fortify

Author	SHA1	Message	Date
Ophestra	e599b5583d	fmsg: implement suspend in writer All checks were successful Test / Create distribution (push) Successful in 24s Details Test / Run NixOS test (push) Successful in 2m18s Details This removes the requirement to call fmsg.Exit on every exit path, and enables direct use of the "log" package. However, fmsg.BeforeExit is still encouraged when possible to catch exit on suspended output. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-16 18:51:53 +09:00
Ophestra	cc1efa22e2	fst: add missing fields to template All checks were successful Build / Create distribution (push) Successful in 1m28s Details Test / Run NixOS test (push) Successful in 3m43s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 12:09:25 +09:00
Ophestra	9a239fa1a5	helper/bwrap: integrate seccomp into helper interface All checks were successful Build / Create distribution (push) Successful in 1m36s Details Test / Run NixOS test (push) Successful in 3m40s Details This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-22 01:52:57 +09:00
Ophestra	dfcdc5ce20	state: store config in separate gob stream All checks were successful Build / Create distribution (push) Successful in 1m37s Details Test / Run NixOS test (push) Successful in 3m38s Details This enables early serialisation of config. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-21 12:10:58 +09:00
Ophestra	27f5922d5c	fst: include syscall filter configuration All checks were successful Build / Create distribution (push) Successful in 3m0s Details Test / Run NixOS test (push) Successful in 5m19s Details This value is passed through to shim. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 21:12:39 +09:00
Ophestra	562f5ed797	fst: hide sockets exposed via Filesystem All checks were successful Tests / Go tests (push) Successful in 40s Details Nix / NixOS tests (push) Successful in 2m49s Details This is mostly useful for permissive defaults. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 10:13:18 +09:00
Ophestra	db03565614	fst: move sandbox struct to separate file All checks were successful Tests / Go tests (push) Successful in 1m0s Details Nix / NixOS tests (push) Successful in 3m9s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 09:42:44 +09:00
Ophestra	a1148edd00	fst/config: allocate filesystem slice All checks were successful Tests / Go tests (push) Successful in 32s Details Nix / NixOS tests (push) Successful in 4m5s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-04 00:16:41 +09:00
Ophestra	35b7142317	fortify: show system info when instance is not specified All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 4m32s Details This contains useful information not obtainable by external tools. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-01 19:35:50 +09:00
Ophestra	b9e2003d5b	app: ensure extra paths All checks were successful Tests / Go tests (push) Successful in 36s Details Nix / NixOS tests (push) Successful in 3m37s Details The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:07:49 +09:00
Ophestra	847b667489	app: extra acl entries from configuration Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:23:27 +09:00
Ophestra	85e5b097fd	fst/config: add template etc entry All checks were successful Tests / Go tests (push) Successful in 31s Details Nix / NixOS tests (push) Successful in 3m21s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 12:05:32 +09:00
Ophestra	fc26659ea1	fst/config: autoetc read custom path All checks were successful Tests / Go tests (push) Successful in 43s Details Nix / NixOS tests (push) Successful in 3m40s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-27 18:57:44 +09:00
Ophestra	2fdbd6a4dd	fst/config: alternative /etc directory All checks were successful Tests / Go tests (push) Successful in 32s Details Nix / NixOS tests (push) Successful in 3m41s Details This is useful for static /etc directories provided by self-contained application packages, or in cases where autoetc is useful for paths other than /etc. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-27 18:06:26 +09:00
Ophestra	c67b8ab9ac	fst/config: improve correctness of comments All checks were successful Tests / Go tests (push) Successful in 33s Details Nix / NixOS tests (push) Successful in 3m26s Details The meanings of many of these fields have changed since they were added. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 00:45:29 +09:00
Ophestra	7a8b625a57	app: rename /fortify to /.fortify All checks were successful Tests / Go tests (push) Successful in 35s Details Nix / NixOS tests (push) Successful in 2m57s Details Also removed the inner share tmpfs mount. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 18:11:32 +09:00
Ophestra Umiker	df6fc298f6	migrate to git.gensokyo.uk/security/fortify All checks were successful Tests / Go tests (push) Successful in 2m55s Details Nix / NixOS tests (push) Successful in 5m10s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
Ophestra Umiker	5ea7333431	fst: implement app id parser All checks were successful Tests / Go tests (push) Successful in 40s Details Nix / NixOS tests (push) Successful in 3m8s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 18:19:47 +09:00
Ophestra Umiker	2f676c9d6e	fst: rename from fipc All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 5m48s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 15:50:46 +09:00

19 Commits