security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 18 Wiki Activity
255 Commits 3 Branches 18 Tags 1.3 MiB
cc816a1aaa
Commit Graph

12 Commits

Author SHA1 Message Date
Ophestra Umiker
cc816a1aaa
proc: cleaner extra files
All checks were successful
test / test (push) Successful in 37s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-12-06 16:05:04 +09:00
Ophestra Umiker
b3ef53b193
app: integrate security-context-v1
All checks were successful
test / test (push) Successful in 37s
Details 
Should be able to get rid of XDG_RUNTIME_DIR share after this.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-12-06 04:25:33 +09:00
Ophestra Umiker
ae2628e57a
cmd/fshim/ipc: install signal handler on shim start
All checks were successful
test / test (push) Successful in 20s
Details 
Getting killed at this point will result in inconsistent state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-18 13:33:46 +09:00
Ophestra Umiker
2e23cef7bb
cmd/fuserdb: generate group entries 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-17 23:31:06 +09:00
Ophestra Umiker
6a6d30af1f
cmd/fuserdb: systemd userdb drop-in entries generator
All checks were successful
test / test (push) Successful in 20s
Details 
This provides user records via nss-systemd. Static drop-in entries are generated to reduce complexity and attack surface.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-17 02:16:02 +09:00
Ophestra Umiker
df33123bd7
app: integrate fsu
All checks were successful
test / test (push) Successful in 21s
Details 
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-16 21:19:45 +09:00
Ophestra Umiker
45fead18c3
cmd/fshim: set no_new_privs flag 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-09 11:50:56 +09:00
Ophestra Umiker
88abcbe0b2
cmd/fsu: remove import of internal package
All checks were successful
test / test (push) Successful in 24s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-04 12:32:14 +09:00
Ophestra Umiker
8cd3651bb6
cmd/fshim/ipc: friendly setup timeout message
All checks were successful
test / test (push) Successful in 22s
Details 
This message eventually gets returned by the app's Start method, so they should be wrapped to provide a friendly message.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-03 02:03:30 +09:00
Ophestra Umiker
584732f80a
cmd: shim and init into separate binaries
All checks were successful
test / test (push) Successful in 19s
Details 
This change also fixes a deadlock when shim fails to connect and complete the setup.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-02 03:13:57 +09:00
Ophestra Umiker
aa1f96eeeb
fsu: check parent executable path
All checks were successful
test / test (push) Successful in 19s
Details 
Only allow main program to launch fsu. This change and further checks in the main program reduces attack surface.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-28 18:52:23 +09:00
Ophestra Umiker
d9cb2a9f2b
fsu: implement simple setuid user switcher 
Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-28 00:02:34 +09:00