2a4e2724a3
release: 0.3.1
...
Release / Create release (push) Successful in 35s
Test / Create distribution (push) Successful in 19s
Test / Fpkg (push) Successful in 33s
Test / Fortify (push) Successful in 39s
Test / Data race detector (push) Successful in 39s
Test / Flake checks (push) Successful in 55s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 07:48:50 +09:00
92852d8235
release: 0.3.0
...
Test / Create distribution (push) Successful in 20s
Release / Create release (push) Successful in 35s
Test / Fortify (push) Successful in 2m45s
Test / Fpkg (push) Successful in 3m27s
Test / Data race detector (push) Successful in 4m20s
Test / Flake checks (push) Successful in 1m1s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 02:18:59 +09:00
b39f3aeb59
helper: remove bubblewrap wrapper
...
Test / Create distribution (push) Successful in 19s
Test / Fortify (push) Successful in 2m12s
Test / Fpkg (push) Successful in 3m34s
Test / Data race detector (push) Successful in 4m19s
Test / Flake checks (push) Successful in 57s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 05:35:02 +09:00
0eb1bc6301
test/sandbox: verify outcome via mountinfo
...
Test / Fpkg (push) Successful in 36s
Test / Create distribution (push) Successful in 4m56s
Test / Fortify (push) Successful in 6m33s
Test / Data race detector (push) Successful in 7m3s
Test / Flake checks (push) Successful in 54s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-24 01:42:38 +09:00
0a4e633db2
nix: filter test from source
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m42s
Test / Fpkg (push) Successful in 3m52s
Test / Data race detector (push) Successful in 4m19s
Test / Flake checks (push) Successful in 54s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-23 22:20:19 +09:00
3385538142
nix: clean up flake outputs
...
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 32s
Test / Fortify (push) Successful in 2m0s
Test / Data race detector (push) Successful in 2m32s
Test / Flake checks (push) Successful in 48s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 12:26:19 +09:00
4bb5d9780f
ldd: run in native sandbox
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m27s
Test / Fpkg (push) Successful in 3m22s
Test / Data race detector (push) Successful in 3m43s
Test / Flake checks (push) Successful in 48s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 17:55:55 +09:00
9b1a60b5c9
sandbox: native container tooling
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m28s
Test / Fpkg (push) Successful in 3m23s
Test / Data race detector (push) Successful in 3m35s
Test / Flake checks (push) Successful in 48s
This should eventually replace bwrap.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-13 21:36:26 +09:00
2d4cabe786
nix: increase nixfmt max width
...
Test / Create distribution (push) Successful in 30s
Test / Fpkg (push) Successful in 36s
Test / Data race detector (push) Successful in 35s
Test / Fortify (push) Successful in 39s
Test / Flake checks (push) Successful in 50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-28 14:43:46 +09:00
673b648bd3
cmd/fpkg: call app in-process
...
Test / Create distribution (push) Successful in 28s
Test / Fortify (push) Successful in 2m31s
Test / Data race detector (push) Successful in 3m25s
Test / Fpkg (push) Successful in 3m29s
Test / Flake checks (push) Successful in 55s
Wrapping fortify is slow, painful and error-prone. Start apps in-process instead.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 19:51:44 +09:00
c21a4cff14
nix: wrap fpkg
...
Test / Create distribution (push) Successful in 26s
Test / Data race detector (push) Successful in 2m11s
Test / Fortify (push) Successful in 2m24s
Test / Flake checks (push) Successful in 42s
This is usable on nixos now due to the static build.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 12:24:04 +09:00
6d4ac3d9fd
internal: store fortify path in internal
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m33s
Test / Data race detector (push) Successful in 3m20s
Test / Flake checks (push) Successful in 42s
This now makes more sense due to the changes in build system.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 12:03:25 +09:00
751aa350ee
nix: exclude files ending in ".py"
...
