de | |
Ophestra Umiker | 6bc5be7e5a | |
Ophestra Umiker | e35c5fe3ed | |
Ophestra Umiker | 20195ece47 | |
Ophestra Umiker | cafed5f234 | |
Ophestra Umiker | 42e0b168e3 | |
Ophestra Umiker | 380d1f4585 | |
Ophestra Umiker | 133f23e0de | |
Ophestra Umiker | 65af1684e3 | |
Ophestra Umiker | cdda33555c | |
Ophestra Umiker | ad0034b09a | |
Ophestra Umiker | 1da845d78b | |
Ophestra Umiker | 55bb348d5f | |
Ophestra Umiker | ecce832d93 | |
Ophestra Umiker | 65bd7d18db | |
Ophestra Umiker | 4ebb98649e | |
Ophestra Umiker | 919e5b5cd5 | |
Ophestra Umiker | 40161c5938 | |
Ophestra Umiker | 679e719f9e | |
Ophestra Umiker | 064db9f020 | |
Ophestra Umiker | 73a698c7cb | |
Ophestra Umiker | 57c1b3eda6 | |
Ophestra Umiker | 5401882ed0 | |
Ophestra Umiker | dd78728fb3 | |
Ophestra Umiker | 354c23dd28 | |
Ophestra Umiker | c21168a741 | |
Ophestra Umiker | 084cd84f36 | |
Ophestra Umiker | 430f1a5b4e | |
Ophestra Umiker | 0fd63e85e7 | |
Ophestra Umiker | 33cf0bed54 | |
Ophestra Umiker | 689f5bed57 | |
Ophestra Umiker | 184a5f29fa | |
Ophestra Umiker | 3015266e5a | |
Ophestra Umiker | aa5dd2313c | |
Ophestra Umiker | 2faf510146 | |
Ophestra Umiker | a0db19b9ad | |
Ophestra Umiker | aaed5080f4 | |
Ophestra Umiker | 41a7eb567e | |
Ophestra Umiker | 1302bcede0 | |
Ophestra Umiker | 315c9b8849 | |
Ophestra Umiker | 3739b56504 | |
Ophestra Umiker | 77f2c320a6 | |
Ophestra Umiker | b470941911 | |
Ophestra Umiker | e4536b87ad | |
Ophestra Umiker | 65a5f8fb08 | |
Ophestra Umiker | aee96b0fdf | |
Ophestra Umiker | 655020eb5d | |
Ophestra Umiker | f320dfc2ee | |
Ophestra Umiker | c818ea649a | |
Ophestra Umiker | b091260fd3 | |
Ophestra Umiker | b9d5fe49cb | |
Ophestra Umiker | d37dcff2fc | |
Ophestra Umiker | 805ef99f9b | |
Ophestra Umiker | 283bcba05b | |
Ophestra Umiker | 2e019e48c1 | |
Ophestra Umiker | d5c26ae593 | |
Ophestra Umiker | 61b473a06f | |
Ophestra Umiker | d2575b6708 | |
Ophestra Umiker | 8d82446d97 | |
Ophestra Umiker | 0f421644be | |
Ophestra Umiker | 662f2a9d2c | |
Ophestra Umiker | 3ddfd76cdf | |
Ophestra Umiker | 713872a5cd | |
Ophestra Umiker | 6220f7e197 | |
Ophestra Umiker | b86fa6b4c9 | |
Ophestra Umiker | 6eb712aec7 | |
Ophestra Umiker | 101e49a48b | |
Ophestra Umiker | a3aadd4146 | |
Ophestra Umiker | 86cb5ac1db | |
Ophestra Umiker | 2220055e26 | |
Ophestra Umiker | f4c44a9441 | |
Ophestra Umiker | 8f03ddc3fa | |
Ophestra Umiker | d41b9d2d9c | |
Ophestra Umiker | 22dfa73efe | |
Ophestra Umiker | 753c5191b1 | |
Ophestra Umiker | 6232291cae | |
Ophestra Umiker | b99ed94386 | |
Ophestra Umiker | c201c30c7f | |
Ophestra Umiker | 7c7999e9e5 | |
Ophestra Umiker | c6223771db | |
Ophestra Umiker | 3c5185d770 | |
Ophestra Umiker | 55a5b6f242 | |
Ophestra Umiker | 85407dd3c0 | |
Ophestra Umiker | 6a2802cf30 | |
Ophestra Umiker | 0fb9e40191 | |
Ophestra Umiker | 9647eb6a6b | |
Ophestra Umiker | 18d9ce733e | |
Ophestra Umiker | ba76e2919b | |
Ophestra Umiker | df29068d16 | |
Ophestra Umiker | d1415305ae | |
Ophestra Umiker | 98f9fdb7cc | |
Ophestra Umiker | dc59f20d7b | |
Ophestra Umiker | 7e7327ebf8 | |
Ophestra Umiker | 3bf456da65 | |
Ophestra Umiker | 61ba841c88 | |
Ophestra Umiker | d530a9e9f9 | |
Ophestra Umiker | 0e7849fac2 | |
Ophestra Umiker | 342c66aae8 | |
Ophestra Umiker | cf182d1fbe | |
Ophestra Umiker | 996bf67ac2 | |
Ophestra Umiker | 1038af98f0 | |
Ophestra Umiker | aa2be18f47 | |
Ophestra Umiker | 84d8c27b5f | |
Ophestra Umiker | ee2f5ed6ac | |
Ophestra Umiker | 8492239cba | |
Ophestra Umiker | a8b4b3634b | |
Ophestra Umiker | 97bab6c406 | |
Ophestra Umiker | 831b1aad6f | |
Ophestra Umiker | be83ad838c | |
Ophestra Umiker | b722adc4dd | |
Ophestra Umiker | 000607da5f | |
Ophestra Umiker | 1cb90c0840 | |
Ophestra Umiker | a75229991c | |
Ophestra Umiker | ced31a7257 | |
Ophestra Umiker | 61628dabb7 | |
Ophestra Umiker | 9a9fcdb9ec | |
Ophestra Umiker | 62cb8a91b6 | |
Ophestra Umiker | 11832a9379 | |
Ophestra Umiker | 2763ec730e | |
Ophestra Umiker | 3d963b9f67 | |
Ophestra Umiker | 4b7d616862 | |
Ophestra Umiker | 6a6f62efa6 | |
Ophestra Umiker | 03c24c5122 | |
Ophestra Umiker | 8bdae74ebe | |
Ophestra Umiker | d49b97b1d4 | |
Ophestra Umiker | 40d0550ad3 | |
Ophestra Umiker | da6d238d8a | |
Ophestra Umiker | b0aff89166 | |
Ophestra Umiker | 8223a9ee66 | |
Ophestra Umiker | 88ac05be6d | |
Ophestra Umiker | 0ef321ad6f | |
Ophestra Umiker | 52f986559c | |
Ophestra Umiker | 396066de7b | |
Ophestra Umiker | 44301cd979 | |
Ophestra Umiker | 20c0e66d8f | |
Ophestra Umiker | e5918ba3b3 | |
Ophestra Umiker | 35d040590b | |
Ophestra Umiker | c1bfe2cd74 | |
Ophestra Umiker | d813f8e44e | |
Ophestra Umiker | 0e5b85fd42 | |
Ophestra Umiker | cdc08817a7 | |
Ophestra Umiker | e5b3fa02f9 | |
Ophestra Umiker | 8e848366cd | |
Ophestra Umiker | 38ef2b4d0c | |
Ophestra Umiker | 357cc4ce4d | |
Ophestra Umiker | 3242ce3406 | |
Ophestra Umiker | 7450b0b0bb | |
Ophestra Umiker | 83af555c97 | |
Ophestra Umiker | 60e4846542 | |
Ophestra Umiker | 1906853382 | |
Ophestra Umiker | 58d3a1fbc7 | |
Ophestra Umiker | 1b5fce5ccb | |
Ophestra Umiker | 945cce2f5e | |
Ophestra Umiker | 5c3e7cf664 | |
Ophestra Umiker | 743b6afbbb | |
Ophestra Umiker | d8f76f3b25 |
|
@ -13,22 +13,26 @@ jobs:
|
|||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Set up go
|
||||
|
||||
- name: Setup go
|
||||
uses: https://github.com/actions/setup-go@v5
|
||||
with:
|
||||
go-version: '>=1.20.1'
|
||||
go-version: '>=1.23.0'
|
||||
|
||||
- name: Get dependencies
|
||||
run: >-
|
||||
sudo apt-get update &&
|
||||
sudo apt-get install -y
|
||||
apt-get update &&
|
||||
apt-get install -y
|
||||
gcc
|
||||
pkg-config
|
||||
libacl1-dev
|
||||
if: ${{ runner.os == 'Linux' }}
|
||||
|
||||
- name: Build for Linux
|
||||
run: >-
|
||||
sh -c "go build -v -ldflags '-s -w -X main.Version=${{ github.ref_name }}' -o bin/ego &&
|
||||
sha256sum --tag -b bin/ego > bin/ego.sha256"
|
||||
sh -c "go build -v -ldflags '-s -w -X main.Version=${{ github.ref_name }}' -o bin/fortify &&
|
||||
sha256sum --tag -b bin/fortify > bin/fortify.sha256"
|
||||
|
||||
- name: Release
|
||||
id: use-go-action
|
||||
uses: https://gitea.com/actions/release-action@main
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
name: test
|
||||
|
||||
on:
|
||||
- push
|
||||
- pull_request
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Setup go
|
||||
uses: https://github.com/actions/setup-go@v5
|
||||
with:
|
||||
go-version: '>=1.23.0'
|
||||
|
||||
- name: Get dependencies
|
||||
run: >-
|
||||
apt-get update &&
|
||||
apt-get install -y
|
||||
gcc
|
||||
pkg-config
|
||||
libacl1-dev
|
||||
if: ${{ runner.os == 'Linux' }}
|
||||
|
||||
- name: Run tests
|
||||
run: >-
|
||||
go test ./...
|
||||
|
||||
- name: Build for Linux
|
||||
run: >-
|
||||
sh -c "go build -v -ldflags '-s -w -X main.Version=${{ github.ref_name }}' -o bin/fortify &&
|
||||
sha256sum --tag -b bin/fortify > bin/fortify.sha256"
|
|
@ -4,7 +4,7 @@
|
|||
*.dll
|
||||
*.so
|
||||
*.dylib
|
||||
/ego
|
||||
/fortify
|
||||
|
||||
# Test binary, built with `go test -c`
|
||||
*.test
|
||||
|
|
230
README.md
230
README.md
|
@ -1,83 +1,179 @@
|
|||
ego (the Go side)
|
||||
=================
|
||||
Fortify
|
||||
=======
|
||||
|
||||
[![Go Reference](https://pkg.go.dev/badge/git.ophivana.moe/cat/ego.svg)](https://pkg.go.dev/git.ophivana.moe/cat/ego)
|
||||
[![Go Reference](https://pkg.go.dev/badge/git.ophivana.moe/security/fortify.svg)](https://pkg.go.dev/git.ophivana.moe/security/fortify)
|
||||
|
||||
> Do all your games need access to your documents, browser history, SSH private keys?
|
||||
>
|
||||
> ... No? Just run `ego steam`!
|
||||
Lets you run graphical applications as another user in a confined environment with a nice NixOS
|
||||
module to configure target users and provide launchers and desktop files for your privileged user.
|
||||
|
||||
**Ego** is a tool to run Linux desktop applications under a different local user. Currently
|
||||
integrates with Wayland, Xorg, PulseAudio and xdg-desktop-portal. You may think of it as `xhost`
|
||||
for Wayland and PulseAudio. This is done using filesystem ACLs and X11 host access control.
|
||||
Why would you want this?
|
||||
|
||||
Disclaimer: **DO NOT RUN UNTRUSTED PROGRAMS VIA EGO.** However, using ego is more secure than
|
||||
running applications directly under your primary user.
|
||||
- It protects the desktop environment from applications.
|
||||
|
||||
Differences
|
||||
-----------
|
||||
* Written in Go
|
||||
* Tracks process states
|
||||
* Cleans up after last process exits
|
||||
* Argv preservation in machinectl mode
|
||||
* Has no dependencies other than the two C libraries
|
||||
- It protects applications from each other.
|
||||
|
||||
Manual setup
|
||||
------------
|
||||
Ego aims to come with sane defaults and be easy to set up.
|
||||
- It provides UID isolation on top of the standard application sandbox.
|
||||
|
||||
**Requirements:**
|
||||
* Sudo
|
||||
* A C compiler
|
||||
* [Go](https://go.dev/doc/install)
|
||||
* `libacl.so` library (Debian/Ubuntu: libacl1-dev; Fedora: libacl-devel; Arch: acl)
|
||||
* `libxcb.so` library (Debian/Ubuntu: libxcb1-dev; Fedora: libxcb-devel; Arch: libxcb)
|
||||
There are a few different things to set up for this to work:
|
||||
|
||||
**Recommended:** (Not needed when using `--sudo` mode, but some desktop functionality may not work).
|
||||
* `machinectl` command (Debian/Ubuntu/Fedora: systemd-container; Arch: systemd)
|
||||
* `xdg-desktop-portal-gtk` (Debian/Ubuntu/Fedora/Arch: xdg-desktop-portal-gtk)
|
||||
- A set of users, each for a group of applications that should be allowed access to each other
|
||||
|
||||
**Installation:**
|
||||
- A tool to switch users, currently sudo and machinectl are supported.
|
||||
|
||||
1. Run in repository worktree:
|
||||
- If you are running NixOS, the module in this repository can take care of launchers and desktop files in the privileged
|
||||
user's environment, as well as packages and extra home-manager configuration for target users.
|
||||
|
||||
go build -v -ldflags '-s -w'
|
||||
sudo cp ego /usr/local/bin/
|
||||
If you have a flakes-enabled nix environment, you can try out the tool by running:
|
||||
|
||||
2. Create local user named "ego": <sup>[1]</sup>
|
||||
|
||||
sudo useradd ego --uid 155 --create-home
|
||||
|
||||
3. That's all, try it:
|
||||
|
||||
ego xdg-open .
|
||||
|
||||
[1] No extra groups are needed by the ego user.
|
||||
UID below 1000 hides this user on the login screen.
|
||||
|
||||
### Avoid password prompt
|
||||
If using "machinectl" mode (default if available), you need the rather new systemd version >=247
|
||||
and polkit >=0.106 to do this securely.
|
||||
|
||||
Create file `/etc/polkit-1/rules.d/50-ego-machinectl.rules`, polkit will automatically load it
|
||||
(replace `$USER` with your own username):
|
||||
|
||||
```js
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (action.id == "org.freedesktop.machine1.host-shell" &&
|
||||
action.lookup("user") == "ego" &&
|
||||
subject.user == "$USER") {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
```shell
|
||||
nix run git+https://git.ophivana.moe/security/fortify -- -h
|
||||
```
|
||||
|
||||
##### sudo mode
|
||||
For sudo, add the following to `/etc/sudoers` (replace `$USER` with your own username):
|
||||
## Module usage
|
||||
|
||||
$USER ALL=(ego) NOPASSWD:ALL
|
||||
The NixOS module currently requires home-manager and impermanence to function correctly.
|
||||
|
||||
Appendix
|
||||
--------
|
||||
Ego is licensed under the MIT License (see the `LICENSE` file).
|
||||
The original Ego was created by Marti Raudsepp under the repository https://github.com/intgr/ego
|
||||
To use the module, import it into your configuration with
|
||||
|
||||
```nix
|
||||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
|
||||
|
||||
fortify = {
|
||||
url = "git+https://git.ophivana.moe/security/fortify";
|
||||
|
||||
# Optional but recommended to limit the size of your system closure.
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, fortify, ... }:
|
||||
{
|
||||
nixosConfigurations.fortify = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
fortify.nixosModules.fortify
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
This adds the `environment.fortify` option:
|
||||
|
||||
```nix
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
environment.fortify = {
|
||||
enable = true;
|
||||
user = "nixos";
|
||||
stateDir = "/var/lib/persist/module";
|
||||
target = {
|
||||
chronos = {
|
||||
launchers = {
|
||||
weechat.method = "sudo";
|
||||
claws-mail.capability.pulse = false;
|
||||
|
||||
discord = {
|
||||
command = "vesktop --ozone-platform-hint=wayland";
|
||||
share = pkgs.vesktop;
|
||||
};
|
||||
|
||||
chromium.dbus = {
|
||||
configSystem = {
|
||||
filter = true;
|
||||
talk = [
|
||||
"org.bluez"
|
||||
"org.freedesktop.Avahi"
|
||||
"org.freedesktop.UPower"
|
||||
];
|
||||
};
|
||||
config = {
|
||||
filter = true;
|
||||
talk = [
|
||||
"org.freedesktop.DBus"
|
||||
"org.freedesktop.FileManager1"
|
||||
"org.freedesktop.Notifications"
|
||||
"org.freedesktop.ScreenSaver"
|
||||
"org.freedesktop.secrets"
|
||||
"org.kde.kwalletd5"
|
||||
"org.kde.kwalletd6"
|
||||
];
|
||||
own = [
|
||||
"org.chromium.Chromium.*"
|
||||
"org.mpris.MediaPlayer2.org.chromium.Chromium.*"
|
||||
"org.mpris.MediaPlayer2.chromium.*"
|
||||
];
|
||||
call = {
|
||||
"org.freedesktop.portal.*" = "*";
|
||||
};
|
||||
broadcast = {
|
||||
"org.freedesktop.portal.*" = "@/org/freedesktop/portal/*";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
packages = with pkgs; [
|
||||
weechat
|
||||
claws-mail
|
||||
vesktop
|
||||
chromium
|
||||
];
|
||||
persistence.directories = [
|
||||
".config/weechat"
|
||||
".claws-mail"
|
||||
".config/vesktop"
|
||||
];
|
||||
extraConfig = {
|
||||
programs.looking-glass-client.enable = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
* `enable` determines whether the module should be enabled or not. Useful when sharing configurations between graphical
|
||||
and headless systems. Defaults to `false`.
|
||||
|
||||
* `user` specifies the privileged user with access to fortified applications.
|
||||
|
||||
* `stateDir` is the path to your persistent storage location. It is directly passed through to the impermanence module.
|
||||
|
||||
* `target` is an attribute set of submodules, where the attribute name is the username of the unprivileged target user.
|
||||
|
||||
The available options are:
|
||||
|
||||
* `packages`, the list of packages to make available in the target user's environment.
|
||||
|
||||
* `persistence`, user persistence attribute set passed to impermanence.
|
||||
|
||||
* `extraConfig`, extra home-manager configuration for the target user.
|
||||
|
||||
* `launchers`, attribute set where the attribute name is the name of the launcher.
|
||||
|
||||
The available options are:
|
||||
|
||||
* `command`, the command to run as the target user. Defaults to launcher name.
|
||||
|
||||
* `dbus.config`, D-Bus proxy custom configuration.
|
||||
|
||||
* `dbus.configSystem`, D-Bus system bus custom configuration, null to disable.
|
||||
|
||||
* `dbus.id`, D-Bus application id, has no effect if `dbus.config` is set.
|
||||
|
||||
* `dbus.mpris`, whether to enable MPRIS defaults, has no effect if `dbus.config` is set.
|
||||
|
||||
* `capability.wayland`, whether to share the Wayland socket.
|
||||
|
||||
* `capability.x11`, whether to share the X11 socket and allow connection.
|
||||
|
||||
* `capability.dbus`, whether to proxy D-Bus.
|
||||
|
||||
* `capability.pulse`, whether to share the PulseAudio socket and cookie.
|
||||
|
||||
* `share`, package containing desktop/icon files. Defaults to launcher name.
|
||||
|
||||
* `method`, the launch method for the sandboxed program, can be `"fortify"`, `"fortify-sudo"`, `"sudo"`.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
package main
|
||||
package acl
|
||||
|
||||
import (
|
||||
"errors"
|
||||
|
@ -13,88 +13,11 @@ import (
|
|||
//#cgo linux LDFLAGS: -lacl
|
||||
import "C"
|
||||
|
||||
const (
|
||||
aclRead = C.ACL_READ
|
||||
aclWrite = C.ACL_WRITE
|
||||
aclExecute = C.ACL_EXECUTE
|
||||
|
||||
aclTypeDefault = C.ACL_TYPE_DEFAULT
|
||||
aclTypeAccess = C.ACL_TYPE_ACCESS
|
||||
|
||||
aclUndefinedTag = C.ACL_UNDEFINED_TAG
|
||||
aclUserObj = C.ACL_USER_OBJ
|
||||
aclUser = C.ACL_USER
|
||||
aclGroupObj = C.ACL_GROUP_OBJ
|
||||
aclGroup = C.ACL_GROUP
|
||||
aclMask = C.ACL_MASK
|
||||
aclOther = C.ACL_OTHER
|
||||
)
|
||||
|
||||
type acl struct {
|
||||
val C.acl_t
|
||||
freed bool
|
||||
}
|
||||
|
||||
func aclUpdatePerm(path string, uid int, perms ...C.acl_perm_t) error {
|
||||
// read acl from file
|
||||
a, err := aclGetFile(path, aclTypeAccess)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// free acl on return if get is successful
|
||||
defer a.free()
|
||||
|
||||
// remove existing entry
|
||||
if err = a.removeEntry(aclUser, uid); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// create new entry if perms are passed
|
||||
if len(perms) > 0 {
|
||||
// create new acl entry
|
||||
var e C.acl_entry_t
|
||||
if _, err = C.acl_create_entry(&a.val, &e); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// get perm set of new entry
|
||||
var p C.acl_permset_t
|
||||
if _, err = C.acl_get_permset(e, &p); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// add target perms
|
||||
for _, perm := range perms {
|
||||
if _, err = C.acl_add_perm(p, perm); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// set perm set to new entry
|
||||
if _, err = C.acl_set_permset(e, p); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// set user tag to new entry
|
||||
if _, err = C.acl_set_tag_type(e, aclUser); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// set qualifier (uid) to new entry
|
||||
if _, err = C.acl_set_qualifier(e, unsafe.Pointer(&uid)); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// calculate mask after update
|
||||
if _, err = C.acl_calc_mask(&a.val); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// write acl to file
|
||||
return a.setFile(path, aclTypeAccess)
|
||||
}
|
||||
|
||||
func aclGetFile(path string, t C.acl_type_t) (*acl, error) {
|
||||
p := C.CString(path)
|
||||
a, err := C.acl_get_file(p, t)
|
|
@ -0,0 +1,106 @@
|
|||
package acl
|
||||
|
||||
import "unsafe"
|
||||
|
||||
//#include <stdlib.h>
|
||||
//#include <sys/acl.h>
|
||||
//#include <acl/libacl.h>
|
||||
//#cgo linux LDFLAGS: -lacl
|
||||
import "C"
|
||||
|
||||
const (
|
||||
Read = C.ACL_READ
|
||||
Write = C.ACL_WRITE
|
||||
Execute = C.ACL_EXECUTE
|
||||
|
||||
TypeDefault = C.ACL_TYPE_DEFAULT
|
||||
TypeAccess = C.ACL_TYPE_ACCESS
|
||||
|
||||
UndefinedTag = C.ACL_UNDEFINED_TAG
|
||||
UserObj = C.ACL_USER_OBJ
|
||||
User = C.ACL_USER
|
||||
GroupObj = C.ACL_GROUP_OBJ
|
||||
Group = C.ACL_GROUP
|
||||
Mask = C.ACL_MASK
|
||||
Other = C.ACL_OTHER
|
||||
)
|
||||
|
||||
type (
|
||||
Perm C.acl_perm_t
|
||||
Perms []Perm
|
||||
)
|
||||
|
||||
func (ps Perms) String() string {
|
||||
var s = []byte("---")
|
||||
for _, p := range ps {
|
||||
switch p {
|
||||
case Read:
|
||||
s[0] = 'r'
|
||||
case Write:
|
||||
s[1] = 'w'
|
||||
case Execute:
|
||||
s[2] = 'x'
|
||||
}
|
||||
}
|
||||
return string(s)
|
||||
}
|
||||
|
||||
func UpdatePerm(path string, uid int, perms ...Perm) error {
|
||||
// read acl from file
|
||||
a, err := aclGetFile(path, TypeAccess)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// free acl on return if get is successful
|
||||
defer a.free()
|
||||
|
||||
// remove existing entry
|
||||
if err = a.removeEntry(User, uid); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// create new entry if perms are passed
|
||||
if len(perms) > 0 {
|
||||
// create new acl entry
|
||||
var e C.acl_entry_t
|
||||
if _, err = C.acl_create_entry(&a.val, &e); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// get perm set of new entry
|
||||
var p C.acl_permset_t
|
||||
if _, err = C.acl_get_permset(e, &p); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// add target perms
|
||||
for _, perm := range perms {
|
||||
if _, err = C.acl_add_perm(p, C.acl_perm_t(perm)); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// set perm set to new entry
|
||||
if _, err = C.acl_set_permset(e, p); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// set user tag to new entry
|
||||
if _, err = C.acl_set_tag_type(e, User); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// set qualifier (uid) to new entry
|
||||
if _, err = C.acl_set_qualifier(e, unsafe.Pointer(&uid)); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// calculate mask after update
|
||||
if _, err = C.acl_calc_mask(&a.val); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// write acl to file
|
||||
return a.setFile(path, TypeAccess)
|
||||
}
|
50
cli.go
50
cli.go
|
@ -1,50 +0,0 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/user"
|
||||
)
|
||||
|
||||
var (
|
||||
userName string
|
||||
methodFlags [2]bool
|
||||
printVersion bool
|
||||
mustPulse bool
|
||||
)
|
||||
|
||||
func init() {
|
||||
flag.StringVar(&userName, "u", "ego", "Specify a username")
|
||||
flag.BoolVar(&methodFlags[0], "sudo", false, "Use 'sudo' to change user")
|
||||
flag.BoolVar(&methodFlags[1], "bare", false, "Use 'machinectl' but skip xdg-desktop-portal setup")
|
||||
flag.BoolVar(&mustPulse, "pulse", false, "Treat unavailable PulseAudio as fatal")
|
||||
flag.BoolVar(&verbose, "v", false, "Verbose output")
|
||||
flag.BoolVar(&printVersion, "V", false, "Print version")
|
||||
}
|
||||
|
||||
func copyArgs() {
|
||||
tryLauncher()
|
||||
tryVersion()
|
||||
tryLicense()
|
||||
|
||||
command = flag.Args()
|
||||
|
||||
if u, err := user.Lookup(userName); err != nil {
|
||||
if errors.As(err, new(user.UnknownUserError)) {
|
||||
fmt.Println("unknown user", userName)
|
||||
} else {
|
||||
// unreachable
|
||||
panic(err)
|
||||
}
|
||||
|
||||
os.Exit(1)
|
||||
} else {
|
||||
ego = u
|
||||
}
|
||||
|
||||
if verbose {
|
||||
fmt.Println("Running as user", ego.Username, "("+ego.Uid+"),", "command:", command)
|
||||
}
|
||||
}
|
|
@ -0,0 +1,140 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"log"
|
||||
"os"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
const (
|
||||
fsuConfFile = "/etc/fsurc"
|
||||
envShim = "FORTIFY_SHIM"
|
||||
envAID = "FORTIFY_APP_ID"
|
||||
|
||||
fpPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
|
||||
)
|
||||
|
||||
// FortifyPath is the path to fortify, set at compile time.
|
||||
var FortifyPath = fpPoison
|
||||
|
||||
func main() {
|
||||
log.SetFlags(0)
|
||||
log.SetPrefix("fsu: ")
|
||||
log.SetOutput(os.Stderr)
|
||||
|
||||
if os.Geteuid() != 0 {
|
||||
log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
|
||||
}
|
||||
|
||||
puid := os.Getuid()
|
||||
if puid == 0 {
|
||||
log.Fatal("this program must not be started by root")
|
||||
}
|
||||
|
||||
// validate compiled in fortify path
|
||||
if FortifyPath == fpPoison || !path.IsAbs(FortifyPath) {
|
||||
log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
|
||||
}
|
||||
|
||||
pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
|
||||
if p, err := os.Readlink(pexe); err != nil {
|
||||
log.Fatalf("cannot read parent executable path: %v", err)
|
||||
} else if strings.HasSuffix(p, " (deleted)") {
|
||||
log.Fatal("fortify executable has been deleted")
|
||||
} else if p != FortifyPath {
|
||||
log.Fatal("this program must be started by fortify")
|
||||
}
|
||||
|
||||
// uid = 1000000 +
|
||||
// fid * 10000 +
|
||||
// aid
|
||||
uid := 1000000
|
||||
|
||||
// authenticate before accepting user input
|
||||
if fid, ok := parseConfig(fsuConfFile, puid); !ok {
|
||||
log.Fatalf("uid %d is not in the fsurc file", puid)
|
||||
} else {
|
||||
uid += fid * 10000
|
||||
}
|
||||
|
||||
// pass through setup path to shim
|
||||
var shimSetupPath string
|
||||
if s, ok := os.LookupEnv(envShim); !ok {
|
||||
log.Fatal("FORTIFY_SHIM not set")
|
||||
} else if !path.IsAbs(s) {
|
||||
log.Fatal("FORTIFY_SHIM is not absolute")
|
||||
} else {
|
||||
shimSetupPath = s
|
||||
}
|
||||
|
||||
// allowed aid range 0 to 9999
|
||||
if as, ok := os.LookupEnv(envAID); !ok {
|
||||
log.Fatal("FORTIFY_APP_ID not set")
|
||||
} else if aid, err := strconv.Atoi(as); err != nil || aid < 0 || aid > 9999 {
|
||||
log.Fatal("invalid aid")
|
||||
} else {
|
||||
uid += aid
|
||||
}
|
||||
|
||||
if err := syscall.Setresgid(uid, uid, uid); err != nil {
|
||||
log.Fatalf("cannot set gid: %v", err)
|
||||
}
|
||||
if err := syscall.Setresuid(uid, uid, uid); err != nil {
|
||||
log.Fatalf("cannot set uid: %v", err)
|
||||
}
|
||||
if err := syscall.Exec(FortifyPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
|
||||
log.Fatalf("cannot start shim: %v", err)
|
||||
}
|
||||
|
||||
panic("unreachable")
|
||||
}
|
||||
|
||||
func parseConfig(p string, puid int) (fid int, ok bool) {
|
||||
// refuse to run if fsurc is not protected correctly
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
log.Fatal(err)
|
||||
} else if s.Mode().Perm() != 0400 {
|
||||
log.Fatal("bad fsurc perm")
|
||||
} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
|
||||
log.Fatal("fsurc must be owned by uid 0")
|
||||
}
|
||||
|
||||
if r, err := os.Open(p); err != nil {
|
||||
log.Fatal(err)
|
||||
return -1, false
|
||||
} else {
|
||||
s := bufio.NewScanner(r)
|
||||
var line int
|
||||
for s.Scan() {
|
||||
line++
|
||||
|
||||
// <puid> <fid>
|
||||
lf := strings.SplitN(s.Text(), " ", 2)
|
||||
if len(lf) != 2 {
|
||||
log.Fatalf("invalid entry on line %d", line)
|
||||
}
|
||||
|
||||
var puid0 int
|
||||
if puid0, err = strconv.Atoi(lf[0]); err != nil || puid0 < 1 {
|
||||
log.Fatalf("invalid parent uid on line %d", line)
|
||||
}
|
||||
|
||||
ok = puid0 == puid
|
||||
if ok {
|
||||
// allowed fid range 0 to 99
|
||||
if fid, err = strconv.Atoi(lf[1]); err != nil || fid < 0 || fid > 99 {
|
||||
log.Fatalf("invalid fortify uid on line %d", line)
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
if err = s.Err(); err != nil {
|
||||
log.Fatalf("cannot read fsurc: %v", err)
|
||||
}
|
||||
return -1, false
|
||||
}
|
||||
}
|
|
@ -0,0 +1,135 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"fmt"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
var (
|
||||
printTemplate bool
|
||||
|
||||
confPath string
|
||||
|
||||
dbusConfigSession string
|
||||
dbusConfigSystem string
|
||||
dbusID string
|
||||
mpris bool
|
||||
dbusVerbose bool
|
||||
|
||||
userName string
|
||||
enablements [system.ELen]bool
|
||||
|
||||
launchMethodText string
|
||||
)
|
||||
|
||||
func init() {
|
||||
flag.BoolVar(&printTemplate, "template", false, "Print a full config template and exit")
|
||||
|
||||
// config file, disables every other flag here
|
||||
flag.StringVar(&confPath, "c", "nil", "Path to full app configuration, or \"nil\" to configure from flags")
|
||||
|
||||
flag.StringVar(&dbusConfigSession, "dbus-config", "builtin", "Path to D-Bus proxy config file, or \"builtin\" for defaults")
|
||||
flag.StringVar(&dbusConfigSystem, "dbus-system", "nil", "Path to system D-Bus proxy config file, or \"nil\" to disable")
|
||||
flag.StringVar(&dbusID, "dbus-id", "", "D-Bus ID of application, leave empty to disable own paths, has no effect if custom config is available")
|
||||
flag.BoolVar(&mpris, "mpris", false, "Allow owning MPRIS D-Bus path, has no effect if custom config is available")
|
||||
flag.BoolVar(&dbusVerbose, "dbus-log", false, "Force logging in the D-Bus proxy")
|
||||
|
||||
flag.StringVar(&userName, "u", "chronos", "Passwd name of user to run as")
|
||||
flag.BoolVar(&enablements[system.EWayland], "wayland", false, "Share Wayland socket")
|
||||
flag.BoolVar(&enablements[system.EX11], "X", false, "Share X11 socket and allow connection")
|
||||
flag.BoolVar(&enablements[system.EDBus], "dbus", false, "Proxy D-Bus connection")
|
||||
flag.BoolVar(&enablements[system.EPulse], "pulse", false, "Share PulseAudio socket and cookie")
|
||||
}
|
||||
|
||||
func init() {
|
||||
methodHelpString := "Method of launching the child process, can be one of \"sudo\""
|
||||
if os.SdBooted() {
|
||||
methodHelpString += ", \"systemd\""
|
||||
}
|
||||
|
||||
flag.StringVar(&launchMethodText, "method", "sudo", methodHelpString)
|
||||
}
|
||||
|
||||
func tryTemplate() {
|
||||
if printTemplate {
|
||||
if s, err := json.MarshalIndent(app.Template(), "", " "); err != nil {
|
||||
fmsg.Fatalf("cannot generate template: %v", err)
|
||||
panic("unreachable")
|
||||
} else {
|
||||
fmt.Println(string(s))
|
||||
}
|
||||
fmsg.Exit(0)
|
||||
}
|
||||
}
|
||||
|
||||
func loadConfig() *app.Config {
|
||||
if confPath == "nil" {
|
||||
// config from flags
|
||||
return configFromFlags()
|
||||
} else {
|
||||
// config from file
|
||||
c := new(app.Config)
|
||||
if f, err := os.Open(confPath); err != nil {
|
||||
fmsg.Fatalf("cannot access config file %q: %s", confPath, err)
|
||||
panic("unreachable")
|
||||
} else if err = json.NewDecoder(f).Decode(&c); err != nil {
|
||||
fmsg.Fatalf("cannot parse config file %q: %s", confPath, err)
|
||||
panic("unreachable")
|
||||
} else {
|
||||
return c
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func configFromFlags() (config *app.Config) {
|
||||
// initialise config from flags
|
||||
config = &app.Config{
|
||||
ID: dbusID,
|
||||
User: userName,
|
||||
Command: flag.Args(),
|
||||
Method: launchMethodText,
|
||||
}
|
||||
|
||||
// enablements from flags
|
||||
for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
|
||||
if enablements[i] {
|
||||
config.Confinement.Enablements.Set(i)
|
||||
}
|
||||
}
|
||||
|
||||
// parse D-Bus config file from flags if applicable
|
||||
if enablements[system.EDBus] {
|
||||
if dbusConfigSession == "builtin" {
|
||||
config.Confinement.SessionBus = dbus.NewConfig(dbusID, true, mpris)
|
||||
} else {
|
||||
if c, err := dbus.NewConfigFromFile(dbusConfigSession); err != nil {
|
||||
fmsg.Fatalf("cannot load session bus proxy config from %q: %s", dbusConfigSession, err)
|
||||
} else {
|
||||
config.Confinement.SessionBus = c
|
||||
}
|
||||
}
|
||||
|
||||
// system bus proxy is optional
|
||||
if dbusConfigSystem != "nil" {
|
||||
if c, err := dbus.NewConfigFromFile(dbusConfigSystem); err != nil {
|
||||
fmsg.Fatalf("cannot load system bus proxy config from %q: %s", dbusConfigSystem, err)
|
||||
} else {
|
||||
config.Confinement.SystemBus = c
|
||||
}
|
||||
}
|
||||
|
||||
// override log from configuration
|
||||
if dbusVerbose {
|
||||
config.Confinement.SessionBus.Log = true
|
||||
config.Confinement.SystemBus.Log = true
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
|
@ -0,0 +1,105 @@
|
|||
package dbus
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"io"
|
||||
"os"
|
||||
)
|
||||
|
||||
type Config struct {
|
||||
// See set 'see' policy for NAME (--see=NAME)
|
||||
See []string `json:"see"`
|
||||
// Talk set 'talk' policy for NAME (--talk=NAME)
|
||||
Talk []string `json:"talk"`
|
||||
// Own set 'own' policy for NAME (--own=NAME)
|
||||
Own []string `json:"own"`
|
||||
|
||||
// Call set RULE for calls on NAME (--call=NAME=RULE)
|
||||
Call map[string]string `json:"call"`
|
||||
// Broadcast set RULE for broadcasts from NAME (--broadcast=NAME=RULE)
|
||||
Broadcast map[string]string `json:"broadcast"`
|
||||
|
||||
Log bool `json:"log,omitempty"`
|
||||
Filter bool `json:"filter"`
|
||||
}
|
||||
|
||||
func (c *Config) Args(bus [2]string) (args []string) {
|
||||
argc := 2 + len(c.See) + len(c.Talk) + len(c.Own) + len(c.Call) + len(c.Broadcast)
|
||||
if c.Log {
|
||||
argc++
|
||||
}
|
||||
if c.Filter {
|
||||
argc++
|
||||
}
|
||||
|
||||
args = make([]string, 0, argc)
|
||||
args = append(args, bus[0], bus[1])
|
||||
if c.Filter {
|
||||
args = append(args, "--filter")
|
||||
}
|
||||
for _, name := range c.See {
|
||||
args = append(args, "--see="+name)
|
||||
}
|
||||
for _, name := range c.Talk {
|
||||
args = append(args, "--talk="+name)
|
||||
}
|
||||
for _, name := range c.Own {
|
||||
args = append(args, "--own="+name)
|
||||
}
|
||||
for name, rule := range c.Call {
|
||||
args = append(args, "--call="+name+"="+rule)
|
||||
}
|
||||
for name, rule := range c.Broadcast {
|
||||
args = append(args, "--broadcast="+name+"="+rule)
|
||||
}
|
||||
if c.Log {
|
||||
args = append(args, "--log")
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (c *Config) Load(r io.Reader) error {
|
||||
return json.NewDecoder(r).Decode(&c)
|
||||
}
|
||||
|
||||
// NewConfigFromFile opens the target config file at path and parses its contents into *Config.
|
||||
func NewConfigFromFile(path string) (*Config, error) {
|
||||
if f, err := os.Open(path); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
c := new(Config)
|
||||
err1 := c.Load(f)
|
||||
err = f.Close()
|
||||
|
||||
return c, errors.Join(err1, err)
|
||||
}
|
||||
}
|
||||
|
||||
// NewConfig returns a reference to a Config struct with optional defaults.
|
||||
// If id is an empty string own defaults are omitted.
