cat
7f2c0af5ad
fst: set multiarch bit
...
Test / Create distribution (push) Successful in 26s
Test / Sandbox (push) Successful in 1m57s
Test / Fortify (push) Successful in 2m45s
Test / Sandbox (race detector) (push) Successful in 2m55s
Test / Fpkg (push) Successful in 3m41s
Test / Fortify (race detector) (push) Successful in 4m10s
Test / Flake checks (push) Successful in 1m8s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 22:55:00 +09:00
cat
297b444dfb
test: separate app and sandbox
...
Test / Create distribution (push) Successful in 26s
Test / Sandbox (push) Successful in 1m42s
Test / Fortify (push) Successful in 2m39s
Test / Sandbox (race detector) (push) Successful in 2m52s
Test / Fpkg (push) Successful in 3m37s
Test / Fortify (race detector) (push) Successful in 4m17s
Test / Flake checks (push) Successful in 1m6s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 22:09:46 +09:00
cat
89a05909a4
test: move test program to sandbox directory
...
Test / Create distribution (push) Successful in 27s
Test / Fpkg (push) Successful in 39s
Test / Fortify (push) Successful in 2m38s
Test / Data race detector (push) Successful in 3m22s
Test / Flake checks (push) Successful in 1m1s
This prepares for the separation of app and sandbox tests.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 21:09:16 +09:00
cat
f772940768
test/sandbox: treat ESRCH as temporary failure
...
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 33s
Test / Fortify (push) Successful in 2m30s
Test / Data race detector (push) Successful in 3m13s
Test / Flake checks (push) Successful in 52s
This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 03:50:59 +09:00
cat
8886c40974
test/sandbox: separate check filter
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 2m29s
Test / Data race detector (push) Successful in 3m12s
Test / Flake checks (push) Successful in 54s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 02:15:08 +09:00
cat
8b62e08b44
test: build test program in nixos config
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 34s
Test / Data race detector (push) Successful in 3m18s
Test / Fortify (push) Successful in 1m53s
Test / Flake checks (push) Successful in 57s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-29 19:33:17 +09:00
cat
72c59f9229
nix: check share/applications in share package
...
Test / Create distribution (push) Successful in 27s
Test / Fpkg (push) Successful in 37s
Test / Data race detector (push) Successful in 3m9s
Test / Fortify (push) Successful in 2m2s
Test / Flake checks (push) Successful in 56s
This allows share directories without share/applications/ to build correctly.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-29 19:28:20 +09:00
cat
ff3cfbb437
test/sandbox: check seccomp outcome
...
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 33s
Test / Fortify (push) Successful in 2m27s
Test / Data race detector (push) Successful in 3m15s
Test / Flake checks (push) Successful in 56s
This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 02:24:27 +09:00
cat
c13eb70d7d
sandbox/seccomp: add fortify default sample
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m39s
Test / Fpkg (push) Successful in 3m29s
Test / Data race detector (push) Successful in 4m34s
Test / Flake checks (push) Successful in 57s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 02:02:02 +09:00
cat
389402f955
test/sandbox/ptrace: generic filter block type
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 2m28s
Test / Data race detector (push) Successful in 3m12s
Test / Flake checks (push) Successful in 59s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 01:47:24 +09:00
cat
660a2898dc
test/sandbox/ptrace: dump seccomp bpf program
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 2m21s
Test / Data race detector (push) Successful in 3m4s
Test / Flake checks (push) Successful in 55s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 01:35:56 +09:00
cat
faf59e12c0
test/sandbox: expose test tool
...
Test / Create distribution (push) Successful in 27s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 2m22s
Test / Data race detector (push) Successful in 3m11s
Test / Flake checks (push) Successful in 56s
Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 00:08:47 +09:00
cat
d97a03c7c6
test/sandbox: separate test tool source
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 2m27s
Test / Data race detector (push) Successful in 3m11s
Test / Flake checks (push) Successful in 59s
This improves readability and allows gofmt to format the file.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 23:43:13 +09:00
cat
a102178019
sys: update doc comment
...
