20 Commits

Author	SHA1	Message	Date
Ophestra	37780456a7	helper: block more unusual/privileged syscalls ... These are toggled by F_EXT and exposed as SyscallPolicy.Compat in the Go interface. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-25 12:35:47 +09:00
Ophestra	9a239fa1a5	helper/bwrap: integrate seccomp into helper interface ... This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 01:52:57 +09:00
Ophestra	2f70506865	helper/bwrap: move sync to helper state ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:38:13 +09:00
Ophestra	3e11ce6868	helper/bwrap: separate sequential/static args ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 13:07:06 +09:00
Ophestra	7d99e45b88	helper/bwrap: register OverlayConfig with gob ... This is required for copying bwrap configurations across processes. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-14 12:25:10 +09:00
Ophestra	e2489059c1	helper/bwrap: implement overlayfs builder ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-05 20:09:35 +09:00
Ophestra	2e3f6a4c51	helper/bwrap: move test out of bwrap package ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-05 19:45:24 +09:00
Ophestra	2162029f46	helper/bwrap: add json struct tag to filesystem ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-05 19:41:04 +09:00
Ophestra	aef847b5ae	helper/bwrap: fix typo in --dir config builder ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-27 15:34:43 +09:00
Ophestra Umiker	8d0573405a	helper/bwrap: implement sync fd ... This is required by wayland security-context-v1. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 04:21:37 +09:00
Ophestra Umiker	050ffceb27	helper/bwrap: register generic PermConfig types with gob ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-25 13:26:01 +09:00
Ophestra Umiker	184a5f29fa	helper/bwrap: add fortify permissive default test case ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-15 02:56:13 +09:00
Ophestra Umiker	3015266e5a	helper/bwrap: sort SetEnv arguments ... This guarantees consistency of resulting args. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-15 02:55:48 +09:00
Ophestra Umiker	2faf510146	helper/bwrap: ordered filesystem args ... The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-15 02:15:55 +09:00
Ophestra Umiker	a0db19b9ad	helper/bwrap: format mode in octal ... Bubblewrap expects an octal representation of mode. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-14 13:47:50 +09:00
Ophestra Umiker	aee96b0fdf	helper/bwrap: allow pushing generic arguments to the end of argument stream ... Bwrap argument order determines the order their corresponding actions are performed. This allows generic arguments like tmpfs to the end of the stream to override bind mounts. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-13 02:26:01 +09:00
Ophestra Umiker	713872a5cd	helper/bwrap: move interfaceArgs before stringArgs ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-11 04:12:47 +09:00
Ophestra Umiker	101e49a48b	helper/bwrap: proc, dev and mqueue as string arguments ... These flags do not support --chmod. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-11 01:30:11 +09:00
Ophestra Umiker	b99ed94386	helper/bwrap: pass --unshare-user when unshare everything ... Bubblewrap apparently requires --unshare-user even when --unshare-all is set to apply --disable-userns. This behaviour is not clearly documented. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-09 00:22:48 +09:00
Ophestra Umiker	6a2802cf30	helper: move bwrap into helper ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-07 14:40:35 +09:00