fortify

Author	SHA1	Message	Date
Ophestra	3d0bc35422	app: wayland socket in process share Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-01 00:32:17 +09:00
Ophestra	f13ee88b74	app: share path setup on demand This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-01 00:19:34 +09:00
Ophestra	4036da3b5c	fst: optional configured shell path Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-31 21:27:31 +09:00
Ophestra	605d018be2	app/seal: check for '=' in envv Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 18:25:23 +09:00
Ophestra	300571af47	app: pass through $SHELL Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 01:22:40 +09:00
Ophestra	2dd49c437c	app: create XDG_RUNTIME_DIR with perm 0700 Many programs complain about this. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 02:49:37 +09:00
Ophestra	61dbfeffe7	sandbox/wl: move into sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 05:26:37 +09:00
Ophestra	ec5e91b8c9	system: optimise string formatting Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 04:42:30 +09:00
Ophestra	5c4058d5ac	app: run in native sandbox Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 01:52:49 +09:00
Ophestra	9a1f8e129f	sandbox: wrap fmsg interface Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 02:44:07 +09:00
Ophestra	4133b555ba	internal/app: rename init to init0 This makes way for the new container init. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-13 21:57:54 +09:00
Ophestra	c64b8163e7	app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-21 16:06:24 +09:00
Ophestra	3c80fd2b0f	app: defer system.I revert Just returning an error after a successful call of commit will leave garbage behind with no way for the caller to clean them. This change ensures revert is always called after successful commit with at least per-process state enabled. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 21:12:11 +09:00
Ophestra	ef81828e0c	app: remove share method This is yet another implementation detail from before system.I, getting rid of this vastly cuts down on redundant seal state. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 16:20:25 +09:00
Ophestra	2978a6f046	app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 12:33:51 +09:00
Ophestra	dfd9467523	app: merge seal with sys The existence of the appSealSys struct was an implementation detail obsolete since system.I was integrated in `084cd84f36`. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 01:36:29 +09:00
Ophestra	53571f030e	app: embed appSeal in app struct Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 01:10:37 +09:00
Ophestra	aa164081e1	app/seal: improve documentation Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 01:04:14 +09:00
Ophestra	9a10eeab90	app/seal: embed enablements Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 00:41:51 +09:00
Ophestra	a748d40745	app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 00:25:00 +09:00
Ophestra	648e1d641a	app: separate interface from implementation Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 23:07:28 +09:00
Ophestra	e0f321b2c4	sys: rename from linux Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 18:47:48 +09:00
Ophestra	2c9c7fee5b	linux: wrap fsu lookup error Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 17:39:53 +09:00
Ophestra	90cb01b274	system: move out of internal Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 19:00:43 +09:00
Ophestra	b1e1d5627e	system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 18:17:55 +09:00
Ophestra	e599b5583d	fmsg: implement suspend in writer This removes the requirement to call fmsg.Exit on every exit path, and enables direct use of the "log" package. However, fmsg.BeforeExit is still encouraged when possible to catch exit on suspended output. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 18:51:53 +09:00
Ophestra	e431ab3c24	app: check username length against LOGIN_NAME_MAX This limit is arbitrary, but it's good to enforce it anyway. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-14 12:44:55 +09:00
Ophestra	2e52191404	system/dbus: dump method prints msgbuf Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-07 13:16:54 +09:00
Ophestra	9a239fa1a5	helper/bwrap: integrate seccomp into helper interface This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 01:52:57 +09:00
Ophestra	dfcdc5ce20	state: store config in separate gob stream This enables early serialisation of config. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-21 12:10:58 +09:00
Ophestra	27f5922d5c	fst: include syscall filter configuration This value is passed through to shim. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 21:12:39 +09:00
Ophestra	562f5ed797	fst: hide sockets exposed via Filesystem This is mostly useful for permissive defaults. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 10:13:18 +09:00
Ophestra	b9e2003d5b	app: ensure extra paths The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:07:49 +09:00
Ophestra	847b667489	app: extra acl entries from configuration Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:23:27 +09:00
Ophestra	0107620d8c	app: merge share methods This significantly increases readability and makes order of ops more obvious. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 11:12:35 +09:00
Ophestra	f608f28a6a	app: mount /dev/kvm in permissive defaults Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-22 12:37:24 +09:00
Ophestra Umiker	df6fc298f6	migrate to git.gensokyo.uk/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
Ophestra Umiker	eae3034260	state: expose aids and use instance id as key Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 21:36:17 +09:00
Ophestra Umiker	2f676c9d6e	fst: rename from fipc Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 15:50:46 +09:00
Ophestra Umiker	b752ec4468	fipc: export config struct Also store full config as part of state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 13:45:55 +09:00
Ophestra Umiker	b3ef53b193	app: integrate security-context-v1 Should be able to get rid of XDG_RUNTIME_DIR share after this. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 04:25:33 +09:00
Ophestra Umiker	9faf3b3596	app: validate username This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-19 21:01:41 +09:00
Ophestra Umiker	05b7dbf066	app: alternative inner home path Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-18 00:18:21 +09:00
Ophestra Umiker	df33123bd7	app: integrate fsu This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-16 21:19:45 +09:00
Ophestra Umiker	9a13b311ac	app/config: rename map_real_uid from use_real_uid This option only changes mapped uid in the user namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-09 12:01:34 +09:00
Ophestra Umiker	fc25ac2523	app: separate auto etc from permissive defaults Populating /etc with symlinks is quite useful even outside the permissive defaults usage pattern. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 22:18:05 +09:00
Ophestra Umiker	af15b1c048	app: support mapping target uid as privileged uid in sandbox Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 03:15:39 +09:00
Ophestra Umiker	7962681f4a	app: format mapped uid instead of real uid Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 00:49:32 +09:00
Ophestra Umiker	bfcce3ff75	system/dbus: buffer xdg-dbus-proxy messages Pointing xdg-dbus-proxy to stdout/stderr makes a huge mess. This change enables app to neatly print out prefixed xdg-dbus-proxy messages after output is resumed. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-03 03:07:02 +09:00
Ophestra Umiker	584732f80a	cmd: shim and init into separate binaries This change also fixes a deadlock when shim fails to connect and complete the setup. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-02 03:13:57 +09:00

1 2

70 Commits