security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 36 Wiki Activity

Compare commits

base: security:5c73acb56f81d820fdacc4ceff4f00f869318dbc
Branches Tags
security:master
security:staging
security:develop
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1
..
compare: security:c109ac26530ba38d3713bedcb404c1ddd7452d13
Branches Tags
security:staging
security:develop
security:master
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1

8 Commits
5c73acb56f ... c109ac2653

Author SHA1 Message Date
Ophestra
c109ac2653
release: 0.2.7
All checks were successful
Tests / Go tests (push) Successful in 47s
Details
Create distribution / Release (push) Successful in 1m5s
Details
Nix / NixOS tests (push) Successful in 4m40s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 13:34:50 +09:00
Ophestra
58f8731b2e
nix: include fortify show output
All checks were successful
Tests / Go tests (push) Successful in 35s
Details
Nix / NixOS tests (push) Successful in 3m40s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 13:28:21 +09:00
Ophestra
8a9ba5e0ad
fortify: show short mode omit filesystems
All checks were successful
Tests / Go tests (push) Successful in 36s
Details
Nix / NixOS tests (push) Successful in 3m19s
Details 
Filesystem information can be quite noisy in permissive defaults.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 13:20:33 +09:00
Ophestra
f608f28a6a
app: mount /dev/kvm in permissive defaults
All checks were successful
Tests / Go tests (push) Successful in 35s
Details
Nix / NixOS tests (push) Successful in 3m21s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 12:37:24 +09:00
Ophestra
aecfae1874
fortify: sort by time of start
All checks were successful
Tests / Go tests (push) Successful in 35s
Details
Nix / NixOS tests (push) Successful in 3m14s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 12:06:54 +09:00
Ophestra
27f2b53d18
fortify: sort ps output
All checks were successful
Tests / Go tests (push) Successful in 37s
Details
Nix / NixOS tests (push) Successful in 3m20s
Details 
This ensures consistency between runs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 11:59:53 +09:00
Ophestra
5838963265
nix: test dbus via notify-send
All checks were successful
Tests / Go tests (push) Successful in 1m28s
Details
Nix / NixOS tests (push) Successful in 4m0s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 11:31:12 +09:00
Ophestra
e8594cf670
fortify: print short instance id in non-json short mode
All checks were successful
Tests / Go tests (push) Successful in 1m23s
Details
Nix / NixOS tests (push) Successful in 3m28s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2024-12-22 11:02:19 +09:00
7 changed files with 90 additions and 53 deletions
Show Stats Expand all files Collapse all files

2
internal/app/app_pd_test.go
View File

@ -100,6 +100,7 @@ var testCasesPd = []sealTestCase{
Bind("/run/wrappers", "/run/wrappers", false, true). Bind("/run/wrappers", "/run/wrappers", false, true).
Bind("/run/zed.pid", "/run/zed.pid", false, true). Bind("/run/zed.pid", "/run/zed.pid", false, true).
Bind("/run/zed.state", "/run/zed.state", false, true). Bind("/run/zed.state", "/run/zed.state", false, true).
Bind("/dev/kvm", "/dev/kvm", true, true, true).
Bind("/etc", fst.Tmp+"/etc"). Bind("/etc", fst.Tmp+"/etc").
Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa"). Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
@ -355,6 +356,7 @@ var testCasesPd = []sealTestCase{
Bind("/run/zed.pid", "/run/zed.pid", false, true). Bind("/run/zed.pid", "/run/zed.pid", false, true).
Bind("/run/zed.state", "/run/zed.state", false, true). Bind("/run/zed.state", "/run/zed.state", false, true).
Bind("/dev/dri", "/dev/dri", true, true, true). Bind("/dev/dri", "/dev/dri", true, true, true).
Bind("/dev/kvm", "/dev/kvm", true, true, true).
Bind("/etc", fst.Tmp+"/etc"). Bind("/etc", fst.Tmp+"/etc").
Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa"). Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc"). Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").

