148 Commits

Author	SHA1	Message	Date
cat	2e52191404	system/dbus: dump method prints msgbuf ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-07 13:16:54 +09:00
cat	23e1152baa	app/share: clean BaseError message ... This removes trailing '\n' in the PulseAudio warning. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 11:54:16 +09:00
cat	9a239fa1a5	helper/bwrap: integrate seccomp into helper interface ... This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 01:52:57 +09:00
cat	dfcdc5ce20	state: store config in separate gob stream ... This enables early serialisation of config. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-21 12:10:58 +09:00
cat	27f5922d5c	fst: include syscall filter configuration ... This value is passed through to shim. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 21:12:39 +09:00
cat	2f70506865	helper/bwrap: move sync to helper state ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:38:13 +09:00
cat	cae567c109	proc/priv/shim: remove unnecessary state ... These values are only used during process creation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:09:07 +09:00
cat	ea8f228af3	proc/priv/shim: merge shim into main program ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 23:43:32 +09:00
cat	124743ffd3	app: expose single run method ... App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 23:39:51 +09:00
cat	562f5ed797	fst: hide sockets exposed via Filesystem ... This is mostly useful for permissive defaults. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 10:13:18 +09:00
cat	c4d6651cae	update reverse-DNS style identifiers ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-31 16:16:38 +09:00
cat	9b206072fa	cmd/fshim: ensure data directory ... Ensuring home directory in shim causes the directory to be owned by the target user. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:39:01 +09:00
cat	b9e2003d5b	app: ensure extra paths ... The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:07:49 +09:00
cat	847b667489	app: extra acl entries from configuration ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:23:27 +09:00
cat	0107620d8c	app: merge share methods ... This significantly increases readability and makes order of ops more obvious. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 11:12:35 +09:00
cat	f608f28a6a	app: mount /dev/kvm in permissive defaults ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-22 12:37:24 +09:00
cat	7a8b625a57	app: rename /fortify to /.fortify ... Also removed the inner share tmpfs mount. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 18:11:32 +09:00
cat	74fe74e6b5	app: do not fail on missing cookie ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 17:56:21 +09:00
cat	df6fc298f6	migrate to git.gensokyo.uk/security/fortify ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
cat	eae3034260	state: expose aids and use instance id as key ... Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 21:36:17 +09:00
cat	52f21a19f3	cmd/fshim: switch to setup pipe ... The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 19:39:25 +09:00
cat	2f676c9d6e	fst: rename from fipc ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 15:50:46 +09:00
cat	b752ec4468	fipc: export config struct ... Also store full config as part of state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 13:45:55 +09:00
cat	b3ef53b193	app: integrate security-context-v1 ... Should be able to get rid of XDG_RUNTIME_DIR share after this. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 04:25:33 +09:00
cat	b291f0b710	app: add nixos-based config test case ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-21 12:13:21 +09:00
cat	9faf3b3596	app: validate username ... This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-19 21:01:41 +09:00
cat	ae2628e57a	cmd/fshim/ipc: install signal handler on shim start ... Getting killed at this point will result in inconsistent state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-18 13:33:46 +09:00
cat	05b7dbf066	app: alternative inner home path ... Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-18 00:18:21 +09:00
cat	c1fad649e8	app/start: check for cleanup and abort condition ... Dirty fix. Will rewrite after fsu integration complete. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-17 23:41:52 +09:00
cat	b5f01ef20b	app: append # for ChangeHosts message with numerical uid ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-17 23:40:37 +09:00
cat	df33123bd7	app: integrate fsu ... This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-16 21:19:45 +09:00
cat	9a13b311ac	app/config: rename map_real_uid from use_real_uid ... This option only changes mapped uid in the user namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-09 12:01:34 +09:00
cat	3dfc1fcd56	app: support full /dev access ... Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-06 03:49:39 +09:00
cat	69cc64ef56	linux: provide access to stdout ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 22:55:46 +09:00
cat	fc25ac2523	app: separate auto etc from permissive defaults ... Populating /etc with symlinks is quite useful even outside the permissive defaults usage pattern. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 22:18:05 +09:00
cat	d909b1190a	app/config: UseRealUID as true in template ... The template is based on a Chromium setup, which this workaround was created for. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 19:45:31 +09:00
cat	af15b1c048	app: support mapping target uid as privileged uid in sandbox ... Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 03:15:39 +09:00
cat	7962681f4a	app: format mapped uid instead of real uid ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 00:49:32 +09:00
cat	bfcce3ff75	system/dbus: buffer xdg-dbus-proxy messages ... Pointing xdg-dbus-proxy to stdout/stderr makes a huge mess. This change enables app to neatly print out prefixed xdg-dbus-proxy messages after output is resumed. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-03 03:07:02 +09:00
cat	584732f80a	cmd: shim and init into separate binaries ... This change also fixes a deadlock when shim fails to connect and complete the setup. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-02 03:13:57 +09:00
cat	431dc095e5	app/start: skip cleanup if shim is nil ... Shim is created before any system operation happens. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-28 14:21:15 +09:00
cat	60e91b9b0f	shim: expose checkPid in constructor ... This will be supported soon when launching via fsu. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-28 00:02:55 +09:00
cat	51e84ba8a5	system/dbus: compare sealed value by string ... Stringer method of dbus.Proxy returns a string representation of its args stream when sealed. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-27 12:09:34 +09:00
cat	7df9d8d01d	system: move sd_booted implementation to os abstraction ... This implements lazy loading of the systemd marker (they are not accessed in init and shim) and ensures consistent behaviour when running with a stub. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-27 12:09:34 +09:00
cat	1d6ea81205	shim: user switcher process management struct ... This change moves all user switcher and shim management to the shim package and withholds output while shim is alive. This also eliminated all exit scenarios where revert is skipped. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-27 00:46:15 +09:00
cat	093e99d062	app: separate nixos test cases from tests ... Test cases are very long, separating them improves editor performance. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-25 17:44:29 +09:00
cat	ad7e389eee	app: test app permissive defaults sealing behaviour ... This test seals App against a deterministic os stub and checks the resulting sys and bwrap values against known correct ones. The effects of sys and bwrap on the OS and sandbox is deterministic and tested in their own respective packages. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-25 17:12:13 +09:00
cat	eb767e7642	app/start: cleaner command not found message ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-25 16:12:18 +09:00
cat	8fa791a2f8	app/seal: symlink /etc entries in permissive default ... Fortify overrides /etc/passwd and /etc/group in the sandbox. Bind mounting /etc results in them being replaced when the passwd database is updated on host. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-25 13:31:57 +09:00
cat	b932ac8260	app/config: support creating symlinks within sandbox ... This is already supported by the underlying bwrap helper. This change exposes access to it in Config. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-25 13:29:01 +09:00