Test / Create distribution (push) Successful in 28s
Test / Fortify (push) Successful in 2m45s
Test / Fpkg (push) Successful in 3m36s
Test / Data race detector (push) Successful in 4m32s
Test / Flake checks (push) Successful in 58s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 22:43:17 +09:00
cat
e400862a12
state/multi: fix backend cache population race
...
Test / Create distribution (push) Successful in 27s
Test / Fortify (push) Successful in 2m46s
Test / Fpkg (push) Successful in 3m33s
Test / Data race detector (push) Successful in 4m37s
Test / Flake checks (push) Successful in 57s
This race is never able to happen since no caller concurrently requests the same aid yet.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 22:37:08 +09:00
cat
184e9db2b2
sandbox: support privileged container
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m34s
Test / Fpkg (push) Successful in 3m25s
Test / Data race detector (push) Successful in 4m27s
Test / Flake checks (push) Successful in 53s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 19:40:19 +09:00
cat
605d018be2
app/seal: check for '=' in envv
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m58s
Test / Fpkg (push) Successful in 3m50s
Test / Data race detector (push) Successful in 4m40s
Test / Flake checks (push) Successful in 55s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 18:25:23 +09:00
cat
78aaae7ee0
helper/args: copy args on wt creation
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m49s
Test / Data race detector (push) Successful in 3m4s
Test / Fpkg (push) Successful in 3m15s
Test / Flake checks (push) Successful in 1m1s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 18:22:07 +09:00
cat
5c82f1ed3e
helper/stub: output to stdout
...
Test / Create distribution (push) Successful in 19s
Test / Fortify (push) Successful in 43s
Test / Fpkg (push) Successful in 1m26s
Test / Data race detector (push) Successful in 2m28s
Test / Flake checks (push) Successful in 1m0s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 17:25:10 +09:00
cat
f8502c3ece
test/sandbox: check environment
...
Test / Create distribution (push) Successful in 19s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 41s
Test / Data race detector (push) Successful in 41s
Test / Flake checks (push) Successful in 56s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 03:16:33 +09:00
cat
996b42634d
test/sandbox: invoke check program directly
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 40s
Test / Data race detector (push) Successful in 2m47s
Test / Flake checks (push) Successful in 1m4s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 03:11:50 +09:00
cat
300571af47
app: pass through $SHELL
...
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 33s
Test / Fortify (push) Successful in 39s
Test / Data race detector (push) Successful in 39s
Test / Flake checks (push) Successful in 55s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 01:22:40 +09:00
cat
32c90ef4e7
nix: pass through exec arguments
...
Test / Create distribution (push) Successful in 19s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 41s
Test / Data race detector (push) Successful in 41s
Test / Flake checks (push) Successful in 56s
This is useful for when a wrapper script is unnecessary.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 03:04:46 +09:00
cat
2a4e2724a3
release: 0.3.1
...
Release / Create release (push) Successful in 35s
Test / Create distribution (push) Successful in 19s
Test / Fpkg (push) Successful in 33s
Test / Fortify (push) Successful in 39s
Test / Data race detector (push) Successful in 39s
Test / Flake checks (push) Successful in 55s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 07:48:50 +09:00
cat
d613257841
sandbox/init: clear inheritable set
...
Test / Create distribution (push) Successful in 28s
Test / Fpkg (push) Successful in 3m52s
Test / Data race detector (push) Successful in 4m47s
Test / Fortify (push) Successful in 2m4s
Test / Flake checks (push) Successful in 57s
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 07:46:13 +09:00
cat
18644d90be
sandbox: wrap capset syscall
...