|
||||
func NewConfig(id string, defaults, mpris bool) (c *Config) {
|
||||
c = &Config{
|
||||
Call: make(map[string]string),
|
||||
Broadcast: make(map[string]string),
|
||||
|
||||
Filter: true,
|
||||
}
|
||||
|
||||
if defaults {
|
||||
c.Talk = []string{"org.freedesktop.DBus", "org.freedesktop.Notifications"}
|
||||
|
||||
c.Call["org.freedesktop.portal.*"] = "*"
|
||||
c.Broadcast["org.freedesktop.portal.*"] = "@/org/freedesktop/portal/*"
|
||||
|
||||
if id != "" {
|
||||
c.Own = []string{id + ".*"}
|
||||
if mpris {
|
||||
c.Own = append(c.Own, "org.mpris.MediaPlayer2."+id+".*")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
|
@ -0,0 +1,159 @@
|
|||
package dbus_test
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"os"
|
||||
"path"
|
||||
"reflect"
|
||||
"slices"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
)
|
||||
|
||||
func TestConfig_Args(t *testing.T) {
|
||||
for _, tc := range testCases() {
|
||||
if tc.wantErr {
|
||||
// args does not check for nulls
|
||||
continue
|
||||
}
|
||||
|
||||
t.Run("build arguments for "+tc.id, func(t *testing.T) {
|
||||
if got := tc.c.Args(tc.bus); !slices.Equal(got, tc.want) {
|
||||
t.Errorf("Args(%q) = %v, want %v",
|
||||
tc.bus,
|
||||
got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewConfigFromFile(t *testing.T) {
|
||||
for _, tc := range testCases() {
|
||||
name := new(strings.Builder)
|
||||
name.WriteString("parse configuration file for application ")
|
||||
name.WriteString(tc.id)
|
||||
if tc.wantErr {
|
||||
name.WriteString(" with unexpected results")
|
||||
}
|
||||
|
||||
samplePath := path.Join("testdata", tc.id+".json")
|
||||
|
||||
t.Run(name.String(), func(t *testing.T) {
|
||||
got, err := dbus.NewConfigFromFile(samplePath)
|
||||
if errors.Is(err, os.ErrNotExist) != tc.wantErrF {
|
||||
t.Errorf("NewConfigFromFile(%q) error = %v, wantErrF %v",
|
||||
samplePath,
|
||||
err, tc.wantErrF)
|
||||
return
|
||||
}
|
||||
|
||||
if tc.wantErrF {
|
||||
return
|
||||
}
|
||||
|
||||
if !tc.wantErr && !reflect.DeepEqual(got, tc.c) {
|
||||
t.Errorf("NewConfigFromFile(%q) got = %v, want %v",
|
||||
samplePath,
|
||||
got, tc.c)
|
||||
}
|
||||
if tc.wantErr && reflect.DeepEqual(got, tc.c) {
|
||||
t.Errorf("NewConfigFromFile(%q) got = %v, wantErr %v",
|
||||
samplePath,
|
||||
got, tc.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewConfig(t *testing.T) {
|
||||
ids := [...]string{"org.chromium.Chromium", "dev.vencord.Vesktop"}
|
||||
|
||||
type newTestCase struct {
|
||||
id string
|
||||
args [2]bool
|
||||
want *dbus.Config
|
||||
}
|
||||
|
||||
// populate tests from IDs in generic tests
|
||||
tcs := make([]newTestCase, 0, (len(ids)+1)*4)
|
||||
// tests for defaults without id
|
||||
tcs = append(tcs,
|
||||
newTestCase{"", [2]bool{false, false}, &dbus.Config{
|
||||
Call: make(map[string]string),
|
||||
Broadcast: make(map[string]string),
|
||||
Filter: true,
|
||||
}},
|
||||
newTestCase{"", [2]bool{false, true}, &dbus.Config{
|
||||
Call: make(map[string]string),
|
||||
Broadcast: make(map[string]string),
|
||||
Filter: true,
|
||||
}},
|
||||
newTestCase{"", [2]bool{true, false}, &dbus.Config{
|
||||
Talk: []string{"org.freedesktop.DBus", "org.freedesktop.Notifications"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Filter: true,
|
||||
}},
|
||||
newTestCase{"", [2]bool{true, true}, &dbus.Config{
|
||||
Talk: []string{"org.freedesktop.DBus", "org.freedesktop.Notifications"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Filter: true,
|
||||
}},
|
||||
)
|
||||
for _, id := range ids {
|
||||
tcs = append(tcs,
|
||||
newTestCase{id, [2]bool{false, false}, &dbus.Config{
|
||||
Call: make(map[string]string),
|
||||
Broadcast: make(map[string]string),
|
||||
Filter: true,
|
||||
}},
|
||||
newTestCase{id, [2]bool{false, true}, &dbus.Config{
|
||||
Call: make(map[string]string),
|
||||
Broadcast: make(map[string]string),
|
||||
Filter: true,
|
||||
}},
|
||||
newTestCase{id, [2]bool{true, false}, &dbus.Config{
|
||||
Talk: []string{"org.freedesktop.DBus", "org.freedesktop.Notifications"},
|
||||
Own: []string{id + ".*"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Filter: true,
|
||||
}},
|
||||
newTestCase{id, [2]bool{true, true}, &dbus.Config{
|
||||
Talk: []string{"org.freedesktop.DBus", "org.freedesktop.Notifications"},
|
||||
Own: []string{id + ".*", "org.mpris.MediaPlayer2." + id + ".*"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Filter: true,
|
||||
}},
|
||||
)
|
||||
}
|
||||
|
||||
for _, tc := range tcs {
|
||||
name := new(strings.Builder)
|
||||
name.WriteString("create new configuration struct")
|
||||
|
||||
if tc.args[0] {
|
||||
name.WriteString(" with builtin defaults")
|
||||
if tc.args[1] {
|
||||
name.WriteString(" (mpris)")
|
||||
}
|
||||
}
|
||||
|
||||
if tc.id != "" {
|
||||
name.WriteString(" for application ID ")
|
||||
name.WriteString(tc.id)
|
||||
}
|
||||
|
||||
t.Run(name.String(), func(t *testing.T) {
|
||||
if gotC := dbus.NewConfig(tc.id, tc.args[0], tc.args[1]); !reflect.DeepEqual(gotC, tc.want) {
|
||||
t.Errorf("NewConfig(%q, %t, %t) = %v, want %v",
|
||||
tc.id, tc.args[0], tc.args[1],
|
||||
gotC, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
package dbus
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"sync"
|
||||
)
|
||||
|
||||
const (
|
||||
SessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
|
||||
SystemBusAddress = "DBUS_SYSTEM_BUS_ADDRESS"
|
||||
)
|
||||
|
||||
var (
|
||||
addresses [2]string
|
||||
addressOnce sync.Once
|
||||
)
|
||||
|
||||
func Address() (session, system string) {
|
||||
addressOnce.Do(func() {
|
||||
// resolve upstream session bus address
|
||||
if addr, ok := os.LookupEnv(SessionBusAddress); !ok {
|
||||
// fall back to default format
|
||||
addresses[0] = fmt.Sprintf("unix:path=/run/user/%d/bus", os.Getuid())
|
||||
} else {
|
||||
addresses[0] = addr
|
||||
}
|
||||
|
||||
// resolve upstream system bus address
|
||||
if addr, ok := os.LookupEnv(SystemBusAddress); !ok {
|
||||
// fall back to default hardcoded value
|
||||
addresses[1] = "unix:path=/run/dbus/system_bus_socket"
|
||||
} else {
|
||||
addresses[1] = addr
|
||||
}
|
||||
})
|
||||
|
||||
return addresses[0], addresses[1]
|
||||
}
|
|
@ -0,0 +1,215 @@
|
|||
package dbus_test
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
)
|
||||
|
||||
func TestNew(t *testing.T) {
|
||||
for _, tc := range [][2][2]string{
|
||||
{
|
||||
{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/1ca5d183ef4c99e74c3e544715f32702/bus"},
|
||||
{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/1ca5d183ef4c99e74c3e544715f32702/system_bus_socket"},
|
||||
},
|
||||
{
|
||||
{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/881ac3796ff3f3bf0a773824383187a0/bus"},
|
||||
{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/881ac3796ff3f3bf0a773824383187a0/system_bus_socket"},
|
||||
},
|
||||
{
|
||||
{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/3d1a5084520ef79c0c6a49a675bac701/bus"},
|
||||
{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/3d1a5084520ef79c0c6a49a675bac701/system_bus_socket"},
|
||||
},
|
||||
{
|
||||
{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/2a1639bab712799788ea0ff7aa280c35/bus"},
|
||||
{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/2a1639bab712799788ea0ff7aa280c35/system_bus_socket"},
|
||||
},
|
||||
} {
|
||||
t.Run("create instance for "+tc[0][0]+" and "+tc[1][0], func(t *testing.T) {
|
||||
if got := dbus.New(tc[0], tc[1]); !got.CompareTestNew(tc[0], tc[1]) {
|
||||
t.Errorf("New(%q, %q) = %v",
|
||||
tc[0], tc[1],
|
||||
got)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestProxy_Seal(t *testing.T) {
|
||||
t.Run("double seal panic", func(t *testing.T) {
|
||||
defer func() {
|
||||
want := "dbus proxy sealed twice"
|
||||
if r := recover(); r != want {
|
||||
t.Errorf("Seal: panic = %q, want %q",
|
||||
r, want)
|
||||
}
|
||||
}()
|
||||
|
||||
p := dbus.New([2]string{}, [2]string{})
|
||||
_ = p.Seal(dbus.NewConfig("", true, false), nil)
|
||||
_ = p.Seal(dbus.NewConfig("", true, false), nil)
|
||||
})
|
||||
|
||||
ep := dbus.New([2]string{}, [2]string{})
|
||||
if err := ep.Seal(nil, nil); !errors.Is(err, dbus.ErrConfig) {
|
||||
t.Errorf("Seal(nil, nil) error = %v, want %v",
|
||||
err, dbus.ErrConfig)
|
||||
}
|
||||
|
||||
for id, tc := range testCasePairs() {
|
||||
t.Run("create seal for "+id, func(t *testing.T) {
|
||||
p := dbus.New(tc[0].bus, tc[1].bus)
|
||||
if err := p.Seal(tc[0].c, tc[1].c); (errors.Is(err, helper.ErrContainsNull)) != tc[0].wantErr {
|
||||
t.Errorf("Seal(%p, %p) error = %v, wantErr %v",
|
||||
tc[0].c, tc[1].c,
|
||||
err, tc[0].wantErr)
|
||||
return
|
||||
}
|
||||
|
||||
// rest of the tests happen for sealed instances
|
||||
if tc[0].wantErr {
|
||||
return
|
||||
}
|
||||
|
||||
// build null-terminated string from wanted args
|
||||
want := new(strings.Builder)
|
||||
args := append(tc[0].want, tc[1].want...)
|
||||
for _, arg := range args {
|
||||
want.WriteString(arg)
|
||||
want.WriteByte('\x00')
|
||||
}
|
||||
|
||||
wt := p.AccessTestProxySeal()
|
||||
got := new(strings.Builder)
|
||||
if _, err := wt.WriteTo(got); err != nil {
|
||||
t.Errorf("p.seal.WriteTo(): %v", err)
|
||||
}
|
||||
|
||||
if want.String() != got.String() {
|
||||
t.Errorf("Seal(%p, %p) seal = %v, want %v",
|
||||
tc[0].c, tc[1].c,
|
||||
got.String(), want.String())
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestProxy_Start_Wait_Close_String(t *testing.T) {
|
||||
t.Run("sandboxed", func(t *testing.T) {
|
||||
testProxyStartWaitCloseString(t, true)
|
||||
})
|
||||
t.Run("direct", func(t *testing.T) {
|
||||
testProxyStartWaitCloseString(t, false)
|
||||
})
|
||||
}
|
||||
|
||||
func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
|
||||
for id, tc := range testCasePairs() {
|
||||
// this test does not test errors
|
||||
if tc[0].wantErr {
|
||||
continue
|
||||
}
|
||||
|
||||
t.Run("string for nil proxy", func(t *testing.T) {
|
||||
var p *dbus.Proxy
|
||||
want := "(invalid dbus proxy)"
|
||||
if got := p.String(); got != want {
|
||||
t.Errorf("String() = %v, want %v",
|
||||
got, want)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("proxy for "+id, func(t *testing.T) {
|
||||
helper.InternalReplaceExecCommand(t)
|
||||
p := dbus.New(tc[0].bus, tc[1].bus)
|
||||
output := new(strings.Builder)
|
||||
|
||||
t.Run("unsealed behaviour of "+id, func(t *testing.T) {
|
||||
t.Run("unsealed string of "+id, func(t *testing.T) {
|
||||
want := "(unsealed dbus proxy)"
|
||||
if got := p.String(); got != want {
|
||||
t.Errorf("String() = %v, want %v",
|
||||
got, want)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("unsealed start of "+id, func(t *testing.T) {
|
||||
want := "proxy not sealed"
|
||||
if err := p.Start(nil, nil, sandbox); err == nil || err.Error() != want {
|
||||
t.Errorf("Start() error = %v, wantErr %q",
|
||||
err, errors.New(want))
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("unsealed wait of "+id, func(t *testing.T) {
|
||||
wantErr := "proxy not started"
|
||||
if err := p.Wait(); err == nil || err.Error() != wantErr {
|
||||
t.Errorf("Wait() error = %v, wantErr %v",
|
||||
err, wantErr)
|
||||
}
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("seal with "+id, func(t *testing.T) {
|
||||
if err := p.Seal(tc[0].c, tc[1].c); err != nil {
|
||||
t.Errorf("Seal(%p, %p) error = %v, wantErr %v",
|
||||
tc[0].c, tc[1].c,
|
||||
err, tc[0].wantErr)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("sealed behaviour of "+id, func(t *testing.T) {
|
||||
want := strings.Join(append(tc[0].want, tc[1].want...), " ")
|
||||
if got := p.String(); got != want {
|
||||
t.Errorf("String() = %v, want %v",
|
||||
got, want)
|
||||
return
|
||||
}
|
||||
|
||||
t.Run("sealed start of "+id, func(t *testing.T) {
|
||||
if err := p.Start(nil, output, sandbox); err != nil {
|
||||
t.Errorf("Start(nil, nil) error = %v",
|
||||
err)
|
||||
}
|
||||
|
||||
t.Run("started string of "+id, func(t *testing.T) {
|
||||
wantSubstr := dbus.ProxyName + " --args="
|
||||
if got := p.String(); !strings.Contains(got, wantSubstr) {
|
||||
t.Errorf("String() = %v, want %v",
|
||||
p.String(), wantSubstr)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("sealed closing of "+id+" without status", func(t *testing.T) {
|
||||
wantPanic := "attempted to close helper with no status pipe"
|
||||
defer func() {
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("Close() panic = %v, wantPanic %v",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
|
||||
if err := p.Close(); err != nil {
|
||||
t.Errorf("Close() error = %v",
|
||||
err)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("started wait of "+id, func(t *testing.T) {
|
||||
if err := p.Wait(); err != nil {
|
||||
t.Errorf("Wait() error = %v\noutput: %s",
|
||||
err, output.String())
|
||||
}
|
||||
})
|
||||
})
|
||||
})
|
||||
})
|
||||
}
|
||||
}
|
|
@ -0,0 +1,13 @@
|
|||
package dbus
|
||||
|
||||
import "io"
|
||||
|
||||
// CompareTestNew provides TestNew with comparison access to unexported Proxy fields.
|
||||
func (p *Proxy) CompareTestNew(session, system [2]string) bool {
|
||||
return session == p.session && system == p.system
|
||||
}
|
||||
|
||||
// AccessTestProxySeal provides TestProxy_Seal with access to unexported Proxy seal field.
|
||||
func (p *Proxy) AccessTestProxySeal() io.WriterTo {
|
||||
return p.seal
|
||||
}
|
|
@ -0,0 +1,105 @@
|
|||
package dbus
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"sync"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
)
|
||||
|
||||
// ProxyName is the file name or path to the proxy program.
|
||||
// Overriding ProxyName will only affect Proxy instance created after the change.
|
||||
var ProxyName = "xdg-dbus-proxy"
|
||||
|
||||
// Proxy holds references to a xdg-dbus-proxy process, and should never be copied.
|
||||
// Once sealed, configuration changes will no longer be possible and attempting to do so will result in a panic.
|
||||
type Proxy struct {
|
||||
helper helper.Helper
|
||||
bwrap *bwrap.Config
|
||||
|
||||
name string
|
||||
session [2]string
|
||||
system [2]string
|
||||
|
||||
seal io.WriterTo
|
||||
lock sync.RWMutex
|
||||
}
|
||||
|
||||
func (p *Proxy) Session() [2]string {
|
||||
return p.session
|
||||
}
|
||||
|
||||
func (p *Proxy) System() [2]string {
|
||||
return p.system
|
||||
}
|
||||
|
||||
func (p *Proxy) Sealed() bool {
|
||||
p.lock.RLock()
|
||||
defer p.lock.RUnlock()
|
||||
|
||||
return p.seal != nil
|
||||
}
|
||||
|
||||
var (
|
||||
ErrConfig = errors.New("no configuration to seal")
|
||||
)
|
||||
|
||||
func (p *Proxy) String() string {
|
||||
if p == nil {
|
||||
return "(invalid dbus proxy)"
|
||||
}
|
||||
|
||||
p.lock.RLock()
|
||||
defer p.lock.RUnlock()
|
||||
|
||||
if p.helper != nil {
|
||||
return p.helper.Unwrap().String()
|
||||
}
|
||||
|
||||
if p.seal != nil {
|
||||
return p.seal.(fmt.Stringer).String()
|
||||
}
|
||||
|
||||
return "(unsealed dbus proxy)"
|
||||
}
|
||||
|
||||
func (p *Proxy) Bwrap() []string {
|
||||
return p.bwrap.Args()
|
||||
}
|
||||
|
||||
// Seal seals the Proxy instance.
|
||||
func (p *Proxy) Seal(session, system *Config) error {
|
||||
p.lock.Lock()
|
||||
defer p.lock.Unlock()
|
||||
|
||||
if p.seal != nil {
|
||||
panic("dbus proxy sealed twice")
|
||||
}
|
||||
|
||||
if session == nil && system == nil {
|
||||
return ErrConfig
|
||||
}
|
||||
|
||||
var args []string
|
||||
if session != nil {
|
||||
args = append(args, session.Args(p.session)...)
|
||||
}
|
||||
if system != nil {
|
||||
args = append(args, system.Args(p.system)...)
|
||||
}
|
||||
if seal, err := helper.NewCheckedArgs(args); err != nil {
|
||||
return err
|
||||
} else {
|
||||
p.seal = seal
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// New returns a reference to a new unsealed Proxy.
|
||||
func New(session, system [2]string) *Proxy {
|
||||
return &Proxy{name: ProxyName, session: session, system: system}
|
||||
}
|
|
@ -0,0 +1,140 @@
|
|||
package dbus
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
"os/exec"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/ldd"
|
||||
)
|
||||
|
||||
// Start launches the D-Bus proxy and sets up the Wait method.
|
||||
// ready should be buffered and must only be received from once.
|
||||
func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
|
||||
p.lock.Lock()
|
||||
defer p.lock.Unlock()
|
||||
|
||||
if p.seal == nil {
|
||||
return errors.New("proxy not sealed")
|
||||
}
|
||||
|
||||
var (
|
||||
h helper.Helper
|
||||
cmd *exec.Cmd
|
||||
|
||||
argF = func(argsFD, statFD int) []string {
|
||||
if statFD == -1 {
|
||||
return []string{"--args=" + strconv.Itoa(argsFD)}
|
||||
} else {
|
||||
return []string{"--args=" + strconv.Itoa(argsFD), "--fd=" + strconv.Itoa(statFD)}
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
if !sandbox {
|
||||
h = helper.New(p.seal, p.name, argF)
|
||||
cmd = h.Unwrap()
|
||||
// xdg-dbus-proxy does not need to inherit the environment
|
||||
cmd.Env = []string{}
|
||||
} else {
|
||||
// look up absolute path if name is just a file name
|
||||
toolPath := p.name
|
||||
if filepath.Base(p.name) == p.name {
|
||||
if s, err := exec.LookPath(p.name); err == nil {
|
||||
toolPath = s
|
||||
}
|
||||
}
|
||||
|
||||
// resolve libraries by parsing ldd output
|
||||
var proxyDeps []*ldd.Entry
|
||||
if path.IsAbs(toolPath) {
|
||||
if l, err := ldd.Exec(toolPath); err != nil {
|
||||
return err
|
||||
} else {
|
||||
proxyDeps = l
|
||||
}
|
||||
}
|
||||
|
||||
bc := &bwrap.Config{
|
||||
Unshare: nil,
|
||||
Hostname: "fortify-dbus",
|
||||
Chdir: "/",
|
||||
Clearenv: true,
|
||||
NewSession: true,
|
||||
DieWithParent: true,
|
||||
}
|
||||
|
||||
// resolve proxy socket directories
|
||||
bindTarget := make(map[string]struct{}, 2)
|
||||
for _, ps := range []string{p.session[1], p.system[1]} {
|
||||
if pd := path.Dir(ps); len(pd) > 0 {
|
||||
if pd[0] == '/' {
|
||||
bindTarget[pd] = struct{}{}
|
||||
}
|
||||
}
|
||||
}
|
||||
for k := range bindTarget {
|
||||
bc.Bind(k, k, false, true)
|
||||
}
|
||||
|
||||
roBindTarget := make(map[string]struct{}, 2+1+len(proxyDeps))
|
||||
|
||||
// xdb-dbus-proxy bin and dependencies
|
||||
roBindTarget[path.Dir(toolPath)] = struct{}{}
|
||||
for _, ent := range proxyDeps {
|
||||
if path.IsAbs(ent.Path) {
|
||||
roBindTarget[path.Dir(ent.Path)] = struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
// resolve upstream bus directories
|
||||
for _, as := range []string{p.session[0], p.system[0]} {
|
||||
if len(as) > 0 && strings.HasPrefix(as, "unix:path=/") {
|
||||
// leave / intact
|
||||
roBindTarget[path.Dir(as[10:])] = struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
for k := range roBindTarget {
|
||||
bc.Bind(k, k)
|
||||
}
|
||||
|
||||
h = helper.MustNewBwrap(bc, p.seal, toolPath, argF)
|
||||
cmd = h.Unwrap()
|
||||
p.bwrap = bc
|
||||
}
|
||||
|
||||
if output != nil {
|
||||
cmd.Stdout = output
|
||||
cmd.Stderr = output
|
||||
}
|
||||
if err := h.StartNotify(ready); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
p.helper = h
|
||||
return nil
|
||||
}
|
||||
|
||||
// Wait waits for xdg-dbus-proxy to exit or fault.
|
||||
func (p *Proxy) Wait() error {
|
||||
p.lock.RLock()
|
||||
defer p.lock.RUnlock()
|
||||
|
||||
if p.helper == nil {
|
||||
return errors.New("proxy not started")
|
||||
}
|
||||
|
||||
return p.helper.Wait()
|
||||
}
|
||||
|
||||
// Close closes the status file descriptor passed to xdg-dbus-proxy, causing it to stop.
|
||||
func (p *Proxy) Close() error {
|
||||
return p.helper.Close()
|
||||
}
|
|
@ -0,0 +1,221 @@
|
|||
package dbus_test
|
||||
|
||||
import (
|
||||
"sync"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
)
|
||||
|
||||
var samples = []dbusTestCase{
|
||||
{
|
||||
"org.chromium.Chromium", &dbus.Config{
|
||||
See: nil,
|
||||
Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
|
||||
"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
|
||||
Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.chromium.*"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Log: false,
|
||||
Filter: true,
|
||||
}, false, false,
|
||||
[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/bus"},
|
||||
[]string{
|
||||
"unix:path=/run/user/1971/bus",
|
||||
"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/bus",
|
||||
"--filter",
|
||||
"--talk=org.freedesktop.Notifications",
|
||||
"--talk=org.freedesktop.FileManager1",
|
||||
"--talk=org.freedesktop.ScreenSaver",
|
||||
"--talk=org.freedesktop.secrets",
|
||||
"--talk=org.kde.kwalletd5",
|
||||
"--talk=org.kde.kwalletd6",
|
||||
"--talk=org.gnome.SessionManager",
|
||||
"--own=org.chromium.Chromium.*",
|
||||
"--own=org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"--own=org.mpris.MediaPlayer2.chromium.*",
|
||||
"--call=org.freedesktop.portal.*=*",
|
||||
"--broadcast=org.freedesktop.portal.*=@/org/freedesktop/portal/*",
|
||||
},
|
||||
},
|
||||
{
|
||||
"org.chromium.Chromium+", &dbus.Config{
|
||||
See: nil,
|
||||
Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
|
||||
Own: nil,
|
||||
Call: nil,
|
||||
Broadcast: nil,
|
||||
Log: false,
|
||||
Filter: true,
|
||||
}, false, false,
|
||||
[2]string{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket"},
|
||||
[]string{"unix:path=/run/dbus/system_bus_socket",
|
||||
"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket",
|
||||
"--filter",
|
||||
"--talk=org.bluez",
|
||||
"--talk=org.freedesktop.Avahi",
|
||||
"--talk=org.freedesktop.UPower",
|
||||
},
|
||||
},
|
||||
|
||||
{
|
||||
"dev.vencord.Vesktop", &dbus.Config{
|
||||
See: nil,
|
||||
Talk: []string{"org.freedesktop.Notifications", "org.kde.StatusNotifierWatcher"},
|
||||
Own: []string{"dev.vencord.Vesktop.*", "org.mpris.MediaPlayer2.dev.vencord.Vesktop.*"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Log: false,
|
||||
Filter: true,
|
||||
}, false, false,
|
||||
[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/34c24f16a0d791d28835ededaf446033/bus"},
|
||||
[]string{
|
||||
"unix:path=/run/user/1971/bus",
|
||||
"/tmp/fortify.1971/34c24f16a0d791d28835ededaf446033/bus",
|
||||
"--filter",
|
||||
"--talk=org.freedesktop.Notifications",
|
||||
"--talk=org.kde.StatusNotifierWatcher",
|
||||
"--own=dev.vencord.Vesktop.*",
|
||||
"--own=org.mpris.MediaPlayer2.dev.vencord.Vesktop.*",
|
||||
"--call=org.freedesktop.portal.*=*",
|
||||
"--broadcast=org.freedesktop.portal.*=@/org/freedesktop/portal/*"},
|
||||
},
|
||||
|
||||
{
|
||||
"moe.ophivana.CrashTestDummy", &dbus.Config{
|
||||
See: []string{"moe.ophivana.CrashTestDummy1"},
|
||||
Talk: []string{"org.freedesktop.Notifications"},
|
||||
Own: []string{"moe.ophivana.CrashTestDummy.*", "org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy.*"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Log: true,
|
||||
Filter: true,
|
||||
}, false, false,
|
||||
[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus"},
|
||||
[]string{
|
||||
"unix:path=/run/user/1971/bus",
|
||||
"/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus",
|
||||
"--filter",
|
||||
"--see=moe.ophivana.CrashTestDummy1",
|
||||
"--talk=org.freedesktop.Notifications",
|
||||
"--own=moe.ophivana.CrashTestDummy.*",
|
||||
"--own=org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy.*",
|
||||
"--call=org.freedesktop.portal.*=*",
|
||||
"--broadcast=org.freedesktop.portal.*=@/org/freedesktop/portal/*",
|
||||
"--log"},
|
||||
},
|
||||
{
|
||||
"moe.ophivana.CrashTestDummy1", &dbus.Config{
|
||||
See: []string{"moe.ophivana.CrashTestDummy"},
|
||||
Talk: []string{"org.freedesktop.Notifications"},
|
||||
Own: []string{"moe.ophivana.CrashTestDummy1.*", "org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy1.*"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Log: true,
|
||||
Filter: true,
|
||||
}, false, true,
|
||||
[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus"},
|
||||
[]string{
|
||||
"unix:path=/run/user/1971/bus",
|
||||
"/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus",
|
||||
"--filter",
|
||||
"--see=moe.ophivana.CrashTestDummy",
|
||||
"--talk=org.freedesktop.Notifications",
|
||||
"--own=moe.ophivana.CrashTestDummy1.*",
|
||||
"--own=org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy1.*",
|
||||
"--call=org.freedesktop.portal.*=*",
|
||||
"--broadcast=org.freedesktop.portal.*=@/org/freedesktop/portal/*",
|
||||
"--log"},
|
||||
},
|
||||
}
|
||||
|
||||
type dbusTestCase struct {
|
||||
id string
|
||||
c *dbus.Config
|
||||
wantErr bool
|
||||
wantErrF bool
|
||||
bus [2]string
|
||||
want []string
|
||||
}
|
||||
|
||||
var (
|
||||
testCasesV []dbusTestCase
|
||||
testCasePairsV map[string][2]dbusTestCase
|
||||
|
||||
testCaseOnce sync.Once
|
||||
)
|
||||
|
||||
func testCases() []dbusTestCase {
|
||||
testCaseOnce.Do(testCaseGenerate)
|
||||
return testCasesV
|
||||
}
|
||||
|
||||
func testCasePairs() map[string][2]dbusTestCase {
|
||||
testCaseOnce.Do(testCaseGenerate)
|
||||
return testCasePairsV
|
||||
}
|
||||
|
||||
func injectNulls(t *[]string) {
|
||||
f := make([]string, len(*t))
|
||||
for i := range f {
|
||||
f[i] = "\x00" + (*t)[i] + "\x00"
|
||||
}
|
||||
*t = f
|
||||
}
|
||||
|
||||
func testCaseGenerate() {
|
||||
// create null-injected test cases
|
||||
testCasesV = make([]dbusTestCase, len(samples)*2)
|
||||
for i := range samples {
|
||||
testCasesV[i] = samples[i]
|
||||
testCasesV[len(samples)+i] = samples[i]
|
||||
testCasesV[len(samples)+i].c = new(dbus.Config)
|
||||
*testCasesV[len(samples)+i].c = *samples[i].c
|
||||
|
||||
// inject nulls
|
||||
fi := &testCasesV[len(samples)+i]
|
||||
fi.wantErr = true
|
||||
|
||||
injectNulls(&fi.c.See)
|
||||
injectNulls(&fi.c.Talk)
|
||||
injectNulls(&fi.c.Own)
|
||||
}
|
||||
|
||||
// enumerate test case pairs
|
||||
var pc int
|
||||
for _, tc := range samples {
|
||||
if tc.id != "" {
|
||||
pc++
|
||||
}
|
||||
}
|
||||
testCasePairsV = make(map[string][2]dbusTestCase, pc)
|
||||
for i, tc := range testCasesV {
|
||||
if tc.id == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
// skip already enumerated system bus test
|
||||
if tc.id[len(tc.id)-1] == '+' {
|
||||
continue
|
||||
}
|
||||
|
||||
ftp := [2]dbusTestCase{tc}
|
||||
|
||||
// system proxy tests always place directly after its user counterpart with id ending in +
|
||||
if i+1 < len(testCasesV) && testCasesV[i+1].id[len(testCasesV[i+1].id)-1] == '+' {
|
||||
// attach system bus config
|
||||
ftp[1] = testCasesV[i+1]
|
||||
|
||||
// check for misplaced/mismatching tests
|
||||
if ftp[0].wantErr != ftp[1].wantErr || ftp[0].id+"+" != ftp[1].id {
|
||||
panic("mismatching session/system pairing")
|
||||
}
|
||||
}
|
||||
|
||||
k := tc.id
|
||||
if tc.wantErr {
|
||||
k = "malformed_" + k
|
||||
}
|
||||
testCasePairsV[k] = ftp
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
package dbus_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
)
|
||||
|
||||
func TestHelperChildStub(t *testing.T) {
|
||||
helper.InternalChildStub()
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
"talk":[
|
||||
"org.freedesktop.Notifications",
|
||||
"org.kde.StatusNotifierWatcher"
|
||||
],
|
||||
"own":[
|
||||
"dev.vencord.Vesktop.*",
|
||||
"org.mpris.MediaPlayer2.dev.vencord.Vesktop.*"
|
||||
],
|
||||
"call":{
|
||||
"org.freedesktop.portal.*":"*"
|
||||
},
|
||||
"broadcast":{
|
||||
"org.freedesktop.portal.*":"@/org/freedesktop/portal/*"
|
||||
},
|
||||
|
||||
"filter":true
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
{
|
||||
"see": [
|
||||
"moe.ophivana.CrashTestDummy1"
|
||||
],
|
||||
"talk":[
|
||||
"org.freedesktop.Notifications"
|
||||
],
|
||||
"own":[
|
||||
"moe.ophivana.CrashTestDummy.*",
|
||||
"org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy.*"
|
||||
],
|
||||
"call":{
|
||||
"org.freedesktop.portal.*":"*"
|
||||
},
|
||||
"broadcast":{
|
||||
"org.freedesktop.portal.*":"@/org/freedesktop/portal/*"
|
||||
},
|
||||
|
||||
"log": true,
|
||||
"filter":true
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
"talk":[
|
||||
"org.bluez",
|
||||
"org.freedesktop.Avahi",
|
||||
"org.freedesktop.UPower"
|
||||
],
|
||||
|
||||
"filter":true
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
{
|
||||
"talk":[
|
||||
"org.freedesktop.Notifications",
|
||||
"org.freedesktop.FileManager1",
|
||||
"org.freedesktop.ScreenSaver",
|
||||
"org.freedesktop.secrets",
|
||||
"org.kde.kwalletd5",
|
||||
"org.kde.kwalletd6",
|
||||
"org.gnome.SessionManager"
|
||||
],
|
||||
"own":[
|
||||
"org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.chromium.*"
|
||||
],
|
||||
"call":{
|
||||
"org.freedesktop.portal.*":"*"
|
||||
},
|
||||
"broadcast":{
|
||||
"org.freedesktop.portal.*":"@/org/freedesktop/portal/*"
|
||||
},
|
||||
|
||||
"filter":true
|
||||
}
|
|
@ -0,0 +1,55 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"errors"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
func logWaitError(err error) {
|
||||
var e *fmsg.BaseError
|
||||
if !fmsg.AsBaseError(err, &e) {
|
||||
fmsg.Println("wait failed:", err)
|
||||
} else {
|
||||
// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
|
||||
var se *app.StateStoreError
|
||||
if !errors.As(err, &se) {
|
||||
// does not need special handling
|
||||
fmsg.Print(e.Message())
|
||||
} else {
|
||||
// inner error are either unwrapped store errors
|
||||
// or joined errors returned by *appSealTx revert
|
||||
// wrapped in *app.BaseError
|
||||
var ej app.RevertCompoundError
|
||||
if !errors.As(se.InnerErr, &ej) {
|
||||
// does not require special handling
|
||||
fmsg.Print(e.Message())
|
||||
} else {
|
||||
errs := ej.Unwrap()
|
||||
|
||||
// every error here is wrapped in *app.BaseError
|
||||
for _, ei := range errs {
|
||||
var eb *fmsg.BaseError
|
||||
if !errors.As(ei, &eb) {
|
||||
// unreachable
|
||||
fmsg.Println("invalid error type returned by revert:", ei)
|
||||
} else {
|
||||
// print inner *app.BaseError message
|
||||
fmsg.Print(eb.Message())
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func logBaseError(err error, message string) {
|
||||
var e *fmsg.BaseError
|
||||
|
||||
if fmsg.AsBaseError(err, &e) {
|
||||
fmsg.Print(e.Message())
|
||||
} else {
|
||||
fmsg.Println(message, err)
|
||||
}
|
||||
}
|
|
@ -2,16 +2,16 @@
|
|||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1717179513,
|
||||
"narHash": "sha256-vboIEwIQojofItm2xGCdZCzW96U85l9nDW3ifMuAIdM=",
|
||||
"lastModified": 1725361206,
|
||||
"narHash": "sha256-/HTUg+kMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "63dacb46bf939521bdc93981b4cbb7ecb58427a0",
|
||||
"rev": "2830c7c930311397d94c0b86a359c865c081c875",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "24.05",
|
||||
"ref": "nixos-unstable-small",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
65
flake.nix
65
flake.nix
|
@ -1,56 +1,47 @@
|
|||
{
|
||||
description = "ego development environment";
|
||||
description = "fortify sandbox tool and nixos module";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/24.05";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
||||
};
|
||||
|
||||
outputs =
|
||||
{ self, nixpkgs }:
|
||||
let
|
||||
supportedSystems = [ "x86_64-linux" ];
|
||||
forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system);
|
||||
supportedSystems = [
|
||||
"aarch64-linux"
|
||||
"i686-linux"
|
||||
"x86_64-linux"
|
||||
];
|
||||
|
||||
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
|
||||
nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
|
||||
in
|
||||
{
|
||||
devShells = forAllSystems (
|
||||
nixosModules.fortify = import ./nixos.nix;
|
||||
|
||||
packages = forAllSystems (
|
||||
system:
|
||||
let
|
||||
pkgs = import nixpkgs { inherit system; };
|
||||
pkgs = nixpkgsFor.${system};
|
||||
in
|
||||
{
|
||||
default =
|
||||
let
|
||||
inherit (pkgs)
|
||||
mkShell
|
||||
buildGoModule
|
||||
acl
|
||||
xorg
|
||||
;
|
||||
in
|
||||
mkShell {
|
||||
packages = [
|
||||
(buildGoModule rec {
|
||||
pname = "ego";
|
||||
version = "0.0.0-flake";
|
||||
default = self.packages.${system}.fortify;
|
||||
|
||||
src = ./.;
|
||||
vendorHash = null; # we have no dependencies :3
|
||||
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X"
|
||||
"main.Version=v${version}"
|
||||
];
|
||||
|
||||
buildInputs = [
|
||||
acl
|
||||
xorg.libxcb
|
||||
];
|
||||
})
|
||||
];
|
||||
};
|
||||
fortify = pkgs.callPackage ./package.nix { };
|
||||
}
|
||||
);
|
||||
|
||||
devShells = forAllSystems (system: {
|
||||
default = nixpkgsFor.${system}.mkShell {
|
||||
buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
|
||||
};
|
||||
|
||||
withPackage = nixpkgsFor.${system}.mkShell {
|
||||
buildInputs =
|
||||
with nixpkgsFor.${system};
|
||||
self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
|
||||
};
|
||||
});
|
||||
};
|
||||
}
|
||||
|
|
2
go.mod
2
go.mod
|
@ -1,3 +1,3 @@
|
|||
module git.ophivana.moe/cat/ego
|
||||
module git.ophivana.moe/security/fortify
|
||||
|
||||
go 1.22
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
package helper
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
"strings"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrContainsNull = errors.New("argument contains null character")
|
||||
)
|
||||
|
||||
type argsWt []string
|
||||
|
||||
// checks whether any element contains the null character
|
||||
// must be called before args use and args must not be modified after call
|
||||
func (a argsWt) check() error {
|
||||
for _, arg := range a {
|
||||
for _, b := range arg {
|
||||
if b == '\x00' {
|
||||
return ErrContainsNull
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a argsWt) WriteTo(w io.Writer) (int64, error) {
|
||||
// assuming already checked
|
||||
|
||||
nt := 0
|
||||
// write null terminated arguments
|
||||
for _, arg := range a {
|
||||
n, err := w.Write([]byte(arg + "\x00"))
|
||||
nt += n
|
||||
|
||||
if err != nil {
|
||||
return int64(nt), err
|
||||
}
|
||||
}
|
||||
|
||||
return int64(nt), nil
|
||||
}
|
||||
|
||||
func (a argsWt) String() string {
|
||||
return strings.Join(a, " ")
|
||||
}
|
||||
|
||||
// NewCheckedArgs returns a checked argument writer for args.
|
||||
// Callers must not retain any references to args.
|
||||
func NewCheckedArgs(args []string) (io.WriterTo, error) {
|
||||
a := argsWt(args)
|
||||
return a, a.check()
|
||||
}
|
||||
|
||||
// MustNewCheckedArgs returns a checked argument writer for args and panics if check fails.
|
||||
// Callers must not retain any references to args.
|
||||
func MustNewCheckedArgs(args []string) io.WriterTo {
|
||||
a, err := NewCheckedArgs(args)
|
||||
if err != nil {
|
||||
panic(err.Error())
|
||||
}
|
||||
|
||||
return a
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
package helper_test
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
)
|
||||
|
||||
func Test_argsFD_String(t *testing.T) {
|
||||
wantString := strings.Join(wantArgs, " ")
|
||||
if got := argsWt.(fmt.Stringer).String(); got != wantString {
|
||||
t.Errorf("String(): got %v; want %v",
|
||||
got, wantString)
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewCheckedArgs(t *testing.T) {
|
||||
args := []string{"\x00"}
|
||||
if _, err := helper.NewCheckedArgs(args); !errors.Is(err, helper.ErrContainsNull) {
|
||||
t.Errorf("NewCheckedArgs(%q) error = %v, wantErr %v",
|
||||
args,
|
||||
err, helper.ErrContainsNull)
|
||||
}
|
||||
|
||||
t.Run("must panic", func(t *testing.T) {
|
||||
badPayload := []string{"\x00"}
|
||||
defer func() {
|
||||
wantPanic := "argument contains null character"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("MustNewCheckedArgs(%q) panic = %v, wantPanic %v",
|
||||
badPayload,
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
helper.MustNewCheckedArgs(badPayload)
|
||||
})
|
||||
}
|
|
@ -0,0 +1,142 @@
|
|||
package helper
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
"sync"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
)
|
||||
|
||||
// BubblewrapName is the file name or path to bubblewrap.
|
||||
var BubblewrapName = "bwrap"
|
||||
|
||||
type bubblewrap struct {
|
||||
// bwrap child file name
|
||||
name string
|
||||
|
||||
// bwrap pipes
|
||||
p *pipes
|
||||
// returns an array of arguments passed directly
|
||||
// to the child process spawned by bwrap
|
||||
argF func(argsFD, statFD int) []string
|
||||
|
||||
// pipes received by the child
|
||||
// nil if no pipes are required
|
||||
cp *pipes
|
||||
|
||||
lock sync.RWMutex
|
||||
*exec.Cmd
|
||||
}
|
||||
|
||||
func (b *bubblewrap) StartNotify(ready chan error) error {
|
||||
b.lock.Lock()
|
||||
defer b.lock.Unlock()
|
||||
|
||||
if ready != nil && b.cp == nil {
|
||||
panic("attempted to start with status monitoring on a bwrap child initialised without pipes")
|
||||
}
|
||||
|
||||
// Check for doubled Start calls before we defer failure cleanup. If the prior
|
||||
// call to Start succeeded, we don't want to spuriously close its pipes.
|
||||
if b.Cmd.Process != nil {
|
||||
return errors.New("exec: already started")
|
||||
}
|
||||
|
||||
// prepare bwrap pipe and args
|
||||
if argsFD, _, err := b.p.prepareCmd(b.Cmd); err != nil {
|
||||
return err
|
||||
} else {
|
||||
b.Cmd.Args = append(b.Cmd.Args, "--args", strconv.Itoa(argsFD), "--", b.name)
|
||||
}
|
||||
|
||||
// prepare child args and pipes if enabled
|
||||
if b.cp != nil {
|
||||
b.cp.ready = ready
|
||||
if argsFD, statFD, err := b.cp.prepareCmd(b.Cmd); err != nil {
|
||||
return err
|
||||
} else {
|
||||
b.Cmd.Args = append(b.Cmd.Args, b.argF(argsFD, statFD)...)
|
||||
}
|
||||
} else {
|
||||
b.Cmd.Args = append(b.Cmd.Args, b.argF(-1, -1)...)
|
||||
}
|
||||
|
||||
if ready != nil {
|
||||
b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=1")
|
||||
} else if b.cp != nil {
|
||||
b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=0")
|
||||
} else {
|
||||
b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1")
|
||||
}
|
||||
|
||||
if err := b.Cmd.Start(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// write bwrap args first
|
||||
if err := b.p.readyWriteArgs(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// write child args if enabled
|
||||
if b.cp != nil {
|
||||
if err := b.cp.readyWriteArgs(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (b *bubblewrap) Close() error {
|
||||
if b.cp == nil {
|
||||
panic("attempted to close bwrap child initialised without pipes")
|
||||
}
|
||||
|
||||
return b.cp.closeStatus()
|
||||
}
|
||||
|
||||
func (b *bubblewrap) Start() error {
|
||||
return b.StartNotify(nil)
|
||||
}
|
||||
|
||||
func (b *bubblewrap) Unwrap() *exec.Cmd {
|
||||
return b.Cmd
|
||||
}
|
||||
|
||||
// MustNewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
|
||||
// If wt is nil, the child process spawned by bwrap will not get an argument pipe.
|
||||
// Function argF returns an array of arguments passed directly to the child process.
|
||||
func MustNewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) Helper {
|
||||
b, err := NewBwrap(conf, wt, name, argF)
|
||||
if err != nil {
|
||||
panic(err.Error())
|
||||
} else {
|
||||
return b
|
||||
}
|
||||
}
|
||||
|
||||
// NewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
|
||||
// If wt is nil, the child process spawned by bwrap will not get an argument pipe.
|
||||
// Function argF returns an array of arguments passed directly to the child process.
|
||||
func NewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) (Helper, error) {
|
||||
b := new(bubblewrap)
|
||||
|
||||
if args, err := NewCheckedArgs(conf.Args()); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
b.p = &pipes{args: args}
|
||||
}
|
||||
|
||||
b.argF = argF
|
||||
b.name = name
|
||||
if wt != nil {
|
||||
b.cp = &pipes{args: wt}
|
||||
}
|
||||
b.Cmd = execCommand(BubblewrapName)
|
||||
|
||||
return b, nil
|
||||
}
|
|
@ -0,0 +1,77 @@
|
|||
package bwrap
|
||||
|
||||
import "encoding/gob"
|
||||
|
||||
type Builder interface {
|
||||
Len() int
|
||||
Append(args *[]string)
|
||||
}
|
||||
|
||||
type FSBuilder interface {
|
||||
Path() string
|
||||
Builder
|
||||
}
|
||||
|
||||
func init() {
|
||||
gob.Register(new(pairF))
|
||||
gob.Register(new(stringF))
|
||||
}
|
||||
|
||||
type pairF [3]string
|
||||
|
||||
func (p *pairF) Path() string {
|
||||
return p[2]
|
||||
}
|
||||
|
||||
func (p *pairF) Len() int {
|
||||
return len(p) // compiler replaces this with 3
|
||||
}
|
||||
|
||||
func (p *pairF) Append(args *[]string) {
|
||||
*args = append(*args, p[0], p[1], p[2])
|
||||
}
|
||||
|
||||
type stringF [2]string
|
||||
|
||||
func (s stringF) Path() string {
|
||||
return s[1]
|
||||
}
|
||||
|
||||
func (s stringF) Len() int {
|
||||
return len(s) // compiler replaces this with 2
|
||||
}
|
||||
|
||||
func (s stringF) Append(args *[]string) {
|
||||
*args = append(*args, s[0], s[1])
|
||||
}
|
||||
|
||||
// Args returns a slice of bwrap args corresponding to c.
|
||||
func (c *Config) Args() (args []string) {
|
||||
builders := []Builder{
|
||||
c.boolArgs(),
|
||||
c.intArgs(),
|
||||
c.stringArgs(),
|
||||
c.pairArgs(),
|
||||
}
|
||||
|
||||
// copy FSBuilder slice to builder slice
|
||||
fb := make([]Builder, len(c.Filesystem)+1)
|
||||
for i, f := range c.Filesystem {
|
||||
fb[i] = f
|
||||
}
|
||||
fb[len(fb)-1] = c.Chmod
|
||||
builders = append(builders, fb...)
|
||||
|
||||
// accumulate arg count
|
||||
argc := 0
|
||||
for _, b := range builders {
|
||||
argc += b.Len()
|
||||
}
|
||||
|
||||
args = make([]string, 0, argc)
|
||||
for _, b := range builders {
|
||||
b.Append(&args)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
|
@ -0,0 +1,13 @@
|
|||
package bwrap
|
||||
|
||||
const (
|
||||
Tmpfs = iota
|
||||
Dir
|
||||
Symlink
|
||||
)
|
||||
|
||||
var awkwardArgs = [...]string{
|
||||
Tmpfs: "--tmpfs",
|
||||
Dir: "--dir",
|
||||
Symlink: "--symlink",
|
||||
}
|
|
@ -0,0 +1,81 @@
|
|||
package bwrap
|
||||
|
||||
const (
|
||||
UnshareAll = iota
|
||||
UnshareUser
|
||||
UnshareIPC
|
||||
UnsharePID
|
||||
UnshareNet
|
||||
UnshareUTS
|
||||
UnshareCGroup
|
||||
ShareNet
|
||||
|
||||
UserNS
|
||||
Clearenv
|
||||
|
||||
NewSession
|
||||
DieWithParent
|
||||
AsInit
|
||||
)
|
||||
|
||||
var boolArgs = [...][]string{
|
||||
UnshareAll: {"--unshare-all", "--unshare-user"},
|
||||
UnshareUser: {"--unshare-user"},
|
||||
UnshareIPC: {"--unshare-ipc"},
|
||||
UnsharePID: {"--unshare-pid"},
|
||||
UnshareNet: {"--unshare-net"},
|
||||
UnshareUTS: {"--unshare-uts"},
|
||||
UnshareCGroup: {"--unshare-cgroup"},
|
||||
ShareNet: {"--share-net"},
|
||||
|
||||
UserNS: {"--disable-userns", "--assert-userns-disabled"},
|
||||
Clearenv: {"--clearenv"},
|
||||
|
||||
NewSession: {"--new-session"},
|
||||
DieWithParent: {"--die-with-parent"},
|
||||
AsInit: {"--as-pid-1"},
|
||||
}
|
||||
|
||||
func (c *Config) boolArgs() Builder {
|
||||
b := boolArg{
|
||||
UserNS: !c.UserNS,
|
||||
Clearenv: c.Clearenv,
|
||||
|
||||
NewSession: c.NewSession,
|
||||
DieWithParent: c.DieWithParent,
|
||||
AsInit: c.AsInit,
|
||||
}
|
||||
|
||||
if c.Unshare == nil {
|
||||
b[UnshareAll] = true
|
||||
b[ShareNet] = c.Net
|
||||
} else {
|
||||
b[UnshareUser] = c.Unshare.User
|
||||
b[UnshareIPC] = c.Unshare.IPC
|
||||
b[UnsharePID] = c.Unshare.PID
|
||||
b[UnshareNet] = c.Unshare.Net
|
||||
b[UnshareUTS] = c.Unshare.UTS
|
||||
b[UnshareCGroup] = c.Unshare.CGroup
|
||||
}
|
||||
|
||||
return &b
|
||||
}
|
||||
|
||||
type boolArg [len(boolArgs)]bool
|
||||
|
||||
func (b *boolArg) Len() (l int) {
|
||||
for i, v := range b {
|
||||
if v {
|
||||
l += len(boolArgs[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func (b *boolArg) Append(args *[]string) {
|
||||
for i, v := range b {
|
||||
if v {
|
||||
*args = append(*args, boolArgs[i]...)
