hakurei

Author	SHA1	Message	Date
Ophestra	31aef905fa	sandbox: expose seccomp interface There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 04:47:13 +09:00
Ophestra	1a8840bebc	sandbox/seccomp: resolve rules natively This enables loading syscall filter policies from external cross-platform config files. This also removes a significant amount of C code. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 22:11:32 +09:00
Ophestra	87e008d56d	treewide: rename to hakurei Fortify makes little sense for a container tool. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 04:57:41 +09:00
Ophestra	b7e991de5b	nix: update flake lock Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-05 04:05:39 +09:00
Ophestra	5979d8b1e0	dbus: clean up wrapper implementation The dbus proxy wrapper haven't been updated much ever since the helper interface was introduced. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-16 23:35:17 +09:00
Ophestra	78aaae7ee0	helper/args: copy args on wt creation Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 18:22:07 +09:00
Ophestra	24618ab9a1	sandbox: move out of internal Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 02:55:36 +09:00
Ophestra	9a1f8e129f	sandbox: wrap fmsg interface Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 02:44:07 +09:00
Ophestra	44277dc0f1	dbus: run in native sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 00:13:14 +09:00
Ophestra	6e7ddb2d2e	helper: eliminate commandContext replacement This is done more cleanly by modifying Args in cmdF. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-16 00:01:25 +09:00
Ophestra	fe7d208cf7	helper: use generic extra files interface This replaces the pipes object and integrates context into helper process lifecycle. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-13 23:34:15 +09:00
Ophestra	8c51012ef5	dbus: enable syscall filter Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 11:49:23 +09:00
Ophestra	614ad86a5b	dbus: fail on LookPath error An absolute path to xdg-dbus-proxy is required. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 16:08:48 +09:00
Ophestra Umiker	df6fc298f6	migrate to git.gensokyo.uk/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
Ophestra Umiker	65af1684e3	migrate to git.ophivana.moe/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-20 19:50:13 +09:00
Ophestra Umiker	0f421644be	dbus: improve unsealed behaviour coverage Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-12 00:53:08 +09:00
Ophestra Umiker	753c5191b1	dbus/run: support running xdg-dbus-proxy in a restrictive bubblewrap sandbox Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-09 20:41:42 +09:00
Ophestra Umiker	55a5b6f242	dbus: use name resolved by exec.Command Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-07 16:55:27 +09:00
Ophestra Umiker	9647eb6a6b	helper: separate pipes from Helper Upcoming bwrap helper implementation requires two sets of pipes to be managed, fd will also no longer be constant. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-07 12:48:20 +09:00
Ophestra Umiker	d1415305ae	dbus: test child process handling behaviour via helper stub Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-29 15:49:32 +09:00
Ophestra Umiker	cf182d1fbe	dbus: seal test error check for correct error returned Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-28 17:00:20 +09:00
Ophestra Umiker	1038af98f0	dbus: add tests Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-28 00:06:16 +09:00

22 Commits