fortify

Author	SHA1	Message	Date
Ophestra	e0f321b2c4	sys: rename from linux Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 18:47:48 +09:00
Ophestra	2c9c7fee5b	linux: wrap fsu lookup error Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-18 17:39:53 +09:00
Ophestra	90cb01b274	system: move out of internal Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 19:00:43 +09:00
Ophestra	b1e1d5627e	system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 18:17:55 +09:00
Ophestra	3ae2ab652e	system/wayland: sync file at caller specified address Storing this in sys is incredibly ugly: sys should be stateless and Ops must keep track of their state. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 13:24:17 +09:00
Ophestra	82a072f641	system/tmpfiles: implement private tmpfiles These are only available within the mount namespace and should significantly reduce attack surface. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-17 00:07:52 +09:00
Ophestra	29c38caac8	app/shim/manager: return error on bad fsu path This results in a graceful failure that does not leave garbage behind. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 18:59:45 +09:00
Ophestra	e599b5583d	fmsg: implement suspend in writer This removes the requirement to call fmsg.Exit on every exit path, and enables direct use of the "log" package. However, fmsg.BeforeExit is still encouraged when possible to catch exit on suspended output. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 18:51:53 +09:00
Ophestra	33a4ab11c2	internal: move shim and init into app This structure makes more sense, as both processes are part of an app's lifecycle. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 16:28:46 +09:00
Ophestra	268a90f1a5	app: improve WAYLAND_DISPLAY correctness This now has identical behaviour as wayland C library. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 14:45:09 +09:00
Ophestra	ddb2f9c11b	app: remove wayland socket hard link This Op was not doing anything useful. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 10:54:00 +09:00
Ophestra	0340c67995	app: port passwd and group files to copy Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 03:19:06 +09:00
Ophestra	ea8d1c07df	priv/shim: move /sbin/init setup to app Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-15 03:06:10 +09:00
Ophestra	e431ab3c24	app: check username length against LOGIN_NAME_MAX This limit is arbitrary, but it's good to enforce it anyway. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-14 12:44:55 +09:00
Ophestra	fe7d208cf7	helper: use generic extra files interface This replaces the pipes object and integrates context into helper process lifecycle. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-13 23:34:15 +09:00
Ophestra	e14923ae53	helper/proc: move package out of internal Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-08 13:03:45 +09:00
Ophestra	2e52191404	system/dbus: dump method prints msgbuf Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-07 13:16:54 +09:00
Ophestra	23e1152baa	app/share: clean BaseError message This removes trailing '\n' in the PulseAudio warning. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 11:54:16 +09:00
Ophestra	9a239fa1a5	helper/bwrap: integrate seccomp into helper interface This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 01:52:57 +09:00
Ophestra	dfcdc5ce20	state: store config in separate gob stream This enables early serialisation of config. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-21 12:10:58 +09:00
Ophestra	27f5922d5c	fst: include syscall filter configuration This value is passed through to shim. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 21:12:39 +09:00
Ophestra	2f70506865	helper/bwrap: move sync to helper state Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:38:13 +09:00
Ophestra	cae567c109	proc/priv/shim: remove unnecessary state These values are only used during process creation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:09:07 +09:00
Ophestra	ea8f228af3	proc/priv/shim: merge shim into main program Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 23:43:32 +09:00
Ophestra	124743ffd3	app: expose single run method App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 23:39:51 +09:00
Ophestra	562f5ed797	fst: hide sockets exposed via Filesystem This is mostly useful for permissive defaults. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 10:13:18 +09:00
Ophestra	c4d6651cae	update reverse-DNS style identifiers Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-31 16:16:38 +09:00
Ophestra	9b206072fa	cmd/fshim: ensure data directory Ensuring home directory in shim causes the directory to be owned by the target user. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:39:01 +09:00
Ophestra	b9e2003d5b	app: ensure extra paths The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:07:49 +09:00
Ophestra	847b667489	app: extra acl entries from configuration Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:23:27 +09:00
Ophestra	0107620d8c	app: merge share methods This significantly increases readability and makes order of ops more obvious. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 11:12:35 +09:00
Ophestra	f608f28a6a	app: mount /dev/kvm in permissive defaults Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-22 12:37:24 +09:00
Ophestra	7a8b625a57	app: rename /fortify to /.fortify Also removed the inner share tmpfs mount. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 18:11:32 +09:00
Ophestra	74fe74e6b5	app: do not fail on missing cookie Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 17:56:21 +09:00
Ophestra Umiker	df6fc298f6	migrate to git.gensokyo.uk/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
Ophestra Umiker	eae3034260	state: expose aids and use instance id as key Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 21:36:17 +09:00
Ophestra Umiker	52f21a19f3	cmd/fshim: switch to setup pipe The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 19:39:25 +09:00
Ophestra Umiker	2f676c9d6e	fst: rename from fipc Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 15:50:46 +09:00
Ophestra Umiker	b752ec4468	fipc: export config struct Also store full config as part of state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 13:45:55 +09:00
Ophestra Umiker	b3ef53b193	app: integrate security-context-v1 Should be able to get rid of XDG_RUNTIME_DIR share after this. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 04:25:33 +09:00
Ophestra Umiker	b291f0b710	app: add nixos-based config test case Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-21 12:13:21 +09:00
Ophestra Umiker	9faf3b3596	app: validate username This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-19 21:01:41 +09:00
Ophestra Umiker	ae2628e57a	cmd/fshim/ipc: install signal handler on shim start Getting killed at this point will result in inconsistent state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-18 13:33:46 +09:00
Ophestra Umiker	05b7dbf066	app: alternative inner home path Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-18 00:18:21 +09:00
Ophestra Umiker	c1fad649e8	app/start: check for cleanup and abort condition Dirty fix. Will rewrite after fsu integration complete. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-17 23:41:52 +09:00
Ophestra Umiker	b5f01ef20b	app: append # for ChangeHosts message with numerical uid Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-17 23:40:37 +09:00
Ophestra Umiker	df33123bd7	app: integrate fsu This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-16 21:19:45 +09:00
Ophestra Umiker	9a13b311ac	app/config: rename map_real_uid from use_real_uid This option only changes mapped uid in the user namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-09 12:01:34 +09:00
Ophestra Umiker	3dfc1fcd56	app: support full /dev access Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-06 03:49:39 +09:00
Ophestra Umiker	69cc64ef56	linux: provide access to stdout Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 22:55:46 +09:00

1 2 3

114 Commits