87e008d56d
treewide: rename to hakurei
...
Fortify makes little sense for a container tool.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-25 04:57:41 +09:00
b7e991de5b
nix: update flake lock
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-05 04:05:39 +09:00
dde2516304
dbus: handle bizarre dbus proxy behaviour
...
There is a strange behaviour in xdg-dbus-proxy where if any interface string when stripped of a single ".*" suffix does not contain a '.' byte anywhere, the program will exit with code 1 without any output. This checks for such conditions to make the failure less confusing.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-05-25 19:50:06 +09:00
5979d8b1e0
dbus: clean up wrapper implementation
...
The dbus proxy wrapper haven't been updated much ever since the helper interface was introduced.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-16 23:35:17 +09:00
584405f7cc
sandbox/seccomp: rename flag type and constants
...
The names are ambiguous. Rename them to make more sense.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-08 01:59:45 +09:00
78aaae7ee0
helper/args: copy args on wt creation
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 18:22:07 +09:00
24618ab9a1
sandbox: move out of internal
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-17 02:55:36 +09:00
9a1f8e129f
sandbox: wrap fmsg interface
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-17 02:44:07 +09:00
44277dc0f1
dbus: run in native sandbox
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-17 00:13:14 +09:00
273d97af85
ldd: lib paths resolve function
...
This is what always happens right after a ldd call, so implement it here.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-16 01:20:09 +09:00
6e7ddb2d2e
helper: eliminate commandContext replacement
...
This is done more cleanly by modifying Args in cmdF.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-16 00:01:25 +09:00
10a21ce3ef
helper: expose extra files to direct
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-15 02:27:40 +09:00
f9bf20a3c7
helper: rearrange initialisation args
...
This improves consistency across two different helper implementations.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-15 01:06:31 +09:00
f443d315ad
helper: clean up interface
...
The helper interface was messy due to odd context acquisition order. That has changed, so this cleans it up.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-15 00:27:44 +09:00
7c60a4d8e8
helper: embed context on creation
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-14 18:30:22 +09:00
39dc8e7bd8
dbus: set process group id
...
This stops signals sent by the TTY driver from propagating to the xdg-dbus-proxy process.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-25 18:12:41 +09:00
73146ea7fa
dbus: remove BwrapStatic method
...
This method does not do anything and is not called from anywhere. It also does not make any sense as a public interface since the argument builder is no longer stateless.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-14 18:09:59 +09:00
fe7d208cf7
helper: use generic extra files interface
...
This replaces the pipes object and integrates context into helper process lifecycle.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 23:34:15 +09:00
72fb13dccc
dbus: lock for read in public args interface
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-07 13:42:29 +09:00
8c51012ef5
dbus: enable syscall filter
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 11:49:23 +09:00
9a239fa1a5
helper/bwrap: integrate seccomp into helper interface
...
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 01:52:57 +09:00
2f70506865
helper/bwrap: move sync to helper state
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-19 18:38:13 +09:00
1651eb06df
dbus: implement dbus_parse_address
...
This parses D-Bus addresses according to spec. It does significantly fewer copies than dbus_parse_address.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-12 23:24:03 +09:00
ac543a1ce8
dbus: rename makeTestCases
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-12 23:21:28 +09:00
c4d6651cae
update reverse-DNS style identifiers
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2024-12-31 16:16:38 +09:00
dc579dc610
dbus/run: bind ldd entry absolute name
...
The ld.so entry has an absolute name. They are usually symlinks so binding path does not guarantee ld.so availability under its expected path in the mount namespace.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2024-12-26 16:36:03 +09:00
614ad86a5b
dbus: fail on LookPath error
...
An absolute path to xdg-dbus-proxy is required.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2024-12-26 16:08:48 +09:00
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-12-20 00:20:02 +09:00
4b7b899bb3
add package doc comments
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-28 20:57:59 +09:00
65af1684e3
migrate to git.ophivana.moe/security/fortify
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-20 19:50:13 +09:00
33cf0bed54
dbus: various accessors for dbus.Proxy internal fields
...
These values are useful during sandbox setup and exporting them makes more sense than storing them twice.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-16 01:27:49 +09:00
2faf510146
helper/bwrap: ordered filesystem args
...
The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-15 02:15:55 +09:00
0f421644be
dbus: improve unsealed behaviour coverage
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-12 00:53:08 +09:00
d41b9d2d9c
ldd: separate Parse from Exec and trim space
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-09 23:51:15 +09:00
753c5191b1
dbus/run: support running xdg-dbus-proxy in a restrictive bubblewrap sandbox
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-09 20:41:42 +09:00
55a5b6f242
dbus: use name resolved by exec.Command
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-07 16:55:27 +09:00
85407dd3c0
helper: helper.Helper interface
...
For upcoming bwrap implementation of helper.Helper
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-07 15:37:52 +09:00
9647eb6a6b
helper: separate pipes from Helper
...
Upcoming bwrap helper implementation requires two sets of pipes to be managed, fd will also no longer be constant.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-07 12:48:20 +09:00
d1415305ae
dbus: test child process handling behaviour via helper stub
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-29 15:49:32 +09:00
98f9fdb7cc
dbus: configurable xdg-dbus-proxy output
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-29 15:27:29 +09:00
dc59f20d7b
dbus: toggleable xdg-dbus-proxy output
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-29 15:24:54 +09:00
0e7849fac2
dbus: add more test cases
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-28 19:19:31 +09:00
342c66aae8
dbus: replace test suffix * with +
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-28 17:47:15 +09:00
cf182d1fbe
dbus: seal test error check for correct error returned
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-28 17:00:20 +09:00
1038af98f0
dbus: add tests
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-28 00:06:16 +09:00
aa2be18f47
dbus/config: implement file loading functions
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-27 23:53:08 +09:00
84d8c27b5f
dbus: return exported error for nil config
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-27 23:52:38 +09:00
ee2f5ed6ac
dbus/config: remove unused method
...
Null checking is replaced by helper/args while string building is no longer required.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-27 12:04:28 +09:00
8492239cba
helper/args: simplify argument parsing and eliminate excess memory copies
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-25 14:00:30 +09:00
a8b4b3634b
dbus: use generalised helper.Helper for xdg-dbus-proxy
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-09-25 01:17:38 +09:00
