72b0160aad
helper/bwrap: implement file copy flags
...
Test / Create distribution (push) Successful in 49s
Test / Run NixOS test (push) Successful in 3m42s
These are significantly more efficient and less error-prone than mounting an external tmpfile. This should also reduce attack surface as the resulting files are private to its specific sandbox.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 03:13:15 +09:00
be7d944b39
helper/bwrap: PositionalArg implement fmt.Stringer
...
Test / Create distribution (push) Successful in 49s
Test / Run NixOS test (push) Successful in 3m28s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 00:11:48 +09:00
ace97952cc
helper/bwrap: merge Args and FDArgs
...
Test / Create distribution (push) Successful in 1m13s
Test / Run NixOS test (push) Successful in 4m34s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-14 18:13:06 +09:00
88040504b2
helper/bwrap: remove fmsg import
...
Test / Create distribution (push) Successful in 57s
Test / Run NixOS test (push) Successful in 8m13s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-14 18:05:00 +09:00
fe7d208cf7
helper: use generic extra files interface
...
Test / Create distribution (push) Successful in 1m38s
Test / Run NixOS test (push) Successful in 4m36s
This replaces the pipes object and integrates context into helper process lifecycle.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 23:34:15 +09:00
60c2873750
helper/proc: cancel ec on parent ctx
...
Test / Create distribution (push) Successful in 1m31s
Test / Run NixOS test (push) Successful in 4m13s
This allows errors written during a timeout to be received and handled.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 23:08:28 +09:00
d1d20c06fb
helper/seccomp: use sync.Once for closeWrite
...
Test / Create distribution (push) Successful in 1m29s
Test / Run NixOS test (push) Successful in 4m13s
This makes the code much cleaner, and eliminates the intermittent ErrInvalid errors.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 22:49:16 +09:00
1e6a059668
helper/seccomp: benchmark exporter
...
Test / Create distribution (push) Successful in 1m44s
Test / Run NixOS test (push) Successful in 4m32s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 22:37:51 +09:00
58eb8f971d
proc/pipe: implement args and stat file
...
Test / Create distribution (push) Successful in 1m30s
Test / Run NixOS test (push) Successful in 4m11s
This is a generic implementation of helper/pipe.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 19:57:24 +09:00
0a1d7c01cd
helper/proc: count dispatched errs
...
Test / Create distribution (push) Successful in 1m28s
Test / Run NixOS test (push) Successful in 3m59s
This helps debug implementation errors of [proc.File].
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 19:55:37 +09:00
60ca1c6c55
helper/proc: store file addresses in linked list
...
Test / Create distribution (push) Successful in 1m28s
Test / Run NixOS test (push) Successful in 4m5s
Storing extra files as a slice requires the caller to allocate a large enough slice before initialising any file and never grow the slice.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 17:42:12 +09:00
099da78af5
helper/seccomp: eliminate data race on pfd
...
Test / Create distribution (push) Successful in 2m10s
Test / Run NixOS test (push) Successful in 4m50s
Turns out the doc comment on os.File was lying about its methods being safe for concurrent use. The race detector picked up a data race from concurrent use of Fd and Close.
This change eliminates that by calling Fd in the prepare routine.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 10:40:51 +09:00
18466cfd02
helper/proc: declare generic extra files interface
...
Test / Create distribution (push) Successful in 1m29s
Test / Run NixOS test (push) Successful in 4m4s
Helpers use extra files for various purposes. This provides a generic interface for implementing the fulfillment of these extra files without having to specifically handle them in the process creation code.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-11 16:34:47 +09:00
e14923ae53
helper/proc: move package out of internal
...
Test / Create distribution (push) Successful in 1m32s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-08 13:03:45 +09:00
568d7758d5
helper/seccomp: panic on invalid closeWrite use
...
Test / Create distribution (push) Successful in 1m46s
Test / Run NixOS test (push) Successful in 4m39s
Returning an error here puts exporter in an invalid state. The caller should guard against this condition instead.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-07 12:58:20 +09:00
5b7b3fa9a4
helper/seccomp: implement reader interface via pipe
...
Test / Create distribution (push) Successful in 1m6s
Test / Run NixOS test (push) Successful in 2m44s
This also does not require the libc tmpfile call.
BPF programs emitted by libseccomp seems to be deterministic. The tests would catch regressions as it verifies the program against known good output backed by manual testing.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-03 19:43:03 +09:00
7b96cd6ded
helper/seccomp: do not call F_println if not verbose
...
Test / Create distribution (push) Successful in 1m42s
Test / Run NixOS test (push) Successful in 3m34s
This (slightly) improves performance.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 13:19:38 +09:00
163f15e93f
helper/seccomp: separate seccomp package
...
Test / Create distribution (push) Successful in 1m39s
Test / Run NixOS test (push) Successful in 3m31s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:59:11 +09:00
37780456a7
helper: block more unusual/privileged syscalls
...
Test / Create distribution (push) Successful in 1m44s
Test / Run NixOS test (push) Successful in 3m35s
These are toggled by F_EXT and exposed as SyscallPolicy.Compat in the Go interface.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:35:47 +09:00
9a239fa1a5
helper/bwrap: integrate seccomp into helper interface
...
