cat
1e6a059668
helper/seccomp: benchmark exporter
...
Test / Create distribution (push) Successful in 1m44s
Test / Run NixOS test (push) Successful in 4m32s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 22:37:51 +09:00
cat
318df0f7e1
nix: test syscall filter
...
Test / Create distribution (push) Successful in 1m30s
Test / Run NixOS test (push) Successful in 4m17s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 22:01:16 +09:00
cat
58eb8f971d
proc/pipe: implement args and stat file
...
Test / Create distribution (push) Successful in 1m30s
Test / Run NixOS test (push) Successful in 4m11s
This is a generic implementation of helper/pipe.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 19:57:24 +09:00
cat
0a1d7c01cd
helper/proc: count dispatched errs
...
Test / Create distribution (push) Successful in 1m28s
Test / Run NixOS test (push) Successful in 3m59s
This helps debug implementation errors of [proc.File].
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 19:55:37 +09:00
cat
60ca1c6c55
helper/proc: store file addresses in linked list
...
Test / Create distribution (push) Successful in 1m28s
Test / Run NixOS test (push) Successful in 4m5s
Storing extra files as a slice requires the caller to allocate a large enough slice before initialising any file and never grow the slice.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 17:42:12 +09:00
cat
099da78af5
helper/seccomp: eliminate data race on pfd
...
Test / Create distribution (push) Successful in 2m10s
Test / Run NixOS test (push) Successful in 4m50s
Turns out the doc comment on os.File was lying about its methods being safe for concurrent use. The race detector picked up a data race from concurrent use of Fd and Close.
This change eliminates that by calling Fd in the prepare routine.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 10:40:51 +09:00
cat
18466cfd02
helper/proc: declare generic extra files interface
...
Test / Create distribution (push) Successful in 1m29s
Test / Run NixOS test (push) Successful in 4m4s
Helpers use extra files for various purposes. This provides a generic interface for implementing the fulfillment of these extra files without having to specifically handle them in the process creation code.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-11 16:34:47 +09:00
cat
e14923ae53
helper/proc: move package out of internal
...
Test / Create distribution (push) Successful in 1m32s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-08 13:03:45 +09:00
cat
7aff3ead3a
nix: vm test remove unnecessary setup
...
Test / Create distribution (push) Successful in 1m27s
Test / Run NixOS test (push) Successful in 4m10s
This step is no longer required as the NixOS module is responsible for home directory creation.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-07 22:29:56 +09:00
cat
72fb13dccc
dbus: lock for read in public args interface
...
Test / Create distribution (push) Successful in 1m27s
Test / Run NixOS test (push) Successful in 4m2s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-07 13:42:29 +09:00
cat
a48386bd56
system/dbus: dump messages on early fault
...
Test / Create distribution (push) Successful in 1m27s
Test / Run NixOS test (push) Successful in 4m14s
In the current app implementation this gets dumped in the wait method after resuming output. Wait is never called in an early fault condition, so any error messages get lost.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-07 13:20:56 +09:00
cat
2e52191404
system/dbus: dump method prints msgbuf
...
Test / Create distribution (push) Successful in 1m27s
Test / Run NixOS test (push) Successful in 4m1s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-07 13:16:54 +09:00
cat
568d7758d5
helper/seccomp: panic on invalid closeWrite use
...
Test / Create distribution (push) Successful in 1m46s
Test / Run NixOS test (push) Successful in 4m39s
Returning an error here puts exporter in an invalid state. The caller should guard against this condition instead.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-07 12:58:20 +09:00
cat
5b7b3fa9a4
helper/seccomp: implement reader interface via pipe
...
Test / Create distribution (push) Successful in 1m6s
Test / Run NixOS test (push) Successful in 2m44s
This also does not require the libc tmpfile call.
BPF programs emitted by libseccomp seems to be deterministic. The tests would catch regressions as it verifies the program against known good output backed by manual testing.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-03 19:43:03 +09:00
cat
d58fb8c6ee
workflows: fix nix store cache
...
