fortify

Author	SHA1	Message	Date
Ophestra	24618ab9a1	sandbox: move out of internal All checks were successful Test / Create distribution (push) Successful in 18s Details Test / Fpkg (push) Successful in 2m40s Details Test / Data race detector (push) Successful in 3m13s Details Test / Fortify (push) Successful in 3m1s Details Test / Flake checks (push) Successful in 51s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 02:55:36 +09:00
Ophestra	bc54db54d2	ldd: always copy stderr All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fortify (push) Successful in 2m30s Details Test / Fpkg (push) Successful in 3m34s Details Test / Data race detector (push) Successful in 3m55s Details Test / Flake checks (push) Successful in 53s Details Dropping the buffer on success is unhelpful and could hide some useful information. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 00:08:00 +09:00
Ophestra	bf07b7cd9e	ldd: mount /proc in container All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fpkg (push) Successful in 3m45s Details Test / Data race detector (push) Successful in 4m0s Details Test / Fortify (push) Successful in 1m54s Details Test / Flake checks (push) Successful in 53s Details This covers host /proc. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 00:01:03 +09:00
Ophestra	48feca800f	sandbox: check command function pointer All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fortify (push) Successful in 2m37s Details Test / Fpkg (push) Successful in 3m25s Details Test / Data race detector (push) Successful in 3m59s Details Test / Flake checks (push) Successful in 55s Details Setting default CommandContext on initialisation is somewhat of a footgun. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-16 23:29:14 +09:00
Ophestra	4bb5d9780f	ldd: run in native sandbox All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fortify (push) Successful in 2m27s Details Test / Fpkg (push) Successful in 3m22s Details Test / Data race detector (push) Successful in 3m43s Details Test / Flake checks (push) Successful in 48s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-14 17:55:55 +09:00
Ophestra	d22145a392	ldd: handle musl static behaviour All checks were successful Test / Create distribution (push) Successful in 28s Details Test / Fortify (push) Successful in 2m36s Details Test / Fpkg (push) Successful in 3m24s Details Test / Data race detector (push) Successful in 3m32s Details Test / Flake checks (push) Successful in 50s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-12 23:29:43 +09:00
Ophestra	39dc8e7bd8	dbus: set process group id All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fortify (push) Successful in 2m18s Details Test / Data race detector (push) Successful in 3m11s Details Test / Flake checks (push) Successful in 40s Details This stops signals sent by the TTY driver from propagating to the xdg-dbus-proxy process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-25 18:12:41 +09:00
Ophestra	dccb366608	ldd: handle behaviour on static executable All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Run NixOS test (push) Successful in 3m27s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:02:33 +09:00
Ophestra	83c8f0488b	ldd: pass absolute path to bwrap All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Run NixOS test (push) Successful in 3m31s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 17:46:22 +09:00
Ophestra	fe7d208cf7	helper: use generic extra files interface All checks were successful Test / Create distribution (push) Successful in 1m38s Details Test / Run NixOS test (push) Successful in 4m36s Details This replaces the pipes object and integrates context into helper process lifecycle. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-13 23:34:15 +09:00
Ophestra	5a64cdaf4f	ldd: enable syscall filter All checks were successful Build / Create distribution (push) Successful in 1m55s Details Test / Run NixOS test (push) Successful in 4m6s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 02:00:49 +09:00
Ophestra	9a239fa1a5	helper/bwrap: integrate seccomp into helper interface All checks were successful Build / Create distribution (push) Successful in 1m36s Details Test / Run NixOS test (push) Successful in 3m40s Details This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 01:52:57 +09:00
Ophestra	2f70506865	helper/bwrap: move sync to helper state All checks were successful Build / Create distribution (push) Successful in 1m25s Details Test / Run NixOS test (push) Successful in 3m33s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:38:13 +09:00
Ophestra Umiker	df6fc298f6	migrate to git.gensokyo.uk/security/fortify All checks were successful Tests / Go tests (push) Successful in 2m55s Details Nix / NixOS tests (push) Successful in 5m10s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
Ophestra Umiker	65af1684e3	migrate to git.ophivana.moe/security/fortify All checks were successful test / test (push) Successful in 14s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-20 19:50:13 +09:00
Ophestra Umiker	73a698c7cb	ldd: run ldd with read-only filesystem and unshared net This is only called on trusted programs, however extra hardening is never a bad idea. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-17 15:37:27 +09:00
Ophestra Umiker	d41b9d2d9c	ldd: separate Parse from Exec and trim space Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-09 23:51:15 +09:00

17 Commits