Commit Graph

134 Commits

Author SHA1 Message Date
7baca66a56
proc: remove duplicate compile-time fortify reference
This is no longer needed since shim and init are now part of the main program.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:59:33 +09:00
27d2914286
proc/priv/init: merge init into main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:47:01 +09:00
ea8f228af3
proc/priv/shim: merge shim into main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:43:32 +09:00
16db3dabe2
internal: do PR_SET_PDEATHSIG once
This prctl affects the entire process, doing it on every OS thread is pointless.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:08:46 +09:00
124743ffd3
app: expose single run method
App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 23:39:51 +09:00
562f5ed797
fst: hide sockets exposed via Filesystem
This is mostly useful for permissive defaults.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 10:13:18 +09:00
6acd0d4e88
linux/std: handle fsu exit status 1
Printing "exit status 1" is confusing. This handles the ExitError and returns EACCES instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-01 21:34:57 +09:00
c4d6651cae
update reverse-DNS style identifiers
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-31 16:16:38 +09:00
bf8094c6ca
internal: include path to fortify main program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 12:48:48 +09:00
9b206072fa
cmd/fshim: ensure data directory
Ensuring home directory in shim causes the directory to be owned by the target user.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:39:01 +09:00
b9e2003d5b
app: ensure extra paths
The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app).

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:07:49 +09:00
847b667489
app: extra acl entries from configuration
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 13:23:27 +09:00
0107620d8c
app: merge share methods
This significantly increases readability and makes order of ops more obvious.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 11:12:35 +09:00
1f173a469c
system/dbus: fix inverted system bus state
Debug message and socket cleanup gets missed due to this value being inverted.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:38:11 +09:00
f608f28a6a
app: mount /dev/kvm in permissive defaults
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-22 12:37:24 +09:00
cb98baa19d
fortify: clean up ps formatting code
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 20:34:40 +09:00
7a8b625a57
app: rename /fortify to /.fortify
Also removed the inner share tmpfs mount.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 18:11:32 +09:00
74fe74e6b5
app: do not fail on missing cookie
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 17:56:21 +09:00
b9cc318314
system: implement Enablements String method
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 23:21:19 +09:00
ed10574dea
state: store join util
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-20 19:05:39 +09:00
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00
eae3034260
state: expose aids and use instance id as key
Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 21:36:17 +09:00
f796622c35
state: rename simple store implementation
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:48:48 +09:00
5d25bee786
fortify: remove systemd check
This is no longer necessary as fortify no longer integrates with external user switchers.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 11:14:31 +09:00
52f21a19f3
cmd/fshim: switch to setup pipe
The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 19:39:25 +09:00
7f29b37a32
proc: setup payload send
Generic setup payload encoder adapted from fshim.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 17:20:01 +09:00
ef8fd37e9d
proc: setup payload receive
Generic implementation of setup payload receiver adapted from finit.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 16:48:41 +09:00
2f676c9d6e
fst: rename from fipc
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 15:50:46 +09:00
b752ec4468
fipc: export config struct
Also store full config as part of state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 13:45:55 +09:00
f773c92411
system: prevent duplicate Wayland op
Wayland is implemented as an Op to enforce dependency and cleanup, its implementation does not allow multiple instances on a single sys object, nor would doing that make any sense.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-07 19:45:37 +09:00
cc816a1aaa
proc: cleaner extra files
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 16:05:04 +09:00
b3ef53b193
app: integrate security-context-v1
Should be able to get rid of XDG_RUNTIME_DIR share after this.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:25:33 +09:00
38e92edb8e
system/wayland: integrate security-context-v1
Had to pass the sync fd through sys. The rest are just part of a standard Op.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:20:15 +09:00
b291f0b710
app: add nixos-based config test case
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-21 12:13:21 +09:00
9faf3b3596
app: validate username
This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 21:01:41 +09:00
ae2628e57a
cmd/fshim/ipc: install signal handler on shim start
Getting killed at this point will result in inconsistent state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 13:33:46 +09:00
05b7dbf066
app: alternative inner home path
Support binding home to an alternative path in the mount namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 00:18:21 +09:00
866270ff05
fmsg: add to wg prior to enqueue
Adding after channel write is racy.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:50:02 +09:00
c1fad649e8
app/start: check for cleanup and abort condition
Dirty fix. Will rewrite after fsu integration complete.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:41:52 +09:00
b5f01ef20b
app: append # for ChangeHosts message with numerical uid
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:40:37 +09:00
df33123bd7
app: integrate fsu
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-16 21:19:45 +09:00
9a13b311ac
app/config: rename map_real_uid from use_real_uid
This option only changes mapped uid in the user namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 12:01:34 +09:00
3dfc1fcd56
app: support full /dev access
Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 03:49:39 +09:00
69cc64ef56
linux: provide access to stdout
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:55:46 +09:00
fc25ac2523
app: separate auto etc from permissive defaults
Populating /etc with symlinks is quite useful even outside the permissive defaults usage pattern.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:18:05 +09:00
d909b1190a
app/config: UseRealUID as true in template
The template is based on a Chromium setup, which this workaround was created for.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 19:45:31 +09:00
d7df24c999
fmsg: drop messages when msgbuf is full during withhold
Logging functions are not expected to block. This change fixes multiple hangs where more than 64 messages are produced during withhold.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:56:19 +09:00
88abcbe0b2
cmd/fsu: remove import of internal package
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:32:14 +09:00
af15b1c048
app: support mapping target uid as privileged uid in sandbox
Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 03:15:39 +09:00
7962681f4a
app: format mapped uid instead of real uid
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 00:49:32 +09:00