Test / Create distribution (push) Successful in 1m13s
Test / Run NixOS test (push) Successful in 3m0s
Prefix does not seem to match correctly, this appears to be a Gitea implementation bug.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-01 21:16:13 +09:00
cat
5808fe61c3
nix: vm test set sway background
...
Test / Create distribution (push) Successful in 2m36s
Test / Run NixOS test (push) Successful in 6m32s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 22:28:04 +09:00
cat
f338d3bb4b
nix: update flake lock
Test / Create distribution (push) Successful in 3m6s
Test / Run NixOS test (push) Successful in 6m32s
2025-01-25 19:46:33 +09:00
cat
8d04dd72f1
nix: mount nvidia devices
...
Test / Create distribution (push) Successful in 1m43s
Test / Run NixOS test (push) Successful in 3m33s
These non-standard paths are required in the sandbox for nvidia drivers to work.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 18:05:18 +09:00
cat
21735a8abe
release: 0.2.12
...
Test / Create distribution (push) Successful in 2m25s
Release / Create release (push) Successful in 4m6s
Test / Run NixOS test (push) Successful in 4m49s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 13:40:48 +09:00
cat
34272672b1
nix: verify silent output when not running with -v
...
Test / Create distribution (push) Successful in 1m51s
Test / Run NixOS test (push) Successful in 4m40s
This checks behaviour of fmsg and seccomp.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 13:38:18 +09:00
cat
7b96cd6ded
helper/seccomp: do not call F_println if not verbose
...
Test / Create distribution (push) Successful in 1m42s
Test / Run NixOS test (push) Successful in 3m34s
This (slightly) improves performance.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 13:19:38 +09:00
cat
163f15e93f
helper/seccomp: separate seccomp package
...
Test / Create distribution (push) Successful in 1m39s
Test / Run NixOS test (push) Successful in 3m31s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 12:59:11 +09:00
cat
016da20443
nix: expose compat flag in nixos module
...
Test / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 12:42:48 +09:00
cat
37780456a7
helper: block more unusual/privileged syscalls
...
Test / Create distribution (push) Successful in 1m44s
Test / Run NixOS test (push) Successful in 3m35s
These are toggled by F_EXT and exposed as SyscallPolicy.Compat in the Go interface.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-25 12:35:47 +09:00
cat
efacaa40fa
nix: set deny_devel correctly
...
Test / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 3m51s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-24 00:50:35 +09:00
cat
ad6d0ee55f
workflows: rename integration test artifact
...
Test / Create distribution (push) Successful in 1m53s
Test / Run NixOS test (push) Successful in 3m45s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-24 00:30:39 +09:00
cat
cf791469d8
workflows: gc store and purge old caches
...
Test / Create distribution (push) Successful in 1m39s
Test / Run NixOS test (push) Successful in 3m32s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-24 00:25:57 +09:00
cat
be14421775
workflows: merge test build job into test
...
Test / Create distribution (push) Successful in 2m8s
Test / Run NixOS test (push) Successful in 3m57s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-24 00:22:44 +09:00
cat
045983d7f4
wl: separate inline C
...
Build / Create distribution (push) Successful in 1m41s
Test / Run NixOS test (push) Successful in 3m29s
Having a huge blurb of inline C hurts readability on web pages and some text editors.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-23 22:06:29 +09:00
cat
7106b00968
release: 0.2.11
...
Build / Create distribution (push) Successful in 3m51s
Release / Create release (push) Successful in 4m12s
Test / Run NixOS test (push) Successful in 6m17s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-23 20:49:49 +09:00
cat
96d5d8a396
nix: apply shared home config to reserved aid
...
Build / Create distribution (push) Successful in 2m16s
Test / Run NixOS test (push) Successful in 5m43s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-23 20:48:04 +09:00
cat
8a00a83c71
nix: expose syscall filter policy
...
Build / Create distribution (push) Successful in 1m31s
Test / Run NixOS test (push) Successful in 1m52s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-23 17:24:42 +09:00
cat
134247b57d
nix: configure target users via nixos
...
