562f5ed797
fst: hide sockets exposed via Filesystem
This is mostly useful for permissive defaults.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 10:13:18 +09:00

6acd0d4e88
linux/std: handle fsu exit status 1
Printing "exit status 1" is confusing. This handles the ExitError and returns EACCES instead.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-01 21:34:57 +09:00
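
The mapping that 6acd0d4e88 describes, as an added example rather than fortify's own code: a wrapper runs the privileged helper and, when it fails with exit status 1, returns syscall.EACCES in place of the generic *exec.ExitError, so callers and errors.Is see a permission error instead of a bare exit code. The names runWrapped and mapExitError and the `sh -c` stand-in for fsu are assumptions; the page does not describe any other fsu exit codes, so everything except status 1 is passed through unchanged. The caveat a reviewer would raise: exit status 1 is the generic failure code for most programs, so this mapping is only sound for a helper whose contract reserves 1 for "denied".

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"syscall"
)

// mapExitError converts the *exec.ExitError for exit status 1 into
// syscall.EACCES. Any other failure, including other exit statuses and
// spawn errors such as a missing binary, is returned unchanged.
func mapExitError(err error) error {
	if err == nil {
		return nil
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) && exitErr.ExitCode() == 1 {
		return syscall.EACCES
	}
	return err
}

// runWrapped runs a helper that is assumed to reserve exit status 1 for
// "access denied" and applies the mapping to its result.
func runWrapped(name string, args ...string) error {
	return mapExitError(exec.Command(name, args...).Run())
}

func main() {
	// Constructed stand-in for the helper: a shell that exits 1.
	err := runWrapped("sh", "-c", "exit 1")
	fmt.Println(errors.Is(err, syscall.EACCES)) // true
	fmt.Println(err)                             // permission denied
	fmt.Println(runWrapped("sh", "-c", "exit 2")) // exit status 2
}
```

With the mapping in place, a caller can switch on errors.Is(err, syscall.EACCES) and print a message that names the real problem; exit status 2 and higher still surface as the original exec error text.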

c4d6651cae
update reverse-DNS style identifiers
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-31 16:16:38 +09:00

bf8094c6ca
internal: include path to fortify main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 12:48:48 +09:00

9b206072fa
cmd/fshim: ensure data directory
Ensuring the home directory in the shim causes the directory to be owned by the target user.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:39:01 +09:00

b9e2003d5b
app: ensure extra paths
The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app).
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:07:49 +09:00

847b667489
app: extra acl entries from configuration
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 13:23:27 +09:00

0107620d8c
app: merge share methods
This significantly increases readability and makes order of ops more obvious.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 11:12:35 +09:00

1f173a469c
system/dbus: fix inverted system bus state
Debug message and socket cleanup get missed due to this value being inverted.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:38:11 +09:00

f608f28a6a
app: mount /dev/kvm in permissive defaults
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-22 12:37:24 +09:00

cb98baa19d
fortify: clean up ps formatting code
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 20:34:40 +09:00

7a8b625a57
app: rename /fortify to /.fortify
Also removed the inner share tmpfs mount.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 18:11:32 +09:00

74fe74e6b5
app: do not fail on missing cookie
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 17:56:21 +09:00

b9cc318314
system: implement Enablements String method
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 23:21:19 +09:00

ed10574dea
state: store join util
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 19:05:39 +09:00

df6fc298f6
migrate to git.gensokyo.uk/security/fortify
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00

eae3034260
state: expose aids and use instance id as key
Fortify state store instances were specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 21:36:17 +09:00

f796622c35
state: rename simple store implementation
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:48:48 +09:00

5d25bee786
fortify: remove systemd check
This is no longer necessary as fortify no longer integrates with external user switchers.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:14:31 +09:00

52f21a19f3
cmd/fshim: switch to setup pipe
The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 19:39:25 +09:00

7f29b37a32
proc: setup payload send
Generic setup payload encoder adapted from fshim.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 17:20:01 +09:00

ef8fd37e9d
proc: setup payload receive
Generic implementation of setup payload receiver adapted from finit.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 16:48:41 +09:00

2f676c9d6e
fst: rename from fipc
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 15:50:46 +09:00

b752ec4468
fipc: export config struct
Also store full config as part of state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 13:45:55 +09:00

f773c92411
system: prevent duplicate Wayland op
Wayland is implemented as an Op to enforce dependency and cleanup; its implementation does not allow multiple instances on a single sys object, nor would doing that make any sense.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-07 19:45:37 +09:00

cc816a1aaa
proc: cleaner extra files
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 16:05:04 +09:00

b3ef53b193
app: integrate security-context-v1
Should be able to get rid of XDG_RUNTIME_DIR share after this.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:25:33 +09:00

38e92edb8e
system/wayland: integrate security-context-v1
Had to pass the sync fd through sys. The rest are just part of a standard Op.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:20:15 +09:00

b291f0b710
app: add nixos-based config test case
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-21 12:13:21 +09:00

9faf3b3596
app: validate username
This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue; however, validation will improve the user experience.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 21:01:41 +09:00
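
An added example of the kind of check 9faf3b3596 describes, not fortify's own validator: the username is checked before it is written into a generated passwd(5) line, because a ':' in the name starts a new field and a newline starts a new record, and either produces the confusing failures the commit mentions. The character rules are the portable username set that useradd accepts by default (a lowercase letter or underscore, then lowercase letters, digits, underscore or dash, optional trailing '$' for machine accounts); the 32-byte limit, the function names and all sample values are assumptions. The home and shell fields get the same separator check since they also end up in the line.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// usernameRe is the portable username set useradd accepts by default:
// a lowercase letter or underscore, then lowercase letters, digits,
// underscore or dash, with an optional trailing '$' (machine accounts).
var usernameRe = regexp.MustCompile(`^[a-z_][a-z0-9_-]*\$?$`)

// maxUsernameLen is the 32-byte limit most login tools enforce (assumption).
const maxUsernameLen = 32

// validateUsername rejects names that useradd would refuse or that would
// corrupt a passwd(5) line (':' starts a new field, '\n' a new record).
func validateUsername(name string) error {
	switch {
	case name == "":
		return errors.New("username is empty")
	case len(name) > maxUsernameLen:
		return fmt.Errorf("username %q is longer than %d bytes", name, maxUsernameLen)
	case !usernameRe.MatchString(name):
		return fmt.Errorf("username %q is not a portable username", name)
	}
	return nil
}

// passwdEntry renders one passwd(5) line for the sandbox user after
// validating every free-form field, so bad input fails loudly here
// instead of surfacing later as an unexplained login or lookup failure.
func passwdEntry(name string, uid, gid int, home, shell string) (string, error) {
	if err := validateUsername(name); err != nil {
		return "", err
	}
	for _, f := range []string{home, shell} {
		if strings.ContainsAny(f, ":\n") {
			return "", fmt.Errorf("field %q contains ':' or a newline", f)
		}
	}
	return fmt.Sprintf("%s:x:%d:%d::%s:%s\n", name, uid, gid, home, shell), nil
}

func main() {
	// Constructed sample values, not taken from the project.
	for _, n := range []string{"chronos", "u0_a1", "Chronos", "bad:name", "", "x\ny"} {
		fmt.Printf("%-12q -> %v\n", n, validateUsername(n))
	}
	line, err := passwdEntry("chronos", 65534, 65534, "/home/chronos", "/bin/sh")
	fmt.Printf("%q %v\n", line, err)
}
```

The regexp deliberately excludes uppercase and non-ASCII: useradd rejects them without a flag, and a name that passes here will also survive getpwnam on the host side.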

ae2628e57a
cmd/fshim/ipc: install signal handler on shim start
Getting killed at this point will result in inconsistent state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 13:33:46 +09:00

05b7dbf066
app: alternative inner home path
Support binding home to an alternative path in the mount namespace.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 00:18:21 +09:00

866270ff05
fmsg: add to wg prior to enqueue
Adding after channel write is racy.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:50:02 +09:00

c1fad649e8
app/start: check for cleanup and abort condition
Dirty fix. Will rewrite after fsu integration complete.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:41:52 +09:00

b5f01ef20b
app: append # for ChangeHosts message with numerical uid
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:40:37 +09:00

df33123bd7
app: integrate fsu
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-16 21:19:45 +09:00

9a13b311ac
app/config: rename map_real_uid from use_real_uid
This option only changes mapped uid in the user namespace.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 12:01:34 +09:00

3dfc1fcd56
app: support full /dev access
Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 03:49:39 +09:00

69cc64ef56
linux: provide access to stdout
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:55:46 +09:00

fc25ac2523
app: separate auto etc from permissive defaults
Populating /etc with symlinks is quite useful even outside the permissive defaults usage pattern.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:18:05 +09:00

d909b1190a
app/config: UseRealUID as true in template
The template is based on a Chromium setup, which this workaround was created for.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 19:45:31 +09:00

d7df24c999
fmsg: drop messages when msgbuf is full during withhold
Logging functions are not expected to block. This change fixes multiple hangs where more than 64 messages are produced during withhold.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:56:19 +09:00
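
The two fmsg entries above (866270ff05 and d7df24c999) describe one small structure: a withheld message queue of fixed depth, a WaitGroup that accounts for messages still in flight, and logging calls that must never block. What follows is an added example of that pattern, not fmsg's own code; the Logger type, its method names, the Resume gate and the depth of 4 used in main are assumptions (the commit mentions a depth of 64). It shows why wg.Add has to come before the channel send, and how a select with a default branch turns a full buffer into a counted drop instead of a hang.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Logger queues messages while output is withheld. Log never blocks:
// when the queue is full the message is dropped and counted instead.
type Logger struct {
	queue   chan string
	wg      sync.WaitGroup // one count per message sitting in the queue
	resume  chan struct{}  // closed once output may be written
	once    sync.Once
	mu      sync.Mutex
	out     []string // stand-in for the terminal
	dropped int64
}

// NewLogger starts the consumer goroutine. With withhold set, nothing is
// written until Resume is called, so at most depth messages accumulate.
func NewLogger(depth int, withhold bool) *Logger {
	l := &Logger{queue: make(chan string, depth), resume: make(chan struct{})}
	if !withhold {
		l.Resume()
	}
	go l.consume()
	return l
}

func (l *Logger) consume() {
	<-l.resume // output is withheld until Resume
	for msg := range l.queue {
		l.mu.Lock()
		l.out = append(l.out, msg)
		l.mu.Unlock()
		l.wg.Done() // the message is no longer in flight
	}
}

// Log enqueues msg without blocking and reports whether it was accepted.
func (l *Logger) Log(msg string) bool {
	// Add before the send: once msg is in the channel the consumer may
	// call Done at any moment, and Done racing ahead of Add is a WaitGroup
	// misuse (Wait can return early, or the counter goes negative and panics).
	l.wg.Add(1)
	select {
	case l.queue <- msg:
		return true
	default:
		l.wg.Done() // never in flight, take the count back
		atomic.AddInt64(&l.dropped, 1)
		return false
	}
}

// Resume lets the consumer start writing the withheld messages.
func (l *Logger) Resume() { l.once.Do(func() { close(l.resume) }) }

// Dropped reports how many messages were discarded because the queue was full.
func (l *Logger) Dropped() int64 { return atomic.LoadInt64(&l.dropped) }

// Drain resumes output, waits until every accepted message has been
// written, and returns a copy of what was written.
func (l *Logger) Drain() []string {
	l.Resume()
	l.wg.Wait()
	l.mu.Lock()
	defer l.mu.Unlock()
	return append([]string(nil), l.out...)
}

func main() {
	l := NewLogger(4, true) // constructed: depth 4 instead of the commit's 64
	for i := 0; i < 6; i++ {
		fmt.Printf("m%d accepted=%v\n", i, l.Log(fmt.Sprintf("m%d", i)))
	}
	fmt.Println("written:", l.Drain(), "dropped:", l.Dropped())
}
```

Dropping is the right failure mode here only because these are diagnostic messages: the drop counter makes the loss visible, and a caller that must not lose records should use a blocking send on a dedicated goroutine instead of routing through this path.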

88abcbe0b2
cmd/fsu: remove import of internal package
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:32:14 +09:00

af15b1c048
app: support mapping target uid as privileged uid in sandbox
Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 03:15:39 +09:00

7962681f4a
app: format mapped uid instead of real uid
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 00:49:32 +09:00

bfcce3ff75
system/dbus: buffer xdg-dbus-proxy messages
Pointing xdg-dbus-proxy to stdout/stderr makes a huge mess. This change enables app to neatly print out prefixed xdg-dbus-proxy messages after output is resumed.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-03 03:07:02 +09:00

584732f80a
cmd: shim and init into separate binaries
This change also fixes a deadlock when shim fails to connect and complete the setup.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-02 03:13:57 +09:00

431dc095e5
app/start: skip cleanup if shim is nil
Shim is created before any system operation happens.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 14:21:15 +09:00

60e91b9b0f
shim: expose checkPid in constructor
This will be supported soon when launching via fsu.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 00:02:55 +09:00

51e84ba8a5
system/dbus: compare sealed value by string
Stringer method of dbus.Proxy returns a string representation of its args stream when sealed.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-27 12:09:34 +09:00