hakurei

Author	SHA1	Message	Date
Ophestra	7f2c0af5ad	fst: set multiarch bit Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 22:55:00 +09:00
Ophestra	297b444dfb	test: separate app and sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 22:09:46 +09:00
Ophestra	89a05909a4	test: move test program to sandbox directory This prepares for the separation of app and sandbox tests. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 21:09:16 +09:00
Ophestra	f772940768	test/sandbox: treat ESRCH as temporary failure This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 03:50:59 +09:00
Ophestra	8886c40974	test/sandbox: separate check filter Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 02:15:08 +09:00
Ophestra	8b62e08b44	test: build test program in nixos config Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-29 19:33:17 +09:00
Ophestra	72c59f9229	nix: check share/applications in share package This allows share directories without share/applications/ to build correctly. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-29 19:28:20 +09:00
Ophestra	ff3cfbb437	test/sandbox: check seccomp outcome This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 02:24:27 +09:00
Ophestra	c13eb70d7d	sandbox/seccomp: add fortify default sample Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 02:02:02 +09:00
Ophestra	389402f955	test/sandbox/ptrace: generic filter block type Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 01:47:24 +09:00
Ophestra	660a2898dc	test/sandbox/ptrace: dump seccomp bpf program Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 01:35:56 +09:00
Ophestra	faf59e12c0	test/sandbox: expose test tool Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 00:08:47 +09:00
Ophestra	d97a03c7c6	test/sandbox: separate test tool source This improves readability and allows gofmt to format the file. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 23:43:13 +09:00
Ophestra	a102178019	sys: update doc comment Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 22:43:17 +09:00
Ophestra	e400862a12	state/multi: fix backend cache population race This race is never able to happen since no caller concurrently requests the same aid yet. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 22:37:08 +09:00
Ophestra	184e9db2b2	sandbox: support privileged container Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 19:40:19 +09:00
Ophestra	605d018be2	app/seal: check for '=' in envv Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 18:25:23 +09:00
Ophestra	78aaae7ee0	helper/args: copy args on wt creation Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 18:22:07 +09:00
Ophestra	5c82f1ed3e	helper/stub: output to stdout Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 17:25:10 +09:00
Ophestra	f8502c3ece	test/sandbox: check environment Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:16:33 +09:00
Ophestra	996b42634d	test/sandbox: invoke check program directly Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:11:50 +09:00
Ophestra	300571af47	app: pass through $SHELL Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 01:22:40 +09:00
Ophestra	32c90ef4e7	nix: pass through exec arguments This is useful for when a wrapper script is unnecessary. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:04:46 +09:00
Ophestra	2a4e2724a3	release: 0.3.1 Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 07:48:50 +09:00
Ophestra	d613257841	sandbox/init: clear inheritable set Inheritable should not be able to affect anything regardless of its value, due to no_new_privs. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 07:46:13 +09:00
Ophestra	18644d90be	sandbox: wrap capset syscall Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 07:44:07 +09:00
Ophestra	52fcc48ac1	sandbox/init: drop capabilities During development the syscall filter caused me to make an incorrect assumption about SysProcAttr. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 06:32:08 +09:00
Ophestra	8b69bcd215	sandbox: cache kernel.cap_last_cap value Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 06:19:19 +09:00
Ophestra	2dd49c437c	app: create XDG_RUNTIME_DIR with perm 0700 Many programs complain about this. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 02:49:37 +09:00
Ophestra	92852d8235	release: 0.3.0 Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 02:18:59 +09:00
Ophestra	371dd5b938	nix: create current-system symlink This is copied at runtime because it appears to be impossible to obtain this path in nix. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 02:06:11 +09:00
Ophestra	4836d570ae	test: raise long timeout to 15 seconds The race detector really slows down container tooling. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 01:59:05 +09:00
Ophestra	985f9442e6	sandbox: copy symlink with magic prefix This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 01:42:39 +09:00
Ophestra	67eb28466d	nix: create opengl-driver symlink Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 20:52:20 +09:00
Ophestra	c326c3f97d	fst/sandbox: do not create /etc in advance This is now handled by the setup op. This also gets rid of the hardcoded /etc path. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 20:00:34 +09:00
Ophestra	971c79bb80	sandbox: remove hardcoded parent perm Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 19:49:51 +09:00
Ophestra	f86d868274	sandbox: wrap error with its own text message PathError has a pretty good text message, many of them are wrapped with its own text message. This change adds a function to do just that to improve readability. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 19:42:20 +09:00
Ophestra	33940265a6	sandbox: do not ensure symlink target This masks EEXIST on target and might clobber filesystems and lead to other confusing behaviour. Create its parent instead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 19:30:53 +09:00
Ophestra	b39f3aeb59	helper: remove bubblewrap wrapper Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 05:35:02 +09:00
Ophestra	61dbfeffe7	sandbox/wl: move into sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 05:26:37 +09:00
Ophestra	532feb4bfa	app: merge shim into app package Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 05:21:47 +09:00
Ophestra	ec5e91b8c9	system: optimise string formatting Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 04:42:30 +09:00
Ophestra	ee51320abf	test: check revert type selection Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 04:37:58 +09:00
Ophestra	5c4058d5ac	app: run in native sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 01:52:49 +09:00
Ophestra	e732dca762	wl: fix sync pipe keepalive Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 01:33:37 +09:00
Ophestra	a9adcd914b	fortify/parse: omit try fd fallthrough message This reduces noise in verbose output. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 01:21:11 +09:00
Ophestra	3dd4ff29c8	test/sandbox: check mount table length Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:36:53 +09:00
Ophestra	61d86c5e10	test/sandbox: fix stdout tty check Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:23:50 +09:00
Ophestra	d097eaa28f	test/sandbox: unquote fail messages Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:03:53 +09:00
Ophestra	ad3576c164	sandbox: resolve tty name Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:03:07 +09:00

1 2 3 4 5 ...

807 Commits