dfcdc5ce20
state: store config in separate gob stream
...
Build / Create distribution (push) Successful in 1m37s
Test / Run NixOS test (push) Successful in 3m38s
This enables early serialisation of config.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-21 12:10:58 +09:00
27f5922d5c
fst: include syscall filter configuration
...
Build / Create distribution (push) Successful in 3m0s
Test / Run NixOS test (push) Successful in 5m19s
This value is passed through to shim.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 21:12:39 +09:00
562f5ed797
fst: hide sockets exposed via Filesystem
...
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 2m49s
This is mostly useful for permissive defaults.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 10:13:18 +09:00
db03565614
fst: move sandbox struct to separate file
...
Tests / Go tests (push) Successful in 1m0s
Nix / NixOS tests (push) Successful in 3m9s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 09:42:44 +09:00
a1148edd00
fst/config: allocate filesystem slice
...
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 4m5s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-04 00:16:41 +09:00
35b7142317
fortify: show system info when instance is not specified
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 4m32s
This contains useful information not obtainable by external tools.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-01 19:35:50 +09:00
b9e2003d5b
app: ensure extra paths
...
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 3m37s
The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app).
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:07:49 +09:00
847b667489
app: extra acl entries from configuration
...
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 13:23:27 +09:00
85e5b097fd
fst/config: add template etc entry
...
Tests / Go tests (push) Successful in 31s
Nix / NixOS tests (push) Successful in 3m21s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 12:05:32 +09:00
fc26659ea1
fst/config: autoetc read custom path
...
Tests / Go tests (push) Successful in 43s
Nix / NixOS tests (push) Successful in 3m40s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:57:44 +09:00
2fdbd6a4dd
fst/config: alternative /etc directory
...
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 3m41s
This is useful for static /etc directories provided by self-contained application packages, or in cases where autoetc is useful for paths other than /etc.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:06:26 +09:00
c67b8ab9ac
fst/config: improve correctness of comments
...
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 3m26s
The meanings of many of these fields have changed since they were added.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 00:45:29 +09:00
7a8b625a57
app: rename /fortify to /.fortify
...
Tests / Go tests (push) Successful in 35s
Nix / NixOS tests (push) Successful in 2m57s
Also removed the inner share tmpfs mount.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-21 18:11:32 +09:00
df6fc298f6
migrate to git.gensokyo.uk/security/fortify
...
Tests / Go tests (push) Successful in 2m55s
Nix / NixOS tests (push) Successful in 5m10s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-20 00:20:02 +09:00
5ea7333431
fst: implement app id parser
...
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 3m8s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 18:19:47 +09:00
2f676c9d6e
fst: rename from fipc
...
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 5m48s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 15:50:46 +09:00