Test / Create distribution (push) Successful in 26s
Test / Fortify (push) Successful in 2m12s
Test / Data race detector (push) Successful in 2m59s
Test / Flake checks (push) Successful in 44s
This reduces rebuilds when debugging nixos tests.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-24 17:41:56 +09:00
71135f339a
release: 0.2.18
...
Test / Create distribution (push) Successful in 20s
Release / Create release (push) Successful in 33s
Test / Fortify (push) Successful in 2m4s
Test / Data race detector (push) Successful in 2m33s
Test / Flake checks (push) Successful in 48s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 18:52:33 +09:00
8bf162820b
nix: separate fsu from package
...
Test / Create distribution (push) Successful in 26s
Test / Run NixOS test (push) Successful in 7m25s
This appears to be the only way to build them with different configuration. This enables static linking in the main package.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 18:13:37 +09:00
2e7e160683
release: 0.2.17
...
Release / Create release (push) Successful in 33s
Test / Create distribution (push) Successful in 20s
Test / Run NixOS test (push) Successful in 3m50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 02:59:31 +09:00
9d9a165379
release: 0.2.16
...
Release / Create release (push) Successful in 35s
Test / Create distribution (push) Successful in 22s
Test / Run NixOS test (push) Successful in 2m41s
Mostly refactor and cleanup, but also contains major fix to process lifecycle management.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-19 23:39:16 +09:00
83e72c2b59
release: 0.2.15
...
Test / Create distribution (push) Successful in 19s
Release / Create release (push) Successful in 33s
Test / Run NixOS test (push) Successful in 3m12s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-17 00:13:04 +09:00
90b86a5531
release: 0.2.14
...
Release / Create release (push) Successful in 24s
Test / Create distribution (push) Successful in 18s
Test / Run NixOS test (push) Successful in 50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 23:05:02 +09:00
820f48ef94
release: 0.2.13
...
Test / Create distribution (push) Successful in 1m56s
Release / Create release (push) Successful in 2m9s
Test / Run NixOS test (push) Successful in 4m38s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-13 23:45:54 +09:00
21735a8abe
release: 0.2.12
...
Test / Create distribution (push) Successful in 2m25s
Release / Create release (push) Successful in 4m6s
Test / Run NixOS test (push) Successful in 4m49s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 13:40:48 +09:00
7106b00968
release: 0.2.11
...
Build / Create distribution (push) Successful in 3m51s
Release / Create release (push) Successful in 4m12s
Test / Run NixOS test (push) Successful in 6m17s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 20:49:49 +09:00
3df344828f
proc/priv/shim: seccomp bpf filter via libseccomp
...
Build / Create distribution (push) Successful in 1m59s
Test / Run NixOS test (push) Successful in 4m11s
Rulesets adapted from Flatpak for compatibility.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:39:47 +09:00
1ec901f79e
release: 0.2.10
...
Build / Create distribution (push) Successful in 1m32s
Test / Run NixOS test (push) Successful in 3m39s
Release / Create release (push) Successful in 1m30s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 22:50:08 +09:00
7baca66a56
proc: remove duplicate compile-time fortify reference
...
Build / Create distribution (push) Successful in 1m46s
Test / Run NixOS test (push) Successful in 3m44s
This is no longer needed since shim and init are now part of the main program.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:59:33 +09:00
27d2914286
proc/priv/init: merge init into main program
...
Build / Create distribution (push) Successful in 1m47s
Test / Run NixOS test (push) Successful in 3m46s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:47:01 +09:00
ea8f228af3
proc/priv/shim: merge shim into main program
...
Build / Create distribution (push) Successful in 2m15s
Test / Run NixOS test (push) Successful in 2m53s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:43:32 +09:00
c4de450217
nix: do not force static linking on nix
...
Build / Create distribution (push) Successful in 3m14s
Test / Run NixOS test (push) Successful in 3m25s
In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 22:56:16 +09:00
b60c01f440
fortify: switch to static linking
...