2
internal/app/seal.go
View File

@ -201,6 +201,8 @@ func (a *app) Seal(config *fst.Config) error {
if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) { if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true}) conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
} }
// opportunistically bind kvm
conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
config.Confinement.Sandbox = conf config.Confinement.Sandbox = conf
} }

25
main.go
View File

@ -122,14 +122,21 @@ func main() {
printPs(short) printPs(short)
fmsg.Exit(0) fmsg.Exit(0)
case "show": // pretty-print app info case "show": // pretty-print app info
if len(args) != 2 { set := flag.NewFlagSet("show", flag.ExitOnError)
var short bool
set.BoolVar(&short, "short", false, "Omit filesystem information")
// Ignore errors; set is set for ExitOnError.
_ = set.Parse(args[1:])
if len(set.Args()) != 1 {
fmsg.Fatal("show requires 1 argument") fmsg.Fatal("show requires 1 argument")
} }
likePrefix := false likePrefix := false
if len(args[1]) <= 32 { if len(set.Args()[0]) <= 32 {
likePrefix = true likePrefix = true
for _, c := range args[1] { for _, c := range set.Args()[0] {
if c >= '0' && c <= '9' { if c >= '0' && c <= '9' {
continue continue
} }
@ -147,7 +154,7 @@ func main() {
) )
// try to match from state store // try to match from state store
if likePrefix && len(args[1]) >= 8 { if likePrefix && len(set.Args()[0]) >= 8 {
fmsg.VPrintln("argument looks like prefix") fmsg.VPrintln("argument looks like prefix")
s := state.NewMulti(os.Paths().RunDirPath) s := state.NewMulti(os.Paths().RunDirPath)
@ -157,7 +164,7 @@ func main() {
} else { } else {
for id := range entries { for id := range entries {
v := id.String() v := id.String()
if strings.HasPrefix(v, args[1]) { if strings.HasPrefix(v, set.Args()[0]) {
// match, use config from this state entry // match, use config from this state entry
instance = entries[id] instance = entries[id]
config = instance.Config config = instance.Config
@ -173,16 +180,16 @@ func main() {
fmsg.VPrintf("reading from file") fmsg.VPrintf("reading from file")
config = new(fst.Config) config = new(fst.Config)
if f, err := os.Open(args[1]); err != nil { if f, err := os.Open(set.Args()[0]); err != nil {
fmsg.Fatalf("cannot access config file %q: %s", args[1], err) fmsg.Fatalf("cannot access config file %q: %s", set.Args()[0], err)
panic("unreachable") panic("unreachable")
} else if err = json.NewDecoder(f).Decode(&config); err != nil { } else if err = json.NewDecoder(f).Decode(&config); err != nil {
fmsg.Fatalf("cannot parse config file %q: %s", args[1], err) fmsg.Fatalf("cannot parse config file %q: %s", set.Args()[0], err)
panic("unreachable") panic("unreachable")
} }
} }
printShow(instance, config) printShow(instance, config, short)
fmsg.Exit(0) fmsg.Exit(0)
case "app": // launch app from configuration file case "app": // launch app from configuration file
if len(args) < 2 { if len(args) < 2 {

2
options.md
View File

@ -36,7 +36,7 @@ package
*Default:* *Default:*
` <derivation fortify-0.2.6> ` ` <derivation fortify-0.2.7> `

2
package.nix
View File

@ -14,7 +14,7 @@
buildGoModule rec { buildGoModule rec {
pname = "fortify"; pname = "fortify";
version = "0.2.6"; version = "0.2.7";
src = builtins.path { src = builtins.path {
name = "fortify-src"; name = "fortify-src";