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,47 @@
|
|||
package bwrap
|
||||
|
||||
import "strconv"
|
||||
|
||||
const (
|
||||
UID = iota
|
||||
GID
|
||||
Perms
|
||||
Size
|
||||
)
|
||||
|
||||
var intArgs = [...]string{
|
||||
UID: "--uid",
|
||||
GID: "--gid",
|
||||
Perms: "--perms",
|
||||
Size: "--size",
|
||||
}
|
||||
|
||||
func (c *Config) intArgs() Builder {
|
||||
// Arg types:
|
||||
// Perms
|
||||
// are handled by the sequential builder
|
||||
|
||||
return &intArg{
|
||||
UID: c.UID,
|
||||
GID: c.GID,
|
||||
}
|
||||
}
|
||||
|
||||
type intArg [len(intArgs)]*int
|
||||
|
||||
func (n *intArg) Len() (l int) {
|
||||
for _, v := range n {
|
||||
if v != nil {
|
||||
l += 2
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func (n *intArg) Append(args *[]string) {
|
||||
for i, v := range n {
|
||||
if v != nil {
|
||||
*args = append(*args, intArgs[i], strconv.Itoa(*v))
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,73 @@
|
|||
package bwrap
|
||||
|
||||
import (
|
||||
"slices"
|
||||
)
|
||||
|
||||
const (
|
||||
SetEnv = iota
|
||||
|
||||
Bind
|
||||
BindTry
|
||||
DevBind
|
||||
DevBindTry
|
||||
ROBind
|
||||
ROBindTry
|
||||
|
||||
Chmod
|
||||
)
|
||||
|
||||
var pairArgs = [...]string{
|
||||
SetEnv: "--setenv",
|
||||
|
||||
Bind: "--bind",
|
||||
BindTry: "--bind-try",
|
||||
DevBind: "--dev-bind",
|
||||
DevBindTry: "--dev-bind-try",
|
||||
ROBind: "--ro-bind",
|
||||
ROBindTry: "--ro-bind-try",
|
||||
|
||||
Chmod: "--chmod",
|
||||
}
|
||||
|
||||
func (c *Config) pairArgs() Builder {
|
||||
var n pairArg
|
||||
n[SetEnv] = make([][2]string, len(c.SetEnv))
|
||||
keys := make([]string, 0, len(c.SetEnv))
|
||||
for k := range c.SetEnv {
|
||||
keys = append(keys, k)
|
||||
}
|
||||
slices.Sort(keys)
|
||||
for i, k := range keys {
|
||||
n[SetEnv][i] = [2]string{k, c.SetEnv[k]}
|
||||
}
|
||||
|
||||
// Arg types:
|
||||
// Bind
|
||||
// BindTry
|
||||
// DevBind
|
||||
// DevBindTry
|
||||
// ROBind
|
||||
// ROBindTry
|
||||
// Chmod
|
||||
// are handled by the sequential builder
|
||||
|
||||
return &n
|
||||
}
|
||||
|
||||
type pairArg [len(pairArgs)][][2]string
|
||||
|
||||
func (p *pairArg) Len() (l int) {
|
||||
for _, v := range p {
|
||||
l += len(v) * 3
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func (p *pairArg) Append(args *[]string) {
|
||||
for i, arg := range p {
|
||||
for _, v := range arg {
|
||||
*args = append(*args, pairArgs[i], v[0], v[1])
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,65 @@
|
|||
package bwrap
|
||||
|
||||
const (
|
||||
Hostname = iota
|
||||
Chdir
|
||||
UnsetEnv
|
||||
LockFile
|
||||
|
||||
RemountRO
|
||||
Procfs
|
||||
DevTmpfs
|
||||
Mqueue
|
||||
)
|
||||
|
||||
var stringArgs = [...]string{
|
||||
Hostname: "--hostname",
|
||||
Chdir: "--chdir",
|
||||
UnsetEnv: "--unsetenv",
|
||||
LockFile: "--lock-file",
|
||||
|
||||
RemountRO: "--remount-ro",
|
||||
Procfs: "--proc",
|
||||
DevTmpfs: "--dev",
|
||||
Mqueue: "--mqueue",
|
||||
}
|
||||
|
||||
func (c *Config) stringArgs() Builder {
|
||||
n := stringArg{
|
||||
UnsetEnv: c.UnsetEnv,
|
||||
LockFile: c.LockFile,
|
||||
}
|
||||
|
||||
if c.Hostname != "" {
|
||||
n[Hostname] = []string{c.Hostname}
|
||||
}
|
||||
if c.Chdir != "" {
|
||||
n[Chdir] = []string{c.Chdir}
|
||||
}
|
||||
|
||||
// Arg types:
|
||||
// RemountRO
|
||||
// Procfs
|
||||
// DevTmpfs
|
||||
// Mqueue
|
||||
// are handled by the sequential builder
|
||||
|
||||
return &n
|
||||
}
|
||||
|
||||
type stringArg [len(stringArgs)][]string
|
||||
|
||||
func (s *stringArg) Len() (l int) {
|
||||
for _, arg := range s {
|
||||
l += len(arg) * 2
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func (s *stringArg) Append(args *[]string) {
|
||||
for i, arg := range s {
|
||||
for _, v := range arg {
|
||||
*args = append(*args, stringArgs[i], v)
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,196 @@
|
|||
package bwrap
|
||||
|
||||
import (
|
||||
"encoding/gob"
|
||||
"os"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
func init() {
|
||||
gob.Register(new(PermConfig[SymlinkConfig]))
|
||||
gob.Register(new(PermConfig[*TmpfsConfig]))
|
||||
}
|
||||
|
||||
type Config struct {
|
||||
// unshare every namespace we support by default if nil
|
||||
// (--unshare-all)
|
||||
Unshare *UnshareConfig `json:"unshare,omitempty"`
|
||||
// retain the network namespace (can only combine with nil Unshare)
|
||||
// (--share-net)
|
||||
Net bool `json:"net"`
|
||||
|
||||
// disable further use of user namespaces inside sandbox and fail unless
|
||||
// further use of user namespace inside sandbox is disabled if false
|
||||
// (--disable-userns) (--assert-userns-disabled)
|
||||
UserNS bool `json:"userns"`
|
||||
|
||||
// custom uid in the sandbox, requires new user namespace
|
||||
// (--uid UID)
|
||||
UID *int `json:"uid,omitempty"`
|
||||
// custom gid in the sandbox, requires new user namespace
|
||||
// (--gid GID)
|
||||
GID *int `json:"gid,omitempty"`
|
||||
// custom hostname in the sandbox, requires new uts namespace
|
||||
// (--hostname NAME)
|
||||
Hostname string `json:"hostname,omitempty"`
|
||||
|
||||
// change directory
|
||||
// (--chdir DIR)
|
||||
Chdir string `json:"chdir,omitempty"`
|
||||
// unset all environment variables
|
||||
// (--clearenv)
|
||||
Clearenv bool `json:"clearenv"`
|
||||
// set environment variable
|
||||
// (--setenv VAR VALUE)
|
||||
SetEnv map[string]string `json:"setenv,omitempty"`
|
||||
// unset environment variables
|
||||
// (--unsetenv VAR)
|
||||
UnsetEnv []string `json:"unsetenv,omitempty"`
|
||||
|
||||
// take a lock on file while sandbox is running
|
||||
// (--lock-file DEST)
|
||||
LockFile []string `json:"lock_file,omitempty"`
|
||||
|
||||
// ordered filesystem args
|
||||
Filesystem []FSBuilder
|
||||
|
||||
// change permissions (must already exist)
|
||||
// (--chmod OCTAL PATH)
|
||||
Chmod ChmodConfig `json:"chmod,omitempty"`
|
||||
|
||||
// create a new terminal session
|
||||
// (--new-session)
|
||||
NewSession bool `json:"new_session"`
|
||||
// kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.
|
||||
// (--die-with-parent)
|
||||
DieWithParent bool `json:"die_with_parent"`
|
||||
// do not install a reaper process with PID=1
|
||||
// (--as-pid-1)
|
||||
AsInit bool `json:"as_init"`
|
||||
|
||||
/* unmapped options include:
|
||||
--unshare-user-try Create new user namespace if possible else continue by skipping it
|
||||
--unshare-cgroup-try Create new cgroup namespace if possible else continue by skipping it
|
||||
--userns FD Use this user namespace (cannot combine with --unshare-user)
|
||||
--userns2 FD After setup switch to this user namespace, only useful with --userns
|
||||
--pidns FD Use this pid namespace (as parent namespace if using --unshare-pid)
|
||||
--sync-fd FD Keep this fd open while sandbox is running
|
||||
--exec-label LABEL Exec label for the sandbox
|
||||
--file-label LABEL File label for temporary sandbox content
|
||||
--file FD DEST Copy from FD to destination DEST
|
||||
--bind-data FD DEST Copy from FD to file which is bind-mounted on DEST
|
||||
--ro-bind-data FD DEST Copy from FD to file which is readonly bind-mounted on DEST
|
||||
--seccomp FD Load and use seccomp rules from FD (not repeatable)
|
||||
--add-seccomp-fd FD Load and use seccomp rules from FD (repeatable)
|
||||
--block-fd FD Block on FD until some data to read is available
|
||||
--userns-block-fd FD Block on FD until the user namespace is ready
|
||||
--info-fd FD Write information about the running container to FD
|
||||
--json-status-fd FD Write container status to FD as multiple JSON documents
|
||||
--cap-add CAP Add cap CAP when running as privileged user
|
||||
--cap-drop CAP Drop cap CAP when running as privileged user
|
||||
|
||||
among which --args is used internally for passing arguments */
|
||||
}
|
||||
|
||||
type UnshareConfig struct {
|
||||
// (--unshare-user)
|
||||
// create new user namespace
|
||||
User bool `json:"user"`
|
||||
// (--unshare-ipc)
|
||||
// create new ipc namespace
|
||||
IPC bool `json:"ipc"`
|
||||
// (--unshare-pid)
|
||||
// create new pid namespace
|
||||
PID bool `json:"pid"`
|
||||
// (--unshare-net)
|
||||
// create new network namespace
|
||||
Net bool `json:"net"`
|
||||
// (--unshare-uts)
|
||||
// create new uts namespace
|
||||
UTS bool `json:"uts"`
|
||||
// (--unshare-cgroup)
|
||||
// create new cgroup namespace
|
||||
CGroup bool `json:"cgroup"`
|
||||
}
|
||||
|
||||
type PermConfig[T FSBuilder] struct {
|
||||
// set permissions of next argument
|
||||
// (--perms OCTAL)
|
||||
Mode *os.FileMode `json:"mode,omitempty"`
|
||||
// path to get the new permission
|
||||
// (--bind-data, --file, etc.)
|
||||
Inner T `json:"path"`
|
||||
}
|
||||
|
||||
func (p *PermConfig[T]) Path() string {
|
||||
return p.Inner.Path()
|
||||
}
|
||||
|
||||
func (p *PermConfig[T]) Len() int {
|
||||
if p.Mode != nil {
|
||||
return p.Inner.Len() + 2
|
||||
} else {
|
||||
return p.Inner.Len()
|
||||
}
|
||||
}
|
||||
|
||||
func (p *PermConfig[T]) Append(args *[]string) {
|
||||
if p.Mode != nil {
|
||||
*args = append(*args, intArgs[Perms], strconv.FormatInt(int64(*p.Mode), 8))
|
||||
}
|
||||
p.Inner.Append(args)
|
||||
}
|
||||
|
||||
type TmpfsConfig struct {
|
||||
// set size of tmpfs
|
||||
// (--size BYTES)
|
||||
Size int `json:"size,omitempty"`
|
||||
// mount point of new tmpfs
|
||||
// (--tmpfs DEST)
|
||||
Dir string `json:"dir"`
|
||||
}
|
||||
|
||||
func (t *TmpfsConfig) Path() string {
|
||||
return t.Dir
|
||||
}
|
||||
|
||||
func (t *TmpfsConfig) Len() int {
|
||||
if t.Size > 0 {
|
||||
return 4
|
||||
} else {
|
||||
return 2
|
||||
}
|
||||
}
|
||||
|
||||
func (t *TmpfsConfig) Append(args *[]string) {
|
||||
if t.Size > 0 {
|
||||
*args = append(*args, intArgs[Size], strconv.Itoa(t.Size))
|
||||
}
|
||||
*args = append(*args, awkwardArgs[Tmpfs], t.Dir)
|
||||
}
|
||||
|
||||
type SymlinkConfig [2]string
|
||||
|
||||
func (s SymlinkConfig) Path() string {
|
||||
return s[1]
|
||||
}
|
||||
|
||||
func (s SymlinkConfig) Len() int {
|
||||
return 3
|
||||
}
|
||||
|
||||
func (s SymlinkConfig) Append(args *[]string) {
|
||||
*args = append(*args, awkwardArgs[Symlink], s[0], s[1])
|
||||
}
|
||||
|
||||
type ChmodConfig map[string]os.FileMode
|
||||
|
||||
func (c ChmodConfig) Len() int {
|
||||
return len(c)
|
||||
}
|
||||
|
||||
func (c ChmodConfig) Append(args *[]string) {
|
||||
for path, mode := range c {
|
||||
*args = append(*args, pairArgs[Chmod], strconv.FormatInt(int64(mode), 8), path)
|
||||
}
|
||||
}
|
|
@ -0,0 +1,138 @@
|
|||
package bwrap
|
||||
|
||||
import "os"
|
||||
|
||||
/*
|
||||
Bind binds mount src on host to dest in sandbox.
|
||||
|
||||
Bind(src, dest) bind mount host path readonly on sandbox
|
||||
(--ro-bind SRC DEST).
|
||||
Bind(src, dest, true) equal to ROBind but ignores non-existent host path
|
||||
(--ro-bind-try SRC DEST).
|
||||
|
||||
Bind(src, dest, false, true) bind mount host path on sandbox.
|
||||
(--bind SRC DEST).
|
||||
Bind(src, dest, true, true) equal to Bind but ignores non-existent host path
|
||||
(--bind-try SRC DEST).
|
||||
|
||||
Bind(src, dest, false, true, true) bind mount host path on sandbox, allowing device access
|
||||
(--dev-bind SRC DEST).
|
||||
Bind(src, dest, true, true, true) equal to DevBind but ignores non-existent host path
|
||||
(--dev-bind-try SRC DEST).
|
||||
*/
|
||||
func (c *Config) Bind(src, dest string, opts ...bool) *Config {
|
||||
var (
|
||||
try bool
|
||||
write bool
|
||||
dev bool
|
||||
)
|
||||
|
||||
if len(opts) > 0 {
|
||||
try = opts[0]
|
||||
}
|
||||
if len(opts) > 1 {
|
||||
write = opts[1]
|
||||
}
|
||||
if len(opts) > 2 {
|
||||
dev = opts[2]
|
||||
}
|
||||
|
||||
if dev {
|
||||
if try {
|
||||
c.Filesystem = append(c.Filesystem, &pairF{pairArgs[DevBindTry], src, dest})
|
||||
} else {
|
||||
c.Filesystem = append(c.Filesystem, &pairF{pairArgs[DevBind], src, dest})
|
||||
}
|
||||
return c
|
||||
} else if write {
|
||||
if try {
|
||||
c.Filesystem = append(c.Filesystem, &pairF{pairArgs[BindTry], src, dest})
|
||||
} else {
|
||||
c.Filesystem = append(c.Filesystem, &pairF{pairArgs[Bind], src, dest})
|
||||
}
|
||||
return c
|
||||
} else {
|
||||
if try {
|
||||
c.Filesystem = append(c.Filesystem, &pairF{pairArgs[ROBindTry], src, dest})
|
||||
} else {
|
||||
c.Filesystem = append(c.Filesystem, &pairF{pairArgs[ROBind], src, dest})
|
||||
}
|
||||
return c
|
||||
}
|
||||
}
|
||||
|
||||
// RemountRO remount path as readonly; does not recursively remount
|
||||
// (--remount-ro DEST)
|
||||
func (c *Config) RemountRO(dest string) *Config {
|
||||
c.Filesystem = append(c.Filesystem, &stringF{stringArgs[RemountRO], dest})
|
||||
return c
|
||||
}
|
||||
|
||||
// Procfs mount new procfs in sandbox
|
||||
// (--proc DEST)
|
||||
func (c *Config) Procfs(dest string) *Config {
|
||||
c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Procfs], dest})
|
||||
return c
|
||||
}
|
||||
|
||||
// DevTmpfs mount new dev in sandbox
|
||||
// (--dev DEST)
|
||||
func (c *Config) DevTmpfs(dest string) *Config {
|
||||
c.Filesystem = append(c.Filesystem, &stringF{stringArgs[DevTmpfs], dest})
|
||||
return c
|
||||
}
|
||||
|
||||
// Tmpfs mount new tmpfs in sandbox
|
||||
// (--tmpfs DEST)
|
||||
func (c *Config) Tmpfs(dest string, size int, perm ...os.FileMode) *Config {
|
||||
tmpfs := &PermConfig[*TmpfsConfig]{Inner: &TmpfsConfig{Dir: dest}}
|
||||
if size >= 0 {
|
||||
tmpfs.Inner.Size = size
|
||||
}
|
||||
if len(perm) == 1 {
|
||||
tmpfs.Mode = &perm[0]
|
||||
}
|
||||
c.Filesystem = append(c.Filesystem, tmpfs)
|
||||
return c
|
||||
}
|
||||
|
||||
// Mqueue mount new mqueue in sandbox
|
||||
// (--mqueue DEST)
|
||||
func (c *Config) Mqueue(dest string) *Config {
|
||||
c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Mqueue], dest})
|
||||
return c
|
||||
}
|
||||
|
||||
// Dir create dir in sandbox
|
||||
// (--dir DEST)
|
||||
func (c *Config) Dir(dest string) *Config {
|
||||
c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Dir], dest})
|
||||
return c
|
||||
}
|
||||
|
||||
// Symlink create symlink within sandbox
|
||||
// (--symlink SRC DEST)
|
||||
func (c *Config) Symlink(src, dest string, perm ...os.FileMode) *Config {
|
||||
symlink := &PermConfig[SymlinkConfig]{Inner: SymlinkConfig{src, dest}}
|
||||
if len(perm) == 1 {
|
||||
symlink.Mode = &perm[0]
|
||||
}
|
||||
c.Filesystem = append(c.Filesystem, symlink)
|
||||
return c
|
||||
}
|
||||
|
||||
// SetUID sets custom uid in the sandbox, requires new user namespace (--uid UID).
|
||||
func (c *Config) SetUID(uid int) *Config {
|
||||
if uid >= 0 {
|
||||
c.UID = &uid
|
||||
}
|
||||
return c
|
||||
}
|
||||
|
||||
// SetGID sets custom gid in the sandbox, requires new user namespace (--gid GID).
|
||||
func (c *Config) SetGID(gid int) *Config {
|
||||
if gid >= 0 {
|
||||
c.GID = &gid
|
||||
}
|
||||
return c
|
||||
}
|
|
@ -0,0 +1,223 @@
|
|||
package bwrap
|
||||
|
||||
import (
|
||||
"slices"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestConfig_Args(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
conf *Config
|
||||
want []string
|
||||
}{
|
||||
{
|
||||
name: "xdg-dbus-proxy constraint sample",
|
||||
conf: (&Config{
|
||||
Unshare: nil,
|
||||
UserNS: false,
|
||||
Clearenv: true,
|
||||
DieWithParent: true,
|
||||
}).
|
||||
Symlink("usr/bin", "/bin").
|
||||
Symlink("var/home", "/home").
|
||||
Symlink("usr/lib", "/lib").
|
||||
Symlink("usr/lib64", "/lib64").
|
||||
Symlink("run/media", "/media").
|
||||
Symlink("var/mnt", "/mnt").
|
||||
Symlink("var/opt", "/opt").
|
||||
Symlink("sysroot/ostree", "/ostree").
|
||||
Symlink("var/roothome", "/root").
|
||||
Symlink("usr/sbin", "/sbin").
|
||||
Symlink("var/srv", "/srv").
|
||||
Bind("/run", "/run", false, true).
|
||||
Bind("/tmp", "/tmp", false, true).
|
||||
Bind("/var", "/var", false, true).
|
||||
Bind("/run/user/1971/.dbus-proxy/", "/run/user/1971/.dbus-proxy/", false, true).
|
||||
Bind("/boot", "/boot").
|
||||
Bind("/dev", "/dev").
|
||||
Bind("/proc", "/proc").
|
||||
Bind("/sys", "/sys").
|
||||
Bind("/sysroot", "/sysroot").
|
||||
Bind("/usr", "/usr").
|
||||
Bind("/etc", "/etc"),
|
||||
want: []string{
|
||||
"--unshare-all", "--unshare-user",
|
||||
"--disable-userns", "--assert-userns-disabled",
|
||||
"--clearenv", "--die-with-parent",
|
||||
"--symlink", "usr/bin", "/bin",
|
||||
"--symlink", "var/home", "/home",
|
||||
"--symlink", "usr/lib", "/lib",
|
||||
"--symlink", "usr/lib64", "/lib64",
|
||||
"--symlink", "run/media", "/media",
|
||||
"--symlink", "var/mnt", "/mnt",
|
||||
"--symlink", "var/opt", "/opt",
|
||||
"--symlink", "sysroot/ostree", "/ostree",
|
||||
"--symlink", "var/roothome", "/root",
|
||||
"--symlink", "usr/sbin", "/sbin",
|
||||
"--symlink", "var/srv", "/srv",
|
||||
"--bind", "/run", "/run",
|
||||
"--bind", "/tmp", "/tmp",
|
||||
"--bind", "/var", "/var",
|
||||
"--bind", "/run/user/1971/.dbus-proxy/", "/run/user/1971/.dbus-proxy/",
|
||||
"--ro-bind", "/boot", "/boot",
|
||||
"--ro-bind", "/dev", "/dev",
|
||||
"--ro-bind", "/proc", "/proc",
|
||||
"--ro-bind", "/sys", "/sys",
|
||||
"--ro-bind", "/sysroot", "/sysroot",
|
||||
"--ro-bind", "/usr", "/usr",
|
||||
"--ro-bind", "/etc", "/etc",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "fortify permissive default nixos",
|
||||
conf: (&Config{
|
||||
Unshare: nil,
|
||||
Net: true,
|
||||
UserNS: true,
|
||||
Clearenv: true,
|
||||
SetEnv: map[string]string{
|
||||
"HOME": "/home/chronos",
|
||||
"TERM": "xterm-256color",
|
||||
"FORTIFY_INIT": "3",
|
||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||
"XDG_SESSION_CLASS": "user",
|
||||
"XDG_SESSION_TYPE": "tty",
|
||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||
"USER": "chronos",
|
||||
},
|
||||
DieWithParent: true,
|
||||
AsInit: true,
|
||||
}).SetUID(65534).SetGID(65534).
|
||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||
Bind("/bin", "/bin", false, true).
|
||||
Bind("/boot", "/boot", false, true).
|
||||
Bind("/etc", "/etc", false, true).
|
||||
Bind("/home", "/home", false, true).
|
||||
Bind("/lib", "/lib", false, true).
|
||||
Bind("/lib64", "/lib64", false, true).
|
||||
Bind("/nix", "/nix", false, true).
|
||||
Bind("/root", "/root", false, true).
|
||||
Bind("/srv", "/srv", false, true).
|
||||
Bind("/sys", "/sys", false, true).
|
||||
Bind("/usr", "/usr", false, true).
|
||||
Bind("/var", "/var", false, true).
|
||||
Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
|
||||
Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
|
||||
Bind("/run/binfmt", "/run/binfmt", false, true).
|
||||
Bind("/run/booted-system", "/run/booted-system", false, true).
|
||||
Bind("/run/credentials", "/run/credentials", false, true).
|
||||
Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
|
||||
Bind("/run/current-system", "/run/current-system", false, true).
|
||||
Bind("/run/host", "/run/host", false, true).
|
||||
Bind("/run/keys", "/run/keys", false, true).
|
||||
Bind("/run/libvirt", "/run/libvirt", false, true).
|
||||
Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
|
||||
Bind("/run/lock", "/run/lock", false, true).
|
||||
Bind("/run/log", "/run/log", false, true).
|
||||
Bind("/run/lvm", "/run/lvm", false, true).
|
||||
Bind("/run/mount", "/run/mount", false, true).
|
||||
Bind("/run/nginx", "/run/nginx", false, true).
|
||||
Bind("/run/nscd", "/run/nscd", false, true).
|
||||
Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
|
||||
Bind("/run/pppd", "/run/pppd", false, true).
|
||||
Bind("/run/resolvconf", "/run/resolvconf", false, true).
|
||||
Bind("/run/sddm", "/run/sddm", false, true).
|
||||
Bind("/run/syncoid", "/run/syncoid", false, true).
|
||||
Bind("/run/systemd", "/run/systemd", false, true).
|
||||
Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
|
||||
Bind("/run/udev", "/run/udev", false, true).
|
||||
Bind("/run/udisks2", "/run/udisks2", false, true).
|
||||
Bind("/run/utmp", "/run/utmp", false, true).
|
||||
Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
|
||||
Bind("/run/wrappers", "/run/wrappers", false, true).
|
||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||
Tmpfs("/run/user", 1048576).
|
||||
Tmpfs("/run/user/150", 8388608).
|
||||
Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd").
|
||||
Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group").
|
||||
Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/etc/passwd").
|
||||
Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/etc/group").
|
||||
Tmpfs("/var/run/nscd", 8192),
|
||||
want: []string{
|
||||
"--unshare-all", "--unshare-user", "--share-net",
|
||||
"--clearenv", "--die-with-parent", "--as-pid-1",
|
||||
"--uid", "65534",
|
||||
"--gid", "65534",
|
||||
"--setenv", "FORTIFY_INIT", "3",
|
||||
"--setenv", "HOME", "/home/chronos",
|
||||
"--setenv", "SHELL", "/run/current-system/sw/bin/zsh",
|
||||
"--setenv", "TERM", "xterm-256color",
|
||||
"--setenv", "USER", "chronos",
|
||||
"--setenv", "XDG_RUNTIME_DIR", "/run/user/150",
|
||||
"--setenv", "XDG_SESSION_CLASS", "user",
|
||||
"--setenv", "XDG_SESSION_TYPE", "tty",
|
||||
"--proc", "/proc", "--dev", "/dev",
|
||||
"--mqueue", "/dev/mqueue",
|
||||
"--bind", "/bin", "/bin",
|
||||
"--bind", "/boot", "/boot",
|
||||
"--bind", "/etc", "/etc",
|
||||
"--bind", "/home", "/home",
|
||||
"--bind", "/lib", "/lib",
|
||||
"--bind", "/lib64", "/lib64",
|
||||
"--bind", "/nix", "/nix",
|
||||
"--bind", "/root", "/root",
|
||||
"--bind", "/srv", "/srv",
|
||||
"--bind", "/sys", "/sys",
|
||||
"--bind", "/usr", "/usr",
|
||||
"--bind", "/var", "/var",
|
||||
"--bind", "/run/NetworkManager", "/run/NetworkManager",
|
||||
"--bind", "/run/agetty.reload", "/run/agetty.reload",
|
||||
"--bind", "/run/binfmt", "/run/binfmt",
|
||||
"--bind", "/run/booted-system", "/run/booted-system",
|
||||
"--bind", "/run/credentials", "/run/credentials",
|
||||
"--bind", "/run/cryptsetup", "/run/cryptsetup",
|
||||
"--bind", "/run/current-system", "/run/current-system",
|
||||
"--bind", "/run/host", "/run/host",
|
||||
"--bind", "/run/keys", "/run/keys",
|
||||
"--bind", "/run/libvirt", "/run/libvirt",
|
||||
"--bind", "/run/libvirtd.pid", "/run/libvirtd.pid",
|
||||
"--bind", "/run/lock", "/run/lock",
|
||||
"--bind", "/run/log", "/run/log",
|
||||
"--bind", "/run/lvm", "/run/lvm",
|
||||
"--bind", "/run/mount", "/run/mount",
|
||||
"--bind", "/run/nginx", "/run/nginx",
|
||||
"--bind", "/run/nscd", "/run/nscd",
|
||||
"--bind", "/run/opengl-driver", "/run/opengl-driver",
|
||||
"--bind", "/run/pppd", "/run/pppd",
|
||||
"--bind", "/run/resolvconf", "/run/resolvconf",
|
||||
"--bind", "/run/sddm", "/run/sddm",
|
||||
"--bind", "/run/syncoid", "/run/syncoid",
|
||||
"--bind", "/run/systemd", "/run/systemd",
|
||||
"--bind", "/run/tmpfiles.d", "/run/tmpfiles.d",
|
||||
"--bind", "/run/udev", "/run/udev",
|
||||
"--bind", "/run/udisks2", "/run/udisks2",
|
||||
"--bind", "/run/utmp", "/run/utmp",
|
||||
"--bind", "/run/virtlogd.pid", "/run/virtlogd.pid",
|
||||
"--bind", "/run/wrappers", "/run/wrappers",
|
||||
"--bind", "/run/zed.pid", "/run/zed.pid",
|
||||
"--bind", "/run/zed.state", "/run/zed.state",
|
||||
"--bind", "/tmp/fortify.1971/tmpdir/150", "/tmp",
|
||||
"--size", "1048576", "--tmpfs", "/tmp/fortify.1971",
|
||||
"--size", "1048576", "--tmpfs", "/run/user",
|
||||
"--size", "8388608", "--tmpfs", "/run/user/150",
|
||||
"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd",
|
||||
"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group",
|
||||
"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/etc/passwd",
|
||||
"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/etc/group",
|
||||
"--size", "8192", "--tmpfs", "/var/run/nscd",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if got := tc.conf.Args(); !slices.Equal(got, tc.want) {
|
||||
t.Errorf("Args() = %#v, want %#v", got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -0,0 +1,112 @@
|
|||
package helper_test
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
)
|
||||
|
||||
func TestBwrap(t *testing.T) {
|
||||
sc := &bwrap.Config{
|
||||
Unshare: nil,
|
||||
Net: true,
|
||||
UserNS: false,
|
||||
Hostname: "localhost",
|
||||
Chdir: "/nonexistent",
|
||||
Clearenv: true,
|
||||
NewSession: true,
|
||||
DieWithParent: true,
|
||||
AsInit: true,
|
||||
}
|
||||
|
||||
t.Run("nonexistent bwrap name", func(t *testing.T) {
|
||||
bubblewrapName := helper.BubblewrapName
|
||||
helper.BubblewrapName = "/nonexistent"
|
||||
t.Cleanup(func() {
|
||||
helper.BubblewrapName = bubblewrapName
|
||||
})
|
||||
|
||||
h := helper.MustNewBwrap(sc, argsWt, "fortify", argF)
|
||||
|
||||
if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
|
||||
t.Errorf("Start() error = %v, wantErr %v",
|
||||
err, os.ErrNotExist)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("valid new helper nil check", func(t *testing.T) {
|
||||
if got := helper.MustNewBwrap(sc, argsWt, "fortify", argF); got == nil {
|
||||
t.Errorf("MustNewBwrap(%#v, %#v, %#v) got nil",
|
||||
sc, argsWt, "fortify")
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("invalid bwrap config new helper panic", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "argument contains null character"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("MustNewBwrap: panic = %q, want %q",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
|
||||
helper.MustNewBwrap(&bwrap.Config{Hostname: "\x00"}, nil, "fortify", argF)
|
||||
})
|
||||
|
||||
t.Run("start notify without pipes panic", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "attempted to start with status monitoring on a bwrap child initialised without pipes"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("StartNotify: panic = %q, want %q",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
|
||||
panic(fmt.Sprintf("unreachable: %v",
|
||||
helper.MustNewBwrap(sc, nil, "fortify", argF).StartNotify(make(chan error))))
|
||||
})
|
||||
|
||||
t.Run("start without pipes", func(t *testing.T) {
|
||||
helper.InternalReplaceExecCommand(t)
|
||||
|
||||
h := helper.MustNewBwrap(sc, nil, "crash-test-dummy", argFChecked)
|
||||
cmd := h.Unwrap()
|
||||
|
||||
stdout, stderr := new(strings.Builder), new(strings.Builder)
|
||||
cmd.Stdout, cmd.Stderr = stdout, stderr
|
||||
|
||||
t.Run("close without pipes panic", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "attempted to close bwrap child initialised without pipes"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("Close: panic = %q, want %q",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
|
||||
panic(fmt.Sprintf("unreachable: %v",
|
||||
h.Close()))
|
||||
})
|
||||
|
||||
if err := h.Start(); err != nil {
|
||||
t.Errorf("Start() error = %v",
|
||||
err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := h.Wait(); err != nil {
|
||||
t.Errorf("Wait() err = %v stderr = %s",
|
||||
err, stderr)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("implementation compliance", func(t *testing.T) {
|
||||
testHelper(t, func() helper.Helper { return helper.MustNewBwrap(sc, argsWt, "crash-test-dummy", argF) })
|
||||
})
|
||||
}
|
|
@ -0,0 +1,93 @@
|
|||
package helper
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
"os/exec"
|
||||
"sync"
|
||||
)
|
||||
|
||||
// direct wraps *exec.Cmd and manages status and args fd.
|
||||
// Args is always 3 and status if set is always 4.
|
||||
type direct struct {
|
||||
// helper pipes
|
||||
// cannot be nil
|
||||
p *pipes
|
||||
|
||||
// returns an array of arguments passed directly
|
||||
// to the helper process
|
||||
argF func(argsFD, statFD int) []string
|
||||
|
||||
lock sync.RWMutex
|
||||
*exec.Cmd
|
||||
}
|
||||
|
||||
func (h *direct) StartNotify(ready chan error) error {
|
||||
h.lock.Lock()
|
||||
defer h.lock.Unlock()
|
||||
|
||||
// Check for doubled Start calls before we defer failure cleanup. If the prior
|
||||
// call to Start succeeded, we don't want to spuriously close its pipes.
|
||||
if h.Cmd.Process != nil {
|
||||
return errors.New("exec: already started")
|
||||
}
|
||||
|
||||
h.p.ready = ready
|
||||
if argsFD, statFD, err := h.p.prepareCmd(h.Cmd); err != nil {
|
||||
return err
|
||||
} else {
|
||||
h.Cmd.Args = append(h.Cmd.Args, h.argF(argsFD, statFD)...)
|
||||
}
|
||||
|
||||
if ready != nil {
|
||||
h.Cmd.Env = append(h.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=1")
|
||||
} else {
|
||||
h.Cmd.Env = append(h.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=0")
|
||||
}
|
||||
|
||||
if err := h.Cmd.Start(); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := h.p.readyWriteArgs(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *direct) Wait() error {
|
||||
h.lock.RLock()
|
||||
defer h.lock.RUnlock()
|
||||
|
||||
if h.Cmd.Process == nil {
|
||||
return errors.New("exec: not started")
|
||||
}
|
||||
defer h.p.mustClosePipes()
|
||||
if h.Cmd.ProcessState != nil {
|
||||
return errors.New("exec: Wait was already called")
|
||||
}
|
||||
|
||||
return h.Cmd.Wait()
|
||||
}
|
||||
|
||||
func (h *direct) Close() error {
|
||||
return h.p.closeStatus()
|
||||
}
|
||||
|
||||
func (h *direct) Start() error {
|
||||
return h.StartNotify(nil)
|
||||
}
|
||||
|
||||
func (h *direct) Unwrap() *exec.Cmd {
|
||||
return h.Cmd
|
||||
}
|
||||
|
||||
// New initialises a new direct Helper instance with wt as the null-terminated argument writer.
|
||||
// Function argF returns an array of arguments passed directly to the child process.
|
||||
func New(wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) Helper {
|
||||
if wt == nil {
|
||||
panic("attempted to create helper with invalid argument writer")
|
||||
}
|
||||
|
||||
return &direct{p: &pipes{args: wt}, argF: argF, Cmd: execCommand(name)}
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
package helper_test
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
)
|
||||
|
||||
func TestDirect(t *testing.T) {
|
||||
t.Run("start non-existent helper path", func(t *testing.T) {
|
||||
h := helper.New(argsWt, "/nonexistent", argF)
|
||||
|
||||
if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
|
||||
t.Errorf("Start() error = %v, wantErr %v",
|
||||
err, os.ErrNotExist)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("valid new helper nil check", func(t *testing.T) {
|
||||
if got := helper.New(argsWt, "fortify", argF); got == nil {
|
||||
t.Errorf("New(%q, %q) got nil",
|
||||
argsWt, "fortify")
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("invalid new helper panic", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "attempted to create helper with invalid argument writer"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("New: panic = %q, want %q",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
|
||||
helper.New(nil, "fortify", argF)
|
||||
})
|
||||
|
||||
t.Run("implementation compliance", func(t *testing.T) {
|
||||
testHelper(t, func() helper.Helper { return helper.New(argsWt, "crash-test-dummy", argF) })
|
||||
})
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
/*
|
||||
Package helper runs external helpers and manages their status and args FDs.
|
||||
*/
|
||||
package helper
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"os/exec"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrStatusFault = errors.New("generic status pipe fault")
|
||||
ErrStatusRead = errors.New("unexpected status response")
|
||||
)
|
||||
|
||||
const (
|
||||
// FortifyHelper is set for the process launched by Helper.
|
||||
FortifyHelper = "FORTIFY_HELPER"
|
||||
// FortifyStatus is 1 when sync fd is enabled and 0 otherwise.
|
||||
FortifyStatus = "FORTIFY_STATUS"
|
||||
)
|
||||
|
||||
type Helper interface {
|
||||
// StartNotify starts the helper process.
|
||||
// A status pipe is passed to the helper if ready is not nil.
|
||||
StartNotify(ready chan error) error
|
||||
// Start starts the helper process.
|
||||
Start() error
|
||||
// Close closes the status pipe.
|
||||
// If helper is started without the status pipe, Close panics.
|
||||
Close() error
|
||||
// Wait calls wait on the child process and cleans up pipes.
|
||||
Wait() error
|
||||
// Unwrap returns the underlying exec.Cmd instance.
