Commit Graph

195 Commits

Author SHA1 Message Date
33cf0bed54
dbus: various accessors for dbus.Proxy internal fields
These values are useful during sandbox setup and exporting them makes more sense than storing them twice.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 01:27:49 +09:00
689f5bed57
release: 0.0.4
All checks were successful
release / release (push) Successful in 1m32s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:56:49 +09:00
184a5f29fa
helper/bwrap: add fortify permissive default test case
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:56:13 +09:00
3015266e5a
helper/bwrap: sort SetEnv arguments
This guarantees consistency of resulting args.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:55:48 +09:00
aa5dd2313c
app: filter /tmp from permissive default
Tmpdir is bind mounted over further along in execution so there is no point sharing it here.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:54:50 +09:00
2faf510146
helper/bwrap: ordered filesystem args
The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:15:55 +09:00
a0db19b9ad
helper/bwrap: format mode in octal
Bubblewrap expects an octal representation of mode.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 13:47:50 +09:00
aaed5080f4
fortify: move PR_SET_DUMPABLE to the beginning of main
This call does need flag values.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:48:37 +09:00
41a7eb567e
release: 0.0.3
All checks were successful
release / release (push) Successful in 2m38s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:31:11 +09:00
1302bcede0
init: custom init process inside sandbox
Bubblewrap as init is a bit awkward and don't support a few setup actions fortify will need, such as starting/supervising nscd.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:27:02 +09:00
315c9b8849
fortify: refuse to run as root
There is no good reason to run fortify as root and desktop environments typically do not like that either. This check prevents confusion for new users who might mistakenly run it as root or set the setuid bit.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 20:06:47 +09:00
3739b56504
shim: update payload comment
Generating permissive default no longer happens in shim.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 17:19:50 +09:00
77f2c320a6
shim: re-exec self on startup
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 16:56:10 +09:00
b470941911
shim: get rid of insane launch condition
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 12:09:38 +09:00
e4536b87ad
app: generate and replace passwd and group files
This ensures libc functions get correct user information.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:43:00 +09:00
65a5f8fb08
app/config: map bwrap tmpfs in app config
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:39:27 +09:00
aee96b0fdf
helper/bwrap: allow pushing generic arguments to the end of argument stream
Bwrap argument order determines the order their corresponding actions are performed. This allows generic arguments like tmpfs to the end of the stream to override bind mounts.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:26:01 +09:00
655020eb5d
app/config: always use nobody UID within sandbox
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:50:24 +09:00
f320dfc2ee
fortify: set SUID_DUMP_DISABLE after flag parse
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:09:14 +09:00
c818ea649a
app/seal: skip /mnt in permissive default
This directory usually contains temporarily mounted stuff and shouldn't get into the sandbox.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:07:48 +09:00
b091260fd3
update README document
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:07:10 +09:00
b9d5fe49cb
nix: pass $SHELL for shell interpreter
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 23:01:06 +09:00
d37dcff2fc
app/seal: allow GPU access in permissive default when either X11/Wayland is enabled
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 22:55:53 +09:00
805ef99f9b
app: filesystem struct that maps to all bwrap bind options
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 22:33:04 +09:00
283bcba05b
fortify/config: flag to print template config serialised as JSON
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 19:46:40 +09:00
2e019e48c1
app: supply template config
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 19:46:07 +09:00
d5c26ae593
fortify: move error handling to separate file
Error handling here is way too monstrous due to terrible design of the internal/app package. Since rewriting internal/app will take a while, error handling is moved out of main to improve readability.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 02:11:43 +09:00
61b473a06f
fortify: clean up config loading
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 01:51:06 +09:00
d2575b6708
fortify: move flag handling to separate files
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 01:28:22 +09:00
8d82446d97
helper: remove unused bwrap config field
This configuration is not saved anywhere, and does not need to be saved. Bwrap configuration information is already saved into p.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 00:55:14 +09:00
0f421644be
dbus: improve unsealed behaviour coverage
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 00:53:08 +09:00
662f2a9d2c
app: integrate bwrap into environment setup
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 04:18:15 +09:00
3ddfd76cdf
shim: use bwrap config as it is
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 04:13:56 +09:00
713872a5cd
helper/bwrap: move interfaceArgs before stringArgs
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 04:12:47 +09:00
6220f7e197
app: migrate to new shim implementation
Both machinectl and sudo launch methods launch shim as shim is now responsible for setting up the sandbox. Various app structures are adapted to accommodate bwrap configuration and mediated wayland access.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 02:01:03 +09:00
b86fa6b4c9
shim: new shim implementation
This implementation of shim accepts configuration as a gob stream over a unix socket, with support for mediating access to wayland via WAYLAND_SOCKET fd. All configuration is now included in the payload, and child is started inside bwrap configured with supplied bwrap.Config.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 01:55:33 +09:00
6eb712aec7
verbose: overridable prefix
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 01:49:11 +09:00
101e49a48b
helper/bwrap: proc, dev and mqueue as string arguments
These flags do not support --chmod.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 01:30:11 +09:00
a3aadd4146
app: tag ACL operations for revert
ACL operations are now tagged with the enablement causing them. At the end of child process's life, enablements of all remaining launchers are resolved and inverted. This allows Wait to only revert operations targeting resources no longer required by other launchers.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 14:33:58 +09:00
86cb5ac1db
app: hardlink sockets to process-specific share local to XDG_RUNTIME_DIR
This avoids adding ACLs to the PulseAudio directory.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 12:44:08 +09:00
2220055e26
state/simple: prefix store path
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 11:03:31 +09:00
f4c44a9441
release: 0.0.2
All checks were successful
release / release (push) Successful in 2m15s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 00:13:06 +09:00
8f03ddc3fa
app: remove bubblewrap launch method
Launch methods serve the primary purpose of setting UID in the init namespace, which bubblewrap does not do. Furthermore, all applications will start within a bubblewrap sandbox once it has been implemented.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 00:11:04 +09:00
d41b9d2d9c
ldd: separate Parse from Exec and trim space
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 23:51:15 +09:00
22dfa73efe
release: 0.0.1
All checks were successful
release / release (push) Successful in 1m51s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 20:48:38 +09:00
753c5191b1
dbus/run: support running xdg-dbus-proxy in a restrictive bubblewrap sandbox
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 20:41:42 +09:00
6232291cae
ldd: implement strict ldd output parser
Fortify needs to internally resolve helper program sandbox config. They are considered trusted and runs under the privileged UID so ldd output is used to determine libraries they need inside the sandbox environment.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 20:39:27 +09:00
b99ed94386
helper/bwrap: pass --unshare-user when unshare everything
Bubblewrap apparently requires --unshare-user even when --unshare-all is set to apply --disable-userns. This behaviour is not clearly documented.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 00:22:48 +09:00
c201c30c7f
helper/bwrap: check args only for internal tests
Tests internal to the helper package sets crash-test-dummy as the command whenever a launch is expected to go through, and the hardcoded args are only valid for internal tests, so this characteristic is used here to exclude external tests that pass real program names and custom bwrap configurations.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 00:21:31 +09:00
7c7999e9e5
helper: implementation of helper.Helper using bwrap
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-08 18:02:38 +09:00