maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
557 Commits 1 Branch 12 Tags
673b648bd35285a1dbfc0348716dd6bdd8064a51
Commit Graph

191 Commits

Author SHA1 Message Date
Ophestra
673b648bd3 cmd/fpkg: call app in-process 
Wrapping fortify is slow, painful and error-prone. Start apps in-process instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 19:51:44 +09:00
Ophestra
840ceb615a app: handle RunState errors 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 17:36:14 +09:00
Ophestra
d050b3de25 app: define errors in a separate file 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 17:12:02 +09:00
Ophestra
6d4ac3d9fd internal: store fortify path in internal 
This now makes more sense due to the changes in build system.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 12:03:25 +09:00
Ophestra
39dc8e7bd8 dbus: set process group id 
This stops signals sent by the TTY driver from propagating to the xdg-dbus-proxy process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-25 18:12:41 +09:00
Ophestra
f0a082ec84 fortify: improve handling of RevertErr 
All this error wrapping is getting a bit ridiculous and I might want to do something about that somewhere down the line.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-25 00:45:00 +09:00
Ophestra
c64b8163e7 app: separate instance from process state 
This works better for the implementation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-21 16:06:24 +09:00
Ophestra
3c80fd2b0f app: defer system.I revert 
Just returning an error after a successful call of commit will leave garbage behind with no way for the caller to clean them. This change ensures revert is always called after successful commit with at least per-process state enabled.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 21:12:11 +09:00
Ophestra
ef81828e0c app: remove share method 
This is yet another implementation detail from before system.I, getting rid of this vastly cuts down on redundant seal state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 16:20:25 +09:00
Ophestra
2978a6f046 app: separate appSeal finalise method 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 12:33:51 +09:00
Ophestra
dfd9467523 app: merge seal with sys 
The existence of the appSealSys struct was an implementation detail obsolete since system.I was integrated in 084cd84f36.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 01:36:29 +09:00
Ophestra
53571f030e app: embed appSeal in app struct 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 01:10:37 +09:00
Ophestra
aa164081e1 app/seal: improve documentation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 01:04:14 +09:00
Ophestra
9a10eeab90 app/seal: embed enablements 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 00:41:51 +09:00
Ophestra
a748d40745 app: store values with string representation 
Improves code readability without changing memory layout.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 00:25:00 +09:00
Ophestra
648e1d641a app: separate interface from implementation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 23:07:28 +09:00
Ophestra
ffaa12b9d8 sys: wrap log methods 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 22:52:09 +09:00
Ophestra
e0f321b2c4 sys: rename from linux 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 18:47:48 +09:00
Ophestra
2c9c7fee5b linux: wrap fsu lookup error 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 17:39:53 +09:00
Ophestra
d0400f3c81 fmsg: PrintBaseError skip empty message 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 17:01:26 +09:00
Ophestra
e9b0f9faef fmsg: export logBaseError function 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 13:02:51 +09:00
Ophestra
90cb01b274 system: move out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 19:00:43 +09:00
Ophestra
b1e1d5627e system: wrap console output functions 
This eliminates all fmsg imports from internal/system.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 18:17:55 +09:00
Ophestra
3ae2ab652e system/wayland: sync file at caller specified address 
Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 13:24:17 +09:00
Ophestra
db71fbe22b system/tmpfiles: fail gracefully in API misuse 
Panicking here leaves garbage behind. Not ideal if this package is going to be exported.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 12:17:01 +09:00
Ophestra
82a072f641 system/tmpfiles: implement private tmpfiles 
These are only available within the mount namespace and should significantly reduce attack surface.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 00:07:52 +09:00
Ophestra
468696f611 internal: beforeExit before reachable fatal calls 
These are the only two calls to log.Fatal* reachable during suspended output. Call fmsg.BeforeExit here to catch that.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 19:03:34 +09:00
Ophestra
29c38caac8 app/shim/manager: return error on bad fsu path 
This results in a graceful failure that does not leave garbage behind.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 18:59:45 +09:00
Ophestra
e599b5583d fmsg: implement suspend in writer 
This removes the requirement to call fmsg.Exit on every exit path, and enables direct use of the "log" package. However, fmsg.BeforeExit is still encouraged when possible to catch exit on suspended output.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 18:51:53 +09:00
Ophestra
33a4ab11c2 internal: move shim and init into app 
This structure makes more sense, as both processes are part of an app's lifecycle.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 16:28:46 +09:00
Ophestra
c667b13a00 system: separate link Op implementation 
This Op would still be useful after replacing the Tmpfiles interface, so isolate it here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 12:15:26 +09:00
Ophestra
268a90f1a5 app: improve WAYLAND_DISPLAY correctness 
This now has identical behaviour as wayland C library.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 14:45:09 +09:00
Ophestra
ddb2f9c11b app: remove wayland socket hard link 
This Op was not doing anything useful.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 10:54:00 +09:00
Ophestra
f955b15b84 system: remove write mode tmpfiles 
This interface is ugly and bug-prone. This change removes its write mode which has been obsoleted by CopyBind.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 03:22:20 +09:00
Ophestra
0340c67995 app: port passwd and group files to copy 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 03:19:06 +09:00
Ophestra
ea8d1c07df priv/shim: move /sbin/init setup to app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 03:06:10 +09:00
Ophestra
a0062d8275 fmsg: resume on exit 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 02:22:09 +09:00
Ophestra
1f74b636d3 state/join: use Join method when available 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 14:11:02 +09:00
Ophestra
e431ab3c24 app: check username length against LOGIN_NAME_MAX 
This limit is arbitrary, but it's good to enforce it anyway.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 12:44:55 +09:00
Ophestra
fe7d208cf7 helper: use generic extra files interface 
This replaces the pipes object and integrates context into helper process lifecycle.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 23:34:15 +09:00
Ophestra
e14923ae53 helper/proc: move package out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-08 13:03:45 +09:00
Ophestra
a48386bd56 system/dbus: dump messages on early fault 
In the current app implementation this gets dumped in the wait method after resuming output. Wait is never called in an early fault condition, so any error messages get lost.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-07 13:20:56 +09:00
Ophestra
2e52191404 system/dbus: dump method prints msgbuf 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-07 13:16:54 +09:00
Ophestra
163f15e93f helper/seccomp: separate seccomp package 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-25 12:59:11 +09:00
Ophestra
23e1152baa app/share: clean BaseError message 
This removes trailing '\n' in the PulseAudio warning.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-22 11:54:16 +09:00
Ophestra
8c51012ef5 dbus: enable syscall filter 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-22 11:49:23 +09:00
Ophestra
9a239fa1a5 helper/bwrap: integrate seccomp into helper interface 
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-22 01:52:57 +09:00
Ophestra
82029948e6 proc: append to ExtraFiles slice pointer 
This is useful for initialising extra files before command.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-21 12:51:39 +09:00
Ophestra
dfcdc5ce20 state: store config in separate gob stream 
This enables early serialisation of config.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-21 12:10:58 +09:00
Ophestra
20a3d4c458 proc/priv/shim: resolve and load seccomp rules 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-20 23:52:56 +09:00