7baca66a56
proc: remove duplicate compile-time fortify reference
...
Build / Create distribution (push) Successful in 1m46s
Test / Run NixOS test (push) Successful in 3m44s
This is no longer needed since shim and init are now part of the main program.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:59:33 +09:00
27d2914286
proc/priv/init: merge init into main program
...
Build / Create distribution (push) Successful in 1m47s
Test / Run NixOS test (push) Successful in 3m46s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:47:01 +09:00
ea8f228af3
proc/priv/shim: merge shim into main program
...
Build / Create distribution (push) Successful in 2m15s
Test / Run NixOS test (push) Successful in 2m53s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:43:32 +09:00
16db3dabe2
internal: do PR_SET_PDEATHSIG once
...
Build / Create distribution (push) Successful in 3m7s
Test / Run NixOS test (push) Successful in 4m40s
This prctl affects the entire process, doing it on every OS thread is pointless.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:08:46 +09:00
124743ffd3
app: expose single run method
...
Tests / Go tests (push) Successful in 1m1s
Nix / NixOS tests (push) Successful in 3m20s
App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 23:39:51 +09:00
562f5ed797
fst: hide sockets exposed via Filesystem
...
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 2m49s
This is mostly useful for permissive defaults.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 10:13:18 +09:00
6acd0d4e88
linux/std: handle fsu exit status 1
...
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 2m27s
Printing "exit status 1" is confusing. This handles the ExitError and returns EACCES instead.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-01 21:34:57 +09:00
c4d6651cae
update reverse-DNS style identifiers
...
Tests / Go tests (push) Successful in 1m6s
Nix / NixOS tests (push) Successful in 4m11s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-31 16:16:38 +09:00
bf8094c6ca
internal: include path to fortify main program
...
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 12:48:48 +09:00
9b206072fa
cmd/fshim: ensure data directory
...
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 3m33s
Ensuring home directory in shim causes the directory to be owned by the target user.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:39:01 +09:00
b9e2003d5b
app: ensure extra paths
...
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 3m37s
The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app).
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:07:49 +09:00
847b667489
app: extra acl entries from configuration
...
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 13:23:27 +09:00
0107620d8c
app: merge share methods
...
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 3m25s
This significantly increases readability and makes order of ops more obvious.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 11:12:35 +09:00
1f173a469c
system/dbus: fix inverted system bus state
...
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 3m38s
Debug message and socket cleanup gets missed due to this value being inverted.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:38:11 +09:00
f608f28a6a
app: mount /dev/kvm in permissive defaults
...
Tests / Go tests (push) Successful in 35s
Nix / NixOS tests (push) Successful in 3m21s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-22 12:37:24 +09:00
cb98baa19d
fortify: clean up ps formatting code
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 3m1s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 20:34:40 +09:00
7a8b625a57
app: rename /fortify to /.fortify
...
Tests / Go tests (push) Successful in 35s
Nix / NixOS tests (push) Successful in 2m57s
Also removed the inner share tmpfs mount.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 18:11:32 +09:00
74fe74e6b5
app: do not fail on missing cookie
...
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 2m55s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 17:56:21 +09:00
b9cc318314
system: implement Enablements String method
...
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 3m9s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 23:21:19 +09:00
ed10574dea
state: store join util
...
Tests / Go tests (push) Successful in 39s
Nix / NixOS tests (push) Successful in 3m5s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 19:05:39 +09:00
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
...
Tests / Go tests (push) Successful in 2m55s
Nix / NixOS tests (push) Successful in 5m10s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00
eae3034260
state: expose aids and use instance id as key
...
Tests / Go tests (push) Successful in 39s
Nix / NixOS tests (push) Successful in 3m26s
Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 21:36:17 +09:00
f796622c35
state: rename simple store implementation
...
Tests / Go tests (push) Successful in 42s
Nix / NixOS tests (push) Successful in 3m4s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:48:48 +09:00
5d25bee786
fortify: remove systemd check
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 3m3s
This is no longer necessary as fortify no longer integrates with external user switchers.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:14:31 +09:00
52f21a19f3
cmd/fshim: switch to setup pipe
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 5m43s
The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 19:39:25 +09:00
7f29b37a32
proc: setup payload send
...