|
||||
Unwrap() *exec.Cmd
|
||||
}
|
||||
|
||||
var execCommand = exec.Command
|
|
@ -0,0 +1,167 @@
|
|||
package helper_test
|
||||
|
||||
import (
|
||||
"strconv"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
)
|
||||
|
||||
var (
|
||||
wantArgs = []string{
|
||||
"unix:path=/run/dbus/system_bus_socket",
|
||||
"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket",
|
||||
"--filter",
|
||||
"--talk=org.bluez",
|
||||
"--talk=org.freedesktop.Avahi",
|
||||
"--talk=org.freedesktop.UPower",
|
||||
}
|
||||
|
||||
wantPayload = strings.Join(wantArgs, "\x00") + "\x00"
|
||||
argsWt = helper.MustNewCheckedArgs(wantArgs)
|
||||
)
|
||||
|
||||
func argF(argsFD, statFD int) []string {
|
||||
if argsFD == -1 {
|
||||
panic("invalid args fd")
|
||||
}
|
||||
|
||||
return argFChecked(argsFD, statFD)
|
||||
}
|
||||
|
||||
func argFChecked(argsFD, statFD int) []string {
|
||||
if statFD == -1 {
|
||||
return []string{"--args", strconv.Itoa(argsFD)}
|
||||
} else {
|
||||
return []string{"--args", strconv.Itoa(argsFD), "--fd", strconv.Itoa(statFD)}
|
||||
}
|
||||
}
|
||||
|
||||
// this function tests an implementation of the helper.Helper interface
|
||||
func testHelper(t *testing.T, createHelper func() helper.Helper) {
|
||||
helper.InternalReplaceExecCommand(t)
|
||||
|
||||
t.Run("start helper with status channel and wait", func(t *testing.T) {
|
||||
h := createHelper()
|
||||
ready := make(chan error, 1)
|
||||
cmd := h.Unwrap()
|
||||
|
||||
stdout, stderr := new(strings.Builder), new(strings.Builder)
|
||||
cmd.Stdout, cmd.Stderr = stdout, stderr
|
||||
|
||||
t.Run("wait not yet started helper", func(t *testing.T) {
|
||||
wantErr := "exec: not started"
|
||||
if err := h.Wait(); err != nil && err.Error() != wantErr {
|
||||
t.Errorf("Wait(%v) error = %v, wantErr %v",
|
||||
ready,
|
||||
err, wantErr)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Log("starting helper stub")
|
||||
if err := h.StartNotify(ready); err != nil {
|
||||
t.Errorf("StartNotify(%v) error = %v",
|
||||
ready,
|
||||
err)
|
||||
return
|
||||
}
|
||||
|
||||
t.Run("start already started helper", func(t *testing.T) {
|
||||
wantErr := "exec: already started"
|
||||
if err := h.StartNotify(ready); err != nil && err.Error() != wantErr {
|
||||
t.Errorf("StartNotify(%v) error = %v, wantErr %v",
|
||||
ready,
|
||||
err, wantErr)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Log("waiting on status channel with timeout")
|
||||
select {
|
||||
case <-time.NewTimer(5 * time.Second).C:
|
||||
t.Errorf("never got a ready response")
|
||||
t.Errorf("stdout:\n%s", stdout.String())
|
||||
t.Errorf("stderr:\n%s", stderr.String())
|
||||
if err := cmd.Process.Kill(); err != nil {
|
||||
panic(err.Error())
|
||||
}
|
||||
return
|
||||
case err := <-ready:
|
||||
if err != nil {
|
||||
t.Errorf("StartNotify(%v) latent error = %v",
|
||||
ready,
|
||||
err)
|
||||
}
|
||||
}
|
||||
|
||||
t.Log("closing status pipe")
|
||||
if err := h.Close(); err != nil {
|
||||
t.Errorf("Close() error = %v",
|
||||
err)
|
||||
}
|
||||
|
||||
t.Log("waiting on helper")
|
||||
if err := h.Wait(); err != nil {
|
||||
t.Errorf("Wait() err = %v stderr = %s",
|
||||
err, stderr)
|
||||
}
|
||||
|
||||
t.Run("wait already finalised helper", func(t *testing.T) {
|
||||
wantErr := "exec: Wait was already called"
|
||||
if err := h.Wait(); err != nil && err.Error() != wantErr {
|
||||
t.Errorf("Wait(%v) error = %v, wantErr %v",
|
||||
ready,
|
||||
err, wantErr)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
if got := stdout.String(); !strings.HasPrefix(got, wantPayload) {
|
||||
t.Errorf("StartNotify(%v) stdout = %v, want %v",
|
||||
ready,
|
||||
got, wantPayload)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("start helper and wait", func(t *testing.T) {
|
||||
h := createHelper()
|
||||
cmd := h.Unwrap()
|
||||
|
||||
stdout, stderr := new(strings.Builder), new(strings.Builder)
|
||||
cmd.Stdout, cmd.Stderr = stdout, stderr
|
||||
|
||||
if err := h.Start(); err != nil {
|
||||
t.Errorf("Start() error = %v",
|
||||
err)
|
||||
return
|
||||
}
|
||||
|
||||
t.Run("close helper without status pipe", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "attempted to close helper with no status pipe"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("Close() panic = %v, wantPanic %v",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
if err := h.Close(); err != nil {
|
||||
t.Errorf("Close() error = %v",
|
||||
err)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
if err := h.Wait(); err != nil {
|
||||
t.Errorf("Wait() err = %v stderr = %s",
|
||||
err, stderr)
|
||||
}
|
||||
|
||||
if got := stdout.String(); !strings.HasPrefix(got, wantPayload) {
|
||||
t.Errorf("Start() stdout = %v, want %v",
|
||||
got, wantPayload)
|
||||
}
|
||||
})
|
||||
}
|
|
@ -0,0 +1,150 @@
|
|||
package helper
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
"os"
|
||||
"os/exec"
|
||||
)
|
||||
|
||||
type pipes struct {
|
||||
args io.WriterTo
|
||||
|
||||
statP [2]*os.File
|
||||
argsP [2]*os.File
|
||||
|
||||
ready chan error
|
||||
|
||||
cmd *exec.Cmd
|
||||
}
|
||||
|
||||
func (p *pipes) pipe() error {
|
||||
if p.statP[0] != nil || p.statP[1] != nil ||
|
||||
p.argsP[0] != nil || p.argsP[1] != nil {
|
||||
panic("attempted to pipe twice")
|
||||
}
|
||||
if p.args == nil {
|
||||
panic("attempted to pipe without args")
|
||||
}
|
||||
|
||||
// create pipes
|
||||
if pr, pw, err := os.Pipe(); err != nil {
|
||||
return err
|
||||
} else {
|
||||
p.argsP[0], p.argsP[1] = pr, pw
|
||||
}
|
||||
|
||||
// create status pipes if ready signal is requested
|
||||
if p.ready != nil {
|
||||
if pr, pw, err := os.Pipe(); err != nil {
|
||||
return err
|
||||
} else {
|
||||
p.statP[0], p.statP[1] = pr, pw
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// calls pipe to create pipes and sets them up as ExtraFiles, returning their fd
|
||||
func (p *pipes) prepareCmd(cmd *exec.Cmd) (int, int, error) {
|
||||
if err := p.pipe(); err != nil {
|
||||
return -1, -1, err
|
||||
}
|
||||
|
||||
// save a reference of cmd for future use
|
||||
p.cmd = cmd
|
||||
|
||||
// ExtraFiles: If non-nil, entry i becomes file descriptor 3+i.
|
||||
argsFd := 3 + len(cmd.ExtraFiles)
|
||||
cmd.ExtraFiles = append(cmd.ExtraFiles, p.argsP[0])
|
||||
|
||||
if p.ready != nil {
|
||||
cmd.ExtraFiles = append(cmd.ExtraFiles, p.statP[1])
|
||||
return argsFd, argsFd + 1, nil
|
||||
} else {
|
||||
return argsFd, -1, nil
|
||||
}
|
||||
}
|
||||
|
||||
func (p *pipes) readyWriteArgs() error {
|
||||
statsP, argsP := p.statP[0], p.argsP[1]
|
||||
|
||||
// write arguments and close args pipe
|
||||
if _, err := p.args.WriteTo(argsP); err != nil {
|
||||
if err1 := p.cmd.Process.Kill(); err1 != nil {
|
||||
// should be unreachable
|
||||
panic(err1.Error())
|
||||
}
|
||||
return err
|
||||
} else {
|
||||
if err = argsP.Close(); err != nil {
|
||||
if err1 := p.cmd.Process.Kill(); err1 != nil {
|
||||
// should be unreachable
|
||||
panic(err1.Error())
|
||||
}
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if p.ready != nil {
|
||||
// monitor stat pipe
|
||||
go func() {
|
||||
n, err := statsP.Read(make([]byte, 1))
|
||||
switch n {
|
||||
case -1:
|
||||
if err1 := p.cmd.Process.Kill(); err1 != nil {
|
||||
// should be unreachable
|
||||
panic(err1.Error())
|
||||
}
|
||||
// ensure error is not nil
|
||||
if err == nil {
|
||||
err = ErrStatusFault
|
||||
}
|
||||
p.ready <- err
|
||||
case 0:
|
||||
// ensure error is not nil
|
||||
if err == nil {
|
||||
err = ErrStatusRead
|
||||
}
|
||||
p.ready <- err
|
||||
case 1:
|
||||
p.ready <- nil
|
||||
default:
|
||||
panic("unreachable") // unexpected read count
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (p *pipes) mustClosePipes() {
|
||||
if err := p.argsP[0].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
|
||||
// unreachable
|
||||
panic(err.Error())
|
||||
}
|
||||
if err := p.argsP[1].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
|
||||
// unreachable
|
||||
panic(err.Error())
|
||||
}
|
||||
|
||||
if p.ready != nil {
|
||||
if err := p.statP[0].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
|
||||
// unreachable
|
||||
panic(err.Error())
|
||||
}
|
||||
if err := p.statP[1].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
|
||||
// unreachable
|
||||
panic(err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (p *pipes) closeStatus() error {
|
||||
if p.ready == nil {
|
||||
panic("attempted to close helper with no status pipe")
|
||||
}
|
||||
|
||||
return p.statP[0].Close()
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
package helper
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func Test_pipes_pipe_mustClosePipes(t *testing.T) {
|
||||
p := new(pipes)
|
||||
|
||||
t.Run("pipe without args", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "attempted to pipe without args"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("pipe() panic = %v, wantPanic %v",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
_ = p.pipe()
|
||||
})
|
||||
|
||||
p.args = MustNewCheckedArgs(make([]string, 0))
|
||||
t.Run("obtain pipes", func(t *testing.T) {
|
||||
if err := p.pipe(); err != nil {
|
||||
t.Errorf("pipe() error = %v",
|
||||
err)
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("pipe twice", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "attempted to pipe twice"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("pipe() panic = %v, wantPanic %v",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
_ = p.pipe()
|
||||
})
|
||||
|
||||
p.mustClosePipes()
|
||||
}
|
|
@ -0,0 +1,175 @@
|
|||
package helper
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"io"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
// InternalChildStub is an internal function but exported because it is cross-package;
|
||||
// it is part of the implementation of the helper stub.
|
||||
func InternalChildStub() {
|
||||
// this test mocks the helper process
|
||||
if os.Getenv(FortifyHelper) != "1" ||
|
||||
os.Getenv(FortifyStatus) == "-1" { // this indicates the stub is being invoked as a bwrap child without pipes
|
||||
return
|
||||
}
|
||||
|
||||
argsFD := flag.Int("args", -1, "")
|
||||
statFD := flag.Int("fd", -1, "")
|
||||
_ = flag.CommandLine.Parse(os.Args[4:])
|
||||
|
||||
switch os.Args[3] {
|
||||
case "bwrap":
|
||||
bwrapStub(argsFD, statFD)
|
||||
default:
|
||||
genericStub(argsFD, statFD)
|
||||
}
|
||||
|
||||
fmsg.Exit(0)
|
||||
}
|
||||
|
||||
// InternalReplaceExecCommand is an internal function but exported because it is cross-package;
|
||||
// it is part of the implementation of the helper stub.
|
||||
func InternalReplaceExecCommand(t *testing.T) {
|
||||
t.Cleanup(func() {
|
||||
execCommand = exec.Command
|
||||
})
|
||||
|
||||
// replace execCommand to have the resulting *exec.Cmd launch TestHelperChildStub
|
||||
execCommand = func(name string, arg ...string) *exec.Cmd {
|
||||
// pass through nonexistent path
|
||||
if name == "/nonexistent" && len(arg) == 0 {
|
||||
return exec.Command(name)
|
||||
}
|
||||
|
||||
return exec.Command(os.Args[0], append([]string{"-test.run=TestHelperChildStub", "--", name}, arg...)...)
|
||||
}
|
||||
}
|
||||
|
||||
func genericStub(argsFD, statFD *int) {
|
||||
// simulate args pipe behaviour
|
||||
func() {
|
||||
if *argsFD == -1 {
|
||||
panic("attempted to start helper without passing args pipe fd")
|
||||
}
|
||||
|
||||
f := os.NewFile(uintptr(*argsFD), "|0")
|
||||
if f == nil {
|
||||
panic("attempted to start helper without args pipe")
|
||||
}
|
||||
|
||||
if _, err := io.Copy(os.Stdout, f); err != nil {
|
||||
panic("cannot read args: " + err.Error())
|
||||
}
|
||||
}()
|
||||
|
||||
var wait chan struct{}
|
||||
|
||||
// simulate status pipe behaviour
|
||||
if os.Getenv(FortifyStatus) == "1" {
|
||||
if *statFD == -1 {
|
||||
panic("attempted to start helper with status reporting without passing status pipe fd")
|
||||
}
|
||||
|
||||
wait = make(chan struct{})
|
||||
go func() {
|
||||
f := os.NewFile(uintptr(*statFD), "|1")
|
||||
if f == nil {
|
||||
panic("attempted to start with status reporting without status pipe")
|
||||
}
|
||||
|
||||
if _, err := f.Write([]byte{'x'}); err != nil {
|
||||
panic("cannot write to status pipe: " + err.Error())
|
||||
}
|
||||
|
||||
// wait for status pipe close
|
||||
var epoll int
|
||||
if fd, err := syscall.EpollCreate1(0); err != nil {
|
||||
panic("cannot open epoll fd: " + err.Error())
|
||||
} else {
|
||||
defer func() {
|
||||
if err = syscall.Close(fd); err != nil {
|
||||
panic("cannot close epoll fd: " + err.Error())
|
||||
}
|
||||
}()
|
||||
epoll = fd
|
||||
}
|
||||
if err := syscall.EpollCtl(epoll, syscall.EPOLL_CTL_ADD, int(f.Fd()), &syscall.EpollEvent{}); err != nil {
|
||||
panic("cannot add status pipe to epoll: " + err.Error())
|
||||
}
|
||||
events := make([]syscall.EpollEvent, 1)
|
||||
if _, err := syscall.EpollWait(epoll, events, -1); err != nil {
|
||||
panic("cannot poll status pipe: " + err.Error())
|
||||
}
|
||||
if events[0].Events != syscall.EPOLLERR {
|
||||
panic(strconv.Itoa(int(events[0].Events)))
|
||||
|
||||
}
|
||||
close(wait)
|
||||
}()
|
||||
}
|
||||
|
||||
if wait != nil {
|
||||
<-wait
|
||||
}
|
||||
}
|
||||
|
||||
func bwrapStub(argsFD, statFD *int) {
|
||||
// the bwrap launcher does not ever launch with sync fd
|
||||
if *statFD != -1 {
|
||||
panic("attempted to launch bwrap with status monitoring")
|
||||
}
|
||||
|
||||
// test args pipe behaviour
|
||||
func() {
|
||||
if *argsFD == -1 {
|
||||
panic("attempted to start bwrap without passing args pipe fd")
|
||||
}
|
||||
|
||||
f := os.NewFile(uintptr(*argsFD), "|0")
|
||||
if f == nil {
|
||||
panic("attempted to start helper without args pipe")
|
||||
}
|
||||
|
||||
got, want := new(strings.Builder), new(strings.Builder)
|
||||
|
||||
if _, err := io.Copy(got, f); err != nil {
|
||||
panic("cannot read args: " + err.Error())
|
||||
}
|
||||
|
||||
// hardcoded bwrap configuration used by test
|
||||
if _, err := MustNewCheckedArgs((&bwrap.Config{
|
||||
Unshare: nil,
|
||||
Net: true,
|
||||
UserNS: false,
|
||||
Hostname: "localhost",
|
||||
Chdir: "/nonexistent",
|
||||
Clearenv: true,
|
||||
NewSession: true,
|
||||
DieWithParent: true,
|
||||
AsInit: true,
|
||||
}).Args()).WriteTo(want); err != nil {
|
||||
panic("cannot read want: " + err.Error())
|
||||
}
|
||||
|
||||
if len(flag.CommandLine.Args()) > 0 && flag.CommandLine.Args()[0] == "crash-test-dummy" && got.String() != want.String() {
|
||||
panic("bad bwrap args\ngot: " + got.String() + "\nwant: " + want.String())
|
||||
}
|
||||
}()
|
||||
|
||||
if err := syscall.Exec(
|
||||
os.Args[0],
|
||||
append([]string{os.Args[0], "-test.run=TestHelperChildStub", "--"}, flag.CommandLine.Args()...),
|
||||
os.Environ()); err != nil {
|
||||
panic("cannot start general stub: " + err.Error())
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
package helper_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
)
|
||||
|
||||
func TestHelperChildStub(t *testing.T) {
|
||||
helper.InternalChildStub()
|
||||
}
|
|
@ -0,0 +1,71 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"sync"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/shim"
|
||||
)
|
||||
|
||||
type App interface {
|
||||
// ID returns a copy of App's unique ID.
|
||||
ID() ID
|
||||
// Start sets up the system and starts the App.
|
||||
Start() error
|
||||
// Wait waits for App's process to exit and reverts system setup.
|
||||
Wait() (int, error)
|
||||
// WaitErr returns error returned by the underlying wait syscall.
|
||||
WaitErr() error
|
||||
|
||||
Seal(config *Config) error
|
||||
String() string
|
||||
}
|
||||
|
||||
type app struct {
|
||||
// application unique identifier
|
||||
id *ID
|
||||
// operating system interface
|
||||
os internal.System
|
||||
// shim process manager
|
||||
shim *shim.Shim
|
||||
// child process related information
|
||||
seal *appSeal
|
||||
// error returned waiting for process
|
||||
waitErr error
|
||||
|
||||
lock sync.RWMutex
|
||||
}
|
||||
|
||||
func (a *app) ID() ID {
|
||||
return *a.id
|
||||
}
|
||||
|
||||
func (a *app) String() string {
|
||||
if a == nil {
|
||||
return "(invalid fortified app)"
|
||||
}
|
||||
|
||||
a.lock.RLock()
|
||||
defer a.lock.RUnlock()
|
||||
|
||||
if a.shim != nil {
|
||||
return a.shim.String()
|
||||
}
|
||||
|
||||
if a.seal != nil {
|
||||
return "(sealed fortified app as uid " + a.seal.sys.user.Uid + ")"
|
||||
}
|
||||
|
||||
return "(unsealed fortified app)"
|
||||
}
|
||||
|
||||
func (a *app) WaitErr() error {
|
||||
return a.waitErr
|
||||
}
|
||||
|
||||
func New(os internal.System) (App, error) {
|
||||
a := new(app)
|
||||
a.id = new(ID)
|
||||
a.os = os
|
||||
return a, newAppID(a.id)
|
||||
}
|
|
@ -0,0 +1,592 @@
|
|||
package app_test
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"os/user"
|
||||
"strconv"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
var testCasesNixos = []sealTestCase{
|
||||
{
|
||||
"nixos permissive defaults no enablements", new(stubNixOS),
|
||||
&app.Config{
|
||||
User: "chronos",
|
||||
Command: make([]string, 0),
|
||||
Method: "sudo",
|
||||
},
|
||||
app.ID{
|
||||
0x4a, 0x45, 0x0b, 0x65,
|
||||
0x96, 0xd7, 0xbc, 0x15,
|
||||
0xbd, 0x01, 0x78, 0x0e,
|
||||
0xb9, 0xa6, 0x07, 0xac,
|
||||
},
|
||||
system.New(150).
|
||||
Ensure("/tmp/fortify.1971", 0701).
|
||||
Ephemeral(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac", 0701).
|
||||
Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
|
||||
Ensure("/tmp/fortify.1971/tmpdir/150", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/150", acl.Read, acl.Write, acl.Execute).
|
||||
Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
|
||||
Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
|
||||
Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
|
||||
WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
|
||||
WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "fortify:x:65534:\n"),
|
||||
(&bwrap.Config{
|
||||
Net: true,
|
||||
UserNS: true,
|
||||
Clearenv: true,
|
||||
SetEnv: map[string]string{
|
||||
"HOME": "/home/chronos",
|
||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||
"TERM": "xterm-256color",
|
||||
"USER": "chronos",
|
||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||
"XDG_SESSION_CLASS": "user",
|
||||
"XDG_SESSION_TYPE": "tty"},
|
||||
Chmod: make(bwrap.ChmodConfig),
|
||||
DieWithParent: true,
|
||||
AsInit: true,
|
||||
}).SetUID(65534).SetGID(65534).
|
||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||
Tmpfs("/dev/fortify", 4096).
|
||||
Bind("/bin", "/bin", false, true).
|
||||
Bind("/boot", "/boot", false, true).
|
||||
Bind("/etc", "/dev/fortify/etc").
|
||||
Bind("/home", "/home", false, true).
|
||||
Bind("/lib", "/lib", false, true).
|
||||
Bind("/lib64", "/lib64", false, true).
|
||||
Bind("/nix", "/nix", false, true).
|
||||
Bind("/root", "/root", false, true).
|
||||
Bind("/srv", "/srv", false, true).
|
||||
Bind("/sys", "/sys", false, true).
|
||||
Bind("/usr", "/usr", false, true).
|
||||
Bind("/var", "/var", false, true).
|
||||
Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
|
||||
Bind("/run/binfmt", "/run/binfmt", false, true).
|
||||
Bind("/run/booted-system", "/run/booted-system", false, true).
|
||||
Bind("/run/credentials", "/run/credentials", false, true).
|
||||
Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
|
||||
Bind("/run/current-system", "/run/current-system", false, true).
|
||||
Bind("/run/host", "/run/host", false, true).
|
||||
Bind("/run/keys", "/run/keys", false, true).
|
||||
Bind("/run/libvirt", "/run/libvirt", false, true).
|
||||
Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
|
||||
Bind("/run/lock", "/run/lock", false, true).
|
||||
Bind("/run/log", "/run/log", false, true).
|
||||
Bind("/run/lvm", "/run/lvm", false, true).
|
||||
Bind("/run/mount", "/run/mount", false, true).
|
||||
Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
|
||||
Bind("/run/nginx", "/run/nginx", false, true).
|
||||
Bind("/run/nixos", "/run/nixos", false, true).
|
||||
Bind("/run/nscd", "/run/nscd", false, true).
|
||||
Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
|
||||
Bind("/run/pppd", "/run/pppd", false, true).
|
||||
Bind("/run/resolvconf", "/run/resolvconf", false, true).
|
||||
Bind("/run/sddm", "/run/sddm", false, true).
|
||||
Bind("/run/store", "/run/store", false, true).
|
||||
Bind("/run/syncoid", "/run/syncoid", false, true).
|
||||
Bind("/run/system", "/run/system", false, true).
|
||||
Bind("/run/systemd", "/run/systemd", false, true).
|
||||
Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
|
||||
Bind("/run/udev", "/run/udev", false, true).
|
||||
Bind("/run/udisks2", "/run/udisks2", false, true).
|
||||
Bind("/run/utmp", "/run/utmp", false, true).
|
||||
Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
|
||||
Bind("/run/wrappers", "/run/wrappers", false, true).
|
||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||
Symlink("/dev/fortify/etc/alsa", "/etc/alsa").
|
||||
Symlink("/dev/fortify/etc/bashrc", "/etc/bashrc").
|
||||
Symlink("/dev/fortify/etc/binfmt.d", "/etc/binfmt.d").
|
||||
Symlink("/dev/fortify/etc/dbus-1", "/etc/dbus-1").
|
||||
Symlink("/dev/fortify/etc/default", "/etc/default").
|
||||
Symlink("/dev/fortify/etc/ethertypes", "/etc/ethertypes").
|
||||
Symlink("/dev/fortify/etc/fonts", "/etc/fonts").
|
||||
Symlink("/dev/fortify/etc/fstab", "/etc/fstab").
|
||||
Symlink("/dev/fortify/etc/fuse.conf", "/etc/fuse.conf").
|
||||
Symlink("/dev/fortify/etc/host.conf", "/etc/host.conf").
|
||||
Symlink("/dev/fortify/etc/hostid", "/etc/hostid").
|
||||
Symlink("/dev/fortify/etc/hostname", "/etc/hostname").
|
||||
Symlink("/dev/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
||||
Symlink("/dev/fortify/etc/hosts", "/etc/hosts").
|
||||
Symlink("/dev/fortify/etc/inputrc", "/etc/inputrc").
|
||||
Symlink("/dev/fortify/etc/ipsec.d", "/etc/ipsec.d").
|
||||
Symlink("/dev/fortify/etc/issue", "/etc/issue").
|
||||
Symlink("/dev/fortify/etc/kbd", "/etc/kbd").
|
||||
Symlink("/dev/fortify/etc/libblockdev", "/etc/libblockdev").
|
||||
Symlink("/dev/fortify/etc/locale.conf", "/etc/locale.conf").
|
||||
Symlink("/dev/fortify/etc/localtime", "/etc/localtime").
|
||||
Symlink("/dev/fortify/etc/login.defs", "/etc/login.defs").
|
||||
Symlink("/dev/fortify/etc/lsb-release", "/etc/lsb-release").
|
||||
Symlink("/dev/fortify/etc/lvm", "/etc/lvm").
|
||||
Symlink("/dev/fortify/etc/machine-id", "/etc/machine-id").
|
||||
Symlink("/dev/fortify/etc/man_db.conf", "/etc/man_db.conf").
|
||||
Symlink("/dev/fortify/etc/modprobe.d", "/etc/modprobe.d").
|
||||
Symlink("/dev/fortify/etc/modules-load.d", "/etc/modules-load.d").
|
||||
Symlink("/proc/mounts", "/etc/mtab").
|
||||
Symlink("/dev/fortify/etc/nanorc", "/etc/nanorc").
|
||||
Symlink("/dev/fortify/etc/netgroup", "/etc/netgroup").
|
||||
Symlink("/dev/fortify/etc/NetworkManager", "/etc/NetworkManager").
|
||||
Symlink("/dev/fortify/etc/nix", "/etc/nix").
|
||||
Symlink("/dev/fortify/etc/nixos", "/etc/nixos").
|
||||
Symlink("/dev/fortify/etc/NIXOS", "/etc/NIXOS").
|
||||
Symlink("/dev/fortify/etc/nscd.conf", "/etc/nscd.conf").
|
||||
Symlink("/dev/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
||||
Symlink("/dev/fortify/etc/opensnitchd", "/etc/opensnitchd").
|
||||
Symlink("/dev/fortify/etc/os-release", "/etc/os-release").
|
||||
Symlink("/dev/fortify/etc/pam", "/etc/pam").
|
||||
Symlink("/dev/fortify/etc/pam.d", "/etc/pam.d").
|
||||
Symlink("/dev/fortify/etc/pipewire", "/etc/pipewire").
|
||||
Symlink("/dev/fortify/etc/pki", "/etc/pki").
|
||||
Symlink("/dev/fortify/etc/polkit-1", "/etc/polkit-1").
|
||||
Symlink("/dev/fortify/etc/profile", "/etc/profile").
|
||||
Symlink("/dev/fortify/etc/protocols", "/etc/protocols").
|
||||
Symlink("/dev/fortify/etc/qemu", "/etc/qemu").
|
||||
Symlink("/dev/fortify/etc/resolv.conf", "/etc/resolv.conf").
|
||||
Symlink("/dev/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
||||
Symlink("/dev/fortify/etc/rpc", "/etc/rpc").
|
||||
Symlink("/dev/fortify/etc/samba", "/etc/samba").
|
||||
Symlink("/dev/fortify/etc/sddm.conf", "/etc/sddm.conf").
|
||||
Symlink("/dev/fortify/etc/secureboot", "/etc/secureboot").
|
||||
Symlink("/dev/fortify/etc/services", "/etc/services").
|
||||
Symlink("/dev/fortify/etc/set-environment", "/etc/set-environment").
|
||||
Symlink("/dev/fortify/etc/shadow", "/etc/shadow").
|
||||
Symlink("/dev/fortify/etc/shells", "/etc/shells").
|
||||
Symlink("/dev/fortify/etc/ssh", "/etc/ssh").
|
||||
Symlink("/dev/fortify/etc/ssl", "/etc/ssl").
|
||||
Symlink("/dev/fortify/etc/static", "/etc/static").
|
||||
Symlink("/dev/fortify/etc/subgid", "/etc/subgid").
|
||||
Symlink("/dev/fortify/etc/subuid", "/etc/subuid").
|
||||
Symlink("/dev/fortify/etc/sudoers", "/etc/sudoers").
|
||||
Symlink("/dev/fortify/etc/sysctl.d", "/etc/sysctl.d").
|
||||
Symlink("/dev/fortify/etc/systemd", "/etc/systemd").
|
||||
Symlink("/dev/fortify/etc/terminfo", "/etc/terminfo").
|
||||
Symlink("/dev/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
||||
Symlink("/dev/fortify/etc/udev", "/etc/udev").
|
||||
Symlink("/dev/fortify/etc/udisks2", "/etc/udisks2").
|
||||
Symlink("/dev/fortify/etc/UPower", "/etc/UPower").
|
||||
Symlink("/dev/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
|
||||
Symlink("/dev/fortify/etc/X11", "/etc/X11").
|
||||
Symlink("/dev/fortify/etc/zfs", "/etc/zfs").
|
||||
Symlink("/dev/fortify/etc/zinputrc", "/etc/zinputrc").
|
||||
Symlink("/dev/fortify/etc/zoneinfo", "/etc/zoneinfo").
|
||||
Symlink("/dev/fortify/etc/zprofile", "/etc/zprofile").
|
||||
Symlink("/dev/fortify/etc/zshenv", "/etc/zshenv").
|
||||
Symlink("/dev/fortify/etc/zshrc", "/etc/zshrc").
|
||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||
Tmpfs("/run/user", 1048576).
|
||||
Tmpfs("/run/user/150", 8388608).
|
||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
|
||||
Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
|
||||
Tmpfs("/var/run/nscd", 8192),
|
||||
},
|
||||
{
|
||||
"nixos permissive defaults chromium", new(stubNixOS),
|
||||
&app.Config{
|
||||
ID: "org.chromium.Chromium",
|
||||
User: "chronos",
|
||||
Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
|
||||
Confinement: app.ConfinementConfig{
|
||||
SessionBus: &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.freedesktop.Notifications",
|
||||
"org.freedesktop.FileManager1",
|
||||
"org.freedesktop.ScreenSaver",
|
||||
"org.freedesktop.secrets",
|
||||
"org.kde.kwalletd5",
|
||||
"org.kde.kwalletd6",
|
||||
"org.gnome.SessionManager",
|
||||
},
|
||||
Own: []string{
|
||||
"org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.chromium.*",
|
||||
},
|
||||
Call: map[string]string{
|
||||
"org.freedesktop.portal.*": "*",
|
||||
},
|
||||
Broadcast: map[string]string{
|
||||
"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
|
||||
},
|
||||
Filter: true,
|
||||
},
|
||||
SystemBus: &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.bluez",
|
||||
"org.freedesktop.Avahi",
|
||||
"org.freedesktop.UPower",
|
||||
},
|
||||
Filter: true,
|
||||
},
|
||||
Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
|
||||
},
|
||||
Method: "systemd",
|
||||
},
|
||||
app.ID{
|
||||
0xeb, 0xf0, 0x83, 0xd1,
|
||||
0xb1, 0x75, 0x91, 0x17,
|
||||
0x82, 0xd4, 0x13, 0x36,
|
||||
0x9b, 0x64, 0xce, 0x7c,
|
||||
},
|
||||
system.New(150).
|
||||
Ensure("/tmp/fortify.1971", 0701).
|
||||
Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0701).
|
||||
Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
|
||||
Ensure("/tmp/fortify.1971/tmpdir/150", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/150", acl.Read, acl.Write, acl.Execute).
|
||||
Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
|
||||
Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
|
||||
Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
|
||||
WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
|
||||
WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "fortify:x:65534:\n").
|
||||
Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland").
|
||||
UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
|
||||
Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
|
||||
CopyFile("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
|
||||
MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.freedesktop.Notifications",
|
||||
"org.freedesktop.FileManager1",
|
||||
"org.freedesktop.ScreenSaver",
|
||||
"org.freedesktop.secrets",
|
||||
"org.kde.kwalletd5",
|
||||
"org.kde.kwalletd6",
|
||||
"org.gnome.SessionManager",
|
||||
},
|
||||
Own: []string{
|
||||
"org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.chromium.*",
|
||||
},
|
||||
Call: map[string]string{
|
||||
"org.freedesktop.portal.*": "*",
|
||||
},
|
||||
Broadcast: map[string]string{
|
||||
"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
|
||||
},
|
||||
Filter: true,
|
||||
}, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
|
||||
Talk: []string{
|
||||
"org.bluez",
|
||||
"org.freedesktop.Avahi",
|
||||
"org.freedesktop.UPower",
|
||||
},
|
||||
Filter: true,
|
||||
}).
|
||||
UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
|
||||
UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
|
||||
(&bwrap.Config{
|
||||
Net: true,
|
||||
UserNS: true,
|
||||
Clearenv: true,
|
||||
SetEnv: map[string]string{
|
||||
"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/150/bus",
|
||||
"DBUS_SYSTEM_BUS_ADDRESS": "unix:path=/run/dbus/system_bus_socket",
|
||||
"HOME": "/home/chronos",
|
||||
"PULSE_COOKIE": "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie",
|
||||
"PULSE_SERVER": "unix:/run/user/150/pulse/native",
|
||||
"SHELL": "/run/current-system/sw/bin/zsh",
|
||||
"TERM": "xterm-256color",
|
||||
"USER": "chronos",
|
||||
"WAYLAND_DISPLAY": "/run/user/150/wayland-0",
|
||||
"XDG_RUNTIME_DIR": "/run/user/150",
|
||||
"XDG_SESSION_CLASS": "user",
|
||||
"XDG_SESSION_TYPE": "tty",
|
||||
},
|
||||
Chmod: make(bwrap.ChmodConfig),
|
||||
DieWithParent: true,
|
||||
AsInit: true,
|
||||
}).SetUID(65534).SetGID(65534).
|
||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||
Tmpfs("/dev/fortify", 4096).
|
||||
Bind("/bin", "/bin", false, true).
|
||||
Bind("/boot", "/boot", false, true).
|
||||
Bind("/etc", "/dev/fortify/etc").
|
||||
Bind("/home", "/home", false, true).
|
||||
Bind("/lib", "/lib", false, true).
|
||||
Bind("/lib64", "/lib64", false, true).
|
||||
Bind("/nix", "/nix", false, true).
|
||||
Bind("/root", "/root", false, true).
|
||||
Bind("/srv", "/srv", false, true).
|
||||
Bind("/sys", "/sys", false, true).
|
||||
Bind("/usr", "/usr", false, true).
|
||||
Bind("/var", "/var", false, true).
|
||||
Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
|
||||
Bind("/run/binfmt", "/run/binfmt", false, true).
|
||||
Bind("/run/booted-system", "/run/booted-system", false, true).
|
||||
Bind("/run/credentials", "/run/credentials", false, true).
|
||||
Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
|
||||
Bind("/run/current-system", "/run/current-system", false, true).
|
||||
Bind("/run/host", "/run/host", false, true).
|
||||
Bind("/run/keys", "/run/keys", false, true).
|
||||
Bind("/run/libvirt", "/run/libvirt", false, true).
|
||||
Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
|
||||
Bind("/run/lock", "/run/lock", false, true).
|
||||
Bind("/run/log", "/run/log", false, true).
|
||||
Bind("/run/lvm", "/run/lvm", false, true).
|
||||
Bind("/run/mount", "/run/mount", false, true).
|
||||
Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
|
||||
Bind("/run/nginx", "/run/nginx", false, true).
|
||||
Bind("/run/nixos", "/run/nixos", false, true).
|
||||
Bind("/run/nscd", "/run/nscd", false, true).
|
||||
Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
|
||||
Bind("/run/pppd", "/run/pppd", false, true).
|
||||
Bind("/run/resolvconf", "/run/resolvconf", false, true).
|
||||
Bind("/run/sddm", "/run/sddm", false, true).
|
||||
Bind("/run/store", "/run/store", false, true).
|
||||
Bind("/run/syncoid", "/run/syncoid", false, true).
|
||||
Bind("/run/system", "/run/system", false, true).
|
||||
Bind("/run/systemd", "/run/systemd", false, true).
|
||||
Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
|
||||
Bind("/run/udev", "/run/udev", false, true).
|
||||
Bind("/run/udisks2", "/run/udisks2", false, true).
|
||||
Bind("/run/utmp", "/run/utmp", false, true).
|
||||
Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
|
||||
Bind("/run/wrappers", "/run/wrappers", false, true).
|
||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||
Bind("/dev/dri", "/dev/dri", true, true, true).
|
||||
Symlink("/dev/fortify/etc/alsa", "/etc/alsa").
|
||||
Symlink("/dev/fortify/etc/bashrc", "/etc/bashrc").
|
||||
Symlink("/dev/fortify/etc/binfmt.d", "/etc/binfmt.d").
|
||||
Symlink("/dev/fortify/etc/dbus-1", "/etc/dbus-1").
|
||||
Symlink("/dev/fortify/etc/default", "/etc/default").
|
||||
Symlink("/dev/fortify/etc/ethertypes", "/etc/ethertypes").
|
||||
Symlink("/dev/fortify/etc/fonts", "/etc/fonts").
|
||||
Symlink("/dev/fortify/etc/fstab", "/etc/fstab").
|
||||
Symlink("/dev/fortify/etc/fuse.conf", "/etc/fuse.conf").
|
||||
Symlink("/dev/fortify/etc/host.conf", "/etc/host.conf").
|
||||
Symlink("/dev/fortify/etc/hostid", "/etc/hostid").
|
||||
Symlink("/dev/fortify/etc/hostname", "/etc/hostname").
|
||||
Symlink("/dev/fortify/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
|
||||
Symlink("/dev/fortify/etc/hosts", "/etc/hosts").
|
||||
Symlink("/dev/fortify/etc/inputrc", "/etc/inputrc").
|
||||
Symlink("/dev/fortify/etc/ipsec.d", "/etc/ipsec.d").
|
||||
Symlink("/dev/fortify/etc/issue", "/etc/issue").
|
||||
Symlink("/dev/fortify/etc/kbd", "/etc/kbd").
|
||||
Symlink("/dev/fortify/etc/libblockdev", "/etc/libblockdev").
|
||||
Symlink("/dev/fortify/etc/locale.conf", "/etc/locale.conf").
|
||||
Symlink("/dev/fortify/etc/localtime", "/etc/localtime").
|
||||
Symlink("/dev/fortify/etc/login.defs", "/etc/login.defs").
|
||||
Symlink("/dev/fortify/etc/lsb-release", "/etc/lsb-release").
|
||||
Symlink("/dev/fortify/etc/lvm", "/etc/lvm").
|
||||
Symlink("/dev/fortify/etc/machine-id", "/etc/machine-id").
|
||||
Symlink("/dev/fortify/etc/man_db.conf", "/etc/man_db.conf").
|
||||
Symlink("/dev/fortify/etc/modprobe.d", "/etc/modprobe.d").
|
||||
Symlink("/dev/fortify/etc/modules-load.d", "/etc/modules-load.d").
|
||||
Symlink("/proc/mounts", "/etc/mtab").
|
||||
Symlink("/dev/fortify/etc/nanorc", "/etc/nanorc").
|
||||
Symlink("/dev/fortify/etc/netgroup", "/etc/netgroup").
|
||||
Symlink("/dev/fortify/etc/NetworkManager", "/etc/NetworkManager").
|
||||
Symlink("/dev/fortify/etc/nix", "/etc/nix").
|
||||
Symlink("/dev/fortify/etc/nixos", "/etc/nixos").
|
||||
Symlink("/dev/fortify/etc/NIXOS", "/etc/NIXOS").
|
||||
Symlink("/dev/fortify/etc/nscd.conf", "/etc/nscd.conf").
|
||||
Symlink("/dev/fortify/etc/nsswitch.conf", "/etc/nsswitch.conf").
|
||||
Symlink("/dev/fortify/etc/opensnitchd", "/etc/opensnitchd").
|
||||
Symlink("/dev/fortify/etc/os-release", "/etc/os-release").
|
||||
Symlink("/dev/fortify/etc/pam", "/etc/pam").
|
||||
Symlink("/dev/fortify/etc/pam.d", "/etc/pam.d").
|
||||
Symlink("/dev/fortify/etc/pipewire", "/etc/pipewire").
|
||||
Symlink("/dev/fortify/etc/pki", "/etc/pki").
|
||||
Symlink("/dev/fortify/etc/polkit-1", "/etc/polkit-1").
|
||||
Symlink("/dev/fortify/etc/profile", "/etc/profile").
|
||||
Symlink("/dev/fortify/etc/protocols", "/etc/protocols").
|
||||
Symlink("/dev/fortify/etc/qemu", "/etc/qemu").
|
||||
Symlink("/dev/fortify/etc/resolv.conf", "/etc/resolv.conf").
|
||||
Symlink("/dev/fortify/etc/resolvconf.conf", "/etc/resolvconf.conf").
|
||||
Symlink("/dev/fortify/etc/rpc", "/etc/rpc").
|
||||
Symlink("/dev/fortify/etc/samba", "/etc/samba").
|
||||
Symlink("/dev/fortify/etc/sddm.conf", "/etc/sddm.conf").
|
||||
Symlink("/dev/fortify/etc/secureboot", "/etc/secureboot").
|
||||
Symlink("/dev/fortify/etc/services", "/etc/services").
|
||||
Symlink("/dev/fortify/etc/set-environment", "/etc/set-environment").
|
||||
Symlink("/dev/fortify/etc/shadow", "/etc/shadow").
|
||||
Symlink("/dev/fortify/etc/shells", "/etc/shells").
|
||||
Symlink("/dev/fortify/etc/ssh", "/etc/ssh").
|
||||
Symlink("/dev/fortify/etc/ssl", "/etc/ssl").
|
||||
Symlink("/dev/fortify/etc/static", "/etc/static").
|
||||
Symlink("/dev/fortify/etc/subgid", "/etc/subgid").
|
||||
Symlink("/dev/fortify/etc/subuid", "/etc/subuid").
|
||||
Symlink("/dev/fortify/etc/sudoers", "/etc/sudoers").
|
||||
Symlink("/dev/fortify/etc/sysctl.d", "/etc/sysctl.d").
|
||||
Symlink("/dev/fortify/etc/systemd", "/etc/systemd").
|
||||
Symlink("/dev/fortify/etc/terminfo", "/etc/terminfo").
|
||||
Symlink("/dev/fortify/etc/tmpfiles.d", "/etc/tmpfiles.d").
|
||||
Symlink("/dev/fortify/etc/udev", "/etc/udev").
|
||||
Symlink("/dev/fortify/etc/udisks2", "/etc/udisks2").
|
||||
Symlink("/dev/fortify/etc/UPower", "/etc/UPower").
|
||||
Symlink("/dev/fortify/etc/vconsole.conf", "/etc/vconsole.conf").
|
||||
Symlink("/dev/fortify/etc/X11", "/etc/X11").
|
||||
Symlink("/dev/fortify/etc/zfs", "/etc/zfs").
|
||||
Symlink("/dev/fortify/etc/zinputrc", "/etc/zinputrc").
|
||||
Symlink("/dev/fortify/etc/zoneinfo", "/etc/zoneinfo").
|
||||
Symlink("/dev/fortify/etc/zprofile", "/etc/zprofile").
|
||||
Symlink("/dev/fortify/etc/zshenv", "/etc/zshenv").
|
||||
Symlink("/dev/fortify/etc/zshrc", "/etc/zshrc").
|
||||
Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
|
||||
Tmpfs("/tmp/fortify.1971", 1048576).
|
||||
Tmpfs("/run/user", 1048576).
|
||||
Tmpfs("/run/user/150", 8388608).
