This is a much less useful port of the test workflow and runs much slower due to runner limitations.
Still better than nothing though.
Signed-off-by: Ophestra <cat@gensokyo.uk>
There is a strange behaviour in xdg-dbus-proxy where if any interface string when stripped of a single ".*" suffix does not contain a '.' byte anywhere, the program will exit with code 1 without any output. This checks for such conditions to make the failure less confusing.
Signed-off-by: Ophestra <cat@gensokyo.uk>
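The condition described in the commit message above, written out as an added Go example (not the project's own code). The names `interfaceOK`, `checkInterfaces` and `BadInterface`, the `"talk"` list label and the sample entries are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// BadInterface records one filter entry that fails the check.
type BadInterface struct {
	List  string // hypothetical label for the filter list the entry came from
	Index int
	Value string
}

func (b BadInterface) String() string {
	return fmt.Sprintf("%s[%d]: %q has no '.' once a single \".*\" suffix is removed",
		b.List, b.Index, b.Value)
}

// interfaceOK applies the condition from the commit message: remove at most
// one trailing ".*", then require a '.' byte somewhere in the remainder.
func interfaceOK(name string) bool {
	return strings.IndexByte(strings.TrimSuffix(name, ".*"), '.') >= 0
}

// checkInterfaces returns every offending entry, in input order, so the
// caller can report all of them before the proxy is started.
func checkInterfaces(list string, names []string) []BadInterface {
	var bad []BadInterface
	for i, name := range names {
		if !interfaceOK(name) {
			bad = append(bad, BadInterface{list, i, name})
		}
	}
	return bad
}

func main() {
	// Constructed sample entries, not taken from any real configuration.
	sample := []string{"org.freedesktop.Notifications", "org.freedesktop.*",
		"org.*", "Notifications", ".*", "a.*.*"}
	for _, b := range checkInterfaces("talk", sample) {
		fmt.Println("invalid", b)
	}
}
```

Only one `.*` suffix is removed, so `a.*.*` passes while `org.*` and a bare `.*` are reported.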
This process runs outside the application container's pid namespace, so it is a good idea to check whether its lifecycle becomes decoupled from the application.
Signed-off-by: Ophestra <cat@gensokyo.uk>
The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This significantly reduces setup op count and the readdir call now happens in the context of the init process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This should never be a problem; however, in case it happens, printing a warning message is better than relying on the runtime to panic.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This does not necessarily reduce attack surface but does not affect functionality or introduce any side effects, so is nice to have.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This is an implementation detail that was exported for the bwrap argument builder. The removal of that package allows it to be unexported.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This ensures a signal gets delivered to the process instead of relying on parent death behaviour.
SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials.
A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This format has never changed since it was added. It used to show everything there is in a process state, but that has not been true for a long time. This change cleans it up in favour of `fortify show` displaying extra information.
Signed-off-by: Ophestra <cat@gensokyo.uk>