hakurei

Author	SHA1	Message	Date
Ophestra	67e453f5c4	dist: run tests This used to be impossible due to nix jank which has been addressed. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-01-27 07:00:39 +09:00
Ophestra	e42ea32dbe	nix: configure sharefs via fileSystems Turns out this did not work because in the vm test harness, virtualisation.fileSystems completely and silently overrides fileSystems, causing its contents to not even be evaluated anymore. This is not documented as far as I can tell, and is not obvious by any stretch of the imagination. The current hack is cargo culted from nix-community/impermanence and hopefully lasts until this project fully replaces nix. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-27 23:14:08 +09:00
Ophestra	7bfbd59810	cmd/sharefs: implement shared filesystem This is for passing files between applications, similar to android /sdcard. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-25 05:13:02 +09:00
Ophestra	ea815a59e8	nix: disable source fortification in devShell This generates warnings when compiling without optimisation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-21 02:22:28 +09:00
Ophestra	ebc67bb8ad	nix: update flake lock NixOS 25.11 introduces a crash in cage and an intermittent crash in foot. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-12 08:39:55 +09:00
Ophestra	c761e1de4d	nix: build with clang Clang is better than gcc in various ways. This also pulls in clang-format which is very helpful. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-11-15 16:36:36 +09:00
Ophestra	5c2b63a7f1	container: add 386 constants While it is unlikely a use case for hakurei on i686 exists, it does not hurt to have this support. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-11-05 20:21:14 +09:00
Ophestra	a4f7e92e1c	test/interactive: helper scripts for tracing The vm state is discarded often, and it is quite cumbersome to set everything up again when the shell history is gone. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 00:56:25 +09:00
Ophestra	72a931a71a	nix: interactive nixos vm This is useful for quickly spinning up an ephemeral hakurei environment for testing changes or reproducing vm test failures. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-07 02:46:04 +09:00
Ophestra	a8a79a8664	cmd/hpkg: rename from planterette Planterette is now developed in another repository, so rename this proof of concept to avoid confusion. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-31 23:57:11 +09:00
Ophestra	72c2b66fc0	nix: cross-platform syscall wrapper Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 04:22:55 +09:00
Ophestra	e03d702d08	sandbox/seccomp: implement syscall lookup This uses the Go map and is verified against libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 00:35:27 +09:00
Ophestra	9a8a047908	sandbox/seccomp: syscall name lookup table The script is from Go source of same name. The result is checked against libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-26 03:49:07 +09:00
Ophestra	aa454b158f	cmd/planterette: remove hsu special case Remove special case and invoke hakurei out of process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 20:50:24 +09:00
Ophestra	87e008d56d	treewide: rename to hakurei Fortify makes little sense for a container tool. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 04:57:41 +09:00
Ophestra	b7e991de5b	nix: update flake lock Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-05 04:05:39 +09:00
Ophestra	297b444dfb	test: separate app and sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 22:09:46 +09:00
Ophestra	b39f3aeb59	helper: remove bubblewrap wrapper Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 05:35:02 +09:00
Ophestra	3385538142	nix: clean up flake outputs Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 12:26:19 +09:00
Ophestra	4bb5d9780f	ldd: run in native sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-14 17:55:55 +09:00
Ophestra	9b1a60b5c9	sandbox: native container tooling This should eventually replace bwrap. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-13 21:36:26 +09:00
Ophestra	c8ed7aae6e	nix: update flake lock Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-10 18:38:14 +09:00
Ophestra	2d4cabe786	nix: increase nixfmt max width Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-28 14:43:46 +09:00
Ophestra	12c6d66bfd	cmd/fpkg/test: nixos test fpkg install/start Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-26 13:12:16 +09:00
Ophestra	c21a4cff14	nix: wrap fpkg This is usable on nixos now due to the static build. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-26 12:24:04 +09:00
Ophestra	5a732d153e	nix: include fsu sources in dist build Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-25 01:32:47 +09:00
Ophestra	b6af8caffe	nix: clean up directory structure Tests for fpkg is going to be in ./cmd/fpkg, so this central tests directory is no longer necessary. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:48:01 +09:00
Ophestra	8bf162820b	nix: separate fsu from package This appears to be the only way to build them with different configuration. This enables static linking in the main package. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:13:37 +09:00
Ophestra	eb0c16dd8c	cmd/fpkg: rename buildPackage file Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-21 18:13:34 +09:00
Ophestra	64b6dc41ba	nix: split integration test For adding tests for fpkg. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-21 17:05:17 +09:00
Ophestra	60c10c3f4a	nix: run integration tests with race detector Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 20:58:08 +09:00
Ophestra	3df344828f	proc/priv/shim: seccomp bpf filter via libseccomp Rulesets adapted from Flatpak for compatibility. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 23:39:47 +09:00
Ophestra	c4de450217	nix: do not force static linking on nix In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 22:56:16 +09:00
Ophestra	b60c01f440	fortify: switch to static linking Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-16 17:32:52 +09:00
Ophestra	5416b07daa	nix: remove unused argument 'self' Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 14:49:55 +09:00
Ophestra	e57a0e9bf2	nix: rename fortifyBundle to buildPackage Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 14:35:37 +09:00
Ophestra	5125e96ecf	nix: generate application package build script This takes some metadata, sandbox options, a launch script and a list of home-manager modules. The result needs to be executed in an environment with nix daemon access, and it produces the final package file. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 00:42:21 +09:00
Ophestra Umiker	7b6052a473	nix: run Go tests in nixos Nix build environment does not support ACLs in any filesystem. This allows acl tests to run. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 21:16:55 +09:00
Ophestra Umiker	3f993021f8	nix: permissive defaults nixos test Adapted from nixos sway integration tests. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 22:56:10 +09:00
Ophestra Umiker	4d3bd5338f	nix: implement flake checks Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 20:54:28 +09:00
Ophestra Umiker	6b8ddca7b4	nix: track nixos stable 24.11 Reduce rebuilds during development on my system. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 00:44:04 +09:00
Ophestra Umiker	0a546885e3	nix: update options doc Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-19 18:12:35 +09:00
Ophestra Umiker	d9cb2a9f2b	fsu: implement simple setuid user switcher Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-28 00:02:34 +09:00
Ophestra Umiker	40161c5938	nix: remove fortify package from default devShell This change makes it possible to start a devShell when tests aren't passing. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-17 20:35:10 +09:00
Ophestra Umiker	1038af98f0	dbus: add tests Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-28 00:06:16 +09:00
Ophestra Umiker	61628dabb7	nix: remove obnoxious shell hook Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-22 16:08:11 +09:00
Ophestra Umiker	3d963b9f67	nix: include package buildInputs in devShells Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-17 23:15:33 +09:00
Ophestra Umiker	945cce2f5e	nix: implement nixos module Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-04 17:03:21 +09:00
Ophestra Umiker	d8f76f3b25	rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-04 01:20:12 +09:00
Ophestra Umiker	7e6eb82195	license: embed license in executable Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-07-16 22:07:40 +09:00

1 2

53 Commits