fortify

Author	SHA1	Message	Date
Ophestra	3df344828f	proc/priv/shim: seccomp bpf filter via libseccomp All checks were successful Build / Create distribution (push) Successful in 1m59s Details Test / Run NixOS test (push) Successful in 4m11s Details Rulesets adapted from Flatpak for compatibility. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 23:39:47 +09:00
Ophestra	c4de450217	nix: do not force static linking on nix All checks were successful Build / Create distribution (push) Successful in 3m14s Details Test / Run NixOS test (push) Successful in 3m25s Details In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 22:56:16 +09:00
Ophestra	b60c01f440	fortify: switch to static linking All checks were successful Build / Create distribution (push) Successful in 1m43s Details Test / Run NixOS test (push) Successful in 4m32s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-16 17:32:52 +09:00
Ophestra	5416b07daa	nix: remove unused argument 'self' All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 2m36s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 14:49:55 +09:00
Ophestra	e57a0e9bf2	nix: rename fortifyBundle to buildPackage All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 2m35s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 14:35:37 +09:00
Ophestra	5125e96ecf	nix: generate application package build script All checks were successful Tests / Go tests (push) Successful in 55s Details Nix / NixOS tests (push) Successful in 4m24s Details This takes some metadata, sandbox options, a launch script and a list of home-manager modules. The result needs to be executed in an environment with nix daemon access, and it produces the final package file. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 00:42:21 +09:00
Ophestra Umiker	7b6052a473	nix: run Go tests in nixos All checks were successful Tests / Go tests (push) Successful in 41s Details Nix / NixOS tests (push) Successful in 9m56s Details Nix build environment does not support ACLs in any filesystem. This allows acl tests to run. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 21:16:55 +09:00
Ophestra Umiker	3f993021f8	nix: permissive defaults nixos test All checks were successful test / test (push) Successful in 37s Details Adapted from nixos sway integration tests. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 22:56:10 +09:00
Ophestra Umiker	4d3bd5338f	nix: implement flake checks All checks were successful test / test (push) Successful in 36s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 20:54:28 +09:00
Ophestra Umiker	6b8ddca7b4	nix: track nixos stable 24.11 All checks were successful test / test (push) Successful in 25s Details Reduce rebuilds during development on my system. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 00:44:04 +09:00
Ophestra Umiker	0a546885e3	nix: update options doc All checks were successful test / test (push) Successful in 22s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-19 18:12:35 +09:00
Ophestra Umiker	d9cb2a9f2b	fsu: implement simple setuid user switcher Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-28 00:02:34 +09:00
Ophestra Umiker	40161c5938	nix: remove fortify package from default devShell This change makes it possible to start a devShell when tests aren't passing. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-10-17 20:35:10 +09:00
Ophestra Umiker	1038af98f0	dbus: add tests Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-28 00:06:16 +09:00
Ophestra Umiker	61628dabb7	nix: remove obnoxious shell hook Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-22 16:08:11 +09:00
Ophestra Umiker	3d963b9f67	nix: include package buildInputs in devShells Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-17 23:15:33 +09:00
Ophestra Umiker	945cce2f5e	nix: implement nixos module Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-04 17:03:21 +09:00
Ophestra Umiker	d8f76f3b25	rename to fortify and restructure More sandbox features will be added and this will no longer track ego's features and behaviour. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-09-04 01:20:12 +09:00
Ophestra Umiker	7e6eb82195	license: embed license in executable Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-07-16 22:07:40 +09:00
Ophestra Umiker	09507a541b	nix: build directly with buildGoModules Since we have no dependencies, we don't need a vendor hash, so doing this actually makes sense. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-07-16 21:54:44 +09:00
Ophestra Umiker	190eb088bc	nix: add libxcb package to dev shell Since we link libxcb as well now this is needed in the dev shell for it to build properly without impure. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-07-15 00:38:11 +09:00
Ophestra Umiker	94c69806ef	nix: set up devShell Since we're using cgo to call into libacl a few dependencies other than go are required to build. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-07-11 01:10:35 +09:00

22 Commits