163f15e93f
helper/seccomp: separate seccomp package
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:59:11 +09:00
23e1152baa
app/share: clean BaseError message
This removes trailing '\n' in the PulseAudio warning.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 11:54:16 +09:00
8c51012ef5
dbus: enable syscall filter
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 11:49:23 +09:00
9a239fa1a5
helper/bwrap: integrate seccomp into helper interface
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 01:52:57 +09:00
82029948e6
proc: append to ExtraFiles slice pointer
This is useful for initialising extra files before the command.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-21 12:51:39 +09:00
dfcdc5ce20
state: store config in separate gob stream
This enables early serialisation of config.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-21 12:10:58 +09:00
20a3d4c458
proc/priv/shim: resolve and load seccomp rules
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:52:56 +09:00
3df344828f
proc/priv/shim: seccomp bpf filter via libseccomp
Rulesets adapted from Flatpak for compatibility.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:39:47 +09:00
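The filter this commit adds is produced by libseccomp. As an added example (not fortify's code, and not the Flatpak-derived ruleset the message refers to), the Go program below hand-assembles the classic BPF that a deny-list filter compiles down to and interprets it against constructed (nr, arch) pairs, so the arch pinning and the allow/errno/kill decisions can be checked without installing anything. The denied syscall numbers, the deny set itself and the helper names (BuildFilter, Run, Decide) are the example's own choices.

```go
package main

import (
	"errors"
	"fmt"
)

// sockFilter mirrors struct sock_filter (<linux/filter.h>) and syscall.SockFilter.
type sockFilter struct {
	Code uint16
	Jt   uint8
	Jf   uint8
	K    uint32
}

// Classic BPF opcode bits (<linux/bpf_common.h>), seccomp return words and
// masks (<linux/seccomp.h>), audit arch tags, and struct seccomp_data offsets.
const (
	bpfLD, bpfW, bpfABS, bpfJMP, bpfJEQ, bpfK, bpfRET = 0x00, 0x00, 0x20, 0x05, 0x10, 0x00, 0x06
	retKillProcess, retErrno, retAllow                 = 0x80000000, 0x00050000, 0x7fff0000
	retActionMask, retDataMask                         = 0xffff0000, 0x0000ffff
	archX86_64, archI386                               = 0xc000003e, 0x40000003
	offNr, offArch                                     = 0, 4 // int nr; __u32 arch
	eperm                                              = 1
)

// BuildFilter assembles a program that returns errno for each syscall number in
// denied and allows everything else. The arch check comes first and is fatal: a
// filter keyed on numbers alone is bypassed by switching ABI (i386 via int 0x80
// on an x86_64 kernel), which is why libseccomp always pins the arch.
func BuildFilter(arch uint32, denied []uint32, errno uint16) []sockFilter {
	prog := []sockFilter{
		{Code: bpfLD | bpfW | bpfABS, K: offArch},      // A = seccomp_data.arch
		{Code: bpfJMP | bpfJEQ | bpfK, Jt: 1, K: arch}, // match: skip the kill
		{Code: bpfRET | bpfK, K: retKillProcess},
		{Code: bpfLD | bpfW | bpfABS, K: offNr}, // A = seccomp_data.nr
	}
	n := len(denied)
	for i, nr := range denied {
		// Jumps are relative to the next instruction: skip the n-1-i remaining
		// compares and the ALLOW return to land on the ERRNO return.
		prog = append(prog, sockFilter{Code: bpfJMP | bpfJEQ | bpfK, Jt: uint8(n - i), K: nr})
	}
	return append(prog,
		sockFilter{Code: bpfRET | bpfK, K: retAllow},
		sockFilter{Code: bpfRET | bpfK, K: retErrno | uint32(errno)&retDataMask})
}

// Run interprets prog against (nr, arch) for the opcode subset BuildFilter emits,
// returning the raw SECCOMP_RET_* word the kernel would act on.
func Run(prog []sockFilter, nr int32, arch uint32) (uint32, error) {
	var a uint32 // BPF accumulator
	for pc := 0; pc < len(prog); pc++ {
		in := prog[pc]
		switch in.Code {
		case bpfLD | bpfW | bpfABS:
			switch in.K {
			case offNr:
				a = uint32(nr)
			case offArch:
				a = arch
			default:
				return 0, fmt.Errorf("unsupported load offset %d", in.K)
			}
		case bpfJMP | bpfJEQ | bpfK:
			if a == in.K {
				pc += int(in.Jt)
			} else {
				pc += int(in.Jf)
			}
		case bpfRET | bpfK:
			return in.K, nil
		default:
			return 0, fmt.Errorf("unsupported opcode %#x at pc %d", in.Code, pc)
		}
	}
	return 0, errors.New("filter fell off the end (the kernel refuses such programs)")
}

// Decide reduces a filter result to "allow", "errno:N", "kill" or an error string.
func Decide(prog []sockFilter, arch uint32, nr int32) string {
	ret, err := Run(prog, nr, arch)
	if err != nil {
		return "error: " + err.Error()
	}
	switch ret & retActionMask {
	case retAllow:
		return "allow"
	case retErrno:
		return fmt.Sprintf("errno:%d", ret&retDataMask)
	case retKillProcess:
		return "kill"
	}
	return fmt.Sprintf("unknown:%#x", ret)
}

func main() {
	// Illustrative deny list (x86_64 numbers from <asm/unistd_64.h>): unshare=272,
	// mount=165, ptrace=101, keyctl=250. The example's own choice, not Flatpak's rules.
	prog := BuildFilter(archX86_64, []uint32{272, 165, 101, 250}, eperm)
	for _, nr := range []int32{272, 250, 1} {
		fmt.Printf("x86_64 nr=%d -> %s\n", nr, Decide(prog, archX86_64, nr))
	}
	fmt.Println("i386 nr=1 ->", Decide(prog, archI386, 1)) // wrong ABI: kill
}
```

To install a program like this for real, set PR_SET_NO_NEW_PRIVS first, then hand the sock_fprog to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) or seccomp(2); the filter is per thread and is inherited across fork and execve, and bwrap accepts a compiled program on a file descriptor via --seccomp. Things libseccomp takes care of that this sketch does not: the x32 ABI sharing the x86_64 arch tag (its numbers have bit 30 set and must be rejected separately), argument comparisons, and rule sets too long for the 8-bit jump offsets, which have to be split with unconditional jumps.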
27f5922d5c
fst: include syscall filter configuration
This value is passed through to shim.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 21:12:39 +09:00
3c55fc8e86
proc/priv/shim: do not log bwrap args
This message is very long and does not serve much real purpose. Remove it to de-clutter verbose messages.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 19:51:28 +09:00
eb0ef2d115
helper/bwrap: generic extra file interface
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 00:20:04 +09:00
2f70506865
helper/bwrap: move sync to helper state
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-19 18:38:13 +09:00
cae567c109
proc/priv/shim: remove unnecessary state
These values are only used during process creation.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-19 18:09:07 +09:00
b31d055e20
proc/priv/init: early init check
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 12:33:33 +09:00
7baca66a56
proc: remove duplicate compile-time fortify reference
This is no longer needed since shim and init are now part of the main program.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:59:33 +09:00
27d2914286
proc/priv/init: merge init into main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:47:01 +09:00
ea8f228af3
proc/priv/shim: merge shim into main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:43:32 +09:00
16db3dabe2
internal: do PR_SET_PDEATHSIG once
This prctl affects the entire process; doing it on every OS thread is pointless.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:08:46 +09:00
124743ffd3
app: expose single run method
App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides the caller the ability to gracefully stop execution of the confined process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 23:39:51 +09:00
562f5ed797
fst: hide sockets exposed via Filesystem
This is mostly useful for permissive defaults.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 10:13:18 +09:00
6acd0d4e88
linux/std: handle fsu exit status 1
Printing "exit status 1" is confusing. This handles the ExitError and returns EACCES instead.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-01 21:34:57 +09:00
c4d6651cae
update reverse-DNS style identifiers
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-31 16:16:38 +09:00
bf8094c6ca
internal: include path to fortify main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 12:48:48 +09:00
9b206072fa
cmd/fshim: ensure data directory
Ensuring home directory in shim causes the directory to be owned by the target user.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:39:01 +09:00
b9e2003d5b
app: ensure extra paths
The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app).
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:07:49 +09:00
847b667489
app: extra acl entries from configuration
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 13:23:27 +09:00
0107620d8c
app: merge share methods
This significantly increases readability and makes order of ops more obvious.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 11:12:35 +09:00
1f173a469c
system/dbus: fix inverted system bus state
Debug message and socket cleanup get missed due to this value being inverted.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:38:11 +09:00
f608f28a6a
app: mount /dev/kvm in permissive defaults
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-22 12:37:24 +09:00
cb98baa19d
fortify: clean up ps formatting code
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 20:34:40 +09:00
7a8b625a57
app: rename /fortify to /.fortify
Also removed the inner share tmpfs mount.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 18:11:32 +09:00
74fe74e6b5
app: do not fail on missing cookie
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 17:56:21 +09:00
b9cc318314
system: implement Enablements String method
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 23:21:19 +09:00
ed10574dea
state: store join util
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 19:05:39 +09:00
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00
eae3034260
state: expose aids and use instance id as key
Fortify state store instances were specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 21:36:17 +09:00
f796622c35
state: rename simple store implementation
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:48:48 +09:00
5d25bee786
fortify: remove systemd check
This is no longer necessary as fortify no longer integrates with external user switchers.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:14:31 +09:00
52f21a19f3
cmd/fshim: switch to setup pipe
The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 19:39:25 +09:00
7f29b37a32
proc: setup payload send
Generic setup payload encoder adapted from fshim.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 17:20:01 +09:00
ef8fd37e9d
proc: setup payload receive
Generic implementation of setup payload receiver adapted from finit.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 16:48:41 +09:00
2f676c9d6e
fst: rename from fipc
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 15:50:46 +09:00
b752ec4468
fipc: export config struct
Also store full config as part of state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 13:45:55 +09:00
f773c92411
system: prevent duplicate Wayland op
Wayland is implemented as an Op to enforce dependency and cleanup; its implementation does not allow multiple instances on a single sys object, nor would doing that make any sense.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-07 19:45:37 +09:00
cc816a1aaa
proc: cleaner extra files
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 16:05:04 +09:00
b3ef53b193
app: integrate security-context-v1
Should be able to get rid of XDG_RUNTIME_DIR share after this.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:25:33 +09:00
38e92edb8e
system/wayland: integrate security-context-v1
Had to pass the sync fd through sys. The rest are just part of a standard Op.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:20:15 +09:00
b291f0b710
app: add nixos-based config test case
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-21 12:13:21 +09:00
9faf3b3596
app: validate username
This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 21:01:41 +09:00
ae2628e57a
cmd/fshim/ipc: install signal handler on shim start
Getting killed at this point will result in inconsistent state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 13:33:46 +09:00