Generic setup payload encoder adapted from fshim.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 17:20:01 +09:00
ef8fd37e9d
proc: setup payload receive
...
Generic implementation of setup payload receiver adapted from finit.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 16:48:41 +09:00
2f676c9d6e
fst: rename from fipc
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 5m48s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 15:50:46 +09:00
b752ec4468
fipc: export config struct
...
Tests / Go tests (push) Successful in 1m12s
Nix / NixOS tests (push) Successful in 10m51s
Also store full config as part of state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 13:45:55 +09:00
f773c92411
system: prevent duplicate Wayland op
...
test / test (push) Successful in 36s
Wayland is implemented as an Op to enforce dependency and cleanup, its implementation does not allow multiple instances on a single sys object, nor would doing that make any sense.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-07 19:45:37 +09:00
cc816a1aaa
proc: cleaner extra files
...
test / test (push) Successful in 37s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 16:05:04 +09:00
b3ef53b193
app: integrate security-context-v1
...
test / test (push) Successful in 37s
Should be able to get rid of XDG_RUNTIME_DIR share after this.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:25:33 +09:00
38e92edb8e
system/wayland: integrate security-context-v1
...
test / test (push) Successful in 37s
Had to pass the sync fd through sys. The rest are just part of a standard Op.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:20:15 +09:00
b291f0b710
app: add nixos-based config test case
...
test / test (push) Successful in 20s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-21 12:13:21 +09:00
9faf3b3596
app: validate username
...
test / test (push) Successful in 23s
This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 21:01:41 +09:00
ae2628e57a
cmd/fshim/ipc: install signal handler on shim start
...
test / test (push) Successful in 20s
Getting killed at this point will result in inconsistent state.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 13:33:46 +09:00
05b7dbf066
app: alternative inner home path
...
test / test (push) Successful in 24s
Support binding home to an alternative path in the mount namespace.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 00:18:21 +09:00
866270ff05
fmsg: add to wg prior to enqueue
...
test / test (push) Successful in 27s
Adding after channel write is racy.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:50:02 +09:00
c1fad649e8
app/start: check for cleanup and abort condition
...
test / test (push) Successful in 21s
Dirty fix. Will rewrite after fsu integration complete.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:41:52 +09:00
b5f01ef20b
app: append # for ChangeHosts message with numerical uid
...
test / test (push) Successful in 21s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:40:37 +09:00
df33123bd7
app: integrate fsu
...
test / test (push) Successful in 21s
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-16 21:19:45 +09:00
9a13b311ac
app/config: rename map_real_uid from use_real_uid
...
test / test (push) Successful in 19s
This option only changes mapped uid in the user namespace.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 12:01:34 +09:00
3dfc1fcd56
app: support full /dev access
...
test / test (push) Successful in 22s
Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 03:49:39 +09:00
69cc64ef56
linux: provide access to stdout
...
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:55:46 +09:00
fc25ac2523
app: separate auto etc from permissive defaults
...
test / test (push) Successful in 23s
Populating /etc with symlinks is quite useful even outside the permissive defaults usage pattern.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:18:05 +09:00
d909b1190a
app/config: UseRealUID as true in template
...
test / test (push) Successful in 24s
The template is based on a Chromium setup, which this workaround was created for.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 19:45:31 +09:00
d7df24c999
fmsg: drop messages when msgbuf is full during withhold
...
test / test (push) Successful in 20s
Logging functions are not expected to block. This change fixes multiple hangs where more than 64 messages are produced during withhold.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:56:19 +09:00
88abcbe0b2
cmd/fsu: remove import of internal package
...
test / test (push) Successful in 24s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:32:14 +09:00
af15b1c048
app: support mapping target uid as privileged uid in sandbox
...
test / test (push) Successful in 40s
Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 03:15:39 +09:00
7962681f4a
app: format mapped uid instead of real uid
...
test / test (push) Successful in 19s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 00:49:32 +09:00
