linprov 0.2.10

eBPF mark-of-the-web for Linux: tag network-touched files and enforce who can exec them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211

//! `linprov upgrade` — copy the running binary over the system-wide
//! install path, reload systemd, restart the daemon.
//!
//! Expected flow: `cargo install --force linprov` drops a fresh
//! binary in `~/.cargo/bin/`; the user runs
//! `sudo $(which linprov) upgrade`, which copies that binary over
//! `/usr/local/bin/linprov` and bounces the unit.

use std::{
    fs,
    path::{Path, PathBuf},
    process::Command,
};

use anyhow::{anyhow, Context, Result};
use clap::Parser;
use log::{info, warn};

use crate::{
    config::{DEFAULT_INSTALL_PATH, DEFAULT_SYSTEMD_UNIT_NAME, DEFAULT_SYSTEMD_UNIT_PATH},
    install, privilege,
};

#[derive(Parser, Debug)]
pub struct UpgradeArgs {
    /// Name of the systemd unit to restart.
    #[arg(long, default_value = DEFAULT_SYSTEMD_UNIT_NAME)]
    unit: String,

    /// Path to the unit file on disk. Inspected to confirm the
    /// `ExecStart` path still matches the install path.
    #[arg(long, default_value = DEFAULT_SYSTEMD_UNIT_PATH)]
    unit_file: PathBuf,

    /// System-wide install path; the copy destination. Defaults to
    /// `/usr/local/bin/linprov` (matches what `setup` wrote).
    #[arg(long, default_value = DEFAULT_INSTALL_PATH)]
    install_path: PathBuf,

    /// Explicit source binary. Default: `$SUDO_USER`'s
    /// `~/.cargo/bin/linprov` (where `cargo install --force linprov`
    /// just laid down a fresh build), falling back to the currently-
    /// running executable if that lookup fails.
    #[arg(long)]
    source: Option<PathBuf>,

    /// Don't copy the binary, just `daemon-reload` + `restart`.
    #[arg(long)]
    no_install: bool,

    /// Don't actually run systemctl or copy; print what would happen.
    #[arg(long)]
    dry_run: bool,
}

pub fn run(args: UpgradeArgs) -> Result<()> {
    if !args.dry_run {
        privilege::require_root("linprov upgrade")?;
    }

    // Skip systemctl when the source was already byte-identical to
    // the install path. Otherwise we'd bounce the daemon for nothing
    // — which is wasteful and surprises people who run
    // `linprov upgrade` to check whether they're up-to-date.
    let mut changed = true;
    if !args.no_install {
        let source = resolve_source(args.source.as_deref(), &args.install_path)?;
        if args.dry_run {
            println!(
                "would copy {} -> {}",
                source.display(),
                args.install_path.display()
            );
        } else {
            install::refuse_distro_owned(&args.install_path)?;
            match install::install_to(&source, &args.install_path)? {
                install::Outcome::Installed => info!(
                    "refreshed `{}` from `{}`",
                    args.install_path.display(),
                    source.display(),
                ),
                install::Outcome::AlreadyCurrent => {
                    info!(
                        "`{}` already matches `{}` — nothing to do",
                        args.install_path.display(),
                        source.display(),
                    );
                    changed = false;
                }
            }
        }
    }
    check_exec_start_matches(&args.unit_file, &args.install_path)?;
    if !changed {
        info!("skipping systemctl restart (no new bytes installed)");
        return Ok(());
    }
    systemctl(&args.unit, args.dry_run)
}

/// Pick the binary to copy *from*. Priority:
///   1. `--source <path>` (explicit override)
///   2. Heuristic chain in [`install::cargo_install_source`] —
///      sudo / doas / pkexec / logname / euid home / unique-match
///      scan
///   3. The currently-running binary
///
/// If none give us a path that differs from `install_path`, surface a
/// hard error — silently bouncing the daemon when the user thinks
/// they're upgrading is the worst outcome.
fn resolve_source(explicit: Option<&Path>, install_path: &Path) -> Result<PathBuf> {
    if let Some(p) = explicit {
        return Ok(p.to_path_buf());
    }
    if let Some(p) = install::cargo_install_source() {
        info!(
            "found a freshly-installed binary at `{}`; using it as the upgrade source",
            p.display()
        );
        return Ok(p);
    }
    let current = install::current_exe()?;
    if same_path(&current, install_path) {
        return Err(anyhow!(
            "no upgrade source: the running binary IS `{}`, and we couldn't \
             auto-detect a `~/.cargo/bin/linprov` anywhere on this host. \
             Either run `cargo install --force linprov` as a normal user, \
             or point at the new binary explicitly:\n\n  \
             sudo linprov upgrade --source /path/to/new/linprov\n",
            install_path.display()
        ));
    }
    Ok(current)
}

fn same_path(a: &Path, b: &Path) -> bool {
    fs::canonicalize(a)
        .and_then(|ac| fs::canonicalize(b).map(|bc| ac == bc))
        .unwrap_or(false)
}

fn check_exec_start_matches(unit_file: &Path, install_path: &Path) -> Result<()> {
    let unit = match fs::read_to_string(unit_file) {
        Ok(s) => s,
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
            warn!(
                "systemd unit `{}` not found — `linprov setup` hasn't run \
                 on this host, or it wrote a unit somewhere else. Skipping \
                 the ExecStart drift check.",
                unit_file.display()
            );
            return Ok(());
        }
        Err(e) => {
            return Err(e).with_context(|| format!("reading `{}`", unit_file.display()));
        }
    };

    let exec_start = unit
        .lines()
        .find_map(|l| l.strip_prefix("ExecStart="))
        .map(str::trim);
    let Some(exec_line) = exec_start else {
        warn!(
            "unit `{}` has no ExecStart= line; can't verify the binary path matches.",
            unit_file.display()
        );
        return Ok(());
    };

    let unit_binary = exec_line.split_whitespace().next().unwrap_or("");
    if Path::new(unit_binary) != install_path {
        warn!(
            "unit ExecStart points at `{unit_binary}` but the install \
             path is `{}`. The unit will keep running the old binary \
             until you re-run `linprov setup --force` to rewrite it.",
            install_path.display(),
        );
    } else {
        info!(
            "ExecStart matches the install path ({})",
            install_path.display()
        );
    }
    Ok(())
}

fn systemctl(unit: &str, dry_run: bool) -> Result<()> {
    let cmds: &[&[&str]] = &[
        &["systemctl", "daemon-reload"],
        &["systemctl", "restart", unit],
    ];
    for cmd in cmds {
        if dry_run {
            println!("would run: {}", cmd.join(" "));
            continue;
        }
        info!("running: {}", cmd.join(" "));
        let status = Command::new(cmd[0])
            .args(&cmd[1..])
            .status()
            .with_context(|| format!("invoking `{}`", cmd.join(" ")))?;
        if !status.success() {
            return Err(anyhow!("`{}` exited {:?}", cmd.join(" "), status.code()));
        }
    }
    if !dry_run {
        info!("linprov restarted. Tail with: journalctl -u {unit} -f");
    }
    Ok(())
}