fortify

Author	SHA1	Message	Date
Ophestra	61e58aa14d	helper/proc: expose setup file Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-09 17:22:31 +09:00
Ophestra	9e15898c8f	internal/prctl: rename prctl wrappers Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-07 22:56:35 +09:00
Ophestra	80f9b62d25	app: print comp values early Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-26 22:27:55 +09:00
Ophestra	673b648bd3	cmd/fpkg: call app in-process Wrapping fortify is slow, painful and error-prone. Start apps in-process instead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-26 19:51:44 +09:00
Ophestra	840ceb615a	app: handle RunState errors Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-26 17:36:14 +09:00
Ophestra	d050b3de25	app: define errors in a separate file Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-26 17:12:02 +09:00
Ophestra	39dc8e7bd8	dbus: set process group id This stops signals sent by the TTY driver from propagating to the xdg-dbus-proxy process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-25 18:12:41 +09:00
Ophestra	f0a082ec84	fortify: improve handling of RevertErr All this error wrapping is getting a bit ridiculous and I might want to do something about that somewhere down the line. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-25 00:45:00 +09:00
Ophestra	c64b8163e7	app: separate instance from process state This works better for the implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-21 16:06:24 +09:00
Ophestra	3c80fd2b0f	app: defer system.I revert Just returning an error after a successful call of commit will leave garbage behind with no way for the caller to clean them. This change ensures revert is always called after successful commit with at least per-process state enabled. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 21:12:11 +09:00
Ophestra	ef81828e0c	app: remove share method This is yet another implementation detail from before system.I, getting rid of this vastly cuts down on redundant seal state. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 16:20:25 +09:00
Ophestra	2978a6f046	app: separate appSeal finalise method Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 12:33:51 +09:00
Ophestra	dfd9467523	app: merge seal with sys The existence of the appSealSys struct was an implementation detail obsolete since system.I was integrated in `084cd84f36`. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 01:36:29 +09:00
Ophestra	53571f030e	app: embed appSeal in app struct Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 01:10:37 +09:00
Ophestra	aa164081e1	app/seal: improve documentation Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 01:04:14 +09:00
Ophestra	9a10eeab90	app/seal: embed enablements Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 00:41:51 +09:00
Ophestra	a748d40745	app: store values with string representation Improves code readability without changing memory layout. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-19 00:25:00 +09:00
Ophestra	648e1d641a	app: separate interface from implementation Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 23:07:28 +09:00
Ophestra	ffaa12b9d8	sys: wrap log methods Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 22:52:09 +09:00
Ophestra	e0f321b2c4	sys: rename from linux Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 18:47:48 +09:00
Ophestra	2c9c7fee5b	linux: wrap fsu lookup error Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 17:39:53 +09:00
Ophestra	90cb01b274	system: move out of internal Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 19:00:43 +09:00
Ophestra	b1e1d5627e	system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 18:17:55 +09:00
Ophestra	3ae2ab652e	system/wayland: sync file at caller specified address Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 13:24:17 +09:00
Ophestra	82a072f641	system/tmpfiles: implement private tmpfiles These are only available within the mount namespace and should significantly reduce attack surface. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 00:07:52 +09:00
Ophestra	29c38caac8	app/shim/manager: return error on bad fsu path This results in a graceful failure that does not leave garbage behind. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 18:59:45 +09:00
Ophestra	e599b5583d	fmsg: implement suspend in writer This removes the requirement to call fmsg.Exit on every exit path, and enables direct use of the "log" package. However, fmsg.BeforeExit is still encouraged when possible to catch exit on suspended output. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 18:51:53 +09:00
Ophestra	33a4ab11c2	internal: move shim and init into app This structure makes more sense, as both processes are part of an app's lifecycle. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 16:28:46 +09:00
Ophestra	268a90f1a5	app: improve WAYLAND_DISPLAY correctness This now has identical behaviour as wayland C library. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 14:45:09 +09:00
Ophestra	ddb2f9c11b	app: remove wayland socket hard link This Op was not doing anything useful. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 10:54:00 +09:00
Ophestra	0340c67995	app: port passwd and group files to copy Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 03:19:06 +09:00
Ophestra	ea8d1c07df	priv/shim: move /sbin/init setup to app Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 03:06:10 +09:00
Ophestra	e431ab3c24	app: check username length against LOGIN_NAME_MAX This limit is arbitrary, but it's good to enforce it anyway. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-14 12:44:55 +09:00
Ophestra	fe7d208cf7	helper: use generic extra files interface This replaces the pipes object and integrates context into helper process lifecycle. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-13 23:34:15 +09:00
Ophestra	e14923ae53	helper/proc: move package out of internal Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-08 13:03:45 +09:00
Ophestra	2e52191404	system/dbus: dump method prints msgbuf Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-07 13:16:54 +09:00
Ophestra	23e1152baa	app/share: clean BaseError message This removes trailing '\n' in the PulseAudio warning. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 11:54:16 +09:00
Ophestra	9a239fa1a5	helper/bwrap: integrate seccomp into helper interface This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 01:52:57 +09:00
Ophestra	dfcdc5ce20	state: store config in separate gob stream This enables early serialisation of config. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-21 12:10:58 +09:00
Ophestra	27f5922d5c	fst: include syscall filter configuration This value is passed through to shim. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 21:12:39 +09:00
Ophestra	2f70506865	helper/bwrap: move sync to helper state Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:38:13 +09:00
Ophestra	cae567c109	proc/priv/shim: remove unnecessary state These values are only used during process creation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:09:07 +09:00
Ophestra	ea8f228af3	proc/priv/shim: merge shim into main program Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 23:43:32 +09:00
Ophestra	124743ffd3	app: expose single run method App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 23:39:51 +09:00
Ophestra	562f5ed797	fst: hide sockets exposed via Filesystem This is mostly useful for permissive defaults. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 10:13:18 +09:00
Ophestra	c4d6651cae	update reverse-DNS style identifiers Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-31 16:16:38 +09:00
Ophestra	9b206072fa	cmd/fshim: ensure data directory Ensuring home directory in shim causes the directory to be owned by the target user. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:39:01 +09:00
Ophestra	b9e2003d5b	app: ensure extra paths The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:07:49 +09:00
Ophestra	847b667489	app: extra acl entries from configuration Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:23:27 +09:00
Ophestra	0107620d8c	app: merge share methods This significantly increases readability and makes order of ops more obvious. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 11:12:35 +09:00

1 2 3

133 Commits