|
5a64cdaf4f
|
ldd: enable syscall filter
Signed-off-by: Ophestra <cat@gensokyo.uk>
|
2025-01-22 02:00:49 +09:00 |
|
|
9a239fa1a5
|
helper/bwrap: integrate seccomp into helper interface
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.
Signed-off-by: Ophestra <cat@gensokyo.uk>
|
2025-01-22 01:52:57 +09:00 |
|
|
2f70506865
|
helper/bwrap: move sync to helper state
Signed-off-by: Ophestra <cat@gensokyo.uk>
|
2025-01-19 18:38:13 +09:00 |
|
|
df6fc298f6
|
migrate to git.gensokyo.uk/security/fortify
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
|
2024-12-20 00:20:02 +09:00 |
|
|
65af1684e3
|
migrate to git.ophivana.moe/security/fortify
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
|
2024-10-20 19:50:13 +09:00 |
|
|
73a698c7cb
|
ldd: run ldd with read-only filesystem and unshared net
This is only called on trusted programs; however, extra hardening is never a bad idea.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
|
2024-10-17 15:37:27 +09:00 |
|
|
d41b9d2d9c
|
ldd: separate Parse from Exec and trim space
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
|
2024-10-09 23:51:15 +09:00 |
|