maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
597 Commits 2 Branches 12 Tags
f9bf20a3c75d01cf597477231f9bbb61f15cd4fd
Commit Graph

17 Commits

Author SHA1 Message Date
Ophestra
4bb5d9780f ldd: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 17:55:55 +09:00
Ophestra
d22145a392 ldd: handle musl static behaviour 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-12 23:29:43 +09:00
Ophestra
39dc8e7bd8 dbus: set process group id 
This stops signals sent by the TTY driver from propagating to the xdg-dbus-proxy process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-25 18:12:41 +09:00
Ophestra
dccb366608 ldd: handle behaviour on static executable 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 18:02:33 +09:00
Ophestra
83c8f0488b ldd: pass absolute path to bwrap 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 17:46:22 +09:00
Ophestra
fe7d208cf7 helper: use generic extra files interface 
This replaces the pipes object and integrates context into helper process lifecycle.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 23:34:15 +09:00
Ophestra
5a64cdaf4f ldd: enable syscall filter 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-22 02:00:49 +09:00
Ophestra
9a239fa1a5 helper/bwrap: integrate seccomp into helper interface 
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-22 01:52:57 +09:00
Ophestra
2f70506865 helper/bwrap: move sync to helper state 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-19 18:38:13 +09:00
Ophestra
b956ce4052 ldd: trim leading and trailing white spaces from name 
Glibc emits ldd output with \t prefix for formatting. Remove that here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-26 16:53:01 +09:00
Ophestra
ade57c39af ldd: add fhs glibc test case 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-26 16:33:02 +09:00
Ophestra Umiker
df6fc298f6 migrate to git.gensokyo.uk/security/fortify 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-12-20 00:20:02 +09:00
Ophestra Umiker
4b7b899bb3 add package doc comments 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-28 20:57:59 +09:00
Ophestra Umiker
65af1684e3 migrate to git.ophivana.moe/security/fortify 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-20 19:50:13 +09:00
Ophestra Umiker
73a698c7cb ldd: run ldd with read-only filesystem and unshared net 
This is only called on trusted programs, however extra hardening is never a bad idea.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-17 15:37:27 +09:00
Ophestra Umiker
d41b9d2d9c ldd: separate Parse from Exec and trim space 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-09 23:51:15 +09:00
Ophestra Umiker
6232291cae ldd: implement strict ldd output parser 
Fortify needs to internally resolve helper program sandbox config. They are considered trusted and runs under the privileged UID so ldd output is used to determine libraries they need inside the sandbox environment.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-09 20:39:27 +09:00