Build / Create distribution (push) Successful in 1m36s
Test / Run NixOS test (push) Successful in 3m40s
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 01:52:57 +09:00
eb0ef2d115
helper/bwrap: generic extra file interface
...
Build / Create distribution (push) Successful in 1m32s
Test / Run NixOS test (push) Successful in 3m50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 00:20:04 +09:00
2f70506865
helper/bwrap: move sync to helper state
...
Build / Create distribution (push) Successful in 1m25s
Test / Run NixOS test (push) Successful in 3m33s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-19 18:38:13 +09:00
715addaccd
helper/bwrap: append --sync-fd before --
...
Build / Create distribution (push) Successful in 1m26s
Test / Run NixOS test (push) Successful in 3m26s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 12:30:03 +09:00
3e11ce6868
helper/bwrap: separate sequential/static args
...
Tests / Go tests (push) Successful in 41s
Nix / NixOS tests (push) Successful in 3m59s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 13:07:06 +09:00
7d99e45b88
helper/bwrap: register OverlayConfig with gob
...
Tests / Go tests (push) Successful in 58s
Nix / NixOS tests (push) Successful in 3m5s
This is required for copying bwrap configurations across processes.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-14 12:25:10 +09:00
e2489059c1
helper/bwrap: implement overlayfs builder
...
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 4m5s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-05 20:09:35 +09:00
2e3f6a4c51
helper/bwrap: move test out of bwrap package
...
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 4m51s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-05 19:45:24 +09:00
2162029f46
helper/bwrap: add json struct tag to filesystem
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 4m43s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-05 19:41:04 +09:00
aef847b5ae
helper/bwrap: fix typo in --dir config builder
...
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 3m33s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 15:34:43 +09:00
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
...
Tests / Go tests (push) Successful in 2m55s
Nix / NixOS tests (push) Successful in 5m10s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00
cc816a1aaa
proc: cleaner extra files
...
test / test (push) Successful in 37s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 16:05:04 +09:00
8d0573405a
helper/bwrap: implement sync fd
...
test / test (push) Successful in 38s
This is required by wayland security-context-v1.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:21:37 +09:00
4b7b899bb3
add package doc comments
...
test / test (push) Successful in 19s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 20:57:59 +09:00
ae1a102882
fmsg: support temporarily withholding output
...
test / test (push) Successful in 31s
Trying to print to a shared stdout is a terrible idea. This change makes it possible to withhold output for the lifetime of the sandbox.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-26 23:09:32 +09:00
050ffceb27
helper/bwrap: register generic PermConfig types with gob
...
test / test (push) Successful in 21s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-25 13:26:01 +09:00
65af1684e3
migrate to git.ophivana.moe/security/fortify
...
test / test (push) Successful in 14s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 19:50:13 +09:00
184a5f29fa
helper/bwrap: add fortify permissive default test case
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:56:13 +09:00
3015266e5a
helper/bwrap: sort SetEnv arguments
...
This guarantees consistency of resulting args.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:55:48 +09:00
2faf510146
helper/bwrap: ordered filesystem args
...
The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:15:55 +09:00
a0db19b9ad
helper/bwrap: format mode in octal
...
Bubblewrap expects an octal representation of mode.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 13:47:50 +09:00
aee96b0fdf
helper/bwrap: allow pushing generic arguments to the end of argument stream
...
Bwrap argument order determines the order their corresponding actions are performed. This allows generic arguments like tmpfs to the end of the stream to override bind mounts.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:26:01 +09:00
8d82446d97
helper: remove unused bwrap config field
...
This configuration is not saved anywhere, and does not need to be saved. Bwrap configuration information is already saved into p.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 00:55:14 +09:00
713872a5cd
helper/bwrap: move interfaceArgs before stringArgs
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 04:12:47 +09:00
101e49a48b
helper/bwrap: proc, dev and mqueue as string arguments
...
These flags do not support --chmod.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-11 01:30:11 +09:00
b99ed94386
helper/bwrap: pass --unshare-user when unshare everything
...
Bubblewrap apparently requires --unshare-user even when --unshare-all is set to apply --disable-userns. This behaviour is not clearly documented.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 00:22:48 +09:00
c201c30c7f
helper/bwrap: check args only for internal tests
...
Tests internal to the helper package sets crash-test-dummy as the command whenever a launch is expected to go through, and the hardcoded args are only valid for internal tests, so this characteristic is used here to exclude external tests that pass real program names and custom bwrap configurations.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 00:21:31 +09:00
7c7999e9e5
helper: implementation of helper.Helper using bwrap
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-08 18:02:38 +09:00
c6223771db
helper: generalise helper.Helper test
...
For testing the upcoming bwrap implementation of helper.Helper as it must have identical behaviour.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-08 14:02:54 +09:00
3c5185d770
helper: move test sample data out of direct
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-07 22:51:08 +09:00
85407dd3c0
helper: helper.Helper interface
...
For upcoming bwrap implementation of helper.Helper
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-07 15:37:52 +09:00