Test / Create distribution (push) Successful in 21s
Test / Fortify (push) Successful in 2m25s
Test / Data race detector (push) Successful in 3m10s
Test / Fpkg (push) Successful in 2m59s
Test / Flake checks (push) Successful in 1m4s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 07:44:07 +09:00
cat
52fcc48ac1
sandbox/init: drop capabilities
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m39s
Test / Fpkg (push) Successful in 3m31s
Test / Data race detector (push) Successful in 4m32s
Test / Flake checks (push) Successful in 58s
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 06:32:08 +09:00
cat
8b69bcd215
sandbox: cache kernel.cap_last_cap value
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m37s
Test / Fpkg (push) Successful in 3m33s
Test / Data race detector (push) Successful in 4m27s
Test / Flake checks (push) Successful in 59s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 06:19:19 +09:00
cat
2dd49c437c
app: create XDG_RUNTIME_DIR with perm 0700
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m41s
Test / Fpkg (push) Successful in 3m31s
Test / Data race detector (push) Successful in 4m30s
Test / Flake checks (push) Successful in 59s
Many programs complain about this.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 02:49:37 +09:00
cat
92852d8235
release: 0.3.0
...
Test / Create distribution (push) Successful in 20s
Release / Create release (push) Successful in 35s
Test / Fortify (push) Successful in 2m45s
Test / Fpkg (push) Successful in 3m27s
Test / Data race detector (push) Successful in 4m20s
Test / Flake checks (push) Successful in 1m1s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 02:18:59 +09:00
cat
371dd5b938
nix: create current-system symlink
...
Test / Create distribution (push) Successful in 20s
Release / Create release (push) Successful in 27s
Test / Fpkg (push) Successful in 35s
Test / Fortify (push) Successful in 40s
Test / Data race detector (push) Successful in 40s
Test / Flake checks (push) Successful in 58s
This is copied at runtime because it appears to be impossible to obtain this path in nix.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 02:06:11 +09:00
cat
4836d570ae
test: raise long timeout to 15 seconds
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 34s
Test / Fortify (push) Successful in 2m20s
Test / Data race detector (push) Successful in 3m4s
Test / Flake checks (push) Successful in 57s
The race detector really slows down container tooling.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 01:59:05 +09:00
cat
985f9442e6
sandbox: copy symlink with magic prefix
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m39s
Test / Fpkg (push) Successful in 3m31s
Test / Data race detector (push) Successful in 2m40s
Test / Flake checks (push) Successful in 59s
This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 01:42:39 +09:00
cat
67eb28466d
nix: create opengl-driver symlink
...
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 33s
Test / Fortify (push) Successful in 2m18s
Test / Data race detector (push) Successful in 3m3s
Test / Flake checks (push) Successful in 53s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 20:52:20 +09:00
cat
c326c3f97d
fst/sandbox: do not create /etc in advance
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m43s
Test / Fpkg (push) Successful in 3m36s
Test / Data race detector (push) Successful in 4m31s
Test / Flake checks (push) Successful in 56s
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 20:00:34 +09:00
cat
971c79bb80
sandbox: remove hardcoded parent perm
...
Test / Create distribution (push) Successful in 27s
Test / Fortify (push) Successful in 2m43s
Test / Fpkg (push) Successful in 3m41s
Test / Data race detector (push) Successful in 4m32s
Test / Flake checks (push) Successful in 59s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 19:49:51 +09:00
cat
f86d868274
sandbox: wrap error with its own text message
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m40s
Test / Fpkg (push) Successful in 3m33s
Test / Data race detector (push) Successful in 4m24s
Test / Flake checks (push) Successful in 57s
PathError has a pretty good text message, many of them are wrapped with its own text message. This change adds a function to do just that to improve readability.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 19:42:20 +09:00
cat
33940265a6
sandbox: do not ensure symlink target
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m40s
Test / Fpkg (push) Successful in 3m29s
Test / Data race detector (push) Successful in 4m31s
Test / Flake checks (push) Successful in 1m4s
This masks EEXIST on target and might clobber filesystems and lead to other confusing behaviour. Create its parent instead.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 19:30:53 +09:00
cat
b39f3aeb59
helper: remove bubblewrap wrapper
...