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/150/wayland-0").
|
||||
Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/150/pulse/native").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/150/bus").
|
||||
Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
|
||||
Tmpfs("/var/run/nscd", 8192),
|
||||
},
|
||||
}
|
||||
|
||||
// fs methods are not implemented using a real FS
|
||||
// to help better understand filesystem access behaviour
|
||||
type stubNixOS struct {
|
||||
lookPathErr map[string]error
|
||||
usernameErr map[string]error
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Geteuid() int {
|
||||
return 1971
|
||||
}
|
||||
|
||||
func (s *stubNixOS) LookupEnv(key string) (string, bool) {
|
||||
switch key {
|
||||
case "SHELL":
|
||||
return "/run/current-system/sw/bin/zsh", true
|
||||
case "TERM":
|
||||
return "xterm-256color", true
|
||||
case "WAYLAND_DISPLAY":
|
||||
return "wayland-0", true
|
||||
case "PULSE_COOKIE":
|
||||
return "", false
|
||||
case "HOME":
|
||||
return "/home/ophestra", true
|
||||
case "XDG_CONFIG_HOME":
|
||||
return "/home/ophestra/xdg/config", true
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to access unexpected environment variable %q", key))
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) TempDir() string {
|
||||
return "/tmp"
|
||||
}
|
||||
|
||||
func (s *stubNixOS) LookPath(file string) (string, error) {
|
||||
if s.lookPathErr != nil {
|
||||
if err, ok := s.lookPathErr[file]; ok {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
|
||||
switch file {
|
||||
case "sudo":
|
||||
return "/run/wrappers/bin/sudo", nil
|
||||
case "machinectl":
|
||||
return "/home/ophestra/.nix-profile/bin/machinectl", nil
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Executable() (string, error) {
|
||||
return "/home/ophestra/.nix-profile/bin/fortify", nil
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Lookup(username string) (*user.User, error) {
|
||||
if s.usernameErr != nil {
|
||||
if err, ok := s.usernameErr[username]; ok {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
switch username {
|
||||
case "chronos":
|
||||
return &user.User{
|
||||
Uid: "150",
|
||||
Gid: "101",
|
||||
Username: "chronos",
|
||||
HomeDir: "/home/chronos",
|
||||
}, nil
|
||||
default:
|
||||
return nil, user.UnknownUserError(username)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) ReadDir(name string) ([]fs.DirEntry, error) {
|
||||
switch name {
|
||||
case "/":
|
||||
return stubDirEntries("bin", "boot", "dev", "etc", "home", "lib",
|
||||
"lib64", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var")
|
||||
case "/run":
|
||||
return stubDirEntries("agetty.reload", "binfmt", "booted-system",
|
||||
"credentials", "cryptsetup", "current-system", "dbus", "host", "keys",
|
||||
"libvirt", "libvirtd.pid", "lock", "log", "lvm", "mount", "NetworkManager",
|
||||
"nginx", "nixos", "nscd", "opengl-driver", "pppd", "resolvconf", "sddm",
|
||||
"store", "syncoid", "system", "systemd", "tmpfiles.d", "udev", "udisks2",
|
||||
"user", "utmp", "virtlogd.pid", "wrappers", "zed.pid", "zed.state")
|
||||
case "/etc":
|
||||
return stubDirEntries("alsa", "bashrc", "binfmt.d", "dbus-1", "default",
|
||||
"ethertypes", "fonts", "fstab", "fuse.conf", "group", "host.conf", "hostid",
|
||||
"hostname", "hostname.CHECKSUM", "hosts", "inputrc", "ipsec.d", "issue", "kbd",
|
||||
"libblockdev", "locale.conf", "localtime", "login.defs", "lsb-release", "lvm",
|
||||
"machine-id", "man_db.conf", "modprobe.d", "modules-load.d", "mtab", "nanorc",
|
||||
"netgroup", "NetworkManager", "nix", "nixos", "NIXOS", "nscd.conf", "nsswitch.conf",
|
||||
"opensnitchd", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1",
|
||||
"profile", "protocols", "qemu", "resolv.conf", "resolvconf.conf", "rpc", "samba",
|
||||
"sddm.conf", "secureboot", "services", "set-environment", "shadow", "shells", "ssh",
|
||||
"ssl", "static", "subgid", "subuid", "sudoers", "sysctl.d", "systemd", "terminfo",
|
||||
"tmpfiles.d", "udev", "udisks2", "UPower", "vconsole.conf", "X11", "zfs", "zinputrc",
|
||||
"zoneinfo", "zprofile", "zshenv", "zshrc")
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to read unexpected directory %q", name))
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Stat(name string) (fs.FileInfo, error) {
|
||||
switch name {
|
||||
case "/var/run/nscd":
|
||||
return nil, nil
|
||||
case "/run/user/1971/pulse":
|
||||
return nil, nil
|
||||
case "/run/user/1971/pulse/native":
|
||||
return stubFileInfoMode(0666), nil
|
||||
case "/home/ophestra/.pulse-cookie":
|
||||
return stubFileInfoIsDir(true), nil
|
||||
case "/home/ophestra/xdg/config/pulse/cookie":
|
||||
return stubFileInfoIsDir(false), nil
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to stat unexpected path %q", name))
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Open(name string) (fs.File, error) {
|
||||
switch name {
|
||||
default:
|
||||
panic(fmt.Sprintf("attempted to open unexpected file %q", name))
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Exit(code int) {
|
||||
panic("called exit on stub with code " + strconv.Itoa(code))
|
||||
}
|
||||
|
||||
func (s *stubNixOS) Paths() internal.Paths {
|
||||
return internal.Paths{
|
||||
SharePath: "/tmp/fortify.1971",
|
||||
RuntimePath: "/run/user/1971",
|
||||
RunDirPath: "/run/user/1971/fortify",
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stubNixOS) SdBooted() bool {
|
||||
return true
|
||||
}
|
|
@ -0,0 +1,134 @@
|
|||
package app_test
|
||||
|
||||
import (
|
||||
"io/fs"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
type sealTestCase struct {
|
||||
name string
|
||||
os internal.System
|
||||
config *app.Config
|
||||
id app.ID
|
||||
wantSys *system.I
|
||||
wantBwrap *bwrap.Config
|
||||
}
|
||||
|
||||
func TestApp(t *testing.T) {
|
||||
testCases := append(testCasesNixos)
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
a := app.NewWithID(tc.id, tc.os)
|
||||
|
||||
if !t.Run("seal", func(t *testing.T) {
|
||||
if err := a.Seal(tc.config); err != nil {
|
||||
t.Errorf("Seal: error = %v", err)
|
||||
}
|
||||
}) {
|
||||
return
|
||||
}
|
||||
|
||||
gotSys, gotBwrap := app.AppSystemBwrap(a)
|
||||
|
||||
t.Run("compare sys", func(t *testing.T) {
|
||||
if !gotSys.Equal(tc.wantSys) {
|
||||
t.Errorf("Seal: sys = %#v, want %#v",
|
||||
gotSys, tc.wantSys)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("compare bwrap", func(t *testing.T) {
|
||||
if !reflect.DeepEqual(gotBwrap, tc.wantBwrap) {
|
||||
t.Errorf("seal: bwrap = %#v, want %#v",
|
||||
gotBwrap, tc.wantBwrap)
|
||||
}
|
||||
})
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func stubDirEntries(names ...string) (e []fs.DirEntry, err error) {
|
||||
e = make([]fs.DirEntry, len(names))
|
||||
for i, name := range names {
|
||||
e[i] = stubDirEntryPath(name)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
type stubDirEntryPath string
|
||||
|
||||
func (p stubDirEntryPath) Name() string {
|
||||
return string(p)
|
||||
}
|
||||
|
||||
func (p stubDirEntryPath) IsDir() bool {
|
||||
panic("attempted to call IsDir")
|
||||
}
|
||||
|
||||
func (p stubDirEntryPath) Type() fs.FileMode {
|
||||
panic("attempted to call Type")
|
||||
}
|
||||
|
||||
func (p stubDirEntryPath) Info() (fs.FileInfo, error) {
|
||||
panic("attempted to call Info")
|
||||
}
|
||||
|
||||
type stubFileInfoMode fs.FileMode
|
||||
|
||||
func (s stubFileInfoMode) Name() string {
|
||||
panic("attempted to call Name")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) Size() int64 {
|
||||
panic("attempted to call Size")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) Mode() fs.FileMode {
|
||||
return fs.FileMode(s)
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) ModTime() time.Time {
|
||||
panic("attempted to call ModTime")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) IsDir() bool {
|
||||
panic("attempted to call IsDir")
|
||||
}
|
||||
|
||||
func (s stubFileInfoMode) Sys() any {
|
||||
panic("attempted to call Sys")
|
||||
}
|
||||
|
||||
type stubFileInfoIsDir bool
|
||||
|
||||
func (s stubFileInfoIsDir) Name() string {
|
||||
panic("attempted to call Name")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) Size() int64 {
|
||||
panic("attempted to call Size")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) Mode() fs.FileMode {
|
||||
panic("attempted to call Mode")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) ModTime() time.Time {
|
||||
panic("attempted to call ModTime")
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) IsDir() bool {
|
||||
return bool(s)
|
||||
}
|
||||
|
||||
func (s stubFileInfoIsDir) Sys() any {
|
||||
panic("attempted to call Sys")
|
||||
}
|
|
@ -0,0 +1,180 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"os"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
// Config is used to seal an *App
|
||||
type Config struct {
|
||||
// D-Bus application ID
|
||||
ID string `json:"id"`
|
||||
// username of the target user to switch to
|
||||
User string `json:"user"`
|
||||
// value passed through to the child process as its argv
|
||||
Command []string `json:"command"`
|
||||
// string representation of the child's launch method
|
||||
Method string `json:"method"`
|
||||
|
||||
// child confinement configuration
|
||||
Confinement ConfinementConfig `json:"confinement"`
|
||||
}
|
||||
|
||||
// ConfinementConfig defines fortified child's confinement
|
||||
type ConfinementConfig struct {
|
||||
// bwrap sandbox confinement configuration
|
||||
Sandbox *SandboxConfig `json:"sandbox"`
|
||||
|
||||
// reference to a system D-Bus proxy configuration,
|
||||
// nil value disables system bus proxy
|
||||
SystemBus *dbus.Config `json:"system_bus,omitempty"`
|
||||
// reference to a session D-Bus proxy configuration,
|
||||
// nil value makes session bus proxy assume built-in defaults
|
||||
SessionBus *dbus.Config `json:"session_bus,omitempty"`
|
||||
|
||||
// child capability enablements
|
||||
Enablements system.Enablements `json:"enablements"`
|
||||
}
|
||||
|
||||
// SandboxConfig describes resources made available to the sandbox.
|
||||
type SandboxConfig struct {
|
||||
// unix hostname within sandbox
|
||||
Hostname string `json:"hostname,omitempty"`
|
||||
// userns availability within sandbox
|
||||
UserNS bool `json:"userns,omitempty"`
|
||||
// share net namespace
|
||||
Net bool `json:"net,omitempty"`
|
||||
// do not run in new session
|
||||
NoNewSession bool `json:"no_new_session,omitempty"`
|
||||
// mediated access to wayland socket
|
||||
Wayland bool `json:"wayland,omitempty"`
|
||||
|
||||
// final environment variables
|
||||
Env map[string]string `json:"env"`
|
||||
// sandbox host filesystem access
|
||||
Filesystem []*FilesystemConfig `json:"filesystem"`
|
||||
// symlinks created inside the sandbox
|
||||
Link [][2]string `json:"symlink"`
|
||||
// paths to override by mounting tmpfs over them
|
||||
Override []string `json:"override"`
|
||||
}
|
||||
|
||||
type FilesystemConfig struct {
|
||||
// mount point in sandbox, same as src if empty
|
||||
Dst string `json:"dst,omitempty"`
|
||||
// host filesystem path to make available to sandbox
|
||||
Src string `json:"src"`
|
||||
// write access
|
||||
Write bool `json:"write,omitempty"`
|
||||
// device access
|
||||
Device bool `json:"dev,omitempty"`
|
||||
// exit if unable to share
|
||||
Must bool `json:"require,omitempty"`
|
||||
}
|
||||
|
||||
// Bwrap returns the address of the corresponding bwrap.Config to s.
|
||||
// Note that remaining tmpfs entries must be queued by the caller prior to launch.
|
||||
func (s *SandboxConfig) Bwrap() *bwrap.Config {
|
||||
if s == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
conf := (&bwrap.Config{
|
||||
Net: s.Net,
|
||||
UserNS: s.UserNS,
|
||||
Hostname: s.Hostname,
|
||||
Clearenv: true,
|
||||
SetEnv: s.Env,
|
||||
NewSession: !s.NoNewSession,
|
||||
DieWithParent: true,
|
||||
AsInit: true,
|
||||
|
||||
// initialise map
|
||||
Chmod: make(map[string]os.FileMode),
|
||||
}).
|
||||
SetUID(65534).SetGID(65534).
|
||||
Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
|
||||
Tmpfs("/dev/fortify", 4*1024)
|
||||
|
||||
for _, c := range s.Filesystem {
|
||||
if c == nil {
|
||||
continue
|
||||
}
|
||||
src := c.Src
|
||||
dest := c.Dst
|
||||
if c.Dst == "" {
|
||||
dest = c.Src
|
||||
}
|
||||
conf.Bind(src, dest, !c.Must, c.Write, c.Device)
|
||||
}
|
||||
|
||||
for _, l := range s.Link {
|
||||
conf.Symlink(l[0], l[1])
|
||||
}
|
||||
|
||||
return conf
|
||||
}
|
||||
|
||||
// Template returns a fully populated instance of Config.
|
||||
func Template() *Config {
|
||||
return &Config{
|
||||
ID: "org.chromium.Chromium",
|
||||
User: "chronos",
|
||||
Command: []string{
|
||||
"chromium",
|
||||
"--ignore-gpu-blocklist",
|
||||
"--disable-smooth-scrolling",
|
||||
"--enable-features=UseOzonePlatform",
|
||||
"--ozone-platform=wayland",
|
||||
},
|
||||
Method: "sudo",
|
||||
Confinement: ConfinementConfig{
|
||||
Sandbox: &SandboxConfig{
|
||||
Hostname: "localhost",
|
||||
UserNS: true,
|
||||
Net: true,
|
||||
NoNewSession: true,
|
||||
Wayland: false,
|
||||
// example API credentials pulled from Google Chrome
|
||||
// DO NOT USE THESE IN A REAL BROWSER
|
||||
Env: map[string]string{
|
||||
"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
|
||||
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
|
||||
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
|
||||
},
|
||||
Filesystem: []*FilesystemConfig{
|
||||
{Src: "/nix"},
|
||||
{Src: "/storage/emulated/0", Write: true, Must: true},
|
||||
{Src: "/data/user/0", Dst: "/data/data", Write: true, Must: true},
|
||||
{Src: "/var/tmp", Write: true},
|
||||
},
|
||||
Link: [][2]string{{"/dev/fortify/etc", "/etc"}},
|
||||
Override: []string{"/var/run/nscd"},
|
||||
},
|
||||
SystemBus: &dbus.Config{
|
||||
See: nil,
|
||||
Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
|
||||
Own: nil,
|
||||
Call: nil,
|
||||
Broadcast: nil,
|
||||
Log: false,
|
||||
Filter: true,
|
||||
},
|
||||
SessionBus: &dbus.Config{
|
||||
See: nil,
|
||||
Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
|
||||
"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
|
||||
Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
|
||||
"org.mpris.MediaPlayer2.chromium.*"},
|
||||
Call: map[string]string{"org.freedesktop.portal.*": "*"},
|
||||
Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
|
||||
Log: false,
|
||||
Filter: true,
|
||||
},
|
||||
Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
|
||||
},
|
||||
}
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
func NewWithID(id ID, os internal.System) App {
|
||||
a := new(app)
|
||||
a.id = &id
|
||||
a.os = os
|
||||
return a
|
||||
}
|
||||
|
||||
func AppSystemBwrap(a App) (*system.I, *bwrap.Config) {
|
||||
v := a.(*app)
|
||||
return v.seal.sys.I, v.seal.sys.bwrap
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
)
|
||||
|
||||
type ID [16]byte
|
||||
|
||||
func (a *ID) String() string {
|
||||
return hex.EncodeToString(a[:])
|
||||
}
|
||||
|
||||
func newAppID(id *ID) error {
|
||||
_, err := rand.Read(id[:])
|
||||
return err
|
||||
}
|
|
@ -0,0 +1,57 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"strings"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
func (a *app) commandBuilderMachineCtl(shimEnv string) (args []string) {
|
||||
args = make([]string, 0, 9+len(a.seal.sys.bwrap.SetEnv))
|
||||
|
||||
// shell --uid=$USER
|
||||
args = append(args, "shell", "--uid="+a.seal.sys.user.Username)
|
||||
|
||||
// --quiet
|
||||
if !fmsg.Verbose() {
|
||||
args = append(args, "--quiet")
|
||||
}
|
||||
|
||||
// environ
|
||||
envQ := make([]string, 0, len(a.seal.sys.bwrap.SetEnv)+1)
|
||||
for k, v := range a.seal.sys.bwrap.SetEnv {
|
||||
envQ = append(envQ, "-E"+k+"="+v)
|
||||
}
|
||||
// add shim payload to environment for shim path
|
||||
envQ = append(envQ, "-E"+shimEnv)
|
||||
args = append(args, envQ...)
|
||||
|
||||
// -- .host
|
||||
args = append(args, "--", ".host")
|
||||
|
||||
// /bin/sh -c
|
||||
if sh, err := a.os.LookPath("sh"); err != nil {
|
||||
// hardcode /bin/sh path since it exists more often than not
|
||||
args = append(args, "/bin/sh", "-c")
|
||||
} else {
|
||||
args = append(args, sh, "-c")
|
||||
}
|
||||
|
||||
// build inner command expression ran as target user
|
||||
innerCommand := strings.Builder{}
|
||||
|
||||
// apply custom environment variables to activation environment
|
||||
innerCommand.WriteString("dbus-update-activation-environment --systemd")
|
||||
for k := range a.seal.sys.bwrap.SetEnv {
|
||||
innerCommand.WriteString(" " + k)
|
||||
}
|
||||
innerCommand.WriteString("; ")
|
||||
|
||||
// launch fortify as shim
|
||||
innerCommand.WriteString("exec " + a.seal.sys.executable + " shim")
|
||||
|
||||
// append inner command
|
||||
args = append(args, innerCommand.String())
|
||||
|
||||
return
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
const (
|
||||
sudoAskPass = "SUDO_ASKPASS"
|
||||
)
|
||||
|
||||
func (a *app) commandBuilderSudo(shimEnv string) (args []string) {
|
||||
args = make([]string, 0, 8)
|
||||
|
||||
// -Hiu $USER
|
||||
args = append(args, "-Hiu", a.seal.sys.user.Username)
|
||||
|
||||
// -A?
|
||||
if _, ok := a.os.LookupEnv(sudoAskPass); ok {
|
||||
fmsg.VPrintln(sudoAskPass, "set, adding askpass flag")
|
||||
args = append(args, "-A")
|
||||
}
|
||||
|
||||
// shim payload
|
||||
args = append(args, shimEnv)
|
||||
|
||||
// -- $@
|
||||
args = append(args, "--", a.seal.sys.executable, "shim")
|
||||
|
||||
return
|
||||
}
|
|
@ -0,0 +1,279 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io/fs"
|
||||
"os/user"
|
||||
"path"
|
||||
"strconv"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/shim"
|
||||
"git.ophivana.moe/security/fortify/internal/state"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
LaunchMethodSudo uint8 = iota
|
||||
LaunchMethodMachineCtl
|
||||
)
|
||||
|
||||
var method = [...]string{
|
||||
LaunchMethodSudo: "sudo",
|
||||
LaunchMethodMachineCtl: "systemd",
|
||||
}
|
||||
|
||||
var (
|
||||
ErrConfig = errors.New("no configuration to seal")
|
||||
ErrUser = errors.New("unknown user")
|
||||
ErrLaunch = errors.New("invalid launch method")
|
||||
|
||||
ErrSudo = errors.New("sudo not available")
|
||||
ErrSystemd = errors.New("systemd not available")
|
||||
ErrMachineCtl = errors.New("machinectl not available")
|
||||
)
|
||||
|
||||
// appSeal seals the application with child-related information
|
||||
type appSeal struct {
|
||||
// app unique ID string representation
|
||||
id string
|
||||
// wayland mediation, disabled if nil
|
||||
wl *shim.Wayland
|
||||
|
||||
// freedesktop application ID
|
||||
fid string
|
||||
// argv to start process with in the final confined environment
|
||||
command []string
|
||||
// persistent process state store
|
||||
store state.Store
|
||||
|
||||
// uint8 representation of launch method sealed from config
|
||||
launchOption uint8
|
||||
// process-specific share directory path
|
||||
share string
|
||||
// process-specific share directory path local to XDG_RUNTIME_DIR
|
||||
shareLocal string
|
||||
|
||||
// path to launcher program
|
||||
toolPath string
|
||||
// pass-through enablement tracking from config
|
||||
et system.Enablements
|
||||
|
||||
// prevents sharing from happening twice
|
||||
shared bool
|
||||
// seal system-level component
|
||||
sys *appSealSys
|
||||
|
||||
internal.Paths
|
||||
|
||||
// protected by upstream mutex
|
||||
}
|
||||
|
||||
// Seal seals the app launch context
|
||||
func (a *app) Seal(config *Config) error {
|
||||
a.lock.Lock()
|
||||
defer a.lock.Unlock()
|
||||
|
||||
if a.seal != nil {
|
||||
panic("app sealed twice")
|
||||
}
|
||||
|
||||
if config == nil {
|
||||
return fmsg.WrapError(ErrConfig,
|
||||
"attempted to seal app with nil config")
|
||||
}
|
||||
|
||||
// create seal
|
||||
seal := new(appSeal)
|
||||
|
||||
// fetch system constants
|
||||
seal.Paths = a.os.Paths()
|
||||
|
||||
// pass through config values
|
||||
seal.id = a.id.String()
|
||||
seal.fid = config.ID
|
||||
seal.command = config.Command
|
||||
|
||||
// parses launch method text and looks up tool path
|
||||
switch config.Method {
|
||||
case method[LaunchMethodSudo]:
|
||||
seal.launchOption = LaunchMethodSudo
|
||||
if sudoPath, err := a.os.LookPath("sudo"); err != nil {
|
||||
return fmsg.WrapError(ErrSudo,
|
||||
"sudo not found")
|
||||
} else {
|
||||
seal.toolPath = sudoPath
|
||||
}
|
||||
case method[LaunchMethodMachineCtl]:
|
||||
seal.launchOption = LaunchMethodMachineCtl
|
||||
if !a.os.SdBooted() {
|
||||
return fmsg.WrapError(ErrSystemd,
|
||||
"system has not been booted with systemd as init system")
|
||||
}
|
||||
|
||||
if machineCtlPath, err := a.os.LookPath("machinectl"); err != nil {
|
||||
return fmsg.WrapError(ErrMachineCtl,
|
||||
"machinectl not found")
|
||||
} else {
|
||||
seal.toolPath = machineCtlPath
|
||||
}
|
||||
default:
|
||||
return fmsg.WrapError(ErrLaunch,
|
||||
"invalid launch method")
|
||||
}
|
||||
|
||||
// create seal system component
|
||||
seal.sys = new(appSealSys)
|
||||
|
||||
// look up fortify executable path
|
||||
if p, err := a.os.Executable(); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err, "cannot look up fortify executable path:")
|
||||
} else {
|
||||
seal.sys.executable = p
|
||||
}
|
||||
|
||||
// look up user from system
|
||||
if u, err := a.os.Lookup(config.User); err != nil {
|
||||
if errors.As(err, new(user.UnknownUserError)) {
|
||||
return fmsg.WrapError(ErrUser, "unknown user", config.User)
|
||||
} else {
|
||||
// unreachable
|
||||
panic(err)
|
||||
}
|
||||
} else {
|
||||
seal.sys.user = u
|
||||
seal.sys.runtime = path.Join("/run/user", u.Uid)
|
||||
}
|
||||
|
||||
// map sandbox config to bwrap
|
||||
if config.Confinement.Sandbox == nil {
|
||||
fmsg.VPrintln("sandbox configuration not supplied, PROCEED WITH CAUTION")
|
||||
|
||||
// permissive defaults
|
||||
conf := &SandboxConfig{
|
||||
UserNS: true,
|
||||
Net: true,
|
||||
NoNewSession: true,
|
||||
}
|
||||
// bind entries in /
|
||||
if d, err := a.os.ReadDir("/"); err != nil {
|
||||
return err
|
||||
} else {
|
||||
b := make([]*FilesystemConfig, 0, len(d))
|
||||
for _, ent := range d {
|
||||
p := "/" + ent.Name()
|
||||
switch p {
|
||||
case "/proc":
|
||||
case "/dev":
|
||||
case "/run":
|
||||
case "/tmp":
|
||||
case "/mnt":
|
||||
|
||||
case "/etc":
|
||||
b = append(b, &FilesystemConfig{Src: p, Dst: "/dev/fortify/etc", Write: false, Must: true})
|
||||
default:
|
||||
b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
|
||||
}
|
||||
}
|
||||
conf.Filesystem = append(conf.Filesystem, b...)
|
||||
}
|
||||
// bind entries in /run
|
||||
if d, err := a.os.ReadDir("/run"); err != nil {
|
||||
return err
|
||||
} else {
|
||||
b := make([]*FilesystemConfig, 0, len(d))
|
||||
for _, ent := range d {
|
||||
name := ent.Name()
|
||||
switch name {
|
||||
case "user":
|
||||
case "dbus":
|
||||
default:
|
||||
p := "/run/" + name
|
||||
b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
|
||||
}
|
||||
}
|
||||
conf.Filesystem = append(conf.Filesystem, b...)
|
||||
}
|
||||
// hide nscd from sandbox if present
|
||||
nscd := "/var/run/nscd"
|
||||
if _, err := a.os.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
|
||||
conf.Override = append(conf.Override, nscd)
|
||||
}
|
||||
// bind GPU stuff
|
||||
if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
|
||||
conf.Filesystem = append(conf.Filesystem, &FilesystemConfig{Src: "/dev/dri", Device: true})
|
||||
}
|
||||
// link host /etc to prevent passwd/group from being overwritten
|
||||
if d, err := a.os.ReadDir("/etc"); err != nil {
|
||||
return err
|
||||
} else {
|
||||
b := make([][2]string, 0, len(d))
|
||||
for _, ent := range d {
|
||||
name := ent.Name()
|
||||
switch name {
|
||||
case "passwd":
|
||||
case "group":
|
||||
|
||||
case "mtab":
|
||||
b = append(b, [2]string{
|
||||
"/proc/mounts",
|
||||
"/etc/" + name,
|
||||
})
|
||||
default:
|
||||
b = append(b, [2]string{
|
||||
"/dev/fortify/etc/" + name,
|
||||
"/etc/" + name,
|
||||
})
|
||||
}
|
||||
}
|
||||
conf.Link = append(conf.Link, b...)
|
||||
}
|
||||
|
||||
config.Confinement.Sandbox = conf
|
||||
}
|
||||
seal.sys.bwrap = config.Confinement.Sandbox.Bwrap()
|
||||
seal.sys.override = config.Confinement.Sandbox.Override
|
||||
if seal.sys.bwrap.SetEnv == nil {
|
||||
seal.sys.bwrap.SetEnv = make(map[string]string)
|
||||
}
|
||||
|
||||
// create wayland struct and client wait channel if mediated wayland is enabled
|
||||
// this field being set enables mediated wayland setup later on
|
||||
if config.Confinement.Sandbox.Wayland {
|
||||
seal.wl = shim.NewWayland()
|
||||
}
|
||||
|
||||
// open process state store
|
||||
// the simple store only starts holding an open file after first action
|
||||
// store activity begins after Start is called and must end before Wait
|
||||
seal.store = state.NewSimple(seal.RunDirPath, seal.sys.user.Uid)
|
||||
|
||||
// parse string UID
|
||||
if u, err := strconv.Atoi(seal.sys.user.Uid); err != nil {
|
||||
// unreachable unless kernel bug
|
||||
panic("uid parse")
|
||||
} else {
|
||||
seal.sys.I = system.New(u)
|
||||
}
|
||||
|
||||
// pass through enablements
|
||||
seal.et = config.Confinement.Enablements
|
||||
|
||||
// this method calls all share methods in sequence
|
||||
if err := seal.shareAll([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// verbose log seal information
|
||||
fmsg.VPrintln("created application seal as user",
|
||||
seal.sys.user.Username, "("+seal.sys.user.Uid+"),",
|
||||
"method:", config.Method+",",
|
||||
"launcher:", seal.toolPath+",",
|
||||
"command:", config.Command)
|
||||
|
||||
// seal app and release lock
|
||||
a.seal = seal
|
||||
return nil
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
|
||||
dbusSystemBusAddress = "DBUS_SYSTEM_BUS_ADDRESS"
|
||||
)
|
||||
|
||||
func (seal *appSeal) shareDBus(config [2]*dbus.Config) error {
|
||||
if !seal.et.Has(system.EDBus) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// downstream socket paths
|
||||
sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
|
||||
|
||||
// configure dbus proxy
|
||||
if err := seal.sys.ProxyDBus(config[0], config[1], sessionPath, systemPath); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// share proxy sockets
|
||||
sessionInner := path.Join(seal.sys.runtime, "bus")
|
||||
seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
|
||||
seal.sys.bwrap.Bind(sessionPath, sessionInner)
|
||||
seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
|
||||
if config[1] != nil {
|
||||
systemInner := "/run/dbus/system_bus_socket"
|
||||
seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
|
||||
seal.sys.bwrap.Bind(systemPath, systemInner)
|
||||
seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
|
@ -0,0 +1,68 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
term = "TERM"
|
||||
display = "DISPLAY"
|
||||
|
||||
// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
|
||||
waylandDisplay = "WAYLAND_DISPLAY"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrWayland = errors.New(waylandDisplay + " unset")
|
||||
ErrXDisplay = errors.New(display + " unset")
|
||||
)
|
||||
|
||||
func (seal *appSeal) shareDisplay(os internal.System) error {
|
||||
// pass $TERM to launcher
|
||||
if t, ok := os.LookupEnv(term); ok {
|
||||
seal.sys.bwrap.SetEnv[term] = t
|
||||
}
|
||||
|
||||
// set up wayland
|
||||
if seal.et.Has(system.EWayland) {
|
||||
if wd, ok := os.LookupEnv(waylandDisplay); !ok {
|
||||
return fmsg.WrapError(ErrWayland,
|
||||
"WAYLAND_DISPLAY is not set")
|
||||
} else if seal.wl == nil {
|
||||
// hardlink wayland socket
|
||||
wp := path.Join(seal.RuntimePath, wd)
|
||||
wpi := path.Join(seal.shareLocal, "wayland")
|
||||
w := path.Join(seal.sys.runtime, "wayland-0")
|
||||
seal.sys.Link(wp, wpi)
|
||||
seal.sys.bwrap.SetEnv[waylandDisplay] = w
|
||||
seal.sys.bwrap.Bind(wpi, w)
|
||||
|
||||
// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
|
||||
seal.sys.UpdatePermType(system.EWayland, wp, acl.Read, acl.Write, acl.Execute)
|
||||
} else {
|
||||
// set wayland socket path for mediation (e.g. `/run/user/%d/wayland-%d`)
|
||||
seal.wl.Path = path.Join(seal.RuntimePath, wd)
|
||||
}
|
||||
}
|
||||
|
||||
// set up X11
|
||||
if seal.et.Has(system.EX11) {
|
||||
// discover X11 and grant user permission via the `ChangeHosts` command
|
||||
if d, ok := os.LookupEnv(display); !ok {
|
||||
return fmsg.WrapError(ErrXDisplay,
|
||||
"DISPLAY is not set")
|
||||
} else {
|
||||
seal.sys.ChangeHosts(seal.sys.user.Username)
|
||||
seal.sys.bwrap.SetEnv[display] = d
|
||||
seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
|
@ -0,0 +1,117 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
pulseServer = "PULSE_SERVER"
|
||||
pulseCookie = "PULSE_COOKIE"
|
||||
|
||||
home = "HOME"
|
||||
xdgConfigHome = "XDG_CONFIG_HOME"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrPulseCookie = errors.New("pulse cookie not present")
|
||||
ErrPulseSocket = errors.New("pulse socket not present")
|
||||
ErrPulseMode = errors.New("unexpected pulse socket mode")
|
||||
)
|
||||
|
||||
func (seal *appSeal) sharePulse(os internal.System) error {
|
||||
if !seal.et.Has(system.EPulse) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
|
||||
pd := path.Join(seal.RuntimePath, "pulse")
|
||||
ps := path.Join(pd, "native")
|
||||
if _, err := os.Stat(pd); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
|
||||
}
|
||||
return fmsg.WrapError(ErrPulseSocket,
|
||||
fmt.Sprintf("PulseAudio directory %q not found", pd))
|
||||
}
|
||||
|
||||
// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
|
||||
if s, err := os.Stat(ps); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
|
||||
}
|
||||
return fmsg.WrapError(ErrPulseSocket,
|
||||
fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
|
||||
} else {
|
||||
if m := s.Mode(); m&0o006 != 0o006 {
|
||||
return fmsg.WrapError(ErrPulseMode,
|
||||
fmt.Sprintf("unexpected permissions on %q:", ps), m)
|
||||
}
|
||||
}
|
||||
|
||||
// hard link pulse socket into target-executable share
|
||||
psi := path.Join(seal.shareLocal, "pulse")
|
||||
p := path.Join(seal.sys.runtime, "pulse", "native")
|
||||
seal.sys.Link(ps, psi)
|
||||
seal.sys.bwrap.Bind(psi, p)
|
||||
seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
|
||||
|
||||
// publish current user's pulse cookie for target user
|
||||
if src, err := discoverPulseCookie(os); err != nil {
|
||||
return err
|
||||
} else {
|
||||
dst := path.Join(seal.share, "pulse-cookie")
|
||||
seal.sys.bwrap.SetEnv[pulseCookie] = dst
|
||||
seal.sys.CopyFile(dst, src)
|
||||
seal.sys.bwrap.Bind(dst, dst)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
|
||||
func discoverPulseCookie(os internal.System) (string, error) {
|
||||
if p, ok := os.LookupEnv(pulseCookie); ok {
|
||||
return p, nil
|
||||
}
|
||||
|
||||
// dotfile $HOME/.pulse-cookie
|
||||
if p, ok := os.LookupEnv(home); ok {
|
||||
p = path.Join(p, ".pulse-cookie")
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return p, fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
||||
}
|
||||
// not found, try next method
|
||||
} else if !s.IsDir() {
|
||||
return p, nil
|
||||
}
|
||||
}
|
||||
|
||||
// $XDG_CONFIG_HOME/pulse/cookie
|
||||
if p, ok := os.LookupEnv(xdgConfigHome); ok {
|
||||
p = path.Join(p, "pulse", "cookie")
|
||||
if s, err := os.Stat(p); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
return p, fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
||||
}
|
||||
// not found, try next method
|
||||
} else if !s.IsDir() {
|
||||
return p, nil
|
||||
}
|
||||
}
|
||||
|
||||
return "", fmsg.WrapError(ErrPulseCookie,
|
||||
fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
|
||||
pulseCookie, xdgConfigHome, home))
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
||||
xdgSessionClass = "XDG_SESSION_CLASS"
|
||||
xdgSessionType = "XDG_SESSION_TYPE"
|
||||
)
|
||||
|
||||
// shareRuntime queues actions for sharing/ensuring the runtime and share directories
|
||||
func (seal *appSeal) shareRuntime() {
|
||||
// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
|
||||
seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
|
||||
seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
|
||||
|
||||
// point to inner runtime path `/run/user/%d`
|
||||
seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
|
||||
seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
|
||||
seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
|
||||
|
||||
// ensure RunDir (e.g. `/run/user/%d/fortify`)
|
||||
seal.sys.Ensure(seal.RunDirPath, 0700)
|
||||
seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
|
||||
|
||||
// ensure runtime directory ACL (e.g. `/run/user/%d`)
|
||||
seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
|
||||
seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
|
||||
|
||||
// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
|
||||
seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
|
||||
seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
|
||||
seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
|
||||
}
|
|
@ -0,0 +1,71 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"path"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
const (
|
||||
shell = "SHELL"
|
||||
)
|
||||
|
||||
// shareSystem queues various system-related actions
|
||||
func (seal *appSeal) shareSystem() {
|
||||
// ensure Share (e.g. `/tmp/fortify.%d`)
|
||||
// acl is unnecessary as this directory is world executable
|
||||
seal.sys.Ensure(seal.SharePath, 0701)
|
||||
|
||||
// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
|
||||
// acl is unnecessary as this directory is world executable
|
||||
seal.share = path.Join(seal.SharePath, seal.id)
|
||||
seal.sys.Ephemeral(system.Process, seal.share, 0701)
|
||||
|
||||
// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
|
||||
targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
|
||||
seal.sys.Ensure(targetTmpdirParent, 0700)
|
||||
seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
|
||||
|
||||
// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
|
||||
targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.Uid)
|
||||
seal.sys.Ensure(targetTmpdir, 01700)
|
||||
seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
|
||||
seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
|
||||
|
||||
// mount tmpfs on inner shared directory (e.g. `/tmp/fortify.%d`)
|
||||
seal.sys.bwrap.Tmpfs(seal.SharePath, 1*1024*1024)
|
||||
}
|
||||
|
||||
func (seal *appSeal) sharePasswd(os internal.System) {
|
||||
// look up shell
|
||||
sh := "/bin/sh"
|
||||
if s, ok := os.LookupEnv(shell); ok {
|
||||
seal.sys.bwrap.SetEnv[shell] = s
|
||||
sh = s
|
||||
}
|
||||
|
||||
// generate /etc/passwd
|
||||
passwdPath := path.Join(seal.share, "passwd")
|
||||
username := "chronos"
|
||||
if seal.sys.user.Username != "" {
|
||||
username = seal.sys.user.Username
|
||||
seal.sys.bwrap.SetEnv["USER"] = seal.sys.user.Username
|
||||
}
|
||||
homeDir := "/var/empty"
|
||||
if seal.sys.user.HomeDir != "" {
|
||||
homeDir = seal.sys.user.HomeDir
|
||||
seal.sys.bwrap.SetEnv["HOME"] = seal.sys.user.HomeDir
|
||||
}
|
||||
passwd := username + ":x:65534:65534:Fortify:" + homeDir + ":" + sh + "\n"
|
||||
seal.sys.Write(passwdPath, passwd)
|
||||
|
||||
// write /etc/group
|
||||
groupPath := path.Join(seal.share, "group")
|
||||
seal.sys.Write(groupPath, "fortify:x:65534:\n")
|
||||
|
||||
// bind /etc/passwd and /etc/group
|
||||
seal.sys.bwrap.Bind(passwdPath, "/etc/passwd")
|
||||
seal.sys.bwrap.Bind(groupPath, "/etc/group")
|
||||
}
|
|
@ -0,0 +1,254 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os/exec"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/shim"
|
||||
"git.ophivana.moe/security/fortify/internal/state"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
// Start selects a user switcher and starts shim.
|
||||
// Note that Wait must be called regardless of error returned by Start.
|
||||
func (a *app) Start() error {
|
||||
a.lock.Lock()
|
||||
defer a.lock.Unlock()
|
||||
|
||||
// resolve exec paths
|
||||
shimExec := [3]string{a.seal.sys.executable, helper.BubblewrapName}
|
||||
if len(a.seal.command) > 0 {
|
||||
shimExec[2] = a.seal.command[0]
|
||||
}
|
||||
for i, n := range shimExec {
|
||||
if len(n) == 0 {
|
||||
continue
|
||||
}
|
||||
if filepath.Base(n) == n {
|
||||
if s, err := exec.LookPath(n); err == nil {
|
||||
shimExec[i] = s
|
||||
} else {
|
||||
return fmsg.WrapError(err,
|
||||
fmt.Sprintf("executable file %q not found in $PATH", n))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// select command builder
|
||||
var commandBuilder shim.CommandBuilder
|
||||
switch a.seal.launchOption {
|
||||
case LaunchMethodSudo:
|
||||
commandBuilder = a.commandBuilderSudo
|
||||
case LaunchMethodMachineCtl:
|
||||
commandBuilder = a.commandBuilderMachineCtl
|
||||
default:
|
||||
panic("unreachable")
|
||||
}
|
||||
|
||||
// construct shim manager
|
||||
a.shim = shim.New(a.seal.toolPath, uint32(a.seal.sys.UID()), path.Join(a.seal.share, "shim"), a.seal.wl,
|
||||
&shim.Payload{
|
||||
Argv: a.seal.command,
|
||||
Exec: shimExec,
|
||||
Bwrap: a.seal.sys.bwrap,
|
||||
WL: a.seal.wl != nil,
|
||||
|
||||
Verbose: fmsg.Verbose(),
|
||||
},
|
||||
// checkPid is impossible at the moment since there is no reliable way to obtain shim's pid
|
||||
// this feature is disabled here until sudo is replaced by fortify suid wrapper
|
||||
false,
|
||||
)
|
||||
|
||||
// startup will go ahead, commit system setup
|
||||
if err := a.seal.sys.Commit(); err != nil {
|
||||
return err
|
||||
}
|
||||
a.seal.sys.needRevert = true
|
||||
|
||||
if startTime, err := a.shim.Start(commandBuilder); err != nil {
|
||||
return err
|
||||
} else {
|
||||
// shim start and setup success, create process state
|
||||
sd := state.State{
|
||||
PID: a.shim.Unwrap().Process.Pid,
|
||||
Command: a.seal.command,
|
||||
Capability: a.seal.et,
|
||||
Method: method[a.seal.launchOption],
|
||||
Argv: a.shim.Unwrap().Args,
|
||||
Time: *startTime,
|
||||
}
|
||||
|
||||
// register process state
|
||||
var err0 = new(StateStoreError)
|
||||
err0.Inner, err0.DoErr = a.seal.store.Do(func(b state.Backend) {
|
||||
err0.InnerErr = b.Save(&sd)
|
||||
})
|
||||
a.seal.sys.saveState = true
|
||||
return err0.equiv("cannot save process state:")
|
||||
}
|
||||
}
|
||||
|
||||
// StateStoreError is returned for a failed state save
|
||||
type StateStoreError struct {
|
||||
// whether inner function was called
|
||||
Inner bool
|
||||
// error returned by state.Store Do method
|
||||
DoErr error
|
||||
// error returned by state.Backend Save method
|
||||
InnerErr error
|
||||
// any other errors needing to be tracked
|
||||
Err error
|
||||
}
|
||||
|
||||
func (e *StateStoreError) equiv(a ...any) error {
|
||||
if e.Inner && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
|
||||
return nil
|
||||
} else {
|
||||
return fmsg.WrapErrorSuffix(e, a...)
