When starting with the permissive defaults "run" command, attempt to resolve home directory from os by default and fall back to /var/empty.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This provides user records via nss-systemd. Static drop-in entries are generated to reduce complexity and attack surface.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Despite presenting itself as a generic desktop integration interface, xdg-desktop portal is highly flatpak-centric and only supports flatpak and snap in practice. It is a significant attack surface to begin with as it is a privileged process which accepts input from unprivileged processes, and the lack of support for anything other than fortify also introduces various information leaks when exposed to fortify as it treats fortified programs as unsandboxed, privileged programs in many cases.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Zsh store path in shebang. Replace writeShellScript with writeScript since runtimeShell is not overridable.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This release significantly changes the command line interface, and updates the NixOS module to finally produce meaningful sandbox configuration.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This will be the final release before major command line interface changes. This version is tagged as it contains many fixes that still impacts the permissive defaults usage pattern.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Logging functions are not expected to block. This change fixes multiple hangs where more than 64 messages are produced during withhold.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Pointing xdg-dbus-proxy to stdout/stderr makes a huge mess. This change enables app to neatly print out prefixed xdg-dbus-proxy messages after output is resumed.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This message eventually gets returned by the app's Start method, so they should be wrapped to provide a friendly message.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Only allow main program to launch fsu. This change and further checks in the main program reduces attack surface.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This implements lazy loading of the systemd marker (they are not accessed in init and shim) and ensures consistent behaviour when running with a stub.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This change moves all user switcher and shim management to the shim package and withholds output while shim is alive. This also eliminated all exit scenarios where revert is skipped.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Trying to print to a shared stdout is a terrible idea. This change makes it possible to withhold output for the lifetime of the sandbox.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
cat