Test / Create distribution (push) Successful in 19s
Test / Fortify (push) Successful in 2m12s
Test / Fpkg (push) Successful in 3m34s
Test / Data race detector (push) Successful in 4m19s
Test / Flake checks (push) Successful in 57s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 05:35:02 +09:00
cat
61dbfeffe7
sandbox/wl: move into sandbox
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m49s
Test / Fpkg (push) Successful in 3m54s
Test / Data race detector (push) Successful in 4m36s
Test / Flake checks (push) Successful in 58s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 05:26:37 +09:00
cat
532feb4bfa
app: merge shim into app package
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m48s
Test / Fpkg (push) Successful in 3m39s
Test / Data race detector (push) Successful in 4m35s
Test / Flake checks (push) Successful in 56s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 05:21:47 +09:00
cat
ec5e91b8c9
system: optimise string formatting
...
Test / Create distribution (push) Successful in 20s
Test / Fpkg (push) Successful in 36s
Test / Fortify (push) Successful in 42s
Test / Data race detector (push) Successful in 43s
Test / Flake checks (push) Successful in 1m10s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 04:42:30 +09:00
cat
ee51320abf
test: check revert type selection
...
Test / Create distribution (push) Successful in 20s
Test / Fortify (push) Successful in 2m18s
Test / Fpkg (push) Successful in 3m1s
Test / Data race detector (push) Successful in 4m32s
Test / Flake checks (push) Successful in 1m4s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 04:37:58 +09:00
cat
5c4058d5ac
app: run in native sandbox
...
Test / Create distribution (push) Successful in 20s
Test / Fortify (push) Successful in 2m5s
Test / Fpkg (push) Successful in 3m0s
Test / Data race detector (push) Successful in 4m12s
Test / Flake checks (push) Successful in 1m4s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 01:52:49 +09:00
cat
e732dca762
wl: fix sync pipe keepalive
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m30s
Test / Fpkg (push) Successful in 3m36s
Test / Data race detector (push) Successful in 4m14s
Test / Flake checks (push) Successful in 59s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 01:33:37 +09:00
cat
a9adcd914b
fortify/parse: omit try fd fallthrough message
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m33s
Test / Fpkg (push) Successful in 3m28s
Test / Data race detector (push) Successful in 4m12s
Test / Flake checks (push) Successful in 57s
This reduces noise in verbose output.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 01:21:11 +09:00
cat
3dd4ff29c8
test/sandbox: check mount table length
...
Test / Create distribution (push) Successful in 26s
Test / Fpkg (push) Successful in 37s
Test / Fortify (push) Successful in 2m20s
Test / Data race detector (push) Successful in 2m51s
Test / Flake checks (push) Successful in 1m0s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 16:36:53 +09:00
cat
61d86c5e10
test/sandbox: fix stdout tty check
...
Test / Create distribution (push) Successful in 27s
Test / Fpkg (push) Successful in 37s
Test / Fortify (push) Successful in 2m22s
Test / Data race detector (push) Successful in 2m57s
Test / Flake checks (push) Successful in 56s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 16:23:50 +09:00
cat
d097eaa28f
test/sandbox: unquote fail messages
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m31s
Test / Fpkg (push) Successful in 3m22s
Test / Data race detector (push) Successful in 4m22s
Test / Flake checks (push) Successful in 57s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 16:03:53 +09:00
cat
ad3576c164
sandbox: resolve tty name
...
Test / Create distribution (push) Successful in 19s
Test / Fortify (push) Successful in 2m17s
Test / Fpkg (push) Successful in 3m15s
Test / Data race detector (push) Successful in 4m10s
Test / Flake checks (push) Successful in 56s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 16:03:07 +09:00
cat
