security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 36 Wiki Activity
606 Commits 5 Branches 36 Tags 5 MiB
273d97af85
Commit Graph

17 Commits

Author SHA1 Message Date
Ophestra
273d97af85
ldd: lib paths resolve function
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Fortify (push) Successful in 2m37s
Details
Test / Fpkg (push) Successful in 3m37s
Details
Test / Data race detector (push) Successful in 3m50s
Details
Test / Flake checks (push) Successful in 56s
Details 
This is what always happens right after a ldd call, so implement it here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 01:20:09 +09:00
Ophestra
9f5dad1998
sandbox: return on zero length ops
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m30s
Details
Test / Fpkg (push) Successful in 3m24s
Details
Test / Data race detector (push) Successful in 3m53s
Details
Test / Flake checks (push) Successful in 52s
Details 
This dodges potentially confusing behaviour where init fails due to Ops being clobbered during transfer.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 00:32:36 +09:00
Ophestra
bac4e67867
sandbox/init: early params nil check
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m31s
Details
Test / Fpkg (push) Successful in 3m48s
Details
Test / Data race detector (push) Successful in 3m53s
Details
Test / Flake checks (push) Successful in 51s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 04:03:10 +09:00
Ophestra
4230281194
sandbox: return error on doubled start
All checks were successful
Test / Create distribution (push) Successful in 18s
Details
Test / Fpkg (push) Successful in 35s
Details
Test / Fortify (push) Successful in 38s
Details
Test / Data race detector (push) Successful in 36s
Details
Test / Flake checks (push) Successful in 58s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 03:30:14 +09:00
Ophestra
e64e7608ca
sandbox: expose cancel behaviour
All checks were successful
Test / Create distribution (push) Successful in 40s
Details
Test / Fpkg (push) Successful in 11m53s
Details
Test / Fortify (push) Successful in 1m57s
Details
Test / Data race detector (push) Successful in 2m33s
Details
Test / Flake checks (push) Successful in 58s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 03:04:27 +09:00
Ophestra
2647a71be1
seccomp: move out of helper
All checks were successful
Test / Create distribution (push) Successful in 29s
Details
Test / Fortify (push) Successful in 2m53s
Details
Test / Fpkg (push) Successful in 4m0s
Details
Test / Data race detector (push) Successful in 4m9s
Details
Test / Flake checks (push) Successful in 59s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 22:42:40 +09:00
Ophestra
4bb5d9780f
ldd: run in native sandbox
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m27s
Details
Test / Fpkg (push) Successful in 3m22s
Details
Test / Data race detector (push) Successful in 3m43s
Details
Test / Flake checks (push) Successful in 48s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 17:55:55 +09:00
Ophestra
f41fd94628
sandbox: write uid/gid map as init
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m30s
Details
Test / Fpkg (push) Successful in 3m21s
Details
Test / Data race detector (push) Successful in 3m39s
Details
Test / Flake checks (push) Successful in 48s
Details 
This avoids PR_SET_DUMPABLE in the parent process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 17:42:22 +09:00
Ophestra
94895bbacb
sandbox: invert seccomp ruleset defaults
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Fortify (push) Successful in 2m31s
Details
Test / Fpkg (push) Successful in 3m20s
Details
Test / Data race detector (push) Successful in 3m35s
Details
Test / Flake checks (push) Successful in 50s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:38:32 +09:00
Ophestra
f332200ca4
sandbox: mount container /dev
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m29s
Details
Test / Fpkg (push) Successful in 3m26s
Details
Test / Data race detector (push) Successful in 3m33s
Details
Test / Flake checks (push) Successful in 51s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:18:44 +09:00
Ophestra
2eff470091
sandbox/mount: pass custom tmpfs name
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Fortify (push) Successful in 2m51s
Details
Test / Data race detector (push) Successful in 3m53s
Details
Test / Fpkg (push) Successful in 3m59s
Details
Test / Flake checks (push) Successful in 55s
Details 
The tmpfs driver allows arbitrary fsname.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:12:35 +09:00
Ophestra
a092b042ab
sandbox: pass params to setup ops
All checks were successful
Test / Create distribution (push) Successful in 20s
Details
Test / Fortify (push) Successful in 2m5s
Details
Test / Fpkg (push) Successful in 3m26s
Details
Test / Data race detector (push) Successful in 3m49s
Details
Test / Flake checks (push) Successful in 55s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:11:38 +09:00
Ophestra
e94b09d337
sandbox/mount: fix source flag path
All checks were successful
Test / Create distribution (push) Successful in 20s
Details
Test / Fortify (push) Successful in 2m6s
Details
Test / Fpkg (push) Successful in 3m24s
Details
Test / Data race detector (push) Successful in 3m56s
Details
Test / Flake checks (push) Successful in 54s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:10:48 +09:00
Ophestra
5d9e669d97
sandbox: separate tmpfs function from op
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m34s
Details
Test / Fpkg (push) Successful in 3m25s
Details
Test / Data race detector (push) Successful in 3m32s
Details
Test / Flake checks (push) Successful in 52s
Details 
This is useful in the implementation of various other ops.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 00:21:20 +09:00
Ophestra
f1002157a5
sandbox: separate bind mount function from op
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Fortify (push) Successful in 2m33s
Details
Test / Fpkg (push) Successful in 3m26s
Details
Test / Data race detector (push) Successful in 3m36s
Details
Test / Flake checks (push) Successful in 53s
Details 
This is useful in the implementation of various other ops.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 00:16:41 +09:00
Ophestra
9b1a60b5c9
sandbox: native container tooling
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m28s
Details
Test / Fpkg (push) Successful in 3m23s
Details
Test / Data race detector (push) Successful in 3m35s
Details
Test / Flake checks (push) Successful in 48s
Details 
This should eventually replace bwrap.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-13 21:36:26 +09:00
Ophestra
6af8b8859f
sandbox: read overflow ids
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Fortify (push) Successful in 1m53s
Details
Test / Fpkg (push) Successful in 3m7s
Details
Test / Data race detector (push) Successful in 3m33s
Details
Test / Flake checks (push) Successful in 54s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-13 00:41:37 +09:00