85
print.go
View File

@ -4,6 +4,7 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
direct "os" direct "os"
"slices"
"strconv" "strconv"
"strings" "strings"
"text/tabwriter" "text/tabwriter"
@ -15,7 +16,7 @@ import (
"git.gensokyo.uk/security/fortify/internal/state" "git.gensokyo.uk/security/fortify/internal/state"
) )
func printShow(instance *state.State, config *fst.Config) { func printShow(instance *state.State, config *fst.Config, short bool) {
if flagJSON { if flagJSON {
v := any(config) v := any(config)
if instance != nil { if instance != nil {
@ -80,7 +81,7 @@ func printShow(instance *state.State, config *fst.Config) {
fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " ")) fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
fmt.Fprintf(w, "\n") fmt.Fprintf(w, "\n")
if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 { if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
fmt.Fprintf(w, "Filesystem:\n") fmt.Fprintf(w, "Filesystem:\n")
for _, f := range config.Confinement.Sandbox.Filesystem { for _, f := range config.Confinement.Sandbox.Filesystem {
expr := new(strings.Builder) expr := new(strings.Builder)
@ -153,27 +154,6 @@ func printPs(short bool) {
fmsg.Printf("cannot close store: %v", err) fmsg.Printf("cannot close store: %v", err)
} }
if short {
var v []string
if flagJSON {
v = make([]string, 0, len(entries))
}
for _, instance := range entries {
if !flagJSON {
fmt.Println(instance.ID.String())
} else {
v = append(v, instance.ID.String())
}
}
if flagJSON {
printJSON(v)
}
return
}
if flagJSON { if flagJSON {
es := make(map[string]*state.State, len(entries)) es := make(map[string]*state.State, len(entries))
for id, instance := range entries { for id, instance := range entries {
@ -183,36 +163,69 @@ func printPs(short bool) {
return return
} }
// sort state entries by id string to ensure consistency between runs
exp := make([]*expandedStateEntry, 0, len(entries))
for id, instance := range entries {
// gracefully skip nil states
if instance == nil {
fmsg.Printf("got invalid state entry %s", id.String())
continue
}
// gracefully skip inconsistent states
if id != instance.ID {
fmt.Printf("possible store corruption: entry %s has id %s",
id.String(), instance.ID.String())
continue
}
exp = append(exp, &expandedStateEntry{s: id.String(), State: instance})
}
slices.SortFunc(exp, func(a, b *expandedStateEntry) int { return a.Time.Compare(b.Time) })
if short {
if flagJSON {
v := make([]string, len(exp))
for i, e := range exp {
v[i] = e.s
}
printJSON(v)
} else {
for _, e := range exp {
fmt.Println(e.s[:8])
}
}
return
}
// buffer output to reduce terminal activity // buffer output to reduce terminal activity
w := tabwriter.NewWriter(direct.Stdout, 0, 1, 4, ' ', 0) w := tabwriter.NewWriter(direct.Stdout, 0, 1, 4, ' ', 0)
fmt.Fprintln(w, "\tInstance\tPID\tApp\tUptime\tEnablements\tCommand") fmt.Fprintln(w, "\tInstance\tPID\tApp\tUptime\tEnablements\tCommand")
for _, instance := range entries { for _, e := range exp {
printInstance(w, instance, now) printInstance(w, e, now)
} }
if err := w.Flush(); err != nil { if err := w.Flush(); err != nil {
fmsg.Fatalf("cannot flush tabwriter: %v", err) fmsg.Fatalf("cannot flush tabwriter: %v", err)
} }
} }
func printInstance(w *tabwriter.Writer, instance *state.State, now time.Time) { type expandedStateEntry struct {
// gracefully skip nil states s string
if instance == nil { *state.State
fmsg.Println("got invalid state entry") }
return
}
func printInstance(w *tabwriter.Writer, e *expandedStateEntry, now time.Time) {
var ( var (
es = "(No confinement information)" es = "(No confinement information)"
cs = "(No command information)" cs = "(No command information)"
as = "(No configuration information)" as = "(No configuration information)"
) )
if instance.Config != nil { if e.Config != nil {
es = instance.Config.Confinement.Enablements.String() es = e.Config.Confinement.Enablements.String()
cs = fmt.Sprintf("%q", instance.Config.Command) cs = fmt.Sprintf("%q", e.Config.Command)
as = strconv.Itoa(instance.Config.Confinement.AppID) as = strconv.Itoa(e.Config.Confinement.AppID)
} }
fmt.Fprintf(w, "\t%s\t%d\t%s\t%s\t%s\t%s\n", fmt.Fprintf(w, "\t%s\t%d\t%s\t%s\t%s\t%s\n",
instance.ID.String()[:8], instance.PID, as, now.Sub(instance.Time).Round(time.Second).String(), strings.TrimPrefix(es, ", "), cs) e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String(), strings.TrimPrefix(es, ", "), cs)
} }
func printJSON(v any) { func printJSON(v any) {