Build / Create distribution (push) Successful in 2m0s
Test / Run NixOS test (push) Successful in 3m46s
This makes patching home-manager no longer necessary.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-23 17:04:19 +09:00
cat
b5bb7654da
nix: redirect sway output to journal
...
Build / Create distribution (push) Successful in 2m8s
Test / Run NixOS test (push) Successful in 3m58s
This makes swaymsg exec output appear in test output.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-23 16:08:22 +09:00
cat
cc1efa22e2
fst: add missing fields to template
...
Build / Create distribution (push) Successful in 1m28s
Test / Run NixOS test (push) Successful in 3m43s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 12:09:25 +09:00
cat
580128922b
cmd/fpkg: expose syscall policy options
...
Build / Create distribution (push) Successful in 1m34s
Test / Run NixOS test (push) Successful in 3m44s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 12:01:30 +09:00
cat
23e1152baa
app/share: clean BaseError message
...
Build / Create distribution (push) Successful in 1m35s
Test / Run NixOS test (push) Successful in 3m42s
This removes trailing '\n' in the PulseAudio warning.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 11:54:16 +09:00
cat
8c51012ef5
dbus: enable syscall filter
...
Build / Create distribution (push) Successful in 1m33s
Test / Run NixOS test (push) Successful in 3m42s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 11:49:23 +09:00
cat
5a64cdaf4f
ldd: enable syscall filter
...
Build / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 02:00:49 +09:00
cat
a30f5e1226
fortify: set up seccomp verbose logging early
...
Build / Create distribution (push) Successful in 1m34s
Test / Run NixOS test (push) Successful in 4m4s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 01:58:54 +09:00
cat
9a239fa1a5
helper/bwrap: integrate seccomp into helper interface
...
Build / Create distribution (push) Successful in 1m36s
Test / Run NixOS test (push) Successful in 3m40s
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 01:52:57 +09:00
cat
82029948e6
proc: append to ExtraFiles slice pointer
...
Build / Create distribution (push) Successful in 1m30s
Test / Run NixOS test (push) Successful in 4m4s
This is useful for initialising extra files before command.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-21 12:51:39 +09:00
cat
dfcdc5ce20
state: store config in separate gob stream
...
Build / Create distribution (push) Successful in 1m37s
Test / Run NixOS test (push) Successful in 3m38s
This enables early serialisation of config.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-21 12:10:58 +09:00
cat
fa0616b274
fortify: print permissive defaults warning early
...
Build / Create distribution (push) Successful in 1m47s
Test / Run NixOS test (push) Successful in 4m1s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-21 12:05:31 +09:00
cat
20a3d4c458
proc/priv/shim: resolve and load seccomp rules
...
Build / Create distribution (push) Successful in 1m33s
Test / Run NixOS test (push) Successful in 3m36s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-20 23:52:56 +09:00
cat
3df344828f
proc/priv/shim: seccomp bpf filter via libseccomp
...
Build / Create distribution (push) Successful in 1m59s
Test / Run NixOS test (push) Successful in 4m11s
Rulesets adapted from Flatpak for compatibility.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-20 23:39:47 +09:00
cat
27f5922d5c
fst: include syscall filter configuration
...
Build / Create distribution (push) Successful in 3m0s
Test / Run NixOS test (push) Successful in 5m19s
This value is passed through to shim.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-20 21:12:39 +09:00
cat
2cf1f46ea2
nix: test show without --short
...
Build / Create distribution (push) Successful in 3m36s
Test / Run NixOS test (push) Successful in 6m45s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-20 21:10:24 +09:00
cat
3c55fc8e86
proc/priv/shim: do not log bwrap args
...
Build / Create distribution (push) Successful in 1m22s
Test / Run NixOS test (push) Successful in 3m30s
This message is very long and does not serve much real purpose. Remove it to de-clutter verbose messages.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-20 19:51:28 +09:00
cat
eb0ef2d115
helper/bwrap: generic extra file interface
...
Build / Create distribution (push) Successful in 1m32s
Test / Run NixOS test (push) Successful in 3m50s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-20 00:20:04 +09:00
cat
