Commit Graph

275 Commits

Author SHA1 Message Date
1906853382
clean up setup/launcher code and enable better control over shares
In the past Wayland, X and PulseAudio were shared unconditionally. This can unnecessarily increase attack surface as some of these resources might not be needed at all. This commit moves all environment preparation code to the internal app package and selectively calls it based on flags.

An "enablements" bitfield is introduced tracking all enabled shares. This value is registered after successful child process launch and stored in launcher states.

Code responsible for running the child process is isolated to its own app/run file and cleaned up. Launch method selection is also extensively cleaned up.

The internal state/track readLaunchers function now takes uid as an argument. Launcher state is now printed using text/tabwriter and argv is only emitted when verbose.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-08 02:24:01 +09:00
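The enablements bitfield described in this commit, as an added example in Go (not the project's own code). The constant names, the setup bodies and the environment values are assumptions made for illustration; the point shown is that a share's setup only runs when its bit is set, so a share the user never asked for leaves nothing for the child to reach.

```go
package main

import (
	"fmt"
	"strings"
)

// Enablement is one bit of the enablements bitfield. These names are
// illustrative, not the project's own identifiers.
type Enablement uint8

const (
	EWayland Enablement = 1 << iota
	EX11
	EPulse
)

// Enablements is the bitfield recorded in launcher state after a successful launch.
type Enablements uint8

func (e Enablements) Has(x Enablement) bool { return uint8(e)&uint8(x) != 0 }
func (e *Enablements) Set(x Enablement)     { *e |= Enablements(x) }

var enablementNames = map[Enablement]string{
	EWayland: "wayland",
	EX11:     "x11",
	EPulse:   "pulseaudio",
}

// all fixes the iteration order so setup and printing are deterministic.
var all = []Enablement{EWayland, EX11, EPulse}

func (e Enablements) String() string {
	var names []string
	for _, x := range all {
		if e.Has(x) {
			names = append(names, enablementNames[x])
		}
	}
	if len(names) == 0 {
		return "none"
	}
	return strings.Join(names, ",")
}

// FromFlags builds the bitfield from the boolean CLI flags.
func FromFlags(wayland, x11, pulse bool) Enablements {
	var e Enablements
	if wayland {
		e.Set(EWayland)
	}
	if x11 {
		e.Set(EX11)
	}
	if pulse {
		e.Set(EPulse)
	}
	return e
}

// setups maps each share to the environment preparation it needs. The
// values are placeholders; a real setup would also copy sockets or set ACLs.
var setups = map[Enablement]func(env map[string]string){
	EWayland: func(env map[string]string) { env["WAYLAND_DISPLAY"] = "wayland-0" },
	EX11:     func(env map[string]string) { env["DISPLAY"] = ":0" },
	EPulse:   func(env map[string]string) { env["PULSE_SERVER"] = "unix:/run/user/1000/pulse/native" },
}

// Prepare runs only the selected setups and returns the child's extra environment.
func Prepare(e Enablements) map[string]string {
	env := make(map[string]string)
	for _, x := range all {
		if e.Has(x) {
			setups[x](env)
		}
	}
	return env
}

func main() {
	e := FromFlags(true, false, true)
	fmt.Printf("enablements=%d (%s)\n", uint8(e), e)
	fmt.Println(Prepare(e))
}
```

Because the value is a plain uint8, it can be written into the launcher state file as-is and reloaded later to decide which system changes (X11 hosts, ACL entries) still need reverting.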
58d3a1fbc7
release: 1.0.4
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 19:57:47 +09:00
1b5fce5ccb
update README document
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 19:54:35 +09:00
945cce2f5e
nix: implement nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 17:03:21 +09:00
5c3e7cf664
app/launch: set argv when launching shell
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 11:04:16 +09:00
743b6afbbb
workflows: rename binary to fortify
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 01:27:04 +09:00
d8f76f3b25
rename to fortify and restructure
More sandbox features will be added and this will no longer track ego's features and behaviour.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 01:20:12 +09:00
7e6eb82195
license: embed license in executable
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 22:07:40 +09:00
09507a541b
nix: build directly with buildGoModules
Since we have no dependencies, we don't need a vendor hash, so doing this actually makes sense.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 21:54:44 +09:00
1f72c30033
adapt README document
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 21:33:31 +09:00
e1a96ded34
apply MIT license
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 20:49:00 +09:00
18db464bd5
apply X11 license
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 14:20:17 +09:00
a3c2916c1a
state: track launcher states in runDir and clean up before exit
X11 hosts and ACL rules are no longer necessary after all launcher processes exit. This reverts all changes to the system made during setup when no launchers remain. State information is also saved in runDir which can be tracked externally.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 14:19:43 +09:00
392717c6dc
workflows: add release workflow
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 23:47:08 +09:00
da7e404bcf
main: implement sudo and machinectl launcher methods
This does almost exactly what github:intgr/ego does, with some minor optimisations and corrections.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 23:29:21 +09:00
1cd0846dc9
launcher: implement launcher wrapper
There is no way to have machinectl pass part of its argv to the child, and formatting the string for a shell is highly error-prone and complex, so the argv slice is encoded and passed to a launcher process launched by machinectl, which then calls execve(2) to start the final process.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 22:56:50 +09:00
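The argv hand-off described in this commit, as an added example in Go (not the project's own code). It encodes the argv slice with gob and base64url so the whole argv travels as one shell-safe token, and the launcher side decodes it and replaces itself with the target via execve(2). The "-launcher" flag name, the self-invocation and the sample argv are assumptions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/gob"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// EncodeArgv serialises argv into a single token made only of base64url
// characters, so it passes through any argument list unchanged and never
// needs shell quoting.
func EncodeArgv(argv []string) (string, error) {
	if len(argv) == 0 {
		return "", errors.New("argv must contain at least argv[0]")
	}
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(argv); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeArgv reverses EncodeArgv; the launcher side calls this.
func DecodeArgv(s string) ([]string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	var argv []string
	if err := gob.NewDecoder(bytes.NewReader(raw)).Decode(&argv); err != nil {
		return nil, err
	}
	if len(argv) == 0 {
		return nil, errors.New("decoded argv is empty")
	}
	return argv, nil
}

// LauncherCommand is the command line the parent hands to machinectl to run
// as the target user (assumed shape: this binary re-invoked with one token).
func LauncherCommand(self string, argv []string) ([]string, error) {
	blob, err := EncodeArgv(argv)
	if err != nil {
		return nil, err
	}
	return []string{self, "-launcher", blob}, nil
}

// runLauncher is the child side: decode, resolve argv[0] on PATH, then
// replace this process with the target via execve(2).
func runLauncher(blob string) error {
	argv, err := DecodeArgv(blob)
	if err != nil {
		return err
	}
	path, err := exec.LookPath(argv[0])
	if err != nil {
		return err
	}
	return syscall.Exec(path, argv, os.Environ())
}

func main() {
	if len(os.Args) == 3 && os.Args[1] == "-launcher" {
		if err := runLauncher(os.Args[2]); err != nil {
			fmt.Fprintln(os.Stderr, "launcher:", err)
			os.Exit(1)
		}
	}
	// Parent side: a constructed argv that would be painful to quote for a shell.
	argv := []string{"printf", "%s\n", "a b", `"quoted"`, "$HOME", ""}
	cmd, err := LauncherCommand(os.Args[0], argv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(cmd)
}
```

gob is used rather than JSON because argv entries are arbitrary byte strings, not necessarily valid UTF-8, and JSON marshalling would silently rewrite invalid sequences.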
0bd452ad9b
util: PulseAudio cookie discovery
This appears to be how a regular PulseAudio client discovers the PulseAudio cookie.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 16:25:44 +09:00
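The cookie lookup this commit refers to, as an added example in Go (not the project's own code). The search order it assumes is the one libpulse clients follow: $PULSE_COOKIE if set, then $XDG_CONFIG_HOME/pulse/cookie (default ~/.config/pulse/cookie), then the legacy ~/.pulse-cookie; the native-protocol cookie is 256 bytes. getenv and home are injected so the logic can be exercised against a constructed tree.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// cookieLength is the size of a PulseAudio native-protocol cookie.
const cookieLength = 256

// DiscoverCookie returns the cookie path a regular PulseAudio client would
// use. An explicit $PULSE_COOKIE is authoritative: it is returned even when
// the file is missing (ok=false) so the caller does not silently fall back.
func DiscoverCookie(getenv func(string) string, home string) (string, bool) {
	if p := getenv("PULSE_COOKIE"); p != "" {
		return p, fileExists(p)
	}
	cfg := getenv("XDG_CONFIG_HOME")
	if cfg == "" {
		cfg = filepath.Join(home, ".config")
	}
	for _, p := range []string{
		filepath.Join(cfg, "pulse", "cookie"),
		filepath.Join(home, ".pulse-cookie"),
	} {
		if fileExists(p) {
			return p, true
		}
	}
	return "", false
}

func fileExists(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.Mode().IsRegular()
}

// ReadCookie loads the cookie and rejects anything that is not exactly
// cookieLength bytes, catching a truncated or wrong file before it is
// copied into a sandbox.
func ReadCookie(p string) ([]byte, error) {
	b, err := os.ReadFile(p)
	if err != nil {
		return nil, err
	}
	if len(b) != cookieLength {
		return nil, fmt.Errorf("%s: cookie is %d bytes, want %d", p, len(b), cookieLength)
	}
	return b, nil
}

func main() {
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	p, ok := DiscoverCookie(os.Getenv, home)
	if !ok {
		fmt.Println("no PulseAudio cookie found")
		return
	}
	if _, err := ReadCookie(p); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("cookie:", p)
}
```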
7d96b0bf35
acl: fix memory leak in removeEntry
According to the manpage acl_get_qualifier(3), the void * returned by this function could be allocated on the heap.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 12:40:29 +09:00
289e681c41
util: file copy and exec.LookPath wrapper
Add convenience functions for copying files to owner readable targets and LookPath comma ok wrapper.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 01:20:52 +09:00
190eb088bc
nix: add libxcb package to dev shell
Since we link libxcb as well now this is needed in the dev shell for it to build properly without impure.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 00:38:11 +09:00
518fd54ff3
x11: wrap libxcb ChangeHosts request
Even though many pure Go libxcb implementations exist, it is at least as complex and unreadable as libxcb, if not more. Since well known libraries like SDL, qt and gtk use libxcb, and they somehow understand how to use it, I can only assume these people have read enough code to make sure it's correct enough. Call it wishful thinking. I don't care anymore.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-14 18:31:53 +09:00
65c02b540d
util: port sd_booted function
The manpage provided by systemd states that the sd_booted function internally "checks whether the directory /run/systemd/system/ exists", as well as that "a simple check like this can also be implemented trivially in shell or any other language". This implies the behaviour of this function can be expected to be stable.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-11 01:13:41 +09:00
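A port of the documented check, as an added example in Go (not the project's own code). It is true exactly when /run/systemd/system/ exists and is a directory; a missing path is a clean false, any other stat error is surfaced rather than swallowed, since a wrong answer here would pick the wrong launcher method. The root parameter is an assumption added so the check can be pointed at a constructed tree; pass "/" for the running system.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// SDBooted reports whether root/run/systemd/system/ exists as a directory,
// mirroring sd_booted(3). ENOENT maps to (false, nil); other errors such as
// EACCES or ENOTDIR on a path component are returned to the caller.
func SDBooted(root string) (bool, error) {
	fi, err := os.Stat(filepath.Join(root, "run", "systemd", "system"))
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return fi.IsDir(), nil
}

func main() {
	booted, err := SDBooted("/")
	if err != nil {
		fmt.Fprintln(os.Stderr, "sd_booted:", err)
		os.Exit(1)
	}
	fmt.Println("booted with systemd:", booted)
}
```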
94c69806ef
nix: set up devShell
Since we're using cgo to call into libacl a few dependencies other than go are required to build.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-11 01:10:35 +09:00
2ef29ab52e
acl: implement acl utils via libacl
The library is simple and should be easy to port to Go, however correctness matters more in this case and overhead from cgo is negligible for our usage scenario.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-11 00:38:21 +09:00
491cc16d53
cli: parse and resolve flags
Copy all flags from upstream. The machinectl flag is dropped as it does nothing. The flag package is used to reduce complexity since we do not care about compatibility with upstream.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-09 15:39:40 +09:00