
commit af200830921c4167181862e92477763315d2fba7
parent 81d7bfeb7a4406ac5c4bbef2c1cc31430777efd1
Author: ccx <ccx@te2000.cz>
Date:   Sun, 10 Mar 2024 01:55:33 +0000

Start with SECBIT_NOROOT_LOCKED to completely disable suid and filecaps

Diffstat:
Mfiles/applyuidgid-caps.c | 3+--
Afiles/nosuid.c | 22++++++++++++++++++++++
Mpackages/applyuidgid-caps | 2+-
Mpackages/core-system-init | 2++
Mpackages/default.environment | 7++++---
Apackages/nosuid | 92+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mpackages/userspace.environment | 5+++--
Mtemplates/pkg/core-system-init | 2++
Atemplates/pkg/nosuid | 24++++++++++++++++++++++++
Mtemplates/pkg/userspace.environment | 1+
10 files changed, 152 insertions(+), 8 deletions(-)

diff --git a/files/applyuidgid-caps.c b/files/applyuidgid-caps.c
@@ -77,10 +77,9 @@ int main (int argc, char const *const *argv)
 SECBIT_KEEP_CAPS | /* unneeded as NO_SETUID_FIXUP is superset */
 SECBIT_NO_SETUID_FIXUP |
 SECBIT_NOROOT | /* disables suid and filecap privilege gain */
- SECBIT_NOROOT_LOCKED) < 1) {
+ SECBIT_NOROOT_LOCKED) < 0) {
 strerr_dief1sys(111, "Failed to set securebits via prctl()");
 }
- /* set these capabilities for the current process */
 if (cap_iab_set_proc(new_iab) != 0) {
 strerr_dief1sys(111, "Failed to set capabilities via cap_set_proc()");
diff --git a/files/nosuid.c b/files/nosuid.c
@@ -0,0 +1,22 @@
+/* ISC license. */
+
+#include <sys/prctl.h>
+#include <linux/securebits.h>
+
+#include <skalibs/exec.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/strerr2.h>
+
+#define USAGE "nosuid prog..."
+#define dieusage() strerr_dieusage(100, USAGE)
+
+int main (int argc, char const *const *argv)
+{
+ if (argc < 2) dieusage() ;
+
+ if (prctl(PR_SET_SECUREBITS, SECBIT_NOROOT | SECBIT_NOROOT_LOCKED) < 0) {
+ strerr_dief1sys(111, "Failed to set securebits via prctl()");
+ }
+
+ else xexec(&argv[1]) ;
+}
diff --git a/packages/applyuidgid-caps b/packages/applyuidgid-caps
@@ -4,7 +4,7 @@
 #+busybox.e60885fe93ee85c01831673bb29f0e62a64903f4ce3094e3dc35bc8ec8887ad9
 #+skalibs.9c4a42aba2c3b6d3622a04a17fb8dbb75d51805220f45823c26fe7a73e842b5e
 #+libcap.3528f93ae9873fceae62855cb7c0fa521ac2c3cfabe71bf58ba01483136bf5fd
-#@sha256:1ca7801a4f247d9433de87373e243f3a38618e0e508501e4ecbb96516cbeee1d:applyuidgid-caps.c
+#@sha256:818a5ad7061ab1a740a5c2e7d7d8cdcc7be7e84e3f04b479731cf94ff1f1d093:applyuidgid-caps.c
 name=applyuidgid-caps
 check_static() {
diff --git a/packages/core-system-init b/packages/core-system-init
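Review bot: Only SECBIT_NOROOT carries its _LOCKED companion in the mask passed to prctl() on the changed line; SECBIT_NO_SETUID_FIXUP (and KEEP_CAPS) stay unlocked, so a descendant that still holds CAP_SETPCAP can clear them again with another PR_SET_SECUREBITS call. If the intent is that the whole policy holds for the process tree, add `SECBIT_NO_SETUID_FIXUP_LOCKED |` next to the bit it locks; if leaving it changeable is deliberate, a comment on the `SECBIT_NO_SETUID_FIXUP |` line saying so would spare the next reader the question. The enclosing main() starts and ends outside the hunk.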
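Review bot: SECBIT_NOROOT, the only policy bit this program sets, disables the notional all-ones file capability sets the kernel applies when a uid-0 process or a set-user-ID-root binary execs; real file capabilities are still honoured and a setuid-root binary still switches to uid 0, so the "completely disable suid and filecaps" wording of the commit message promises more than the prctl() line delivers. Worth stating the actual semantics in a comment above the call, e.g. `/* NOROOT: root gains no capabilities on execve; file capabilities still apply */`, and, if file-capability grants must be blocked as well, treating PR_SET_NO_NEW_PRIVS (which as I read it also suppresses the setuid switch while keeping root's existing capabilities across exec) as a separate design decision rather than a drop-in. PR_SET_SECUREBITS needs CAP_SETPCAP, so invoked without it the wrapper exits 111 instead of running its argument — fine for PID 1, but callers elsewhere should know. The `else` on the xexec line is redundant, since strerr_dief1sys does not return, and the blank line separating it from the closing brace reads like two unrelated statements; `xexec(&argv[1]) ;` directly after the if block says the same thing.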
@@ -5,6 +5,7 @@
 #+s6-portable-utils.39f4babb8cd30769f1a931708e5442244b0305c36ddafe32348c7dc30c000b00
 #+s6-linux-init.396413eed542c149346f51a569f2d686c03b2104f4d062f52422e444ad9b502d
 #+execline.9d9d14aad09d9643f578727ab1ed3363b975772358c4ac8e756abdad4fca7a3d
+#+nosuid.ae35bf3fa1605f01e99b2c4c54b11da0156890c3ce38de1e26618f5db06b84f6
 #+core-system-rc.9604d0dac18456fc5af77ea9ab16dca585ad5fcb5854945b47281b1295a3f582
 s6rcdb=/versions/core-system-rc.9604d0dac18456fc5af77ea9ab16dca585ad5fcb5854945b47281b1295a3f582/config/s6-rc-db
@@ -49,6 +50,7 @@ el=$prefix/deps/command/$name
 s6-cat >"$pkgdir/bin/init.new" <<EOF || exit $?
 #!$el -S0
 $(qx pthbs-enter)
+$(qx nosuid)
 $(qx s6-envdir) -I /run/current/env
 EOF
 s6-cat >>"$pkgdir/bin/init.new" <"$pkgdir/bin/init"
diff --git a/packages/default.environment b/packages/default.environment
@@ -1,7 +1,7 @@
 #+core-system-conf.77e085927bd24f87018573434d43d14ea7ac1e92bb2a724bd0786e4e7eb31190
 #+core-system-rc.9604d0dac18456fc5af77ea9ab16dca585ad5fcb5854945b47281b1295a3f582
 #+core-system-scripts.132a3b1c6b226dee79156049db1244ebeacdf5a4bfcffc74b6b97175dad000fd
-#+core-system-init.241086865d7897cba12a880be6343e775307a00c1f47bf9a11b00514d48959a6
+#+core-system-init.933b54f3eb5efe84f5d13bdb123089935a2e0db809b71be37193db46a0b8e6cb
 #+busybox.e60885fe93ee85c01831673bb29f0e62a64903f4ce3094e3dc35bc8ec8887ad9
 #+gnu-make.782c9e6625fd7420e2cd38b847afed19db3b3844cae8a0426a0dbf73e10d78e5
 #+musl-cross-make.65f98305f5666435bf0c6b9ccedffae2179ff1b3286752756886f760cf7771d2
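Review bot: Placing `$(qx nosuid)` ahead of `$(qx s6-envdir)` puts SECBIT_NOROOT into effect for PID 1 before the rest of the init chain execs, and because the bit is inherited, every later execve by uid 0 receives capabilities only through the inheritable/ambient sets or file capabilities rather than the root-implied grant. Whether s6-envdir and the stages it runs keep the capabilities init needs therefore depends on ambient capabilities having been raised earlier (pthbs-enter, perhaps) or on file capabilities on those binaries, none of which is visible from this hunk. A comment next to the inserted line stating where that grant comes from would make the ordering auditable, e.g. `# nosuid: from here on uid 0 gets caps only via ambient/inheritable/file caps`. The same insertion appears in the templates/pkg/core-system-init hunk.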
@@ -36,4 +36,5 @@
 #+getconf.d16039d91561f2bb7f430eb2250f1e7c03d59ddeea80a9c55c21e293fb528fd9
 #+iconv.0b381a2e57a5e7b3df6b6a68d72230eec4e5ef2f6a460509c94d3d502fe1f2cf
 #+libcap.3528f93ae9873fceae62855cb7c0fa521ac2c3cfabe71bf58ba01483136bf5fd
-#+applyuidgid-caps.c36c2852aba239646b379f9ea3dfc520be308a1d263c577f0da97a0d0b20b307- \ No newline at end of file
+#+applyuidgid-caps.e36af59c076e13332a716eb4cdf6571c93d9cde48fb0bdb98acb5a770e25bb30
+#+nosuid.ae35bf3fa1605f01e99b2c4c54b11da0156890c3ce38de1e26618f5db06b84f6+ \ No newline at end of file
diff --git a/packages/nosuid b/packages/nosuid
@@ -0,0 +1,92 @@
+#!/usr/bin/env pthbs-build
+#+musl-cross-make.65f98305f5666435bf0c6b9ccedffae2179ff1b3286752756886f760cf7771d2
+#+gnu-make.782c9e6625fd7420e2cd38b847afed19db3b3844cae8a0426a0dbf73e10d78e5
+#+busybox.e60885fe93ee85c01831673bb29f0e62a64903f4ce3094e3dc35bc8ec8887ad9
+#+skalibs.9c4a42aba2c3b6d3622a04a17fb8dbb75d51805220f45823c26fe7a73e842b5e
+#@sha256:d53f929459d390275a98f948b570697c03b55384fd2536b8a5d72950d194c0c4:nosuid.c
+
+name=nosuid
+check_static() {
+ local exe || true
+ exe=$pthbs_destdir/'/versions'/$pthbs_package/$1
+ if ! test -f $exe; then
+ printf '%s\n' "Error: file '$1' doesn't exist!"
+ exit 1
+ fi
+ interp_info=$(readelf --string-dump=.interp "$exe") || exit $?
+ if test x '!=' "x$interp_info"; then
+ printf '%s\n' "Error: '$1' is a dynamic binary!"
+ exit 1
+ fi
+}
+build_env_static() {
+ export LD_LIBRARY_PATH="$pthbs_build_environment/library"
+ export CPATH="$pthbs_build_environment/include"
+ export LDFLAGS="-static -L$pthbs_build_environment/library $LDFLAGS"
+}
+def_prefix() {
+ prefix=/versions/$pthbs_package
+}
+def_dest() {
+ dest=${pthbs_destdir%/}//versions/$pthbs_package
+}
+build_env_static
+def_prefix
+
+gcc -D_GNU_SOURCE -static -o $name $name.c $LDFLAGS -lskarnet
+
+install -d "$pthbs_destdir/$prefix/command"
+install -m 755 $name "$pthbs_destdir/$prefix/command"
+check_static command/$name
+
+cd "$pthbs_destdir/versions/$pthbs_package"
+find -type d -o -print | awk -F/ '
+BEGIN {
+ x["./command/nosuid"]=1}
+
+function r1(s) {
+ sub("^[.]/[^/]*", ".", s)
+ return s
+}
+function s1(repl, s) {
+ sub("^[.]/[^/]*", "./"repl, s)
+ return s
+}
+function link(src) {
+ x[$0]=0
+ printf "%s\t%s\n", $0, src
+ printf "genlinks >>%s\t%s<<\n", $0, src >>"/dev/stderr"
+}
+$1!="."{exit 1}
+
+
+$2 == "command" { link($0); next }
+$2 == "bin" { link(s1("command", $0)); next }
+
+$2 == "library.so" { link($0); next }
+$2 == "library" { link($0); next }
+$2 == "lib" && $NF ~ /\.l?a$/ { link(s1("library", $0)); next }
+$2 == "lib" && $NF ~ /\.so(|\..*)$/ { link(s1("library.so", $0)); next }
+
+$2 == "share" && $3 ~ /^(info|man|doc|icons|terminfo)$/ { link(r1($0)); next }
+
+$2 == "man" { link($0); next }
+$2 == "info" { link($0); next }
+$2 == "doc" { link($0); next }
+$2 == "icons" { link($0); next }
+$2 == "terminfo" { link($0); next }
+$2 == "data" { link($0); next }
+$2 == "include" { link($0); next }
+
+{ printf "genlinks ##%s## skipped\n", $0 >>"/dev/stderr" }
+
+END {
+ for(fname in x) { printf "DEBUG: x[\"%s\"]=\"%s\"\n", fname, x[fname] >"/dev/stderr" }
+ for(fname in x) {
+ if(x[fname]) {
+ printf "ERROR: missing expected file \"%s\"\n", fname >"/dev/stderr"
+ exit 3
+ }
+ }
+}' >.install-links.new
+mv .install-links.new .install-links
diff --git a/packages/userspace.environment b/packages/userspace.environment
@@ -32,4 +32,5 @@
 #+getconf.d16039d91561f2bb7f430eb2250f1e7c03d59ddeea80a9c55c21e293fb528fd9
 #+iconv.0b381a2e57a5e7b3df6b6a68d72230eec4e5ef2f6a460509c94d3d502fe1f2cf
 #+libcap.3528f93ae9873fceae62855cb7c0fa521ac2c3cfabe71bf58ba01483136bf5fd
-#+applyuidgid-caps.c36c2852aba239646b379f9ea3dfc520be308a1d263c577f0da97a0d0b20b307- \ No newline at end of file
+#+applyuidgid-caps.e36af59c076e13332a716eb4cdf6571c93d9cde48fb0bdb98acb5a770e25bb30
+#+nosuid.ae35bf3fa1605f01e99b2c4c54b11da0156890c3ce38de1e26618f5db06b84f6+ \ No newline at end of file
diff --git a/templates/pkg/core-system-init b/templates/pkg/core-system-init
@@ -6,6 +6,7 @@
 #+{{pkg_install_name("s6-portable-utils")}}
 #+{{pkg_install_name("s6-linux-init")}}
 #+{{pkg_install_name("execline")}}
+#+{{pkg_install_name("nosuid")}}
 #+{{pkg_install_name("core-system-rc")}}
 s6rcdb={{pkg_install_dir("core-system-rc")}}/config/s6-rc-db
@@ -50,6 +51,7 @@ el=$prefix/deps/command/$name
 s6-cat >"$pkgdir/bin/init.new" <<EOF || exit $?
 #!$el -S0
 $(qx pthbs-enter)
+$(qx nosuid)
 $(qx s6-envdir) -I /run/current/env
 EOF
 s6-cat >>"$pkgdir/bin/init.new" <"$pkgdir/bin/init"
diff --git a/templates/pkg/nosuid b/templates/pkg/nosuid
@@ -0,0 +1,24 @@
+{% extends "genlinks" %}
+{%- block script %}
+#+{{pkg_install_name("musl-cross-make")}}
+#+{{pkg_install_name("gnu-make")}}
+#+{{pkg_install_name("busybox")}}
+#+{{pkg_install_name("skalibs")}}
+#@sha256:{{files["nosuid.c"]}}:nosuid.c
+
+name=nosuid
+{% include "functions/check_static" %}
+{% include "functions/build_env_static" %}
+{% include "functions/vars" %}
+build_env_static
+def_prefix
+
+gcc -D_GNU_SOURCE -static -o $name $name.c $LDFLAGS -lskarnet
+
+install -d "$pthbs_destdir/$prefix/command"
+install -m 755 $name "$pthbs_destdir/$prefix/command"
+check_static command/$name
+{% endblock %}
+{% block genlinks_begin %}
+ x["./command/nosuid"]=1
+{%- endblock %}
diff --git a/templates/pkg/userspace.environment b/templates/pkg/userspace.environment
@@ -33,3 +33,4 @@
 #+{{pkg_install_name("iconv")}}
 #+{{pkg_install_name("libcap")}}
 #+{{pkg_install_name("applyuidgid-caps")}}
+#+{{pkg_install_name("nosuid")}}