|
||||
}
|
||||
}
|
||||
|
||||
func (e *StateStoreError) Error() string {
|
||||
if e.Inner && e.InnerErr != nil {
|
||||
return e.InnerErr.Error()
|
||||
}
|
||||
|
||||
if e.DoErr != nil {
|
||||
return e.DoErr.Error()
|
||||
}
|
||||
|
||||
if e.Err != nil {
|
||||
return e.Err.Error()
|
||||
}
|
||||
|
||||
return "(nil)"
|
||||
}
|
||||
|
||||
func (e *StateStoreError) Unwrap() (errs []error) {
|
||||
errs = make([]error, 0, 3)
|
||||
if e.DoErr != nil {
|
||||
errs = append(errs, e.DoErr)
|
||||
}
|
||||
if e.InnerErr != nil {
|
||||
errs = append(errs, e.InnerErr)
|
||||
}
|
||||
if e.Err != nil {
|
||||
errs = append(errs, e.Err)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
type RevertCompoundError interface {
|
||||
Error() string
|
||||
Unwrap() []error
|
||||
}
|
||||
|
||||
func (a *app) Wait() (int, error) {
|
||||
a.lock.Lock()
|
||||
defer a.lock.Unlock()
|
||||
|
||||
if a.shim == nil {
|
||||
fmsg.VPrintln("shim not initialised, skipping cleanup")
|
||||
return 1, nil
|
||||
}
|
||||
|
||||
var r int
|
||||
|
||||
if cmd := a.shim.Unwrap(); cmd == nil {
|
||||
// failure prior to process start
|
||||
r = 255
|
||||
} else {
|
||||
// wait for process and resolve exit code
|
||||
if err := cmd.Wait(); err != nil {
|
||||
var exitError *exec.ExitError
|
||||
if !errors.As(err, &exitError) {
|
||||
// should be unreachable
|
||||
a.waitErr = err
|
||||
}
|
||||
|
||||
// store non-zero return code
|
||||
r = exitError.ExitCode()
|
||||
} else {
|
||||
r = cmd.ProcessState.ExitCode()
|
||||
}
|
||||
fmsg.VPrintf("process %d exited with exit code %d", cmd.Process.Pid, r)
|
||||
}
|
||||
|
||||
// child process exited, resume output
|
||||
fmsg.Resume()
|
||||
|
||||
// close wayland connection
|
||||
if a.seal.wl != nil {
|
||||
if err := a.seal.wl.Close(); err != nil {
|
||||
fmsg.Println("cannot close wayland connection:", err)
|
||||
}
|
||||
}
|
||||
|
||||
// update store and revert app setup transaction
|
||||
e := new(StateStoreError)
|
||||
e.Inner, e.DoErr = a.seal.store.Do(func(b state.Backend) {
|
||||
e.InnerErr = func() error {
|
||||
// destroy defunct state entry
|
||||
if cmd := a.shim.Unwrap(); cmd != nil && a.seal.sys.saveState {
|
||||
if err := b.Destroy(cmd.Process.Pid); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// enablements of remaining launchers
|
||||
rt, ec := new(system.Enablements), new(system.Criteria)
|
||||
ec.Enablements = new(system.Enablements)
|
||||
ec.Set(system.Process)
|
||||
if states, err := b.Load(); err != nil {
|
||||
return err
|
||||
} else {
|
||||
if l := len(states); l == 0 {
|
||||
// cleanup globals as the final launcher
|
||||
fmsg.VPrintln("no other launchers active, will clean up globals")
|
||||
ec.Set(system.User)
|
||||
} else {
|
||||
fmsg.VPrintf("found %d active launchers, cleaning up without globals", l)
|
||||
}
|
||||
|
||||
// accumulate capabilities of other launchers
|
||||
for _, s := range states {
|
||||
*rt |= s.Capability
|
||||
}
|
||||
}
|
||||
// invert accumulated enablements for cleanup
|
||||
for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
|
||||
if !rt.Has(i) {
|
||||
ec.Set(i)
|
||||
}
|
||||
}
|
||||
if fmsg.Verbose() {
|
||||
labels := make([]string, 0, system.ELen+1)
|
||||
for i := system.Enablement(0); i < system.Enablement(system.ELen+2); i++ {
|
||||
if ec.Has(i) {
|
||||
labels = append(labels, system.TypeString(i))
|
||||
}
|
||||
}
|
||||
if len(labels) > 0 {
|
||||
fmsg.VPrintln("reverting operations labelled", strings.Join(labels, ", "))
|
||||
}
|
||||
}
|
||||
|
||||
a.shim.AbortWait(errors.New("shim exited"))
|
||||
if err := a.seal.sys.Revert(ec); err != nil {
|
||||
return err.(RevertCompoundError)
|
||||
}
|
||||
|
||||
return nil
|
||||
}()
|
||||
})
|
||||
|
||||
e.Err = a.seal.store.Close()
|
||||
return r, e.equiv("error returned during cleanup:", e)
|
||||
}
|
|
@ -0,0 +1,64 @@
|
|||
package app
|
||||
|
||||
import (
|
||||
"os/user"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
// appSealSys encapsulates app seal behaviour with OS interactions
|
||||
type appSealSys struct {
|
||||
bwrap *bwrap.Config
|
||||
// paths to override by mounting tmpfs over them
|
||||
override []string
|
||||
|
||||
// default formatted XDG_RUNTIME_DIR of User
|
||||
runtime string
|
||||
// sealed path to fortify executable, used by shim
|
||||
executable string
|
||||
// target user sealed from config
|
||||
user *user.User
|
||||
|
||||
needRevert bool
|
||||
saveState bool
|
||||
*system.I
|
||||
|
||||
// protected by upstream mutex
|
||||
}
|
||||
|
||||
// shareAll calls all share methods in sequence
|
||||
func (seal *appSeal) shareAll(bus [2]*dbus.Config, os internal.System) error {
|
||||
if seal.shared {
|
||||
panic("seal shared twice")
|
||||
}
|
||||
seal.shared = true
|
||||
|
||||
seal.shareSystem()
|
||||
seal.shareRuntime()
|
||||
seal.sharePasswd(os)
|
||||
if err := seal.shareDisplay(os); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := seal.sharePulse(os); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// ensure dbus session bus defaults
|
||||
if bus[0] == nil {
|
||||
bus[0] = dbus.NewConfig(seal.fid, true, true)
|
||||
}
|
||||
|
||||
if err := seal.shareDBus(bus); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
|
||||
for _, dest := range seal.sys.override {
|
||||
seal.sys.bwrap.Tmpfs(dest, 8*1024)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
|
@ -0,0 +1,72 @@
|
|||
package fmsg
|
||||
|
||||
import (
|
||||
"os"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
)
|
||||
|
||||
var (
|
||||
wstate atomic.Bool
|
||||
withhold = make(chan struct{}, 1)
|
||||
msgbuf = make(chan dOp, 64) // these ops are tiny so a large buffer is allocated for withholding output
|
||||
|
||||
dequeueOnce sync.Once
|
||||
queueSync sync.WaitGroup
|
||||
)
|
||||
|
||||
func dequeue() {
|
||||
go func() {
|
||||
for {
|
||||
select {
|
||||
case op := <-msgbuf:
|
||||
op.Do()
|
||||
queueSync.Done()
|
||||
case <-withhold:
|
||||
<-withhold
|
||||
}
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
type dOp interface{ Do() }
|
||||
|
||||
func Exit(code int) {
|
||||
queueSync.Wait()
|
||||
os.Exit(code)
|
||||
}
|
||||
|
||||
func Withhold() {
|
||||
dequeueOnce.Do(dequeue)
|
||||
if wstate.CompareAndSwap(false, true) {
|
||||
withhold <- struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
func Resume() {
|
||||
dequeueOnce.Do(dequeue)
|
||||
if wstate.CompareAndSwap(true, false) {
|
||||
withhold <- struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
type dPrint []any
|
||||
|
||||
func (v dPrint) Do() {
|
||||
std.Print(v...)
|
||||
}
|
||||
|
||||
type dPrintf struct {
|
||||
format string
|
||||
v []any
|
||||
}
|
||||
|
||||
func (d *dPrintf) Do() {
|
||||
std.Printf(d.format, d.v...)
|
||||
}
|
||||
|
||||
type dPrintln []any
|
||||
|
||||
func (v dPrintln) Do() {
|
||||
std.Println(v...)
|
||||
}
|
|
@ -0,0 +1,72 @@
|
|||
package fmsg
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"reflect"
|
||||
)
|
||||
|
||||
// baseError implements a basic error container
|
||||
type baseError struct {
|
||||
Err error
|
||||
}
|
||||
|
||||
func (e *baseError) Error() string {
|
||||
return e.Err.Error()
|
||||
}
|
||||
|
||||
func (e *baseError) Unwrap() error {
|
||||
return e.Err
|
||||
}
|
||||
|
||||
// BaseError implements an error container with a user-facing message
|
||||
type BaseError struct {
|
||||
message string
|
||||
baseError
|
||||
}
|
||||
|
||||
// Message returns a user-facing error message
|
||||
func (e *BaseError) Message() string {
|
||||
return e.message
|
||||
}
|
||||
|
||||
// WrapError wraps an error with a corresponding message.
|
||||
func WrapError(err error, a ...any) error {
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
return wrapError(err, fmt.Sprintln(a...))
|
||||
}
|
||||
|
||||
// WrapErrorSuffix wraps an error with a corresponding message with err at the end of the message.
|
||||
func WrapErrorSuffix(err error, a ...any) error {
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
return wrapError(err, fmt.Sprintln(append(a, err)...))
|
||||
}
|
||||
|
||||
// WrapErrorFunc wraps an error with a corresponding message returned by f.
|
||||
func WrapErrorFunc(err error, f func(err error) string) error {
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
return wrapError(err, f(err))
|
||||
}
|
||||
|
||||
func wrapError(err error, message string) *BaseError {
|
||||
return &BaseError{message, baseError{err}}
|
||||
}
|
||||
|
||||
var (
|
||||
baseErrorType = reflect.TypeFor[*BaseError]()
|
||||
)
|
||||
|
||||
func AsBaseError(err error, target **BaseError) bool {
|
||||
v := reflect.ValueOf(err)
|
||||
if !v.CanConvert(baseErrorType) {
|
||||
return false
|
||||
}
|
||||
|
||||
*target = v.Convert(baseErrorType).Interface().(*BaseError)
|
||||
return true
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
// Package fmsg provides various functions for output messages.
|
||||
package fmsg
|
||||
|
||||
import (
|
||||
"log"
|
||||
"os"
|
||||
)
|
||||
|
||||
var std = log.New(os.Stderr, "fortify: ", 0)
|
||||
|
||||
func SetPrefix(prefix string) {
|
||||
prefix += ": "
|
||||
std.SetPrefix(prefix)
|
||||
std.SetPrefix(prefix)
|
||||
}
|
||||
|
||||
func Print(v ...any) {
|
||||
dequeueOnce.Do(dequeue)
|
||||
queueSync.Add(1)
|
||||
msgbuf <- dPrint(v)
|
||||
}
|
||||
|
||||
func Printf(format string, v ...any) {
|
||||
dequeueOnce.Do(dequeue)
|
||||
queueSync.Add(1)
|
||||
msgbuf <- &dPrintf{format, v}
|
||||
}
|
||||
|
||||
func Println(v ...any) {
|
||||
dequeueOnce.Do(dequeue)
|
||||
queueSync.Add(1)
|
||||
msgbuf <- dPrintln(v)
|
||||
}
|
||||
|
||||
func Fatal(v ...any) {
|
||||
Print(v...)
|
||||
Exit(1)
|
||||
}
|
||||
|
||||
func Fatalf(format string, v ...any) {
|
||||
Printf(format, v...)
|
||||
Exit(1)
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
package fmsg
|
||||
|
||||
import "sync/atomic"
|
||||
|
||||
var verbose = new(atomic.Bool)
|
||||
|
||||
func Verbose() bool {
|
||||
return verbose.Load()
|
||||
}
|
||||
|
||||
func SetVerbose(v bool) {
|
||||
verbose.Store(v)
|
||||
}
|
||||
|
||||
func VPrintf(format string, v ...any) {
|
||||
if verbose.Load() {
|
||||
Printf(format, v...)
|
||||
}
|
||||
}
|
||||
|
||||
func VPrintln(v ...any) {
|
||||
if verbose.Load() {
|
||||
Println(v...)
|
||||
}
|
||||
}
|
|
@ -0,0 +1,174 @@
|
|||
package init0
|
||||
|
||||
import (
|
||||
"encoding/gob"
|
||||
"errors"
|
||||
"flag"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/signal"
|
||||
"path"
|
||||
"strconv"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
const (
|
||||
// time to wait for linger processes after death initial process
|
||||
residualProcessTimeout = 5 * time.Second
|
||||
)
|
||||
|
||||
// everything beyond this point runs within pid namespace
|
||||
// proceed with caution!
|
||||
|
||||
func doInit(fd uintptr) {
|
||||
fmsg.SetPrefix("init")
|
||||
|
||||
// re-exec
|
||||
if len(os.Args) > 0 && os.Args[0] != "fortify" && path.IsAbs(os.Args[0]) {
|
||||
if err := syscall.Exec(os.Args[0], []string{"fortify", "init"}, os.Environ()); err != nil {
|
||||
fmsg.Println("cannot re-exec self:", err)
|
||||
// continue anyway
|
||||
}
|
||||
}
|
||||
|
||||
var payload Payload
|
||||
p := os.NewFile(fd, "config-stream")
|
||||
if p == nil {
|
||||
fmsg.Fatal("invalid config descriptor")
|
||||
}
|
||||
if err := gob.NewDecoder(p).Decode(&payload); err != nil {
|
||||
fmsg.Fatal("cannot decode init payload:", err)
|
||||
} else {
|
||||
// sharing stdout with parent
|
||||
// USE WITH CAUTION
|
||||
fmsg.SetVerbose(payload.Verbose)
|
||||
|
||||
// child does not need to see this
|
||||
if err = os.Unsetenv(EnvInit); err != nil {
|
||||
fmsg.Println("cannot unset", EnvInit+":", err)
|
||||
// not fatal
|
||||
} else {
|
||||
fmsg.VPrintln("received configuration")
|
||||
}
|
||||
}
|
||||
|
||||
// close config fd
|
||||
if err := p.Close(); err != nil {
|
||||
fmsg.Println("cannot close config fd:", err)
|
||||
// not fatal
|
||||
}
|
||||
|
||||
// die with parent
|
||||
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
|
||||
fmsg.Fatal("prctl(PR_SET_PDEATHSIG, SIGKILL):", errno.Error())
|
||||
}
|
||||
|
||||
cmd := exec.Command(payload.Argv0)
|
||||
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
||||
cmd.Args = payload.Argv
|
||||
cmd.Env = os.Environ()
|
||||
|
||||
// pass wayland fd
|
||||
if payload.WL != -1 {
|
||||
if f := os.NewFile(uintptr(payload.WL), "wayland"); f != nil {
|
||||
cmd.Env = append(cmd.Env, "WAYLAND_SOCKET="+strconv.Itoa(3+len(cmd.ExtraFiles)))
|
||||
cmd.ExtraFiles = append(cmd.ExtraFiles, f)
|
||||
}
|
||||
}
|
||||
|
||||
if err := cmd.Start(); err != nil {
|
||||
fmsg.Fatalf("cannot start %q: %v", payload.Argv0, err)
|
||||
}
|
||||
|
||||
sig := make(chan os.Signal, 2)
|
||||
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
|
||||
|
||||
type winfo struct {
|
||||
wpid int
|
||||
wstatus syscall.WaitStatus
|
||||
}
|
||||
info := make(chan winfo, 1)
|
||||
done := make(chan struct{})
|
||||
|
||||
go func() {
|
||||
var (
|
||||
err error
|
||||
wpid = -2
|
||||
wstatus syscall.WaitStatus
|
||||
)
|
||||
|
||||
// keep going until no child process is left
|
||||
for wpid != -1 {
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
|
||||
if wpid != -2 {
|
||||
info <- winfo{wpid, wstatus}
|
||||
}
|
||||
|
||||
err = syscall.EINTR
|
||||
for errors.Is(err, syscall.EINTR) {
|
||||
wpid, err = syscall.Wait4(-1, &wstatus, 0, nil)
|
||||
}
|
||||
}
|
||||
if !errors.Is(err, syscall.ECHILD) {
|
||||
fmsg.Println("unexpected wait4 response:", err)
|
||||
}
|
||||
|
||||
close(done)
|
||||
}()
|
||||
|
||||
timeout := make(chan struct{})
|
||||
|
||||
r := 2
|
||||
for {
|
||||
select {
|
||||
case s := <-sig:
|
||||
fmsg.VPrintln("received", s.String())
|
||||
fmsg.Exit(0)
|
||||
case w := <-info:
|
||||
if w.wpid == cmd.Process.Pid {
|
||||
switch {
|
||||
case w.wstatus.Exited():
|
||||
r = w.wstatus.ExitStatus()
|
||||
case w.wstatus.Signaled():
|
||||
r = 128 + int(w.wstatus.Signal())
|
||||
default:
|
||||
r = 255
|
||||
}
|
||||
|
||||
go func() {
|
||||
time.Sleep(residualProcessTimeout)
|
||||
close(timeout)
|
||||
}()
|
||||
}
|
||||
case <-done:
|
||||
fmsg.Exit(r)
|
||||
case <-timeout:
|
||||
fmsg.Println("timeout exceeded waiting for lingering processes")
|
||||
fmsg.Exit(r)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Try runs init and stops execution if FORTIFY_INIT is set.
|
||||
func Try() {
|
||||
if os.Getpid() != 1 {
|
||||
return
|
||||
}
|
||||
|
||||
if args := flag.Args(); len(args) == 1 && args[0] == "init" {
|
||||
if s, ok := os.LookupEnv(EnvInit); ok {
|
||||
if fd, err := strconv.Atoi(s); err != nil {
|
||||
fmsg.Fatalf("cannot parse %q: %v", s, err)
|
||||
} else {
|
||||
doInit(uintptr(fd))
|
||||
}
|
||||
panic("unreachable")
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
package init0
|
||||
|
||||
const EnvInit = "FORTIFY_INIT"
|
||||
|
||||
type Payload struct {
|
||||
// target full exec path
|
||||
Argv0 string
|
||||
// child full argv
|
||||
Argv []string
|
||||
// wayland fd, -1 to disable
|
||||
WL int
|
||||
|
||||
// verbosity pass through
|
||||
Verbose bool
|
||||
}
|
|
@ -0,0 +1,179 @@
|
|||
package shim
|
||||
|
||||
import (
|
||||
"encoding/gob"
|
||||
"errors"
|
||||
"flag"
|
||||
"net"
|
||||
"os"
|
||||
"path"
|
||||
"strconv"
|
||||
"syscall"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
init0 "git.ophivana.moe/security/fortify/internal/init"
|
||||
)
|
||||
|
||||
// everything beyond this point runs as target user
|
||||
// proceed with caution!
|
||||
|
||||
func doShim(socket string) {
|
||||
fmsg.SetPrefix("shim")
|
||||
|
||||
// re-exec
|
||||
if len(os.Args) > 0 && os.Args[0] != "fortify" && path.IsAbs(os.Args[0]) {
|
||||
if err := syscall.Exec(os.Args[0], []string{"fortify", "shim"}, os.Environ()); err != nil {
|
||||
fmsg.Println("cannot re-exec self:", err)
|
||||
// continue anyway
|
||||
}
|
||||
}
|
||||
|
||||
// dial setup socket
|
||||
var conn *net.UnixConn
|
||||
if c, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: socket, Net: "unix"}); err != nil {
|
||||
fmsg.Fatal("cannot dial setup socket:", err)
|
||||
panic("unreachable")
|
||||
} else {
|
||||
conn = c
|
||||
}
|
||||
|
||||
// decode payload gob stream
|
||||
var payload Payload
|
||||
if err := gob.NewDecoder(conn).Decode(&payload); err != nil {
|
||||
fmsg.Fatal("cannot decode shim payload:", err)
|
||||
} else {
|
||||
// sharing stdout with parent
|
||||
// USE WITH CAUTION
|
||||
fmsg.SetVerbose(payload.Verbose)
|
||||
}
|
||||
|
||||
if payload.Bwrap == nil {
|
||||
fmsg.Fatal("bwrap config not supplied")
|
||||
}
|
||||
|
||||
// receive wayland fd over socket
|
||||
wfd := -1
|
||||
if payload.WL {
|
||||
if fd, err := receiveWLfd(conn); err != nil {
|
||||
fmsg.Fatal("cannot receive wayland fd:", err)
|
||||
} else {
|
||||
wfd = fd
|
||||
}
|
||||
}
|
||||
|
||||
// close setup socket
|
||||
if err := conn.Close(); err != nil {
|
||||
fmsg.Println("cannot close setup socket:", err)
|
||||
// not fatal
|
||||
}
|
||||
|
||||
var ic init0.Payload
|
||||
|
||||
// resolve argv0
|
||||
ic.Argv = payload.Argv
|
||||
if len(ic.Argv) > 0 {
|
||||
// looked up from $PATH by parent
|
||||
ic.Argv0 = payload.Exec[2]
|
||||
} else {
|
||||
// no argv, look up shell instead
|
||||
var ok bool
|
||||
if ic.Argv0, ok = os.LookupEnv("SHELL"); !ok {
|
||||
fmsg.Fatal("no command was specified and $SHELL was unset")
|
||||
}
|
||||
|
||||
ic.Argv = []string{ic.Argv0}
|
||||
}
|
||||
|
||||
conf := payload.Bwrap
|
||||
|
||||
var extraFiles []*os.File
|
||||
|
||||
// pass wayland fd
|
||||
if wfd != -1 {
|
||||
if f := os.NewFile(uintptr(wfd), "wayland"); f != nil {
|
||||
ic.WL = 3 + len(extraFiles)
|
||||
extraFiles = append(extraFiles, f)
|
||||
}
|
||||
} else {
|
||||
ic.WL = -1
|
||||
}
|
||||
|
||||
// share config pipe
|
||||
if r, w, err := os.Pipe(); err != nil {
|
||||
fmsg.Fatal("cannot pipe:", err)
|
||||
} else {
|
||||
conf.SetEnv[init0.EnvInit] = strconv.Itoa(3 + len(extraFiles))
|
||||
extraFiles = append(extraFiles, r)
|
||||
|
||||
fmsg.VPrintln("transmitting config to init")
|
||||
go func() {
|
||||
// stream config to pipe
|
||||
if err = gob.NewEncoder(w).Encode(&ic); err != nil {
|
||||
fmsg.Fatal("cannot transmit init config:", err)
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
helper.BubblewrapName = payload.Exec[1] // resolved bwrap path by parent
|
||||
if b, err := helper.NewBwrap(conf, nil, payload.Exec[0], func(int, int) []string { return []string{"init"} }); err != nil {
|
||||
fmsg.Fatal("malformed sandbox config:", err)
|
||||
} else {
|
||||
cmd := b.Unwrap()
|
||||
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
||||
cmd.ExtraFiles = extraFiles
|
||||
|
||||
if fmsg.Verbose() {
|
||||
fmsg.VPrintln("bwrap args:", conf.Args())
|
||||
}
|
||||
|
||||
// run and pass through exit code
|
||||
if err = b.Start(); err != nil {
|
||||
fmsg.Fatal("cannot start target process:", err)
|
||||
} else if err = b.Wait(); err != nil {
|
||||
fmsg.VPrintln("wait:", err)
|
||||
}
|
||||
if b.Unwrap().ProcessState != nil {
|
||||
fmsg.Exit(b.Unwrap().ProcessState.ExitCode())
|
||||
} else {
|
||||
fmsg.Exit(127)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func receiveWLfd(conn *net.UnixConn) (int, error) {
|
||||
oob := make([]byte, syscall.CmsgSpace(4)) // single fd
|
||||
|
||||
if _, oobn, _, _, err := conn.ReadMsgUnix(nil, oob); err != nil {
|
||||
return -1, err
|
||||
} else if len(oob) != oobn {
|
||||
return -1, errors.New("invalid message length")
|
||||
}
|
||||
|
||||
var msg syscall.SocketControlMessage
|
||||
if messages, err := syscall.ParseSocketControlMessage(oob); err != nil {
|
||||
return -1, err
|
||||
} else if len(messages) != 1 {
|
||||
return -1, errors.New("unexpected message count")
|
||||
} else {
|
||||
msg = messages[0]
|
||||
}
|
||||
|
||||
if fds, err := syscall.ParseUnixRights(&msg); err != nil {
|
||||
return -1, err
|
||||
} else if len(fds) != 1 {
|
||||
return -1, errors.New("unexpected fd count")
|
||||
} else {
|
||||
return fds[0], nil
|
||||
}
|
||||
}
|
||||
|
||||
// Try runs shim and stops execution if FORTIFY_SHIM is set.
|
||||
func Try() {
|
||||
if args := flag.Args(); len(args) == 1 && args[0] == "shim" {
|
||||
if s, ok := os.LookupEnv(EnvShim); ok {
|
||||
doShim(s)
|
||||
panic("unreachable")
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,200 @@
|
|||
package shim
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
// used by the parent process
|
||||
|
||||
type Shim struct {
|
||||
// user switcher process
|
||||
cmd *exec.Cmd
|
||||
// uid of shim target user
|
||||
uid uint32
|
||||
// whether to check shim pid
|
||||
checkPid bool
|
||||
// user switcher executable path
|
||||
executable string
|
||||
// path to setup socket
|
||||
socket string
|
||||
// shim setup abort reason and completion
|
||||
abort chan error
|
||||
abortErr atomic.Pointer[error]
|
||||
abortOnce sync.Once
|
||||
// wayland mediation, nil if disabled
|
||||
wl *Wayland
|
||||
// shim setup payload
|
||||
payload *Payload
|
||||
}
|
||||
|
||||
func New(executable string, uid uint32, socket string, wl *Wayland, payload *Payload, checkPid bool) *Shim {
|
||||
return &Shim{uid: uid, executable: executable, socket: socket, wl: wl, payload: payload, checkPid: checkPid}
|
||||
}
|
||||
|
||||
func (s *Shim) String() string {
|
||||
if s.cmd == nil {
|
||||
return "(unused shim manager)"
|
||||
}
|
||||
return s.cmd.String()
|
||||
}
|
||||
|
||||
func (s *Shim) Unwrap() *exec.Cmd {
|
||||
return s.cmd
|
||||
}
|
||||
|
||||
func (s *Shim) Abort(err error) {
|
||||
s.abortOnce.Do(func() {
|
||||
s.abortErr.Store(&err)
|
||||
// s.abort is buffered so this will never block
|
||||
s.abort <- err
|
||||
})
|
||||
}
|
||||
|
||||
func (s *Shim) AbortWait(err error) {
|
||||
s.Abort(err)
|
||||
<-s.abort
|
||||
}
|
||||
|
||||
type CommandBuilder func(shimEnv string) (args []string)
|
||||
|
||||
func (s *Shim) Start(f CommandBuilder) (*time.Time, error) {
|
||||
var (
|
||||
cf chan *net.UnixConn
|
||||
accept func()
|
||||
)
|
||||
|
||||
// listen on setup socket
|
||||
if c, a, err := s.serve(); err != nil {
|
||||
return nil, fmsg.WrapErrorSuffix(err,
|
||||
"cannot listen on shim setup socket:")
|
||||
} else {
|
||||
// accepts a connection after each call to accept
|
||||
// connections are sent to the channel cf
|
||||
cf, accept = c, a
|
||||
}
|
||||
|
||||
// start user switcher process and save time
|
||||
s.cmd = exec.Command(s.executable, f(EnvShim+"="+s.socket)...)
|
||||
s.cmd.Env = []string{}
|
||||
s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
||||
s.cmd.Dir = "/"
|
||||
fmsg.VPrintln("starting shim via user switcher:", s.cmd)
|
||||
fmsg.Withhold() // withhold messages to stderr
|
||||
if err := s.cmd.Start(); err != nil {
|
||||
return nil, fmsg.WrapErrorSuffix(err,
|
||||
"cannot start user switcher:")
|
||||
}
|
||||
startTime := time.Now().UTC()
|
||||
|
||||
// kill shim if something goes wrong and an error is returned
|
||||
killShim := func() {
|
||||
if err := s.cmd.Process.Signal(os.Interrupt); err != nil {
|
||||
fmsg.Println("cannot terminate shim on faulted setup:", err)
|
||||
}
|
||||
}
|
||||
defer func() { killShim() }()
|
||||
|
||||
accept()
|
||||
conn := <-cf
|
||||
if conn == nil {
|
||||
return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot accept call on setup socket:")
|
||||
}
|
||||
|
||||
// authenticate against called provided uid and shim pid
|
||||
if cred, err := peerCred(conn); err != nil {
|
||||
return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot retrieve shim credentials:")
|
||||
} else if cred.Uid != s.uid {
|
||||
fmsg.Printf("process %d owned by user %d tried to connect, expecting %d",
|
||||
cred.Pid, cred.Uid, s.uid)
|
||||
err = errors.New("compromised fortify build")
|
||||
s.Abort(err)
|
||||
return &startTime, err
|
||||
} else if s.checkPid && cred.Pid != int32(s.cmd.Process.Pid) {
|
||||
fmsg.Printf("process %d tried to connect to shim setup socket, expecting shim %d",
|
||||
cred.Pid, s.cmd.Process.Pid)
|
||||
err = errors.New("compromised target user")
|
||||
s.Abort(err)
|
||||
return &startTime, err
|
||||
}
|
||||
|
||||
// serve payload and wayland fd if enabled
|
||||
// this also closes the connection
|
||||
err := s.payload.serve(conn, s.wl)
|
||||
if err == nil {
|
||||
killShim = func() {}
|
||||
}
|
||||
s.Abort(err) // aborting with nil indicates success
|
||||
return &startTime, err
|
||||
}
|
||||
|
||||
func (s *Shim) serve() (chan *net.UnixConn, func(), error) {
|
||||
if s.abort != nil {
|
||||
panic("attempted to serve shim setup twice")
|
||||
}
|
||||
s.abort = make(chan error, 1)
|
||||
|
||||
cf := make(chan *net.UnixConn)
|
||||
accept := make(chan struct{}, 1)
|
||||
|
||||
if l, err := net.ListenUnix("unix", &net.UnixAddr{Name: s.socket, Net: "unix"}); err != nil {
|
||||
return nil, nil, err
|
||||
} else {
|
||||
l.SetUnlinkOnClose(true)
|
||||
|
||||
fmsg.VPrintf("listening on shim setup socket %q", s.socket)
|
||||
if err = acl.UpdatePerm(s.socket, int(s.uid), acl.Read, acl.Write, acl.Execute); err != nil {
|
||||
fmsg.Println("cannot append ACL entry to shim setup socket:", err)
|
||||
s.Abort(err) // ensures setup socket cleanup
|
||||
}
|
||||
|
||||
go func() {
|
||||
for {
|
||||
select {
|
||||
case err = <-s.abort:
|
||||
if err != nil {
|
||||
fmsg.VPrintln("aborting shim setup, reason:", err)
|
||||
}
|
||||
if err = l.Close(); err != nil {
|
||||
fmsg.Println("cannot close setup socket:", err)
|
||||
}
|
||||
close(s.abort)
|
||||
close(cf)
|
||||
return
|
||||
case <-accept:
|
||||
if conn, err0 := l.AcceptUnix(); err0 != nil {
|
||||
s.Abort(err0) // does not block, breaks loop
|
||||
cf <- nil // receiver sees nil value and loads err0 stored during abort
|
||||
} else {
|
||||
cf <- conn
|
||||
}
|
||||
}
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
return cf, func() { accept <- struct{}{} }, nil
|
||||
}
|
||||
|
||||
// peerCred fetches peer credentials of conn
|
||||
func peerCred(conn *net.UnixConn) (ucred *syscall.Ucred, err error) {
|
||||
var raw syscall.RawConn
|
||||
if raw, err = conn.SyscallConn(); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err0 := raw.Control(func(fd uintptr) {
|
||||
ucred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
|
||||
})
|
||||
err = errors.Join(err, err0)
|
||||
return
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
package shim
|
||||
|
||||
import (
|
||||
"encoding/gob"
|
||||
"errors"
|
||||
"net"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
const EnvShim = "FORTIFY_SHIM"
|
||||
|
||||
type Payload struct {
|
||||
// child full argv
|
||||
Argv []string
|
||||
// fortify, bwrap, target full exec path
|
||||
Exec [3]string
|
||||
// bwrap config
|
||||
Bwrap *bwrap.Config
|
||||
// whether to pass wayland fd
|
||||
WL bool
|
||||
|
||||
// verbosity pass through
|
||||
Verbose bool
|
||||
}
|
||||
|
||||
func (p *Payload) serve(conn *net.UnixConn, wl *Wayland) error {
|
||||
if err := gob.NewEncoder(conn).Encode(*p); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
"cannot stream shim payload:")
|
||||
}
|
||||
|
||||
if wl != nil {
|
||||
if err := wl.WriteUnix(conn); err != nil {
|
||||
return errors.Join(err, conn.Close())
|
||||
}
|
||||
}
|
||||
|
||||
return fmsg.WrapErrorSuffix(conn.Close(),
|
||||
"cannot close setup connection:")
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
package shim
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"sync"
|
||||
"syscall"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
// Wayland implements wayland mediation.
|
||||
type Wayland struct {
|
||||
// wayland socket path
|
||||
Path string
|
||||
|
||||
// wayland connection
|
||||
conn *net.UnixConn
|
||||
|
||||
connErr error
|
||||
sync.Once
|
||||
// wait for wayland client to exit
|
||||
done chan struct{}
|
||||
}
|
||||
|
||||
func (wl *Wayland) WriteUnix(conn *net.UnixConn) error {
|
||||
// connect to host wayland socket
|
||||
if f, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: wl.Path, Net: "unix"}); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot connect to wayland at %q:", wl.Path))
|
||||
} else {
|
||||
fmsg.VPrintf("connected to wayland at %q", wl.Path)
|
||||
wl.conn = f
|
||||
}
|
||||
|
||||
// set up for passing wayland socket
|
||||
if rc, err := wl.conn.SyscallConn(); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err, "cannot obtain raw wayland connection:")
|
||||
} else {
|
||||
ec := make(chan error)
|
||||
go func() {
|
||||
// pass wayland connection fd
|
||||
if err = rc.Control(func(fd uintptr) {
|
||||
if _, _, err = conn.WriteMsgUnix(nil, syscall.UnixRights(int(fd)), nil); err != nil {
|
||||
ec <- fmsg.WrapErrorSuffix(err, "cannot pass wayland connection to shim:")
|
||||
return
|
||||
}
|
||||
ec <- nil
|
||||
|
||||
// block until shim exits
|
||||
<-wl.done
|
||||
fmsg.VPrintln("releasing wayland connection")
|
||||
}); err != nil {
|
||||
ec <- fmsg.WrapErrorSuffix(err, "cannot obtain wayland connection fd:")
|
||||
return
|
||||
}
|
||||
}()
|
||||
return <-ec
|
||||
}
|
||||
}
|
||||
|
||||
func (wl *Wayland) Close() error {
|
||||
wl.Do(func() {
|
||||
close(wl.done)
|
||||
wl.connErr = wl.conn.Close()
|
||||
})
|
||||
|
||||
return wl.connErr
|
||||
}
|
||||
|
||||
func NewWayland() *Wayland {
|
||||
wl := new(Wayland)
|
||||
wl.done = make(chan struct{})
|
||||
return wl
|
||||
}
|
|
@ -0,0 +1,121 @@
|
|||
package state
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
"text/tabwriter"
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
// MustPrintLauncherStateSimpleGlobal prints active launcher states of all simple stores
|
||||
// in an implementation-specific way.
|
||||
func MustPrintLauncherStateSimpleGlobal(w **tabwriter.Writer, runDir string) {
|
||||
now := time.Now().UTC()
|
||||
|
||||
// read runtime directory to get all UIDs
|
||||
if dirs, err := os.ReadDir(path.Join(runDir, "state")); err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
fmsg.Fatal("cannot read runtime directory:", err)
|
||||
} else {
|
||||
for _, e := range dirs {
|
||||
// skip non-directories
|
||||
if !e.IsDir() {
|
||||
fmsg.VPrintf("skipped non-directory entry %q", e.Name())
|
||||
continue
|
||||
}
|
||||
|
||||
// skip non-numerical names
|
||||
if _, err = strconv.Atoi(e.Name()); err != nil {
|
||||
fmsg.VPrintf("skipped non-uid entry %q", e.Name())
|
||||
continue
|
||||
}
|
||||
|
||||
// obtain temporary store
|
||||
s := NewSimple(runDir, e.Name()).(*simpleStore)
|
||||
|
||||
// print states belonging to this store
|
||||
s.mustPrintLauncherState(w, now)
|
||||
|
||||
// mustPrintLauncherState causes store activity so store needs to be closed
|
||||
if err = s.Close(); err != nil {
|
||||
fmsg.Printf("cannot close store for user %q: %s", e.Name(), err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (s *simpleStore) mustPrintLauncherState(w **tabwriter.Writer, now time.Time) {
|
||||
var innerErr error
|
||||
|
||||
if ok, err := s.Do(func(b Backend) {
|
||||
innerErr = func() error {
|
||||
// read launcher states
|
||||
states, err := b.Load()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// initialise tabwriter if nil
|
||||
if *w == nil {
|
||||
*w = tabwriter.NewWriter(os.Stdout, 0, 1, 4, ' ', 0)
|
||||
|
||||
// write header when initialising
|
||||
if !fmsg.Verbose() {
|
||||
_, _ = fmt.Fprintln(*w, "\tUID\tPID\tUptime\tEnablements\tMethod\tCommand")
|
||||
} else {
|
||||
// argv is emitted in body when verbose
|
||||
_, _ = fmt.Fprintln(*w, "\tUID\tPID\tArgv")
|
||||
}
|
||||
}
|
||||
|
||||
// print each state
|
||||
for _, state := range states {
|
||||
// skip nil states
|
||||
if state == nil {
|
||||
_, _ = fmt.Fprintln(*w, "\tnil state entry")
|
||||
continue
|
||||
}
|
||||
|
||||
// build enablements string
|
||||
ets := strings.Builder{}
|
||||
// append enablement strings in order
|
||||
for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
|
||||
if state.Capability.Has(i) {
|
||||
ets.WriteString(", " + i.String())
|
||||
}
|
||||
}
|
||||
// prevent an empty string when
|
||||
if ets.Len() == 0 {
|
||||
ets.WriteString("(No enablements)")
|
||||
}
|
||||
|
||||
if !fmsg.Verbose() {
|
||||
_, _ = fmt.Fprintf(*w, "\t%s\t%d\t%s\t%s\t%s\t%s\n",
|
||||
s.path[len(s.path)-1], state.PID, now.Sub(state.Time).Round(time.Second).String(), strings.TrimPrefix(ets.String(), ", "), state.Method,
|
||||
state.Command)
|
||||
} else {
|
||||
// emit argv instead when verbose
|
||||
_, _ = fmt.Fprintf(*w, "\t%s\t%d\t%s\n",
|
||||
s.path[len(s.path)-1], state.PID, state.Argv)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}()
|
||||
}); err != nil {
|
||||
fmsg.Printf("cannot perform action on store %q: %s", path.Join(s.path...), err)
|
||||
if !ok {
|
||||
fmsg.Fatal("store faulted before printing")
|
||||
}
|
||||
}
|
||||
|
||||
if innerErr != nil {
|
||||
fmsg.Fatalf("cannot print launcher state for store %q: %s", path.Join(s.path...), innerErr)
|
||||
}
|
||||
}
|
|
@ -0,0 +1,218 @@
|
|||
package state
|
||||
|
||||
import (
|
||||
"encoding/gob"
|
||||
"errors"
|
||||
"io/fs"
|
||||
"os"
|
||||
"path"
|
||||
"strconv"
|
||||
"sync"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
// file-based locking
|
||||
type simpleStore struct {
|
||||
path []string
|
||||
|
||||
// created/opened by prepare
|
||||
lockfile *os.File
|
||||
// enforce prepare method
|
||||
init sync.Once
|
||||
// error returned by prepare
|
||||
initErr error
|
||||
|
||||
lock sync.Mutex
|
||||
}
|
||||
|
||||
func (s *simpleStore) Do(f func(b Backend)) (bool, error) {
|
||||
s.init.Do(s.prepare)
|
||||
if s.initErr != nil {
|
||||
return false, s.initErr
|
||||
}
|
||||
|
||||
s.lock.Lock()
|
||||
defer s.lock.Unlock()
|
||||
|
||||
// lock store
|
||||
if err := s.lockFile(); err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
// initialise new backend for caller
|
||||
b := new(simpleBackend)
|
||||
b.path = path.Join(s.path...)
|
||||
f(b)
|
||||
// disable backend
|
||||
b.lock.Lock()
|
||||
|
||||
// unlock store
|
||||
return true, s.unlockFile()
|
||||
}
|
||||
|
||||
func (s *simpleStore) lockFileAct(lt int) (err error) {
|
||||
op := "LockAct"
|
||||
switch lt {
|
||||
case syscall.LOCK_EX:
|
||||
op = "Lock"
|
||||
case syscall.LOCK_UN:
|
||||
op = "Unlock"
|
||||
}
|
||||
|
||||
for {
|
||||
err = syscall.Flock(int(s.lockfile.Fd()), lt)
|
||||
if !errors.Is(err, syscall.EINTR) {
|
||||
break
|
||||
}
|
||||
}
|
||||
if err != nil {
|
||||
return &fs.PathError{
|
||||
Op: op,
|
||||
Path: s.lockfile.Name(),
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *simpleStore) lockFile() error {
|
||||
return s.lockFileAct(syscall.LOCK_EX)
|
||||
}
|
||||
|
||||
func (s *simpleStore) unlockFile() error {
|
||||
return s.lockFileAct(syscall.LOCK_UN)
|
||||
}
|
||||
|
||||
func (s *simpleStore) prepare() {
|
||||
s.initErr = func() error {
|
||||
prefix := path.Join(s.path...)
|
||||
// ensure directory
|
||||
if err := os.MkdirAll(prefix, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
|
||||
return err
|
||||
}
|
||||
|
||||
// open locker file
|
||||
if f, err := os.OpenFile(prefix+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil {
|
||||
return err
|
||||
} else {
|
||||
s.lockfile = f
|
||||
}
|
||||
|
||||
return nil
|
||||
}()
|
||||
}
|
||||
|
||||
func (s *simpleStore) Close() error {
|
||||
s.lock.Lock()
|
||||
defer s.lock.Unlock()
|
||||
|
||||
err := s.lockfile.Close()
|
||||
if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) {
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
type simpleBackend struct {
|
||||
path string
|
||||
|
||||
lock sync.RWMutex
|
||||
}
|
||||
|
||||
func (b *simpleBackend) filename(pid int) string {
|
||||
return path.Join(b.path, strconv.Itoa(pid))
|
||||
}
|
||||
|
||||
// reads all launchers in simpleBackend
|
||||
// file contents are ignored if decode is false
|
||||
func (b *simpleBackend) load(decode bool) ([]*State, error) {
|
||||
b.lock.RLock()
|
||||
defer b.lock.RUnlock()
|
||||
|
||||
var (
|
||||
r []*State
|
||||
f *os.File
|
||||
)
|
||||
|
||||
// read directory contents, should only contain files named after PIDs
|
||||
if pl, err := os.ReadDir(b.path); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
for _, e := range pl {
|
||||
// run in a function to better handle file closing
|
||||
if err = func() error {
|
||||
// open state file for reading
|
||||
if f, err = os.Open(path.Join(b.path, e.Name())); err != nil {
|
||||
return err
|
||||
} else {
|
||||
defer func() {
|
||||
if f.Close() != nil {
|
||||
// unreachable
|
||||
panic("foreign state file closed prematurely")
|
||||
}
|
||||
}()
|
||||
|
||||
var s State
|
||||
r = append(r, &s)
|
||||
|
||||
// append regardless, but only parse if required, used to implement Len
|
||||
if decode {
|
||||
return gob.NewDecoder(f).Decode(&s)
|
||||
} else {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return r, nil
|
||||
}
|
||||
|
||||
// Save writes process state to filesystem
|
||||
func (b *simpleBackend) Save(state *State) error {
|
||||
b.lock.Lock()
|
||||
defer b.lock.Unlock()
|
||||
|
||||
statePath := b.filename(state.PID)
|
||||
|
||||
// create and open state data file
|
||||
if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
|
||||
return err
|
||||
} else {
|
||||
defer func() {
|
||||
if f.Close() != nil {
|
||||
// unreachable
|
||||
panic("state file closed prematurely")
|
||||
}
|
||||
}()
|
||||
// encode into state file
|
||||
return gob.NewEncoder(f).Encode(state)
|
||||
}
|
||||
}
|
||||
|
||||
func (b *simpleBackend) Destroy(pid int) error {
|
||||
b.lock.Lock()
|
||||
defer b.lock.Unlock()
|
||||
|
||||
return os.Remove(b.filename(pid))
|
||||
}
|
||||
|
||||
func (b *simpleBackend) Load() ([]*State, error) {
|
||||
return b.load(true)
|
||||
}
|
||||
|
||||
func (b *simpleBackend) Len() (int, error) {
|
||||
// rn consists of only nil entries but has the correct length
|
||||
rn, err := b.load(false)
|
||||
return len(rn), err
|
||||
}
|
||||
|
||||
// NewSimple returns an instance of a file-based store.
|
||||
func NewSimple(runDir string, prefix ...string) Store {
|
||||
b := new(simpleStore)
|
||||
b.path = append([]string{runDir, "state"}, prefix...)
|
||||
return b
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
package state
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
type Store interface {
|
||||
// Do calls f exactly once and ensures store exclusivity until f returns.
|
||||
// Returns whether f is called and any errors during the locking process.
|
||||
// Backend provided to f becomes invalid as soon as f returns.
|
||||
Do(f func(b Backend)) (bool, error)
|
||||
|
||||
// Close releases any resources held by Store.
|
||||
Close() error
|
||||
}
|
||||
|
||||
// Backend provides access to the store
|
||||
type Backend interface {
|
||||
Save(state *State) error
|
||||
Destroy(pid int) error
|
||||
Load() ([]*State, error)
|
||||
Len() (int, error)
|
||||
}
|
||||
|
||||
// State is the on-disk format for a fortified process's state information
|
||||
type State struct {
|
||||
// child process PID value
|
||||
PID int
|
||||
// command used to seal the app
|
||||
Command []string
|
||||
// capability enablements applied to child
|
||||
Capability system.Enablements
|
||||
|
||||
// user switch method
|
||||
Method string
|
||||
// full argv whe launching
|
||||
Argv []string
|
||||
// process start time
|
||||
Time time.Time
|
||||
}
|
|
@ -0,0 +1,126 @@
|
|||
package internal
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io/fs"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"path"
|
||||
"strconv"
|
||||
"sync"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
// System provides safe access to operating system resources.
|
||||
type System interface {
|
||||
// Geteuid provides [os.Geteuid].
|
||||
Geteuid() int
|
||||
// LookupEnv provides [os.LookupEnv].
|
||||
LookupEnv(key string) (string, bool)
|
||||
// TempDir provides [os.TempDir].
|
||||
TempDir() string
|
||||
// LookPath provides [exec.LookPath].
|
||||
LookPath(file string) (string, error)
|
||||
// Executable provides [os.Executable].
|
||||
Executable() (string, error)
|
||||
// Lookup provides [user.Lookup].
|
||||
Lookup(username string) (*user.User, error)
|
||||
// ReadDir provides [os.ReadDir].
|
||||
ReadDir(name string) ([]fs.DirEntry, error)
|
||||
// Stat provides [os.Stat].
|
||||
Stat(name string) (fs.FileInfo, error)
|
||||
// Open provides [os.Open]
|
||||
Open(name string) (fs.File, error)
|
||||
// Exit provides [os.Exit].
|
||||
Exit(code int)
|
||||
|
||||
// Paths returns a populated [Paths] struct.
|
||||
Paths() Paths
|
||||
// SdBooted implements https://www.freedesktop.org/software/systemd/man/sd_booted.html
|
||||
SdBooted() bool
|
||||
}
|
||||
|
||||
// Paths contains environment dependent paths used by fortify.
|
||||
type Paths struct {
|
||||
// path to shared directory e.g. /tmp/fortify.%d
|
||||
SharePath string `json:"share_path"`
|
||||
// XDG_RUNTIME_DIR value e.g. /run/user/%d
|
||||
RuntimePath string `json:"runtime_path"`
|
||||
// application runtime directory e.g. /run/user/%d/fortify
|
||||
RunDirPath string `json:"run_dir_path"`
|
||||
}
|
||||
|
||||
// CopyPaths is a generic implementation of [System.Paths].
|
||||
func CopyPaths(os System, v *Paths) {
|
||||
v.SharePath = path.Join(os.TempDir(), "fortify."+strconv.Itoa(os.Geteuid()))
|
||||
|
||||
fmsg.VPrintf("process share directory at %q", v.SharePath)
|
||||
|
||||
if r, ok := os.LookupEnv(xdgRuntimeDir); !ok || r == "" || !path.IsAbs(r) {
|
||||
// fall back to path in share since fortify has no hard XDG dependency
|
||||
v.RunDirPath = path.Join(v.SharePath, "run")
|
||||
v.RuntimePath = path.Join(v.RunDirPath, "compat")
|
||||
} else {
|
||||
v.RuntimePath = r
|
||||
v.RunDirPath = path.Join(v.RuntimePath, "fortify")
|
||||
}
|
||||
|
||||
fmsg.VPrintf("runtime directory at %q", v.RunDirPath)
|
||||
}
|
||||
|
||||
// Std implements System using the standard library.
|
||||
type Std struct {
|
||||
paths Paths
|
||||
pathsOnce sync.Once
|
||||
|
||||
sdBooted bool
|
||||
sdBootedOnce sync.Once
|
||||
}
|
||||
|
||||
func (s *Std) Geteuid() int { return os.Geteuid() }
|
||||
func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) }
|
||||
func (s *Std) TempDir() string { return os.TempDir() }
|
||||
func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) }
|
||||
func (s *Std) Executable() (string, error) { return os.Executable() }
|
||||
func (s *Std) Lookup(username string) (*user.User, error) { return user.Lookup(username) }
|
||||
func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) }
|
||||
func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) }
|
||||
func (s *Std) Open(name string) (fs.File, error) { return os.Open(name) }
|
||||
func (s *Std) Exit(code int) { fmsg.Exit(code) }
|
||||
|
||||
const xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
||||
|
||||
func (s *Std) Paths() Paths {
|
||||
s.pathsOnce.Do(func() { CopyPaths(s, &s.paths) })
|
||||
return s.paths
|
||||
}
|
||||
|
||||
func (s *Std) SdBooted() bool {
|
||||
s.sdBootedOnce.Do(func() { s.sdBooted = copySdBooted() })
|
||||
return s.sdBooted
|
||||
}
|
||||
|
||||
const systemdCheckPath = "/run/systemd/system"
|
||||
|
||||
func copySdBooted() bool {
|
||||
if v, err := sdBooted(); err != nil {
|
||||
fmsg.Println("cannot read systemd marker:", err)
|
||||
return false
|
||||
} else {
|
||||
return v
|
||||
}
|
||||
}
|
||||
|
||||
func sdBooted() (bool, error) {
|
||||
_, err := os.Stat(systemdCheckPath)
|
||||
if err != nil {
|
||||
if errors.Is(err, fs.ErrNotExist) {
|
||||
err = nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
|
@ -0,0 +1,70 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"slices"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
// UpdatePerm appends an ephemeral acl update Op.
|
||||
func (sys *I) UpdatePerm(path string, perms ...acl.Perm) *I {
|
||||
sys.UpdatePermType(Process, path, perms...)
