cat
39dc8e7bd8
dbus: set process group id
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m18s
Test / Data race detector (push) Successful in 3m11s
Test / Flake checks (push) Successful in 40s
This stops signals sent by the TTY driver from propagating to the xdg-dbus-proxy process.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-25 18:12:41 +09:00
cat
dccb366608
ldd: handle behaviour on static executable
...
Test / Create distribution (push) Successful in 25s
Test / Run NixOS test (push) Successful in 3m27s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-23 18:02:33 +09:00
cat
83c8f0488b
ldd: pass absolute path to bwrap
...
Test / Create distribution (push) Successful in 27s
Test / Run NixOS test (push) Successful in 3m31s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-23 17:46:22 +09:00
cat
fe7d208cf7
helper: use generic extra files interface
...
Test / Create distribution (push) Successful in 1m38s
Test / Run NixOS test (push) Successful in 4m36s
This replaces the pipes object and integrates context into helper process lifecycle.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-02-13 23:34:15 +09:00
cat
5a64cdaf4f
ldd: enable syscall filter
...
Build / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 02:00:49 +09:00
cat
9a239fa1a5
helper/bwrap: integrate seccomp into helper interface
...
Build / Create distribution (push) Successful in 1m36s
Test / Run NixOS test (push) Successful in 3m40s
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-22 01:52:57 +09:00
cat
2f70506865
helper/bwrap: move sync to helper state
...
Build / Create distribution (push) Successful in 1m25s
Test / Run NixOS test (push) Successful in 3m33s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-01-19 18:38:13 +09:00
cat
b956ce4052
ldd: trim leading and trailing white spaces from name
...
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 3m31s
Glibc emits ldd output with \t prefix for formatting. Remove that here.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2024-12-26 16:53:01 +09:00
cat
ade57c39af
ldd: add fhs glibc test case
...
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 3m34s
Signed-off-by: Ophestra <cat@gensokyo.uk >
2024-12-26 16:33:02 +09:00
cat
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
...
Tests / Go tests (push) Successful in 2m55s
Nix / NixOS tests (push) Successful in 5m10s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-12-20 00:20:02 +09:00
cat
4b7b899bb3
add package doc comments
...
test / test (push) Successful in 19s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-28 20:57:59 +09:00
cat
65af1684e3
migrate to git.ophivana.moe/security/fortify
...
test / test (push) Successful in 14s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-20 19:50:13 +09:00
cat
73a698c7cb
ldd: run ldd with read-only filesystem and unshared net
...
This is only called on trusted programs, however extra hardening is never a bad idea.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-17 15:37:27 +09:00
cat
d41b9d2d9c
ldd: separate Parse from Exec and trim space
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-09 23:51:15 +09:00
cat
6232291cae
ldd: implement strict ldd output parser
...
Fortify needs to internally resolve helper program sandbox config. They are considered trusted and runs under the privileged UID so ldd output is used to determine libraries they need inside the sandbox environment.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe >
2024-10-09 20:39:27 +09:00
cat