Build / Create distribution (push) Successful in 1m43s
Test / Run NixOS test (push) Successful in 4m32s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-16 17:32:52 +09:00
be4d8b6300
release: 0.2.9
...
Create distribution / Release (push) Successful in 1m21s
Tests / Go tests (push) Successful in 46s
Nix / NixOS tests (push) Successful in 3m6s
This release mostly contains permissive defaults fixes and optimisations. It also contains a proof of concept version of fpkg.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 13:14:43 +09:00
bf8094c6ca
internal: include path to fortify main program
...
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 12:48:48 +09:00
2e3bb1893e
release: 0.2.8
...
Tests / Go tests (push) Successful in 42s
Create distribution / Release (push) Successful in 1m0s
Nix / NixOS tests (push) Successful in 3m53s
This release mostly fixes bugs uncovered when running fortify on a generic linux distribution.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 01:09:47 +09:00
c109ac2653
release: 0.2.7
...
Tests / Go tests (push) Successful in 47s
Create distribution / Release (push) Successful in 1m5s
Nix / NixOS tests (push) Successful in 4m40s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-22 13:34:50 +09:00
5c73acb56f
release: 0.2.6
...
Tests / Go tests (push) Successful in 48s
Create distribution / Release (push) Successful in 1m12s
Nix / NixOS tests (push) Successful in 3m59s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-22 01:18:21 +09:00
ed8ee5eb4b
nix: filter nix files from src
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 3m7s
This prevents constant rebuilds when debugging integration tests.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 17:39:42 +09:00
195b717e01
release: 0.2.5
...
Tests / Go tests (push) Successful in 49s
Create distribution / Release (push) Successful in 1m6s
Nix / NixOS tests (push) Successful in 1m23s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:28:48 +09:00
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
...
Tests / Go tests (push) Successful in 2m55s
Nix / NixOS tests (push) Successful in 5m10s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00
9f95f60400
release: 0.2.4
...
Tests / Go tests (push) Successful in 52s
Create distribution / Release (push) Successful in 1m9s
Nix / NixOS tests (push) Successful in 1m23s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 23:52:52 +09:00
38653c6ab5
release: 0.2.3
...
Tests / Go tests (push) Successful in 55s
Create distribution / Release (push) Successful in 1m1s
Nix / NixOS tests (push) Successful in 5m5s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-17 14:06:17 +09:00
138666d753
nix: skip acl test
...
test / test (push) Successful in 39s
The nix build environment does not support ACLs.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-16 19:29:01 +09:00
e3f1d7ba60
release: 0.2.2
...
release / release (push) Successful in 44s
test / test (push) Successful in 35s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-07 21:47:22 +09:00
2d606b1f4b
wl: implement security-context-v1
...
test / test (push) Successful in 38s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:15:13 +09:00
30b8bce90a
fortify: zsh completion
...
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-20 01:25:19 +09:00
de0d78daae
release: 0.2.1
...
release / release (push) Successful in 1m4s
test / test (push) Successful in 20s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 21:03:50 +09:00
d99c8b1fb4
release: 0.2.0
...
release / release (push) Successful in 44s
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 18:15:09 +09:00
748a0ae2c8
nix: wrap program from libexec
...
test / test (push) Successful in 24s
This avoids renaming the fortify binary.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 12:58:47 +09:00
6a6d30af1f
cmd/fuserdb: systemd userdb drop-in entries generator
...
test / test (push) Successful in 20s
This provides user records via nss-systemd. Static drop-in entries are generated to reduce complexity and attack surface.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 02:16:02 +09:00
df33123bd7
app: integrate fsu
...
test / test (push) Successful in 21s
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-16 21:19:45 +09:00
3962705126
nix: keep fshim and finit names
...
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 14:59:28 +09:00
f831948bca
release: 0.1.0
...
release / release (push) Successful in 28s
test / test (push) Successful in 21s
This release significantly changes the command line interface, and updates the NixOS module to finally produce meaningful sandbox configuration.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 04:37:43 +09:00