25
test.nix
View File

@ -38,6 +38,10 @@ nixosTest {
wayland-utils wayland-utils
alacritty alacritty
# For D-Bus tests:
libnotify
mako
# For go tests: # For go tests:
self.devShells.${system}.fhs self.devShells.${system}.fhs
]; ];
@ -176,6 +180,10 @@ nixosTest {
if instance['config']['confinement']['enablements'] != enablements: if instance['config']['confinement']['enablements'] != enablements:
raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}") raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
def fortify(command):
swaymsg(f"exec fortify {command}")
start_all() start_all()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
@ -198,11 +206,13 @@ nixosTest {
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare") machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare")
# Start fortify within Wayland session: # Start fortify within Wayland session:
swaymsg("exec fortify -v run --wayland --dbus touch /tmp/success-session") fortify('-v run --wayland --dbus notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-done')
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-session") machine.wait_for_file("/tmp/dbus-done")
collect_state_ui("dbus_notify_exited")
machine.succeed("pkill -9 mako")
# Start a terminal (foot) within fortify: # Start a terminal (foot) within fortify:
swaymsg("exec fortify run --wayland foot") fortify("run --wayland foot")
wait_for_window("u0_a0@machine") wait_for_window("u0_a0@machine")
machine.send_chars("clear; wayland-info && touch /tmp/success-client\n") machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client") machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client")
@ -216,17 +226,20 @@ nixosTest {
machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000") machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
# Start a terminal (foot) within fortify from a terminal: # Start a terminal (foot) within fortify from a terminal:
swaymsg("exec foot fortify run --wayland foot") swaymsg("exec foot $SHELL -c '(fortify run --wayland foot) & sleep 1 && fortify show --short $(fortify ps --short) && touch /tmp/ps-show-ok && cat'")
wait_for_window("u0_a0@machine") wait_for_window("u0_a0@machine")
machine.send_chars("clear; wayland-info && touch /tmp/success-client-term\n") machine.send_chars("clear; wayland-info && touch /tmp/success-client-term\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term") machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term")
machine.wait_for_file("/tmp/ps-show-ok")
collect_state_ui("foot_wayland_permissive_term") collect_state_ui("foot_wayland_permissive_term")
check_state(["foot"], 1) check_state(["foot"], 1)
machine.send_chars("exit\n") machine.send_chars("exit\n")
wait_for_window("foot")
machine.send_key("ctrl-c")
machine.wait_until_fails("pgrep foot") machine.wait_until_fails("pgrep foot")
# Test PulseAudio (fortify does not support PipeWire yet): # Test PulseAudio (fortify does not support PipeWire yet):
swaymsg("exec fortify run --wayland --pulse foot") fortify("run --wayland --pulse foot")
wait_for_window("u0_a0@machine") wait_for_window("u0_a0@machine")
machine.send_chars("clear; pactl info && touch /tmp/success-pulse\n") machine.send_chars("clear; pactl info && touch /tmp/success-pulse\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-pulse") machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-pulse")
@ -236,7 +249,7 @@ nixosTest {
machine.wait_until_fails("pgrep foot") machine.wait_until_fails("pgrep foot")
# Test XWayland (foot does not support X): # Test XWayland (foot does not support X):
swaymsg("exec fortify run -X alacritty") fortify("run -X alacritty")
wait_for_window("u0_a0@machine") wait_for_window("u0_a0@machine")
machine.send_chars("clear; glinfo && touch /tmp/success-client-x11\n") machine.send_chars("clear; glinfo && touch /tmp/success-client-x11\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-x11") machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-x11")