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
// UpdatePermType appends an acl update Op.
|
||||
func (sys *I) UpdatePermType(et Enablement, path string, perms ...acl.Perm) *I {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
sys.ops = append(sys.ops, &ACL{et, path, perms})
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
type ACL struct {
|
||||
et Enablement
|
||||
path string
|
||||
perms acl.Perms
|
||||
}
|
||||
|
||||
func (a *ACL) Type() Enablement {
|
||||
return a.et
|
||||
}
|
||||
|
||||
func (a *ACL) apply(sys *I) error {
|
||||
fmsg.VPrintln("applying ACL", a)
|
||||
return fmsg.WrapErrorSuffix(acl.UpdatePerm(a.path, sys.uid, a.perms...),
|
||||
fmt.Sprintf("cannot apply ACL entry to %q:", a.path))
|
||||
}
|
||||
|
||||
func (a *ACL) revert(sys *I, ec *Criteria) error {
|
||||
if ec.hasType(a) {
|
||||
fmsg.VPrintln("stripping ACL", a)
|
||||
return fmsg.WrapErrorSuffix(acl.UpdatePerm(a.path, sys.uid),
|
||||
fmt.Sprintf("cannot strip ACL entry from %q:", a.path))
|
||||
} else {
|
||||
fmsg.VPrintln("skipping ACL", a)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func (a *ACL) Is(o Op) bool {
|
||||
a0, ok := o.(*ACL)
|
||||
return ok && a0 != nil &&
|
||||
a.et == a0.et &&
|
||||
a.path == a0.path &&
|
||||
slices.Equal(a.perms, a0.perms)
|
||||
}
|
||||
|
||||
func (a *ACL) Path() string {
|
||||
return a.path
|
||||
}
|
||||
|
||||
func (a *ACL) String() string {
|
||||
return fmt.Sprintf("%s type: %s path: %q",
|
||||
a.perms, TypeString(a.et), a.path)
|
||||
}
|
|
@ -0,0 +1,90 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
)
|
||||
|
||||
func TestUpdatePerm(t *testing.T) {
|
||||
testCases := []struct {
|
||||
path string
|
||||
perms []acl.Perm
|
||||
}{
|
||||
{"/run/user/1971/fortify", []acl.Perm{acl.Execute}},
|
||||
{"/tmp/fortify.1971/tmpdir/150", []acl.Perm{acl.Read, acl.Write, acl.Execute}},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.path+permSubTestSuffix(tc.perms), func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.UpdatePerm(tc.path, tc.perms...)
|
||||
(&tcOp{Process, tc.path}).test(t, sys.ops, []Op{&ACL{Process, tc.path, tc.perms}}, "UpdatePerm")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestUpdatePermType(t *testing.T) {
|
||||
testCases := []struct {
|
||||
perms []acl.Perm
|
||||
tcOp
|
||||
}{
|
||||
{[]acl.Perm{acl.Execute}, tcOp{User, "/tmp/fortify.1971/tmpdir"}},
|
||||
{[]acl.Perm{acl.Read, acl.Write, acl.Execute}, tcOp{User, "/tmp/fortify.1971/tmpdir/150"}},
|
||||
{[]acl.Perm{acl.Execute}, tcOp{Process, "/run/user/1971/fortify/fcb8a12f7c482d183ade8288c3de78b5"}},
|
||||
{[]acl.Perm{acl.Read}, tcOp{Process, "/tmp/fortify.1971/fcb8a12f7c482d183ade8288c3de78b5/passwd"}},
|
||||
{[]acl.Perm{acl.Read}, tcOp{Process, "/tmp/fortify.1971/fcb8a12f7c482d183ade8288c3de78b5/group"}},
|
||||
{[]acl.Perm{acl.Read, acl.Write, acl.Execute}, tcOp{EWayland, "/run/user/1971/wayland-0"}},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.path+"_"+TypeString(tc.et)+permSubTestSuffix(tc.perms), func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.UpdatePermType(tc.et, tc.path, tc.perms...)
|
||||
tc.test(t, sys.ops, []Op{&ACL{tc.et, tc.path, tc.perms}}, "UpdatePermType")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestACL_String(t *testing.T) {
|
||||
testCases := []struct {
|
||||
want string
|
||||
et Enablement
|
||||
perms []acl.Perm
|
||||
}{
|
||||
{`--- type: Process path: "/nonexistent"`, Process, []acl.Perm{}},
|
||||
{`r-- type: User path: "/nonexistent"`, User, []acl.Perm{acl.Read}},
|
||||
{`-w- type: Wayland path: "/nonexistent"`, EWayland, []acl.Perm{acl.Write}},
|
||||
{`--x type: X11 path: "/nonexistent"`, EX11, []acl.Perm{acl.Execute}},
|
||||
{`rw- type: D-Bus path: "/nonexistent"`, EDBus, []acl.Perm{acl.Read, acl.Write}},
|
||||
{`r-x type: PulseAudio path: "/nonexistent"`, EPulse, []acl.Perm{acl.Read, acl.Execute}},
|
||||
{`rwx type: User path: "/nonexistent"`, User, []acl.Perm{acl.Read, acl.Write, acl.Execute}},
|
||||
{`rwx type: Process path: "/nonexistent"`, Process, []acl.Perm{acl.Read, acl.Write, acl.Write, acl.Execute}},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.want, func(t *testing.T) {
|
||||
a := &ACL{et: tc.et, perms: tc.perms, path: "/nonexistent"}
|
||||
if got := a.String(); got != tc.want {
|
||||
t.Errorf("String() = %v, want %v",
|
||||
got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func permSubTestSuffix(perms []acl.Perm) (suffix string) {
|
||||
for _, perm := range perms {
|
||||
switch perm {
|
||||
case acl.Read:
|
||||
suffix += "_read"
|
||||
case acl.Write:
|
||||
suffix += "_write"
|
||||
case acl.Execute:
|
||||
suffix += "_execute"
|
||||
default:
|
||||
panic("unreachable")
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
|
@ -0,0 +1,166 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"os"
|
||||
|
||||
"git.ophivana.moe/security/fortify/dbus"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrDBusConfig = errors.New("dbus config not supplied")
|
||||
)
|
||||
|
||||
func (sys *I) MustProxyDBus(sessionPath string, session *dbus.Config, systemPath string, system *dbus.Config) *I {
|
||||
if err := sys.ProxyDBus(session, system, sessionPath, systemPath); err != nil {
|
||||
panic(err.Error())
|
||||
} else {
|
||||
return sys
|
||||
}
|
||||
}
|
||||
|
||||
func (sys *I) ProxyDBus(session, system *dbus.Config, sessionPath, systemPath string) error {
|
||||
d := new(DBus)
|
||||
|
||||
// used by waiting goroutine to notify process exit
|
||||
d.done = make(chan struct{})
|
||||
|
||||
// session bus is mandatory
|
||||
if session == nil {
|
||||
return fmsg.WrapError(ErrDBusConfig,
|
||||
"attempted to seal message bus proxy without session bus config")
|
||||
}
|
||||
|
||||
// system bus is optional
|
||||
d.system = system == nil
|
||||
|
||||
// upstream address, downstream socket path
|
||||
var sessionBus, systemBus [2]string
|
||||
|
||||
// resolve upstream bus addresses
|
||||
sessionBus[0], systemBus[0] = dbus.Address()
|
||||
|
||||
// set paths from caller
|
||||
sessionBus[1], systemBus[1] = sessionPath, systemPath
|
||||
|
||||
// create proxy instance
|
||||
d.proxy = dbus.New(sessionBus, systemBus)
|
||||
|
||||
defer func() {
|
||||
if fmsg.Verbose() && d.proxy.Sealed() {
|
||||
fmsg.VPrintln("sealed session proxy", session.Args(sessionBus))
|
||||
if system != nil {
|
||||
fmsg.VPrintln("sealed system proxy", system.Args(systemBus))
|
||||
}
|
||||
fmsg.VPrintln("message bus proxy final args:", d.proxy)
|
||||
}
|
||||
}()
|
||||
|
||||
// queue operation
|
||||
sys.ops = append(sys.ops, d)
|
||||
|
||||
// seal dbus proxy
|
||||
return fmsg.WrapErrorSuffix(d.proxy.Seal(session, system),
|
||||
"cannot seal message bus proxy:")
|
||||
}
|
||||
|
||||
type DBus struct {
|
||||
proxy *dbus.Proxy
|
||||
|
||||
// whether system bus proxy is enabled
|
||||
system bool
|
||||
// notification from goroutine waiting for dbus.Proxy
|
||||
done chan struct{}
|
||||
}
|
||||
|
||||
func (d *DBus) Type() Enablement {
|
||||
return Process
|
||||
}
|
||||
|
||||
func (d *DBus) apply(_ *I) error {
|
||||
fmsg.VPrintf("session bus proxy on %q for upstream %q", d.proxy.Session()[1], d.proxy.Session()[0])
|
||||
if d.system {
|
||||
fmsg.VPrintf("system bus proxy on %q for upstream %q", d.proxy.System()[1], d.proxy.System()[0])
|
||||
}
|
||||
|
||||
// ready channel passed to dbus package
|
||||
ready := make(chan error, 1)
|
||||
|
||||
// background dbus proxy start
|
||||
if err := d.proxy.Start(ready, os.Stderr, true); err != nil {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
"cannot start message bus proxy:")
|
||||
}
|
||||
fmsg.VPrintln("starting message bus proxy:", d.proxy)
|
||||
if fmsg.Verbose() { // save the extra bwrap arg build when verbose logging is off
|
||||
fmsg.VPrintln("message bus proxy bwrap args:", d.proxy.Bwrap())
|
||||
}
|
||||
|
||||
// background wait for proxy instance and notify completion
|
||||
go func() {
|
||||
if err := d.proxy.Wait(); err != nil {
|
||||
fmsg.Println("message bus proxy exited with error:", err)
|
||||
go func() { ready <- err }()
|
||||
} else {
|
||||
fmsg.VPrintln("message bus proxy exit")
|
||||
}
|
||||
|
||||
// ensure socket removal so ephemeral directory is empty at revert
|
||||
if err := os.Remove(d.proxy.Session()[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
fmsg.Println("cannot remove dangling session bus socket:", err)
|
||||
}
|
||||
if d.system {
|
||||
if err := os.Remove(d.proxy.System()[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
fmsg.Println("cannot remove dangling system bus socket:", err)
|
||||
}
|
||||
}
|
||||
|
||||
// notify proxy completion
|
||||
close(d.done)
|
||||
}()
|
||||
|
||||
// ready is not nil if the proxy process faulted
|
||||
if err := <-ready; err != nil {
|
||||
// note that err here is either an I/O error or a predetermined unexpected behaviour error
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
"message bus proxy fault after start:")
|
||||
}
|
||||
fmsg.VPrintln("message bus proxy ready")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *DBus) revert(_ *I, _ *Criteria) error {
|
||||
// criteria ignored here since dbus is always process-scoped
|
||||
fmsg.VPrintln("terminating message bus proxy")
|
||||
|
||||
if err := d.proxy.Close(); err != nil {
|
||||
if errors.Is(err, os.ErrClosed) {
|
||||
return fmsg.WrapError(err,
|
||||
"message bus proxy already closed")
|
||||
} else {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
"cannot stop message bus proxy:")
|
||||
}
|
||||
}
|
||||
|
||||
// block until proxy wait returns
|
||||
<-d.done
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *DBus) Is(o Op) bool {
|
||||
d0, ok := o.(*DBus)
|
||||
return ok && d0 != nil &&
|
||||
((d.proxy == nil && d0.proxy == nil) ||
|
||||
(d.proxy != nil && d0.proxy != nil && d.proxy.String() == d0.proxy.String()))
|
||||
}
|
||||
|
||||
func (d *DBus) Path() string {
|
||||
return "(dbus proxy)"
|
||||
}
|
||||
|
||||
func (d *DBus) String() string {
|
||||
return d.proxy.String()
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
package system
|
||||
|
||||
type (
|
||||
// Enablement represents an optional system resource
|
||||
Enablement uint8
|
||||
// Enablements represents optional system resources to share
|
||||
Enablements uint64
|
||||
)
|
||||
|
||||
const (
|
||||
EWayland Enablement = iota
|
||||
EX11
|
||||
EDBus
|
||||
EPulse
|
||||
)
|
||||
|
||||
var enablementString = [...]string{
|
||||
EWayland: "Wayland",
|
||||
EX11: "X11",
|
||||
EDBus: "D-Bus",
|
||||
EPulse: "PulseAudio",
|
||||
}
|
||||
|
||||
const ELen = len(enablementString)
|
||||
|
||||
func (e Enablement) String() string {
|
||||
if int(e) >= ELen {
|
||||
return "<invalid enablement>"
|
||||
}
|
||||
return enablementString[e]
|
||||
}
|
||||
|
||||
func (e Enablement) Mask() Enablements {
|
||||
return 1 << e
|
||||
}
|
||||
|
||||
// Has returns whether a feature is enabled
|
||||
func (es *Enablements) Has(e Enablement) bool {
|
||||
return *es&e.Mask() != 0
|
||||
}
|
||||
|
||||
// Set enables a feature
|
||||
func (es *Enablements) Set(e Enablement) {
|
||||
if es.Has(e) {
|
||||
panic("enablement " + e.String() + " set twice")
|
||||
}
|
||||
|
||||
*es |= e.Mask()
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
// Ensure the existence and mode of a directory.
|
||||
func (sys *I) Ensure(name string, perm os.FileMode) *I {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
sys.ops = append(sys.ops, &Mkdir{User, name, perm, false})
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
// Ephemeral ensures the temporary existence and mode of a directory through the life of et.
|
||||
func (sys *I) Ephemeral(et Enablement, name string, perm os.FileMode) *I {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
sys.ops = append(sys.ops, &Mkdir{et, name, perm, true})
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
type Mkdir struct {
|
||||
et Enablement
|
||||
path string
|
||||
perm os.FileMode
|
||||
ephemeral bool
|
||||
}
|
||||
|
||||
func (m *Mkdir) Type() Enablement {
|
||||
return m.et
|
||||
}
|
||||
|
||||
func (m *Mkdir) apply(_ *I) error {
|
||||
fmsg.VPrintln("ensuring directory", m)
|
||||
|
||||
// create directory
|
||||
err := os.Mkdir(m.path, m.perm)
|
||||
if !errors.Is(err, os.ErrExist) {
|
||||
return fmsg.WrapErrorSuffix(err,
|
||||
fmt.Sprintf("cannot create directory %q:", m.path))
|
||||
}
|
||||
|
||||
// directory exists, ensure mode
|
||||
return fmsg.WrapErrorSuffix(os.Chmod(m.path, m.perm),
|
||||
fmt.Sprintf("cannot change mode of %q to %s:", m.path, m.perm))
|
||||
}
|
||||
|
||||
func (m *Mkdir) revert(_ *I, ec *Criteria) error {
|
||||
if !m.ephemeral {
|
||||
// skip non-ephemeral dir and do not log anything
|
||||
return nil
|
||||
}
|
||||
|
||||
if ec.hasType(m) {
|
||||
fmsg.VPrintln("destroying ephemeral directory", m)
|
||||
return fmsg.WrapErrorSuffix(os.Remove(m.path),
|
||||
fmt.Sprintf("cannot remove ephemeral directory %q:", m.path))
|
||||
} else {
|
||||
fmsg.VPrintln("skipping ephemeral directory", m)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func (m *Mkdir) Is(o Op) bool {
|
||||
m0, ok := o.(*Mkdir)
|
||||
return ok && m0 != nil && *m == *m0
|
||||
}
|
||||
|
||||
func (m *Mkdir) Path() string {
|
||||
return m.path
|
||||
}
|
||||
|
||||
func (m *Mkdir) String() string {
|
||||
t := "Ensure"
|
||||
if m.ephemeral {
|
||||
t = TypeString(m.Type())
|
||||
}
|
||||
return fmt.Sprintf("mode: %s type: %s path: %q", m.perm.String(), t, m.path)
|
||||
}
|
|
@ -0,0 +1,73 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"os"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestEnsure(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
perm os.FileMode
|
||||
}{
|
||||
{"/tmp/fortify.1971", 0701},
|
||||
{"/tmp/fortify.1971/tmpdir", 0700},
|
||||
{"/tmp/fortify.1971/tmpdir/150", 0700},
|
||||
{"/run/user/1971/fortify", 0700},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name+"_"+tc.perm.String(), func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.Ensure(tc.name, tc.perm)
|
||||
(&tcOp{User, tc.name}).test(t, sys.ops, []Op{&Mkdir{User, tc.name, tc.perm, false}}, "Ensure")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestEphemeral(t *testing.T) {
|
||||
testCases := []struct {
|
||||
perm os.FileMode
|
||||
tcOp
|
||||
}{
|
||||
{0700, tcOp{Process, "/run/user/1971/fortify/ec07546a772a07cde87389afc84ffd13"}},
|
||||
{0701, tcOp{Process, "/tmp/fortify.1971/ec07546a772a07cde87389afc84ffd13"}},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.path+"_"+tc.perm.String()+"_"+TypeString(tc.et), func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.Ephemeral(tc.et, tc.path, tc.perm)
|
||||
tc.test(t, sys.ops, []Op{&Mkdir{tc.et, tc.path, tc.perm, true}}, "Ephemeral")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestMkdir_String(t *testing.T) {
|
||||
testCases := []struct {
|
||||
want string
|
||||
ephemeral bool
|
||||
et Enablement
|
||||
}{
|
||||
{"Ensure", false, User},
|
||||
{"Ensure", false, Process},
|
||||
{"Ensure", false, EWayland},
|
||||
|
||||
{"Wayland", true, EWayland},
|
||||
{"X11", true, EX11},
|
||||
{"D-Bus", true, EDBus},
|
||||
{"PulseAudio", true, EPulse},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.want, func(t *testing.T) {
|
||||
m := &Mkdir{
|
||||
et: tc.et,
|
||||
path: "/nonexistent",
|
||||
perm: 0701,
|
||||
ephemeral: tc.ephemeral,
|
||||
}
|
||||
want := "mode: " + os.FileMode(0701).String() + " type: " + tc.want + " path: \"/nonexistent\""
|
||||
if got := m.String(); got != want {
|
||||
t.Errorf("String() = %v, want %v", got, want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -0,0 +1,140 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"sync"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
const (
|
||||
// User type is reverted at final launcher exit.
|
||||
User = Enablement(ELen)
|
||||
// Process type is unconditionally reverted on exit.
|
||||
Process = Enablement(ELen + 1)
|
||||
)
|
||||
|
||||
type Criteria struct {
|
||||
*Enablements
|
||||
}
|
||||
|
||||
func (ec *Criteria) hasType(o Op) bool {
|
||||
// nil criteria: revert everything except User
|
||||
if ec.Enablements == nil {
|
||||
return o.Type() != User
|
||||
}
|
||||
|
||||
return ec.Has(o.Type())
|
||||
}
|
||||
|
||||
// Op is a reversible system operation.
|
||||
type Op interface {
|
||||
// Type returns Op's enablement type.
|
||||
Type() Enablement
|
||||
|
||||
// apply the Op
|
||||
apply(sys *I) error
|
||||
// revert reverses the Op if criteria is met
|
||||
revert(sys *I, ec *Criteria) error
|
||||
|
||||
Is(o Op) bool
|
||||
Path() string
|
||||
String() string
|
||||
}
|
||||
|
||||
func TypeString(e Enablement) string {
|
||||
switch e {
|
||||
case User:
|
||||
return "User"
|
||||
case Process:
|
||||
return "Process"
|
||||
default:
|
||||
return e.String()
|
||||
}
|
||||
}
|
||||
|
||||
type I struct {
|
||||
uid int
|
||||
ops []Op
|
||||
|
||||
state [2]bool
|
||||
lock sync.Mutex
|
||||
}
|
||||
|
||||
func (sys *I) UID() int {
|
||||
return sys.uid
|
||||
}
|
||||
|
||||
func (sys *I) Equal(v *I) bool {
|
||||
if v == nil || sys.uid != v.uid || len(sys.ops) != len(v.ops) {
|
||||
return false
|
||||
}
|
||||
|
||||
for i, o := range sys.ops {
|
||||
if !o.Is(v.ops[i]) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func (sys *I) Commit() error {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
if sys.state[0] {
|
||||
panic("sys instance committed twice")
|
||||
}
|
||||
sys.state[0] = true
|
||||
|
||||
sp := New(sys.uid)
|
||||
sp.ops = make([]Op, 0, len(sys.ops)) // prevent copies during commits
|
||||
defer func() {
|
||||
// sp is set to nil when all ops are applied
|
||||
if sp != nil {
|
||||
// rollback partial commit
|
||||
fmsg.VPrintf("commit faulted after %d ops, rolling back partial commit", len(sp.ops))
|
||||
if err := sp.Revert(&Criteria{nil}); err != nil {
|
||||
fmsg.Println("errors returned reverting partial commit:", err)
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
for _, o := range sys.ops {
|
||||
if err := o.apply(sys); err != nil {
|
||||
return err
|
||||
} else {
|
||||
// register partial commit
|
||||
sp.ops = append(sp.ops, o)
|
||||
}
|
||||
}
|
||||
|
||||
// disarm partial commit rollback
|
||||
sp = nil
|
||||
return nil
|
||||
}
|
||||
|
||||
func (sys *I) Revert(ec *Criteria) error {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
if sys.state[1] {
|
||||
panic("sys instance reverted twice")
|
||||
}
|
||||
sys.state[1] = true
|
||||
|
||||
// collect errors
|
||||
errs := make([]error, len(sys.ops))
|
||||
|
||||
for i := range sys.ops {
|
||||
errs[i] = sys.ops[len(sys.ops)-i-1].revert(sys, ec)
|
||||
}
|
||||
|
||||
// errors.Join filters nils
|
||||
return errors.Join(errs...)
|
||||
}
|
||||
|
||||
func New(uid int) *I {
|
||||
return &I{uid: uid}
|
||||
}
|
|
@ -0,0 +1,79 @@
|
|||
package system
|
||||
|
||||
import "testing"
|
||||
|
||||
type tcOp struct {
|
||||
et Enablement
|
||||
path string
|
||||
}
|
||||
|
||||
// test an instance of the Op interface
|
||||
func (ptc tcOp) test(t *testing.T, gotOps []Op, wantOps []Op, fn string) {
|
||||
if len(gotOps) != len(wantOps) {
|
||||
t.Errorf("%s: inserted %v Ops, want %v", fn,
|
||||
len(gotOps), len(wantOps))
|
||||
return
|
||||
}
|
||||
|
||||
t.Run("path", func(t *testing.T) {
|
||||
if len(gotOps) > 0 {
|
||||
if got := gotOps[0].Path(); got != ptc.path {
|
||||
t.Errorf("Path() = %q, want %q",
|
||||
got, ptc.path)
|
||||
return
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
for i := range gotOps {
|
||||
o := gotOps[i]
|
||||
|
||||
t.Run("is", func(t *testing.T) {
|
||||
if !o.Is(o) {
|
||||
t.Errorf("Is returned false on self")
|
||||
return
|
||||
}
|
||||
if !o.Is(wantOps[i]) {
|
||||
t.Errorf("%s: inserted %#v, want %#v",
|
||||
fn,
|
||||
o, wantOps[i])
|
||||
return
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("criteria", func(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
ec *Criteria
|
||||
want bool
|
||||
}{
|
||||
{"nil", newCriteria(), ptc.et != User},
|
||||
{"self", newCriteria(ptc.et), true},
|
||||
{"all", newCriteria(EWayland, EX11, EDBus, EPulse, User, Process), true},
|
||||
{"enablements", newCriteria(EWayland, EX11, EDBus, EPulse), ptc.et != User && ptc.et != Process},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if got := tc.ec.hasType(o); got != tc.want {
|
||||
t.Errorf("hasType: got %v, want %v",
|
||||
got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func newCriteria(labels ...Enablement) *Criteria {
|
||||
ec := new(Criteria)
|
||||
if len(labels) == 0 {
|
||||
return ec
|
||||
}
|
||||
|
||||
ec.Enablements = new(Enablements)
|
||||
for _, e := range labels {
|
||||
ec.Set(e)
|
||||
}
|
||||
return ec
|
||||
}
|
|
@ -0,0 +1,129 @@
|
|||
package system_test
|
||||
|
||||
import (
|
||||
"strconv"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/system"
|
||||
)
|
||||
|
||||
func TestNew(t *testing.T) {
|
||||
testCases := []struct {
|
||||
uid int
|
||||
}{
|
||||
{150},
|
||||
{149},
|
||||
{148},
|
||||
{147},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run("sys initialised with uid "+strconv.Itoa(tc.uid), func(t *testing.T) {
|
||||
if got := system.New(tc.uid); got.UID() != tc.uid {
|
||||
t.Errorf("New(%d) uid = %d, want %d",
|
||||
tc.uid,
|
||||
got.UID(), tc.uid)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestTypeString(t *testing.T) {
|
||||
testCases := []struct {
|
||||
e system.Enablement
|
||||
want string
|
||||
}{
|
||||
{system.EWayland, system.EWayland.String()},
|
||||
{system.EX11, system.EX11.String()},
|
||||
{system.EDBus, system.EDBus.String()},
|
||||
{system.EPulse, system.EPulse.String()},
|
||||
{system.User, "User"},
|
||||
{system.Process, "Process"},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run("label type string "+tc.want, func(t *testing.T) {
|
||||
if got := system.TypeString(tc.e); got != tc.want {
|
||||
t.Errorf("TypeString(%d) = %v, want %v",
|
||||
tc.e,
|
||||
got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestI_Equal(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
sys *system.I
|
||||
v *system.I
|
||||
want bool
|
||||
}{
|
||||
{
|
||||
"simple UID",
|
||||
system.New(150),
|
||||
system.New(150),
|
||||
true,
|
||||
},
|
||||
{
|
||||
"simple UID differ",
|
||||
system.New(150),
|
||||
system.New(151),
|
||||
false,
|
||||
},
|
||||
{
|
||||
"simple UID nil",
|
||||
system.New(150),
|
||||
nil,
|
||||
false,
|
||||
},
|
||||
{
|
||||
"op length mismatch",
|
||||
system.New(150).
|
||||
ChangeHosts("chronos"),
|
||||
system.New(150).
|
||||
ChangeHosts("chronos").
|
||||
Ensure("/run", 0755),
|
||||
false,
|
||||
},
|
||||
{
|
||||
"op value mismatch",
|
||||
system.New(150).
|
||||
ChangeHosts("chronos").
|
||||
Ensure("/run", 0644),
|
||||
system.New(150).
|
||||
ChangeHosts("chronos").
|
||||
Ensure("/run", 0755),
|
||||
false,
|
||||
},
|
||||
{
|
||||
"op type mismatch",
|
||||
system.New(150).
|
||||
ChangeHosts("chronos").
|
||||
CopyFile("/tmp/fortify.1971/30c9543e0a2c9621a8bfecb9d874c347/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"),
|
||||
system.New(150).
|
||||
ChangeHosts("chronos").
|
||||
Ensure("/run", 0755),
|
||||
false,
|
||||
},
|
||||
{
|
||||
"op equals",
|
||||
system.New(150).
|
||||
ChangeHosts("chronos").
|
||||
Ensure("/run", 0755),
|
||||
system.New(150).
|
||||
ChangeHosts("chronos").
|
||||
Ensure("/run", 0755),
|
||||
true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if tc.sys.Equal(tc.v) != tc.want {
|
||||
t.Errorf("Equal: got %v; want %v",
|
||||
!tc.want, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -0,0 +1,145 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strconv"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
)
|
||||
|
||||
// CopyFile registers an Op that copies path dst from src.
|
||||
func (sys *I) CopyFile(dst, src string) *I {
|
||||
return sys.CopyFileType(Process, dst, src)
|
||||
}
|
||||
|
||||
// CopyFileType registers a file copying Op labelled with type et.
|
||||
func (sys *I) CopyFileType(et Enablement, dst, src string) *I {
|
||||
sys.lock.Lock()
|
||||
sys.ops = append(sys.ops, &Tmpfile{et, tmpfileCopy, dst, src})
|
||||
sys.lock.Unlock()
|
||||
|
||||
sys.UpdatePermType(et, dst, acl.Read)
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
// Link registers an Op that links dst to src.
|
||||
func (sys *I) Link(oldname, newname string) *I {
|
||||
return sys.LinkFileType(Process, oldname, newname)
|
||||
}
|
||||
|
||||
// LinkFileType registers a file linking Op labelled with type et.
|
||||
func (sys *I) LinkFileType(et Enablement, oldname, newname string) *I {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
sys.ops = append(sys.ops, &Tmpfile{et, tmpfileLink, newname, oldname})
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
// Write registers an Op that writes dst with the contents of src.
|
||||
func (sys *I) Write(dst, src string) *I {
|
||||
return sys.WriteType(Process, dst, src)
|
||||
}
|
||||
|
||||
// WriteType registers a file writing Op labelled with type et.
|
||||
func (sys *I) WriteType(et Enablement, dst, src string) *I {
|
||||
sys.lock.Lock()
|
||||
sys.ops = append(sys.ops, &Tmpfile{et, tmpfileWrite, dst, src})
|
||||
sys.lock.Unlock()
|
||||
|
||||
sys.UpdatePermType(et, dst, acl.Read)
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
const (
|
||||
tmpfileCopy uint8 = iota
|
||||
tmpfileLink
|
||||
tmpfileWrite
|
||||
)
|
||||
|
||||
type Tmpfile struct {
|
||||
et Enablement
|
||||
method uint8
|
||||
dst, src string
|
||||
}
|
||||
|
||||
func (t *Tmpfile) Type() Enablement {
|
||||
return t.et
|
||||
}
|
||||
|
||||
func (t *Tmpfile) apply(_ *I) error {
|
||||
switch t.method {
|
||||
case tmpfileCopy:
|
||||
fmsg.VPrintln("publishing tmpfile", t)
|
||||
return fmsg.WrapErrorSuffix(copyFile(t.dst, t.src),
|
||||
fmt.Sprintf("cannot copy tmpfile %q:", t.dst))
|
||||
case tmpfileLink:
|
||||
fmsg.VPrintln("linking tmpfile", t)
|
||||
return fmsg.WrapErrorSuffix(os.Link(t.src, t.dst),
|
||||
fmt.Sprintf("cannot link tmpfile %q:", t.dst))
|
||||
case tmpfileWrite:
|
||||
fmsg.VPrintln("writing", t)
|
||||
return fmsg.WrapErrorSuffix(os.WriteFile(t.dst, []byte(t.src), 0600),
|
||||
fmt.Sprintf("cannot write tmpfile %q:", t.dst))
|
||||
default:
|
||||
panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
|
||||
}
|
||||
}
|
||||
|
||||
func (t *Tmpfile) revert(_ *I, ec *Criteria) error {
|
||||
if ec.hasType(t) {
|
||||
fmsg.VPrintf("removing tmpfile %q", t.dst)
|
||||
return fmsg.WrapErrorSuffix(os.Remove(t.dst),
|
||||
fmt.Sprintf("cannot remove tmpfile %q:", t.dst))
|
||||
} else {
|
||||
fmsg.VPrintf("skipping tmpfile %q", t.dst)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func (t *Tmpfile) Is(o Op) bool {
|
||||
t0, ok := o.(*Tmpfile)
|
||||
return ok && t0 != nil && *t == *t0
|
||||
}
|
||||
|
||||
func (t *Tmpfile) Path() string {
|
||||
if t.method == tmpfileWrite {
|
||||
return fmt.Sprintf("(%d bytes of data)", len(t.src))
|
||||
}
|
||||
return t.src
|
||||
}
|
||||
|
||||
func (t *Tmpfile) String() string {
|
||||
switch t.method {
|
||||
case tmpfileCopy:
|
||||
return fmt.Sprintf("%q from %q", t.dst, t.src)
|
||||
case tmpfileLink:
|
||||
return fmt.Sprintf("%q from %q", t.dst, t.src)
|
||||
case tmpfileWrite:
|
||||
return fmt.Sprintf("%d bytes of data to %q", len(t.src), t.dst)
|
||||
default:
|
||||
panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
|
||||
}
|
||||
}
|
||||
|
||||
func copyFile(dst, src string) error {
|
||||
dstD, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
srcD, err := os.Open(src)
|
||||
if err != nil {
|
||||
return errors.Join(err, dstD.Close())
|
||||
}
|
||||
|
||||
_, err = io.Copy(dstD, srcD)
|
||||
return errors.Join(err, dstD.Close(), srcD.Close())
|
||||
}
|
|
@ -0,0 +1,167 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"strconv"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/acl"
|
||||
)
|
||||
|
||||
func TestCopyFile(t *testing.T) {
|
||||
testCases := []struct {
|
||||
dst, src string
|
||||
}{
|
||||
{"/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
{"/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run("copy file "+tc.dst+" from "+tc.src, func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.CopyFile(tc.dst, tc.src)
|
||||
(&tcOp{Process, tc.src}).test(t, sys.ops, []Op{
|
||||
&Tmpfile{Process, tmpfileCopy, tc.dst, tc.src},
|
||||
&ACL{Process, tc.dst, []acl.Perm{acl.Read}},
|
||||
}, "CopyFile")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestCopyFileType(t *testing.T) {
|
||||
testCases := []struct {
|
||||
tcOp
|
||||
dst string
|
||||
}{
|
||||
{tcOp{User, "/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
{tcOp{Process, "/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run("copy file "+tc.dst+" from "+tc.path+" with type "+TypeString(tc.et), func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.CopyFileType(tc.et, tc.dst, tc.path)
|
||||
tc.test(t, sys.ops, []Op{
|
||||
&Tmpfile{tc.et, tmpfileCopy, tc.dst, tc.path},
|
||||
&ACL{tc.et, tc.dst, []acl.Perm{acl.Read}},
|
||||
}, "CopyFileType")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestLink(t *testing.T) {
|
||||
testCases := []struct {
|
||||
dst, src string
|
||||
}{
|
||||
{"/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
{"/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run("link file "+tc.dst+" from "+tc.src, func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.Link(tc.src, tc.dst)
|
||||
(&tcOp{Process, tc.src}).test(t, sys.ops, []Op{
|
||||
&Tmpfile{Process, tmpfileLink, tc.dst, tc.src},
|
||||
}, "Link")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestLinkFileType(t *testing.T) {
|
||||
testCases := []struct {
|
||||
tcOp
|
||||
dst string
|
||||
}{
|
||||
{tcOp{User, "/tmp/fortify.1971/f587afe9fce3c8e1ad5b64deb6c41ad5/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
{tcOp{Process, "/tmp/fortify.1971/62154f708b5184ab01f9dcc2bbe7a33b/pulse-cookie"}, "/home/ophestra/xdg/config/pulse/cookie"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run("link file "+tc.dst+" from "+tc.path+" with type "+TypeString(tc.et), func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.LinkFileType(tc.et, tc.path, tc.dst)
|
||||
tc.test(t, sys.ops, []Op{
|
||||
&Tmpfile{tc.et, tmpfileLink, tc.dst, tc.path},
|
||||
}, "LinkFileType")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestWrite(t *testing.T) {
|
||||
testCases := []struct {
|
||||
dst, src string
|
||||
}{
|
||||
{"/etc/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n"},
|
||||
{"/etc/group", "fortify:x:65534:\n"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run("write "+strconv.Itoa(len(tc.src))+" bytes to "+tc.dst, func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.Write(tc.dst, tc.src)
|
||||
(&tcOp{Process, "(" + strconv.Itoa(len(tc.src)) + " bytes of data)"}).test(t, sys.ops, []Op{
|
||||
&Tmpfile{Process, tmpfileWrite, tc.dst, tc.src},
|
||||
&ACL{Process, tc.dst, []acl.Perm{acl.Read}},
|
||||
}, "Write")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestWriteType(t *testing.T) {
|
||||
testCases := []struct {
|
||||
et Enablement
|
||||
dst, src string
|
||||
}{
|
||||
{Process, "/etc/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n"},
|
||||
{Process, "/etc/group", "fortify:x:65534:\n"},
|
||||
{User, "/etc/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n"},
|
||||
{User, "/etc/group", "fortify:x:65534:\n"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run("write "+strconv.Itoa(len(tc.src))+" bytes to "+tc.dst+" with type "+TypeString(tc.et), func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.WriteType(tc.et, tc.dst, tc.src)
|
||||
(&tcOp{tc.et, "(" + strconv.Itoa(len(tc.src)) + " bytes of data)"}).test(t, sys.ops, []Op{
|
||||
&Tmpfile{tc.et, tmpfileWrite, tc.dst, tc.src},
|
||||
&ACL{tc.et, tc.dst, []acl.Perm{acl.Read}},
|
||||
}, "WriteType")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestTmpfile_String(t *testing.T) {
|
||||
t.Run("invalid method panic", func(t *testing.T) {
|
||||
defer func() {
|
||||
wantPanic := "invalid tmpfile method 255"
|
||||
if r := recover(); r != wantPanic {
|
||||
t.Errorf("String() panic = %v, want %v",
|
||||
r, wantPanic)
|
||||
}
|
||||
}()
|
||||
_ = (&Tmpfile{method: 255}).String()
|
||||
})
|
||||
|
||||
testCases := []struct {
|
||||
method uint8
|
||||
dst, src string
|
||||
want string
|
||||
}{
|
||||
{tmpfileCopy, "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie",
|
||||
`"/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse-cookie" from "/home/ophestra/xdg/config/pulse/cookie"`},
|
||||
{tmpfileLink, "/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/wayland", "/run/user/1971/wayland-0",
|
||||
`"/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/wayland" from "/run/user/1971/wayland-0"`},
|
||||
{tmpfileLink, "/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse", "/run/user/1971/pulse/native",
|
||||
`"/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse" from "/run/user/1971/pulse/native"`},
|
||||
{tmpfileWrite, "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n",
|
||||
`75 bytes of data to "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/passwd"`},
|
||||
{tmpfileWrite, "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/group", "fortify:x:65534:\n",
|
||||
`17 bytes of data to "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/group"`},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.want, func(t *testing.T) {
|
||||
if got := (&Tmpfile{
|
||||
method: tc.method,
|
||||
dst: tc.dst,
|
||||
src: tc.src,
|
||||
}).String(); got != tc.want {
|
||||
t.Errorf("String() = %v, want %v", got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -0,0 +1,54 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/xcb"
|
||||
)
|
||||
|
||||
// ChangeHosts appends an X11 ChangeHosts command Op.
