security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases36 Wiki Activity
635 Commits 5 Branches 36 Tags 5 MiB
5098b12e4a
Commit Graph

635 Commits

Author SHA1 Message Date
Ophestra
7e69893264
acl: rename UpdatePerms to Update 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 20:33:18 +09:00
Ophestra
38a3e6af03
system: make xcb internal 
This package is hauntingly ugly. Move this to internal until it is removed or replaced.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 19:07:53 +09:00
Ophestra
90cb01b274
system: move out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 19:00:43 +09:00
Ophestra
b1e1d5627e
system: wrap console output functions 
This eliminates all fmsg imports from internal/system.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 18:17:55 +09:00
Ophestra
3ae2ab652e
system/wayland: sync file at caller specified address 
Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 13:24:17 +09:00
Ophestra
db71fbe22b
system/tmpfiles: fail gracefully in API misuse 
Panicking here leaves garbage behind. Not ideal if this package is going to be exported.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 12:17:01 +09:00
Ophestra
83e72c2b59
release: 0.2.15 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 00:13:04 +09:00
Ophestra
82a072f641
system/tmpfiles: implement private tmpfiles 
These are only available within the mount namespace and should significantly reduce attack surface.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-17 00:07:52 +09:00
Ophestra
60c10c3f4a
nix: run integration tests with race detector 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 20:58:08 +09:00
Ophestra
468696f611
internal: beforeExit before reachable fatal calls 
These are the only two calls to log.Fatal* reachable during suspended output. Call fmsg.BeforeExit here to catch that.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 19:03:34 +09:00
Ophestra
29c38caac8
app/shim/manager: return error on bad fsu path 
This results in a graceful failure that does not leave garbage behind.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 18:59:45 +09:00
Ophestra
e599b5583d
fmsg: implement suspend in writer 
This removes the requirement to call fmsg.Exit on every exit path, and enables direct use of the "log" package. However, fmsg.BeforeExit is still encouraged when possible to catch exit on suspended output.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 18:51:53 +09:00
Ophestra
33a4ab11c2
internal: move shim and init into app 
This structure makes more sense, as both processes are part of an app's lifecycle.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 16:28:46 +09:00
Ophestra
1fa5e992e4
helper/bwrap: expose address of DataConfig 
This allows the caller to defer fulfilling its payload.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 12:33:59 +09:00
Ophestra
c667b13a00
system: separate link Op implementation 
This Op would still be useful after replacing the Tmpfiles interface, so isolate it here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 12:15:26 +09:00
Ophestra
90b86a5531
release: 0.2.14 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 23:05:02 +09:00
Ophestra
f545e154f0
workflows: use native nix runner 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 22:58:04 +09:00
Ophestra
268a90f1a5
app: improve WAYLAND_DISPLAY correctness 
This now has identical behaviour as wayland C library.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 14:45:09 +09:00
Ophestra
3054527ca5
fortify: prevent exit status 0 on app failure 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 14:40:19 +09:00
Ophestra
ddb2f9c11b
app: remove wayland socket hard link 
This Op was not doing anything useful.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 10:54:00 +09:00
Ophestra
6ae02e72fa
nix: test direct_wayland behaviour 
This should never be used outside tests unless you absolutely know what you're doing or are using GNOME.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 10:45:27 +09:00
Ophestra
989fb5395f
nix: remove unused configuration 
User setup no longer depends on userdb.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 10:10:42 +09:00
Ophestra
f955b15b84
system: remove write mode tmpfiles 
This interface is ugly and bug-prone. This change removes its write mode which has been obsoleted by CopyBind.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 03:22:20 +09:00
Ophestra
0340c67995
app: port passwd and group files to copy 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 03:19:06 +09:00
Ophestra
72b0160aad
helper/bwrap: implement file copy flags 
These are significantly more efficient and less error-prone than mounting an external tmpfile. This should also reduce attack surface as the resulting files are private to its specific sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 03:13:15 +09:00
Ophestra
ea8d1c07df
priv/shim: move /sbin/init setup to app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 03:06:10 +09:00
Ophestra
a0062d8275
fmsg: resume on exit 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 02:22:09 +09:00
Ophestra
43d2e4f5d7
nix: sway increase resolution 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 02:21:24 +09:00
Ophestra
be7d944b39
helper/bwrap: PositionalArg implement fmt.Stringer 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 00:11:48 +09:00
Ophestra
ace97952cc
helper/bwrap: merge Args and FDArgs 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 18:13:06 +09:00
Ophestra
73146ea7fa
dbus: remove BwrapStatic method 
This method does not do anything and is not called from anywhere. It also does not make any sense as a public interface since the argument builder is no longer stateless.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 18:09:59 +09:00
Ophestra
88040504b2
helper/bwrap: remove fmsg import 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 18:05:00 +09:00
Ophestra
1fd571d561
cmd/fsu: check parse behaviour 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 16:43:55 +09:00
Ophestra
be30e2f11e
cmd/fsu: revert offset in error message 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 15:31:39 +09:00
Ophestra
aaebb8f3ab
fortify: check print behaviour 
These output are supposed to be deterministic, so checking them is a good way to catch regressions.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 14:44:28 +09:00
Ophestra
1f74b636d3
state/join: use Join method when available 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 14:11:02 +09:00
Ophestra
e431ab3c24
app: check username length against LOGIN_NAME_MAX 
This limit is arbitrary, but it's good to enforce it anyway.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 12:44:55 +09:00
Ophestra
3fba33687b
fortify: print line after ps output 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-14 12:23:20 +09:00
Ophestra
820f48ef94
release: 0.2.13 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 23:45:54 +09:00
Ophestra
fe7d208cf7
helper: use generic extra files interface 
This replaces the pipes object and integrates context into helper process lifecycle.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 23:34:15 +09:00
Ophestra
60c2873750
helper/proc: cancel ec on parent ctx 
This allows errors written during a timeout to be received and handled.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 23:08:28 +09:00
Ophestra
d1d20c06fb
helper/seccomp: use sync.Once for closeWrite 
This makes the code much cleaner, and eliminates the intermittent ErrInvalid errors.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 22:49:16 +09:00
Ophestra
1e6a059668
helper/seccomp: benchmark exporter 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 22:37:51 +09:00
Ophestra
318df0f7e1
nix: test syscall filter 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 22:01:16 +09:00
Ophestra
58eb8f971d
proc/pipe: implement args and stat file 
This is a generic implementation of helper/pipe.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 19:57:24 +09:00
Ophestra
0a1d7c01cd
helper/proc: count dispatched errs 
This helps debug implementation errors of [proc.File].

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 19:55:37 +09:00
Ophestra
60ca1c6c55
helper/proc: store file addresses in linked list 
Storing extra files as a slice requires the caller to allocate a large enough slice before initialising any file and never grow the slice.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 17:42:12 +09:00
Ophestra
099da78af5
helper/seccomp: eliminate data race on pfd 
Turns out the doc comment on os.File was lying about its methods being safe for concurrent use. The race detector picked up a data race from concurrent use of Fd and Close.

This change eliminates that by calling Fd in the prepare routine.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-13 10:40:51 +09:00
Ophestra
18466cfd02
helper/proc: declare generic extra files interface 
Helpers use extra files for various purposes. This provides a generic interface for implementing the fulfillment of these extra files without having to specifically handle them in the process creation code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-11 16:34:47 +09:00
Ophestra
e14923ae53
helper/proc: move package out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-08 13:03:45 +09:00