|
||||
func (sys *I) ChangeHosts(username string) *I {
|
||||
sys.lock.Lock()
|
||||
defer sys.lock.Unlock()
|
||||
|
||||
sys.ops = append(sys.ops, XHost(username))
|
||||
|
||||
return sys
|
||||
}
|
||||
|
||||
type XHost string
|
||||
|
||||
func (x XHost) Type() Enablement {
|
||||
return EX11
|
||||
}
|
||||
|
||||
func (x XHost) apply(_ *I) error {
|
||||
fmsg.VPrintf("inserting entry %s to X11", x)
|
||||
return fmsg.WrapErrorSuffix(xcb.ChangeHosts(xcb.HostModeInsert, xcb.FamilyServerInterpreted, "localuser\x00"+string(x)),
|
||||
fmt.Sprintf("cannot insert entry %s to X11:", x))
|
||||
}
|
||||
|
||||
func (x XHost) revert(_ *I, ec *Criteria) error {
|
||||
if ec.hasType(x) {
|
||||
fmsg.VPrintf("deleting entry %s from X11", x)
|
||||
return fmsg.WrapErrorSuffix(xcb.ChangeHosts(xcb.HostModeDelete, xcb.FamilyServerInterpreted, "localuser\x00"+string(x)),
|
||||
fmt.Sprintf("cannot delete entry %s from X11:", x))
|
||||
} else {
|
||||
fmsg.VPrintf("skipping entry %s in X11", x)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func (x XHost) Is(o Op) bool {
|
||||
x0, ok := o.(XHost)
|
||||
return ok && x == x0
|
||||
}
|
||||
|
||||
func (x XHost) Path() string {
|
||||
return string(x)
|
||||
}
|
||||
|
||||
func (x XHost) String() string {
|
||||
return string("SI:localuser:" + x)
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
package system
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestChangeHosts(t *testing.T) {
|
||||
testCases := []string{"chronos", "keyring", "cat", "kbd", "yonah"}
|
||||
for _, tc := range testCases {
|
||||
t.Run("append ChangeHosts operation for "+tc, func(t *testing.T) {
|
||||
sys := New(150)
|
||||
sys.ChangeHosts(tc)
|
||||
(&tcOp{EX11, tc}).test(t, sys.ops, []Op{
|
||||
XHost(tc),
|
||||
}, "ChangeHosts")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestXHost_String(t *testing.T) {
|
||||
testCases := []struct {
|
||||
username string
|
||||
want string
|
||||
}{
|
||||
{"chronos", "SI:localuser:chronos"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.want, func(t *testing.T) {
|
||||
if got := XHost(tc.username).String(); got != tc.want {
|
||||
t.Errorf("String() = %v, want %v", got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
72
launcher.go
72
launcher.go
|
@ -1,72 +0,0 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/base64"
|
||||
"encoding/gob"
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
const (
|
||||
// hidden path for main to act as a launcher
|
||||
egoLauncher = "EGO_LAUNCHER"
|
||||
)
|
||||
|
||||
// hidden launcher path
|
||||
func tryLauncher() {
|
||||
if printVersion {
|
||||
if r, ok := os.LookupEnv(egoLauncher); ok {
|
||||
// egoLauncher variable contains launcher payload
|
||||
dec := base64.NewDecoder(base64.StdEncoding, strings.NewReader(r))
|
||||
|
||||
var argv []string
|
||||
if err := gob.NewDecoder(dec).Decode(&argv); err != nil {
|
||||
fmt.Println("Error decoding launcher payload:", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
if err := os.Unsetenv(egoLauncher); err != nil {
|
||||
fmt.Println("Error unsetting launcher payload:", err)
|
||||
// not fatal, do not fail
|
||||
}
|
||||
|
||||
var p string
|
||||
|
||||
if len(argv) > 0 {
|
||||
if p, ok = which(argv[0]); !ok {
|
||||
fmt.Printf("Did not find '%s' in PATH\n", argv[0])
|
||||
os.Exit(1)
|
||||
}
|
||||
} else {
|
||||
if p, ok = os.LookupEnv("SHELL"); !ok {
|
||||
fmt.Println("No command was specified and $SHELL was unset")
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
if err := syscall.Exec(p, argv, os.Environ()); err != nil {
|
||||
fmt.Println("Error executing launcher payload:", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
// unreachable
|
||||
os.Exit(1)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func launcherPayloadEnv() string {
|
||||
r := &bytes.Buffer{}
|
||||
enc := base64.NewEncoder(base64.StdEncoding, r)
|
||||
|
||||
if err := gob.NewEncoder(enc).Encode(command); err != nil {
|
||||
fatal("Error encoding launcher payload:", err)
|
||||
}
|
||||
|
||||
_ = enc.Close()
|
||||
return egoLauncher + "=" + r.String()
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
package ldd
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrUnexpectedSeparator = errors.New("unexpected separator")
|
||||
ErrPathNotAbsolute = errors.New("path not absolute")
|
||||
ErrBadLocationFormat = errors.New("bad location format")
|
||||
ErrUnexpectedNewline = errors.New("unexpected newline")
|
||||
)
|
||||
|
||||
type EntryUnexpectedSegmentsError string
|
||||
|
||||
func (e EntryUnexpectedSegmentsError) Is(err error) bool {
|
||||
var eq EntryUnexpectedSegmentsError
|
||||
if !errors.As(err, &eq) {
|
||||
return false
|
||||
}
|
||||
return e == eq
|
||||
}
|
||||
|
||||
func (e EntryUnexpectedSegmentsError) Error() string {
|
||||
return fmt.Sprintf("unexpected segments in entry %q", string(e))
|
||||
}
|
|
@ -0,0 +1,41 @@
|
|||
package ldd
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strings"
|
||||
|
||||
"git.ophivana.moe/security/fortify/helper"
|
||||
"git.ophivana.moe/security/fortify/helper/bwrap"
|
||||
)
|
||||
|
||||
func Exec(p string) ([]*Entry, error) {
|
||||
var (
|
||||
h helper.Helper
|
||||
cmd *exec.Cmd
|
||||
)
|
||||
|
||||
if b, err := helper.NewBwrap((&bwrap.Config{
|
||||
Hostname: "fortify-ldd",
|
||||
Chdir: "/",
|
||||
NewSession: true,
|
||||
DieWithParent: true,
|
||||
}).Bind("/", "/").DevTmpfs("/dev"),
|
||||
nil, "ldd", func(_, _ int) []string { return []string{p} }); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
cmd = b.Unwrap()
|
||||
h = b
|
||||
}
|
||||
|
||||
cmd.Stdout, cmd.Stderr = new(strings.Builder), os.Stderr
|
||||
if err := h.Start(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err := h.Wait(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return Parse(cmd.Stdout.(fmt.Stringer))
|
||||
}
|
|
@ -0,0 +1,66 @@
|
|||
package ldd
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type Entry struct {
|
||||
Name string `json:"name,omitempty"`
|
||||
Path string `json:"path,omitempty"`
|
||||
Location uint64 `json:"location"`
|
||||
}
|
||||
|
||||
func Parse(stdout fmt.Stringer) ([]*Entry, error) {
|
||||
payload := strings.Split(strings.TrimSpace(stdout.String()), "\n")
|
||||
result := make([]*Entry, len(payload))
|
||||
|
||||
for i, ent := range payload {
|
||||
if len(ent) == 0 {
|
||||
return nil, ErrUnexpectedNewline
|
||||
}
|
||||
|
||||
segment := strings.SplitN(ent, " ", 5)
|
||||
|
||||
// location index
|
||||
var iL int
|
||||
|
||||
switch len(segment) {
|
||||
case 2: // /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
|
||||
iL = 1
|
||||
result[i] = &Entry{Name: segment[0]}
|
||||
case 4: // libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f04d14ef000)
|
||||
iL = 3
|
||||
if segment[1] != "=>" {
|
||||
return nil, ErrUnexpectedSeparator
|
||||
}
|
||||
if !path.IsAbs(segment[2]) {
|
||||
return nil, ErrPathNotAbsolute
|
||||
}
|
||||
result[i] = &Entry{
|
||||
Name: segment[0],
|
||||
Path: segment[2],
|
||||
}
|
||||
default:
|
||||
return nil, EntryUnexpectedSegmentsError(ent)
|
||||
}
|
||||
|
||||
if loc, err := parseLocation(segment[iL]); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
result[i].Location = loc
|
||||
}
|
||||
}
|
||||
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func parseLocation(s string) (uint64, error) {
|
||||
if len(s) < 4 || s[len(s)-1] != ')' || s[:3] != "(0x" {
|
||||
return math.MaxUint64, ErrBadLocationFormat
|
||||
}
|
||||
return strconv.ParseUint(s[3:len(s)-1], 16, 64)
|
||||
}
|
|
@ -0,0 +1,95 @@
|
|||
package ldd_test
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.ophivana.moe/security/fortify/ldd"
|
||||
)
|
||||
|
||||
func TestParseError(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name, out string
|
||||
wantErr error
|
||||
}{
|
||||
{"unexpected newline", `
|
||||
/lib/ld-musl-x86_64.so.1 (0x7ff71c0a4000)
|
||||
|
||||
libzstd.so.1 => /usr/lib/libzstd.so.1 (0x7ff71bfd2000)
|
||||
`, ldd.ErrUnexpectedNewline},
|
||||
{"unexpected separator", `
|
||||
libzstd.so.1 = /usr/lib/libzstd.so.1 (0x7ff71bfd2000)
|
||||
`, ldd.ErrUnexpectedSeparator},
|
||||
{"path not absolute", `
|
||||
libzstd.so.1 => usr/lib/libzstd.so.1 (0x7ff71bfd2000)
|
||||
`, ldd.ErrPathNotAbsolute},
|
||||
{"unexpected segments", `
|
||||
meow libzstd.so.1 => /usr/lib/libzstd.so.1 (0x7ff71bfd2000)
|
||||
`, ldd.EntryUnexpectedSegmentsError("meow libzstd.so.1 => /usr/lib/libzstd.so.1 (0x7ff71bfd2000)")},
|
||||
{"bad location format", `
|
||||
libzstd.so.1 => /usr/lib/libzstd.so.1 7ff71bfd2000
|
||||
`, ldd.ErrBadLocationFormat},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
stdout := new(strings.Builder)
|
||||
stdout.WriteString(tc.out)
|
||||
|
||||
if _, err := ldd.Parse(stdout); !errors.Is(err, tc.wantErr) {
|
||||
t.Errorf("Parse() error = %v, wantErr %v", err, tc.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestParse(t *testing.T) {
|
||||
testCases := []struct {
|
||||
file, out string
|
||||
want []*ldd.Entry
|
||||
}{
|
||||
{"musl /bin/kmod", `
|
||||
/lib/ld-musl-x86_64.so.1 (0x7ff71c0a4000)
|
||||
libzstd.so.1 => /usr/lib/libzstd.so.1 (0x7ff71bfd2000)
|
||||
liblzma.so.5 => /usr/lib/liblzma.so.5 (0x7ff71bf9a000)
|
||||
libz.so.1 => /lib/libz.so.1 (0x7ff71bf80000)
|
||||
libcrypto.so.3 => /lib/libcrypto.so.3 (0x7ff71ba00000)
|
||||
libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7ff71c0a4000)`,
|
||||
[]*ldd.Entry{
|
||||
{"/lib/ld-musl-x86_64.so.1", "", 0x7ff71c0a4000},
|
||||
{"libzstd.so.1", "/usr/lib/libzstd.so.1", 0x7ff71bfd2000},
|
||||
{"liblzma.so.5", "/usr/lib/liblzma.so.5", 0x7ff71bf9a000},
|
||||
{"libz.so.1", "/lib/libz.so.1", 0x7ff71bf80000},
|
||||
{"libcrypto.so.3", "/lib/libcrypto.so.3", 0x7ff71ba00000},
|
||||
{"libc.musl-x86_64.so.1", "/lib/ld-musl-x86_64.so.1", 0x7ff71c0a4000},
|
||||
}},
|
||||
{"glibc /nix/store/rc3n2r3nffpib2gqpxlkjx36frw6n34z-kmod-31/bin/kmod", `
|
||||
linux-vdso.so.1 (0x00007ffed65be000)
|
||||
libzstd.so.1 => /nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1 (0x00007f3199cd1000)
|
||||
liblzma.so.5 => /nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5 (0x00007f3199ca2000)
|
||||
libc.so.6 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6 (0x00007f3199ab5000)
|
||||
libpthread.so.0 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0 (0x00007f3199ab0000)
|
||||
/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2 => /nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2 (0x00007f3199da5000)`,
|
||||
[]*ldd.Entry{
|
||||
{"linux-vdso.so.1", "", 0x00007ffed65be000},
|
||||
{"libzstd.so.1", "/nix/store/80pxmvb9q43kh9rkjagc4h41vf6dh1y6-zstd-1.5.6/lib/libzstd.so.1", 0x00007f3199cd1000},
|
||||
{"liblzma.so.5", "/nix/store/g78jna1i5qhh8gqs4mr64648f0szqgw4-xz-5.4.7/lib/liblzma.so.5", 0x00007f3199ca2000},
|
||||
{"libc.so.6", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libc.so.6", 0x00007f3199ab5000},
|
||||
{"libpthread.so.0", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/libpthread.so.0", 0x00007f3199ab0000},
|
||||
{"/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib/ld-linux-x86-64.so.2", "/nix/store/c10zhkbp6jmyh0xc5kd123ga8yy2p4hk-glibc-2.39-52/lib64/ld-linux-x86-64.so.2", 0x00007f3199da5000},
|
||||
}},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.file, func(t *testing.T) {
|
||||
stdout := new(strings.Builder)
|
||||
stdout.WriteString(tc.out)
|
||||
|
||||
if got, err := ldd.Parse(stdout); err != nil {
|
||||
t.Errorf("Parse() error = %v", err)
|
||||
} else if !reflect.DeepEqual(got, tc.want) {
|
||||
t.Errorf("Parse() got = %#v, want %#v", got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -4,7 +4,6 @@ import (
|
|||
_ "embed"
|
||||
"flag"
|
||||
"fmt"
|
||||
"os"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
385
main.go
385
main.go
|
@ -1,363 +1,78 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"git.ophivana.moe/security/fortify/internal"
|
||||
"git.ophivana.moe/security/fortify/internal/app"
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
init0 "git.ophivana.moe/security/fortify/internal/init"
|
||||
"git.ophivana.moe/security/fortify/internal/shim"
|
||||
)
|
||||
|
||||
var Version = "impure"
|
||||
|
||||
func tryVersion() {
|
||||
if printVersion {
|
||||
fmt.Println(Version)
|
||||
os.Exit(0)
|
||||
}
|
||||
}
|
||||
|
||||
var (
|
||||
ego *user.User
|
||||
uid int
|
||||
env []string
|
||||
command []string
|
||||
verbose bool
|
||||
runtime string
|
||||
runDir string
|
||||
flagVerbose bool
|
||||
)
|
||||
|
||||
const (
|
||||
term = "TERM"
|
||||
home = "HOME"
|
||||
sudoAskPass = "SUDO_ASKPASS"
|
||||
xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
||||
xdgConfigHome = "XDG_CONFIG_HOME"
|
||||
display = "DISPLAY"
|
||||
pulseServer = "PULSE_SERVER"
|
||||
pulseCookie = "PULSE_COOKIE"
|
||||
func init() {
|
||||
flag.BoolVar(&flagVerbose, "v", false, "Verbose output")
|
||||
}
|
||||
|
||||
// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
|
||||
waylandDisplay = "WAYLAND_DISPLAY"
|
||||
)
|
||||
var os = new(internal.Std)
|
||||
|
||||
func main() {
|
||||
// linux/sched/coredump.h
|
||||
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, 0, 0); errno != 0 {
|
||||
fmsg.Printf("fortify: cannot set SUID_DUMP_DISABLE: %s", errno.Error())
|
||||
}
|
||||
|
||||
flag.Parse()
|
||||
copyArgs()
|
||||
fmsg.SetVerbose(flagVerbose)
|
||||
|
||||
if u, err := strconv.Atoi(ego.Uid); err != nil {
|
||||
// usually unreachable
|
||||
panic("ego uid parse")
|
||||
} else {
|
||||
uid = u
|
||||
if os.SdBooted() {
|
||||
fmsg.VPrintln("system booted with systemd as init system")
|
||||
}
|
||||
|
||||
if r, ok := os.LookupEnv(xdgRuntimeDir); !ok {
|
||||
fatal("Env variable", xdgRuntimeDir, "unset")
|
||||
} else {
|
||||
runtime = r
|
||||
runDir = path.Join(runtime, "ego")
|
||||
// shim/init early exit
|
||||
init0.Try()
|
||||
shim.Try()
|
||||
|
||||
// root check
|
||||
if os.Geteuid() == 0 {
|
||||
fmsg.Fatal("this program must not run as root")
|
||||
panic("unreachable")
|
||||
}
|
||||
|
||||
// state query command
|
||||
// version/license/template command early exit
|
||||
tryVersion()
|
||||
tryLicense()
|
||||
tryTemplate()
|
||||
|
||||
// state query command early exit
|
||||
tryState()
|
||||
|
||||
// Report warning if user home directory does not exist or has wrong ownership
|
||||
if stat, err := os.Stat(ego.HomeDir); err != nil {
|
||||
if verbose {
|
||||
switch {
|
||||
case errors.Is(err, fs.ErrPermission):
|
||||
fmt.Printf("User %s home directory %s is not accessible", ego.Username, ego.HomeDir)
|
||||
case errors.Is(err, fs.ErrNotExist):
|
||||
fmt.Printf("User %s home directory %s does not exist", ego.Username, ego.HomeDir)
|
||||
default:
|
||||
fmt.Printf("Error stat user %s home directory %s: %s", ego.Username, ego.HomeDir, err)
|
||||
}
|
||||
}
|
||||
return
|
||||
} else {
|
||||
// FreeBSD: not cross-platform
|
||||
if u := strconv.Itoa(int(stat.Sys().(*syscall.Stat_t).Uid)); u != ego.Uid {
|
||||
fmt.Printf("User %s home directory %s has incorrect ownership (expected UID %s, found %s)", ego.Username, ego.HomeDir, ego.Uid, u)
|
||||
}
|
||||
}
|
||||
|
||||
// Add execute perm to runtime dir, e.g. `/run/user/%d`
|
||||
if s, err := os.Stat(runtime); err != nil {
|
||||
if errors.Is(err, fs.ErrNotExist) {
|
||||
fatal("Runtime directory does not exist")
|
||||
}
|
||||
fatal("Error accessing runtime directory:", err)
|
||||
} else if !s.IsDir() {
|
||||
fatal(fmt.Sprintf("Path '%s' is not a directory", runtime))
|
||||
} else {
|
||||
if err = aclUpdatePerm(runtime, uid, aclExecute); err != nil {
|
||||
fatal("Error preparing runtime dir:", err)
|
||||
} else {
|
||||
registerRevertPath(runtime)
|
||||
}
|
||||
if verbose {
|
||||
fmt.Printf("Runtime data dir '%s' configured\n", runtime)
|
||||
}
|
||||
}
|
||||
|
||||
// Create runtime dir for Ego itself (e.g. `/run/user/%d/ego`) and make it readable for target
|
||||
if err := os.Mkdir(runDir, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
|
||||
fatal("Error creating Ego runtime dir:", err)
|
||||
}
|
||||
if err := aclUpdatePerm(runDir, uid, aclExecute); err != nil {
|
||||
fatal("Error preparing Ego runtime dir:", err)
|
||||
} else {
|
||||
registerRevertPath(runDir)
|
||||
}
|
||||
|
||||
// Add rwx permissions to Wayland socket (e.g. `/run/user/%d/wayland-0`)
|
||||
if w, ok := os.LookupEnv(waylandDisplay); !ok {
|
||||
if verbose {
|
||||
fmt.Println("Wayland: WAYLAND_DISPLAY not set, skipping")
|
||||
}
|
||||
} else {
|
||||
// add environment variable for new process
|
||||
env = append(env, waylandDisplay+"="+path.Join(runtime, w))
|
||||
wp := path.Join(runtime, w)
|
||||
if err := aclUpdatePerm(wp, uid, aclRead, aclWrite, aclExecute); err != nil {
|
||||
fatal(fmt.Sprintf("Error preparing Wayland '%s':", w), err)
|
||||
} else {
|
||||
registerRevertPath(wp)
|
||||
}
|
||||
if verbose {
|
||||
fmt.Printf("Wayland socket '%s' configured\n", w)
|
||||
}
|
||||
}
|
||||
|
||||
// Detect `DISPLAY` and grant permissions via X11 protocol `ChangeHosts` command
|
||||
if d, ok := os.LookupEnv(display); !ok {
|
||||
if verbose {
|
||||
fmt.Println("X11: DISPLAY not set, skipping")
|
||||
}
|
||||
} else {
|
||||
// add environment variable for new process
|
||||
env = append(env, display+"="+d)
|
||||
|
||||
if verbose {
|
||||
fmt.Printf("X11: Adding XHost entry SI:localuser:%s to display '%s'\n", ego.Username, d)
|
||||
}
|
||||
if err := changeHosts(xcbHostModeInsert, xcbFamilyServerInterpreted, "localuser\x00"+ego.Username); err != nil {
|
||||
fatal(fmt.Sprintf("Error adding XHost entry to '%s':", d), err)
|
||||
} else {
|
||||
xcbActionComplete = true
|
||||
}
|
||||
}
|
||||
|
||||
// Add execute permissions to PulseAudio directory (e.g. `/run/user/%d/pulse`)
|
||||
pulse := path.Join(runtime, "pulse")
|
||||
pulseS := path.Join(pulse, "native")
|
||||
if s, err := os.Stat(pulse); err != nil {
|
||||
if !errors.Is(err, fs.ErrNotExist) {
|
||||
fatal("Error accessing PulseAudio directory:", err)
|
||||
}
|
||||
if mustPulse {
|
||||
fatal("PulseAudio is unavailable")
|
||||
}
|
||||
if verbose {
|
||||
fmt.Printf("PulseAudio dir '%s' not found, skipping\n", pulse)
|
||||
}
|
||||
} else {
|
||||
// add environment variable for new process
|
||||
env = append(env, pulseServer+"=unix:"+pulseS)
|
||||
if err = aclUpdatePerm(pulse, uid, aclExecute); err != nil {
|
||||
fatal("Error preparing PulseAudio:", err)
|
||||
} else {
|
||||
registerRevertPath(pulse)
|
||||
}
|
||||
|
||||
// Ensure permissions of PulseAudio socket `/run/user/%d/pulse/native`
|
||||
if s, err = os.Stat(pulseS); err != nil {
|
||||
if errors.Is(err, fs.ErrNotExist) {
|
||||
fatal("PulseAudio directory found but socket does not exist")
|
||||
}
|
||||
fatal("Error accessing PulseAudio socket:", err)
|
||||
} else {
|
||||
if m := s.Mode(); m&0o006 != 0o006 {
|
||||
fatal(fmt.Sprintf("Unexpected permissions on '%s':", pulseS), m)
|
||||
}
|
||||
}
|
||||
|
||||
// Publish current user's pulse-cookie for target user
|
||||
pulseCookieSource := discoverPulseCookie()
|
||||
env = append(env, pulseCookie+"="+pulseCookieSource)
|
||||
pulseCookieFinal := path.Join(runDir, "pulse-cookie")
|
||||
if verbose {
|
||||
fmt.Printf("Publishing PulseAudio cookie '%s' to '%s'\n", pulseCookieSource, pulseCookieFinal)
|
||||
}
|
||||
if err = copyFile(pulseCookieFinal, pulseCookieSource); err != nil {
|
||||
fatal("Error copying PulseAudio cookie:", err)
|
||||
}
|
||||
if err = aclUpdatePerm(pulseCookieFinal, uid, aclRead); err != nil {
|
||||
fatal("Error publishing PulseAudio cookie:", err)
|
||||
} else {
|
||||
registerRevertPath(pulseCookieFinal)
|
||||
}
|
||||
|
||||
if verbose {
|
||||
fmt.Printf("PulseAudio dir '%s' configured\n", pulse)
|
||||
}
|
||||
}
|
||||
|
||||
// pass $TERM to launcher
|
||||
if t, ok := os.LookupEnv(term); ok {
|
||||
env = append(env, term+"="+t)
|
||||
}
|
||||
|
||||
f := launchBySudo
|
||||
m, b := false, false
|
||||
switch {
|
||||
case methodFlags[0]: // sudo
|
||||
case methodFlags[1]: // bare
|
||||
m, b = true, true
|
||||
default: // machinectl
|
||||
m, b = true, false
|
||||
}
|
||||
|
||||
var toolPath string
|
||||
|
||||
// dependency checks
|
||||
const sudoFallback = "Falling back to 'sudo', some desktop integration features may not work"
|
||||
if m {
|
||||
if !sdBooted() {
|
||||
fmt.Println("This system was not booted through systemd")
|
||||
fmt.Println(sudoFallback)
|
||||
} else if tp, ok := which("machinectl"); !ok {
|
||||
fmt.Println("Did not find 'machinectl' in PATH")
|
||||
fmt.Println(sudoFallback)
|
||||
} else {
|
||||
toolPath = tp
|
||||
f = func() []string { return launchByMachineCtl(b) }
|
||||
}
|
||||
} else if tp, ok := which("sudo"); !ok {
|
||||
fatal("Did not find 'sudo' in PATH")
|
||||
} else {
|
||||
toolPath = tp
|
||||
}
|
||||
|
||||
if verbose {
|
||||
fmt.Printf("Selected launcher '%s' bare=%t\n", toolPath, b)
|
||||
}
|
||||
|
||||
cmd := exec.Command(toolPath, f()...)
|
||||
cmd.Env = env
|
||||
cmd.Stdin = os.Stdin
|
||||
cmd.Stdout = os.Stdout
|
||||
cmd.Stderr = os.Stderr
|
||||
cmd.Dir = runDir
|
||||
|
||||
if verbose {
|
||||
fmt.Println("Executing:", cmd)
|
||||
}
|
||||
|
||||
if err := cmd.Start(); err != nil {
|
||||
fatal("Error starting process:", err)
|
||||
}
|
||||
|
||||
if err := registerProcess(ego.Uid, cmd); err != nil {
|
||||
// process already started, shouldn't be fatal
|
||||
fmt.Println("Error registering process:", err)
|
||||
// invoke app
|
||||
a, err := app.New(os)
|
||||
if err != nil {
|
||||
fmsg.Fatalf("cannot create app: %s\n", err)
|
||||
} else if err = a.Seal(loadConfig()); err != nil {
|
||||
logBaseError(err, "cannot seal app:")
|
||||
fmsg.Exit(1)
|
||||
} else if err = a.Start(); err != nil {
|
||||
logBaseError(err, "cannot start app:")
|
||||
}
|
||||
|
||||
var r int
|
||||
if err := cmd.Wait(); err != nil {
|
||||
var exitError *exec.ExitError
|
||||
if !errors.As(err, &exitError) {
|
||||
fatal("Error running process:", err)
|
||||
// wait must be called regardless of result of start
|
||||
if r, err = a.Wait(); err != nil {
|
||||
if r < 1 {
|
||||
r = 1
|
||||
}
|
||||
logWaitError(err)
|
||||
}
|
||||
|
||||
if verbose {
|
||||
fmt.Println("Process exited with exit code", r)
|
||||
if err = a.WaitErr(); err != nil {
|
||||
fmsg.Println("inner wait failed:", err)
|
||||
}
|
||||
beforeExit()
|
||||
os.Exit(r)
|
||||
}
|
||||
|
||||
func launchBySudo() (args []string) {
|
||||
args = make([]string, 0, 4+len(env)+len(command))
|
||||
|
||||
// -Hiu $USER
|
||||
args = append(args, "-Hiu", ego.Username)
|
||||
|
||||
// -A?
|
||||
if _, ok := os.LookupEnv(sudoAskPass); ok {
|
||||
if verbose {
|
||||
fmt.Printf("%s set, adding askpass flag\n", sudoAskPass)
|
||||
}
|
||||
args = append(args, "-A")
|
||||
}
|
||||
|
||||
// environ
|
||||
args = append(args, env...)
|
||||
|
||||
// -- $@
|
||||
args = append(args, "--")
|
||||
args = append(args, command...)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func launchByMachineCtl(bare bool) (args []string) {
|
||||
args = make([]string, 0, 9+len(env))
|
||||
|
||||
// shell --uid=$USER
|
||||
args = append(args, "shell", "--uid="+ego.Username)
|
||||
|
||||
// --quiet
|
||||
if !verbose {
|
||||
args = append(args, "--quiet")
|
||||
}
|
||||
|
||||
// environ
|
||||
envQ := make([]string, len(env)+1)
|
||||
for i, e := range env {
|
||||
envQ[i] = "-E" + e
|
||||
}
|
||||
envQ[len(env)] = "-E" + launcherPayloadEnv()
|
||||
args = append(args, envQ...)
|
||||
|
||||
// -- .host
|
||||
args = append(args, "--", ".host")
|
||||
|
||||
// /bin/sh -c
|
||||
if sh, ok := which("sh"); !ok {
|
||||
fatal("Did not find 'sh' in PATH")
|
||||
} else {
|
||||
args = append(args, sh, "-c")
|
||||
}
|
||||
|
||||
if len(command) == 0 { // execute shell if command is not provided
|
||||
command = []string{"$SHELL"}
|
||||
}
|
||||
|
||||
innerCommand := strings.Builder{}
|
||||
|
||||
if !bare {
|
||||
innerCommand.WriteString("dbus-update-activation-environment --systemd")
|
||||
for _, e := range env {
|
||||
innerCommand.WriteString(" " + strings.SplitN(e, "=", 2)[0])
|
||||
}
|
||||
innerCommand.WriteString("; systemctl --user start xdg-desktop-portal-gtk; ")
|
||||
}
|
||||
|
||||
if executable, err := os.Executable(); err != nil {
|
||||
fatal("Error reading executable path:", err)
|
||||
} else {
|
||||
innerCommand.WriteString("exec " + executable + " -V")
|
||||
}
|
||||
args = append(args, innerCommand.String())
|
||||
|
||||
return
|
||||
fmsg.Exit(r)
|
||||
}
|
||||
|
|
|
@ -0,0 +1,296 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
types
|
||||
mkOption
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mapAttrs
|
||||
mapAttrsToList
|
||||
foldlAttrs
|
||||
optional
|
||||
;
|
||||
|
||||
cfg = config.environment.fortify;
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
environment.fortify = {
|
||||
enable = mkEnableOption "fortify";
|
||||
|
||||
target = mkOption {
|
||||
default = { };
|
||||
type =
|
||||
let
|
||||
inherit (types)
|
||||
str
|
||||
enum
|
||||
bool
|
||||
package
|
||||
anything
|
||||
submodule
|
||||
listOf
|
||||
attrsOf
|
||||
nullOr
|
||||
;
|
||||
in
|
||||
attrsOf (submodule {
|
||||
options = {
|
||||
packages = mkOption {
|
||||
type = listOf package;
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of extra packages to install via home-manager.
|
||||
'';
|
||||
};
|
||||
|
||||
launchers = mkOption {
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
command = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Command to run as the target user.
|
||||
Setting this to null will default command to wrapper name.
|
||||
'';
|
||||
};
|
||||
|
||||
dbus = {
|
||||
config = mkOption {
|
||||
type = nullOr anything;
|
||||
default = null;
|
||||
description = ''
|
||||
D-Bus custom configuration.
|
||||
Setting this to null will enable built-in defaults.
|
||||
'';
|
||||
};
|
||||
|
||||
configSystem = mkOption {
|
||||
type = nullOr anything;
|
||||
default = null;
|
||||
description = ''
|
||||
D-Bus system bus custom configuration.
|
||||
Setting this to null will disable the system bus proxy.
|
||||
'';
|
||||
};
|
||||
|
||||
id = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
D-Bus application id.
|
||||
Setting this to null will disable own path in defaults.
|
||||
Has no effect if custom configuration is set.
|
||||
'';
|
||||
};
|
||||
|
||||
mpris = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable MPRIS in D-Bus defaults.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
capability = {
|
||||
wayland = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to share the Wayland socket.
|
||||
'';
|
||||
};
|
||||
|
||||
x11 = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to share the X11 socket and allow connection.
|
||||
'';
|
||||
};
|
||||
|
||||
dbus = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to proxy D-Bus.
|
||||
'';
|
||||
};
|
||||
|
||||
pulse = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to share the PulseAudio socket and cookie.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
share = mkOption {
|
||||
type = nullOr package;
|
||||
default = null;
|
||||
description = ''
|
||||
Package containing share files.
|
||||
Setting this to null will default package name to wrapper name.
|
||||
'';
|
||||
};
|
||||
|
||||
method = mkOption {
|
||||
type = enum [
|
||||
"simple"
|
||||
"sudo"
|
||||
"systemd"
|
||||
];
|
||||
default = "systemd";
|
||||
description = ''
|
||||
Launch method for the sandboxed program.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
default = { };
|
||||
};
|
||||
|
||||
persistence = mkOption {
|
||||
type = submodule {
|
||||
options = {
|
||||
directories = mkOption {
|
||||
type = listOf anything;
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
files = mkOption {
|
||||
type = listOf anything;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
description = ''
|
||||
Per-user state passed to github:nix-community/impermanence.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = anything;
|
||||
default = { };
|
||||
description = "Extra home-manager configuration.";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.callPackage ./package.nix { };
|
||||
description = "Package providing fortify.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
description = "Privileged user account.";
|
||||
};
|
||||
|
||||
stateDir = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
The path to persistent storage where per-user state should be stored.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.persistence.${cfg.stateDir}.users = mapAttrs (_: target: target.persistence) cfg.target;
|
||||
|
||||
home-manager.users =
|
||||
mapAttrs (_: target: target.extraConfig // { home.packages = target.packages; }) cfg.target
|
||||
// {
|
||||
${cfg.user}.home.packages =
|
||||
let
|
||||
wrap =
|
||||
user: launchers:
|
||||
mapAttrsToList (
|
||||
name: launcher:
|
||||
with launcher.capability;
|
||||
let
|
||||
command = if launcher.command == null then name else launcher.command;
|
||||
dbusConfig =
|
||||
if launcher.dbus.config != null then
|
||||
pkgs.writeText "${name}-dbus.json" (builtins.toJSON launcher.dbus.config)
|
||||
else
|
||||
null;
|
||||
dbusSystem =
|
||||
if launcher.dbus.configSystem != null then
|
||||
pkgs.writeText "${name}-dbus-system.json" (builtins.toJSON launcher.dbus.configSystem)
|
||||
else
|
||||
null;
|
||||
capArgs =
|
||||
(if wayland then " --wayland" else "")
|
||||
+ (if x11 then " -X" else "")
|
||||
+ (if dbus then " --dbus" else "")
|
||||
+ (if pulse then " --pulse" else "")
|
||||
+ (if launcher.dbus.mpris then " --mpris" else "")
|
||||
+ (if launcher.dbus.id != null then " --dbus-id ${launcher.dbus.id}" else "")
|
||||
+ (if dbusConfig != null then " --dbus-config ${dbusConfig}" else "")
|
||||
+ (if dbusSystem != null then " --dbus-system ${dbusSystem}" else "");
|
||||
in
|
||||
pkgs.writeShellScriptBin name (
|
||||
if launcher.method == "simple" then
|
||||
''
|
||||
exec sudo -u ${user} -i ${command} $@
|
||||
''
|
||||
else
|
||||
''
|
||||
exec fortify${capArgs} --method ${launcher.method} -u ${user} $SHELL -c "exec ${command} $@"
|
||||
''
|
||||
)
|
||||
) launchers;
|
||||
in
|
||||
foldlAttrs (
|
||||
acc: user: target:
|
||||
acc
|
||||
++ (foldlAttrs (
|
||||
shares: name: launcher:
|
||||
let
|
||||
pkg = if launcher.share != null then launcher.share else pkgs.${name};
|
||||
link = source: "[ -d '${source}' ] && ln -sv '${source}' $out/share || true";
|
||||
in
|
||||
shares
|
||||
++
|
||||
optional (launcher.method != "simple" && (launcher.capability.wayland || launcher.capability.x11))
|
||||
(
|
||||
pkgs.runCommand "${name}-share" { } ''
|
||||
mkdir -p $out/share
|
||||
${link "${pkg}/share/applications"}
|
||||
${link "${pkg}/share/icons"}
|
||||
${link "${pkg}/share/man"}
|
||||
''
|
||||
)
|
||||
) (wrap user target.launchers) target.launchers)
|
||||
) [ cfg.package ] cfg.target;
|
||||
};
|
||||
|
||||
security.polkit.extraConfig =
|
||||
let
|
||||
allowList = builtins.toJSON (mapAttrsToList (name: _: name) cfg.target);
|
||||
in
|
||||
''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (action.id == "org.freedesktop.machine1.host-shell" &&
|
||||
${allowList}.indexOf(action.lookup("user")) > -1 &&
|
||||
subject.user == "${cfg.user}") {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
{
|
||||
lib,
|
||||
buildGoModule,
|
||||
makeBinaryWrapper,
|
||||
xdg-dbus-proxy,
|
||||
bubblewrap,
|
||||
acl,
|
||||
xorg,
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "fortify";
|
||||
version = "0.0.10";
|
||||
|
||||
src = ./.;
|
||||
vendorHash = null;
|
||||
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X"
|
||||
"main.Version=v${version}"
|
||||
"-X"
|
||||
"main.FortifyPath=${placeholder "out"}/bin/.fortify-wrapped"
|
||||
];
|
||||
|
||||
buildInputs = [
|
||||
acl
|
||||
xorg.libxcb
|
||||
];
|
||||
|
||||
nativeBuildInputs = [ makeBinaryWrapper ];
|
||||
|
||||
postInstall = ''
|
||||
wrapProgram $out/bin/${pname} --prefix PATH : ${
|
||||
lib.makeBinPath [
|
||||
bubblewrap
|
||||
xdg-dbus-proxy
|
||||
]
|
||||
}
|
||||
|
||||
mv $out/bin/fsu $out/bin/.fsu
|
||||
'';
|
||||
}
|
163
state.go
163
state.go
|
@ -1,162 +1,35 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"encoding/gob"
|
||||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path"
|
||||
"strconv"
|
||||
)
|
||||
"text/tabwriter"
|
||||
|
||||
// we unfortunately have to assume there are never races between processes
|
||||
// this and launcher should eventually be replaced by a server process
|
||||
"git.ophivana.moe/security/fortify/internal/fmsg"
|
||||
"git.ophivana.moe/security/fortify/internal/state"
|
||||
)
|
||||
|
||||
var (
|
||||
stateActionEarly bool
|
||||
statePath string
|
||||
cleanupCandidate []string
|
||||
xcbActionComplete bool
|
||||
stateActionEarly bool
|
||||
)
|
||||
|
||||
type launcherState struct {
|
||||
PID int
|
||||
Launcher string
|
||||
Argv []string
|
||||
Command []string
|
||||
}
|
||||
|
||||
func init() {
|
||||
flag.BoolVar(&stateActionEarly, "state", false, "query state value of current active launchers")
|
||||
flag.BoolVar(&stateActionEarly, "state", false, "print state information of active launchers")
|
||||
}
|
||||
|
||||
// tryState is called after app initialisation
|
||||
func tryState() {
|
||||
if !stateActionEarly {
|
||||
return
|
||||
}
|
||||
|
||||
launchers, err := readLaunchers()
|
||||
if err != nil {
|
||||
fmt.Println("Error reading launchers:", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
fmt.Println("\tPID\tLauncher")
|
||||
for _, state := range launchers {
|
||||
fmt.Printf("\t%d\t%s\nCommand: %s\nArgv: %s\n", state.PID, state.Launcher, state.Command, state.Argv)
|
||||
}
|
||||
|
||||
os.Exit(0)
|
||||
}
|
||||
|
||||
func registerRevertPath(p string) {
|
||||
cleanupCandidate = append(cleanupCandidate, p)
|
||||
}
|
||||
|
||||
// called after process start, before wait
|
||||
func registerProcess(uid string, cmd *exec.Cmd) error {
|
||||
statePath = path.Join(runDir, uid, strconv.Itoa(cmd.Process.Pid))
|
||||
state := launcherState{
|
||||
PID: cmd.Process.Pid,
|
||||
Launcher: cmd.Path,
|
||||
Argv: cmd.Args,
|
||||
Command: command,
|
||||
}
|
||||
|
||||
if err := os.Mkdir(path.Join(runDir, uid), 0700); err != nil && !errors.Is(err, fs.ErrExist) {
|
||||
return err
|
||||
}
|
||||
|
||||
if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
|
||||
return err
|
||||
} else {
|
||||
defer func() {
|
||||
if f.Close() != nil {
|
||||
// unreachable
|
||||
panic("state file closed prematurely")
|
||||
if stateActionEarly {
|
||||
var w *tabwriter.Writer
|
||||
state.MustPrintLauncherStateSimpleGlobal(&w, os.Paths().RunDirPath)
|
||||
if w != nil {
|
||||
if err := w.Flush(); err != nil {
|
||||
fmsg.Println("cannot format output:", err)
|
||||
}
|
||||
}()
|
||||
return gob.NewEncoder(f).Encode(state)
|
||||
} else {
|
||||
fmt.Println("No information available")
|
||||
}
|
||||
|
||||
fmsg.Exit(0)
|
||||
}
|
||||
}
|
||||
|
||||
func readLaunchers() ([]*launcherState, error) {
|
||||
var f *os.File
|
||||
var r []*launcherState
|
||||
launcherPrefix := path.Join(runDir, ego.Uid)
|
||||
|
||||
if pl, err := os.ReadDir(launcherPrefix); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
for _, e := range pl {
|
||||
if err = func() error {
|
||||
if f, err = os.Open(path.Join(launcherPrefix, e.Name())); err != nil {
|
||||
return err
|
||||
} else {
|
||||
defer func() {
|
||||
if f.Close() != nil {
|
||||
// unreachable
|
||||
panic("foreign state file closed prematurely")
|
||||
}
|
||||
}()
|
||||
|
||||
var s launcherState
|
||||
r = append(r, &s)
|
||||
return gob.NewDecoder(f).Decode(&s)
|
||||
}
|
||||
}(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return r, nil
|
||||
}
|
||||
|
||||
func beforeExit() {
|
||||
if err := os.Remove(statePath); err != nil && !errors.Is(err, fs.ErrNotExist) {
|
||||
fmt.Println("Error removing state file:", err)
|
||||
}
|
||||
|
||||
if a, err := readLaunchers(); err != nil {
|
||||
fmt.Println("Error reading active launchers:", err)
|
||||
os.Exit(1)
|
||||
} else if len(a) > 0 {
|
||||
// other launchers are still active
|
||||
if verbose {
|
||||
fmt.Printf("Found %d active launchers, exiting without cleaning up\n", len(a))
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
if verbose {
|
||||
fmt.Println("No other launchers active, will clean up")
|
||||
}
|
||||
|
||||
if xcbActionComplete {
|
||||
if verbose {
|
||||
fmt.Printf("X11: Removing XHost entry SI:localuser:%s\n", ego.Username)
|
||||
}
|
||||
if err := changeHosts(xcbHostModeDelete, xcbFamilyServerInterpreted, "localuser\x00"+ego.Username); err != nil {
|
||||
fmt.Println("Error removing XHost entry:", err)
|
||||
}
|
||||
}
|
||||
|
||||
for _, candidate := range cleanupCandidate {
|
||||
if err := aclUpdatePerm(candidate, uid); err != nil {
|
||||
fmt.Printf("Error stripping ACL entry from '%s': %s\n", candidate, err)
|
||||
}
|
||||
if verbose {
|
||||
fmt.Printf("Stripped ACL entry for user '%s' from '%s'\n", ego.Username, candidate)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func fatal(msg ...any) {
|
||||
fmt.Println(msg...)
|
||||
beforeExit()
|
||||
os.Exit(1)
|
||||
}
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue