security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 36 Wiki Activity

Compare commits

base: security:b8c254f4f957ebf2db67d36e9d963f83b3f0b812
Branches Tags
security:master
security:staging
security:develop
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1
..
compare: security:ad6d0ee55febef84ab44ab7740267c490f5db7dd
Branches Tags
security:staging
security:develop
security:master
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1

No commits in common. "b8c254f4f957ebf2db67d36e9d963f83b3f0b812" and "ad6d0ee55febef84ab44ab7740267c490f5db7dd" have entirely different histories.
b8c254f4f9 ... ad6d0ee55f

16 changed files with 252 additions and 355 deletions
Show Stats Expand all files Collapse all files

17
.gitea/workflows/release.yml
View File

@ -9,14 +9,17 @@ jobs:
release: release:
name: Create release name: Create release
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
actions: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: https://github.com/actions/setup-go@v5
with:
go-version: '>=1.23.0'
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v30 uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with: with:
# explicitly enable sandbox # explicitly enable sandbox
install_options: --daemon install_options: --daemon
@ -33,13 +36,15 @@ jobs:
- name: Restore Nix store - name: Restore Nix store
uses: nix-community/cache-nix-action@v5 uses: nix-community/cache-nix-action@v5
with: with:
primary-key: build-dist-${{ runner.os }}-${{ hashFiles('**/*.nix') }} primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
restore-prefixes-first-match: build-dist-${{ runner.os }}- restore-prefixes-first-match: nix-small-${{ runner.os }}-
- name: Build for release - name: Build for release
id: build-test
run: nix build --print-out-paths --print-build-logs .#dist run: nix build --print-out-paths --print-build-logs .#dist
- name: Release - name: Release
id: use-go-action
uses: https://gitea.com/actions/release-action@main uses: https://gitea.com/actions/release-action@main
with: with:
files: |- files: |-

12
.gitea/workflows/test.yml
View File

@ -8,14 +8,12 @@ jobs:
test: test:
name: Run NixOS test name: Run NixOS test
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
actions: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v30 uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with: with:
# explicitly enable sandbox # explicitly enable sandbox
install_options: --daemon install_options: --daemon
@ -55,14 +53,12 @@ jobs:
dist: dist:
name: Create distribution name: Create distribution
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
actions: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v30 uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with: with:
# explicitly enable sandbox # explicitly enable sandbox
install_options: --daemon install_options: --daemon

12
flake.lock generated
View File

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736373539, "lastModified": 1735344290,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "rev": "613691f285dad87694c2ba1c9e6298d04736292d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -23,11 +23,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1737672001, "lastModified": 1735326919,
"narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=", "narHash": "sha256-BZlgs4l9CXAauo78giGCZdazMMk5VZNro7o5SHFUuyE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8", "rev": "8f0aa155aa29f7d2b471aa2ffd322745bf2b2036",
"type": "github" "type": "github"
}, },
"original": { "original": {

96
helper/seccomp/seccomp-export.c → helper/bwrap/seccomp-export.c
View File

@ -28,7 +28,7 @@ struct f_syscall_act {
#define LEN(arr) (sizeof(arr) / sizeof((arr)[0])) #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
#define SECCOMP_RULESET_ADD(ruleset) do { \ #define SECCOMP_RULESET_ADD(ruleset) do { \
if (opts & F_VERBOSE) F_println("adding seccomp ruleset \"" #ruleset "\""); \ F_println("adding seccomp ruleset \"" #ruleset "\""); \
for (int i = 0; i < LEN(ruleset); i++) { \ for (int i = 0; i < LEN(ruleset); i++) { \
assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \ assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \
\ \
@ -89,31 +89,6 @@ int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts o
{SCMP_SYS(migrate_pages), EPERM}, {SCMP_SYS(migrate_pages), EPERM},
}; };
// fortify: project-specific extensions
struct f_syscall_act deny_common_ext[] = {
// system calls for changing the system clock
{SCMP_SYS(adjtimex), EPERM},
{SCMP_SYS(clock_adjtime), EPERM},
{SCMP_SYS(clock_adjtime64), EPERM},
{SCMP_SYS(clock_settime), EPERM},
{SCMP_SYS(clock_settime64), EPERM},
{SCMP_SYS(settimeofday), EPERM},
// loading and unloading of kernel modules
{SCMP_SYS(delete_module), EPERM},
{SCMP_SYS(finit_module), EPERM},
{SCMP_SYS(init_module), EPERM},
// system calls for rebooting and reboot preparation
{SCMP_SYS(kexec_file_load), EPERM},
{SCMP_SYS(kexec_load), EPERM},
{SCMP_SYS(reboot), EPERM},
// system calls for enabling/disabling swap devices
{SCMP_SYS(swapoff), EPERM},
{SCMP_SYS(swapon), EPERM},
};
struct f_syscall_act deny_ns[] = { struct f_syscall_act deny_ns[] = {
// Don't allow subnamespace setups: // Don't allow subnamespace setups:
{SCMP_SYS(unshare), EPERM}, {SCMP_SYS(unshare), EPERM},
@ -151,34 +126,6 @@ int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts o
{SCMP_SYS(mount_setattr), ENOSYS}, {SCMP_SYS(mount_setattr), ENOSYS},
}; };
// fortify: project-specific extensions
struct f_syscall_act deny_ns_ext[] = {
// changing file ownership
{SCMP_SYS(chown), EPERM},
{SCMP_SYS(chown32), EPERM},
{SCMP_SYS(fchown), EPERM},
{SCMP_SYS(fchown32), EPERM},
{SCMP_SYS(fchownat), EPERM},
{SCMP_SYS(lchown), EPERM},
{SCMP_SYS(lchown32), EPERM},
// system calls for changing user ID and group ID credentials
{SCMP_SYS(setgid), EPERM},
{SCMP_SYS(setgid32), EPERM},
{SCMP_SYS(setgroups), EPERM},
{SCMP_SYS(setgroups32), EPERM},
{SCMP_SYS(setregid), EPERM},
{SCMP_SYS(setregid32), EPERM},
{SCMP_SYS(setresgid), EPERM},
{SCMP_SYS(setresgid32), EPERM},
{SCMP_SYS(setresuid), EPERM},
{SCMP_SYS(setresuid32), EPERM},
{SCMP_SYS(setreuid), EPERM},
{SCMP_SYS(setreuid32), EPERM},
{SCMP_SYS(setuid), EPERM},
{SCMP_SYS(setuid32), EPERM},
};
struct f_syscall_act deny_tty[] = { struct f_syscall_act deny_tty[] = {
// Don't allow faking input to the controlling tty (CVE-2017-5226) // Don't allow faking input to the controlling tty (CVE-2017-5226)
{SCMP_SYS(ioctl), EPERM, &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)}, {SCMP_SYS(ioctl), EPERM, &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
@ -198,22 +145,6 @@ int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts o
{SCMP_SYS(ptrace), EPERM} {SCMP_SYS(ptrace), EPERM}
}; };
struct f_syscall_act deny_emu[] = {
// modify_ldt is a historic source of interesting information leaks,
// so it's disabled as a hardening measure.
// However, it is required to run old 16-bit applications
// as well as some Wine patches, so it's allowed in multiarch.
{SCMP_SYS(modify_ldt), EPERM},
};
// fortify: project-specific extensions
struct f_syscall_act deny_emu_ext[] = {
{SCMP_SYS(subpage_prot), ENOSYS},
{SCMP_SYS(switch_endian), ENOSYS},
{SCMP_SYS(vm86), ENOSYS},
{SCMP_SYS(vm86old), ENOSYS},
};
// Blocklist all but unix, inet, inet6 and netlink // Blocklist all but unix, inet, inet6 and netlink
struct struct
{ {
@ -268,11 +199,26 @@ int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts o
if (opts & F_DENY_NS) SECCOMP_RULESET_ADD(deny_ns); if (opts & F_DENY_NS) SECCOMP_RULESET_ADD(deny_ns);
if (opts & F_DENY_TTY) SECCOMP_RULESET_ADD(deny_tty); if (opts & F_DENY_TTY) SECCOMP_RULESET_ADD(deny_tty);
if (opts & F_DENY_DEVEL) SECCOMP_RULESET_ADD(deny_devel); if (opts & F_DENY_DEVEL) SECCOMP_RULESET_ADD(deny_devel);
if (!allow_multiarch) SECCOMP_RULESET_ADD(deny_emu);
if (opts & F_EXT) { if (!allow_multiarch) {
SECCOMP_RULESET_ADD(deny_common_ext); F_println("disabling modify_ldt");
if (opts & F_DENY_NS) SECCOMP_RULESET_ADD(deny_ns_ext);
if (!allow_multiarch) SECCOMP_RULESET_ADD(deny_emu_ext); // modify_ldt is a historic source of interesting information leaks,
// so it's disabled as a hardening measure.
// However, it is required to run old 16-bit applications
// as well as some Wine patches, so it's allowed in multiarch.
ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(modify_ldt), 0);
// See above for the meaning of EFAULT.
if (ret == -EFAULT) {
// call fmsg here?
res = 4;
goto out;
} else if (ret < 0) {
res = 5;
errno = -ret;
goto out;
}
} }
// Socket filtering doesn't work on e.g. i386, so ignore failures here // Socket filtering doesn't work on e.g. i386, so ignore failures here

16
helper/seccomp/seccomp-export.h → helper/bwrap/seccomp-export.h
View File

@ -8,15 +8,13 @@
#endif #endif
typedef enum { typedef enum {
F_VERBOSE = 1 << 0, F_DENY_NS = 1 << 0,
F_EXT = 1 << 1, F_DENY_TTY = 1 << 1,
F_DENY_NS = 1 << 2, F_DENY_DEVEL = 1 << 2,
F_DENY_TTY = 1 << 3, F_MULTIARCH = 1 << 3,
F_DENY_DEVEL = 1 << 4, F_LINUX32 = 1 << 4,
F_MULTIARCH = 1 << 5, F_CAN = 1 << 5,
F_LINUX32 = 1 << 6, F_BLUETOOTH = 1 << 6,
F_CAN = 1 << 7,
F_BLUETOOTH = 1 << 8,
} f_syscall_opts; } f_syscall_opts;
extern void F_println(char *v); extern void F_println(char *v);

95
helper/bwrap/seccomp-resolve.go Normal file
View File

@ -0,0 +1,95 @@
package bwrap
import (
"fmt"
"io"
"os"
"git.gensokyo.uk/security/fortify/internal/fmsg"
)
type SyscallPolicy struct {
DenyDevel bool `json:"deny_devel"`
Multiarch bool `json:"multiarch"`
Linux32 bool `json:"linux32"`
Can bool `json:"can"`
Bluetooth bool `json:"bluetooth"`
}
type seccompBuilder struct {
config *Config
}
func (s *seccompBuilder) Len() int {
if s == nil {
return 0
}
return 2
}
func (s *seccompBuilder) Append(args *[]string, extraFiles *[]*os.File) error {
if s == nil {
return nil
}
if f, err := s.config.resolveSeccomp(); err != nil {
return err
} else {
extraFile(args, extraFiles, positionalArgs[Seccomp], f)
return nil
}
}
func (c *Config) resolveSeccomp() (*os.File, error) {
if c.Syscall == nil {
return nil, nil
}
// resolve seccomp filter opts
var (
opts syscallOpts
optd []string
optCond = [...]struct {
v bool
o syscallOpts
d string
}{
{!c.UserNS, flagDenyNS, "denyns"},
{c.NewSession, flagDenyTTY, "denytty"},
{c.Syscall.DenyDevel, flagDenyDevel, "denydevel"},
{c.Syscall.Multiarch, flagMultiarch, "multiarch"},
{c.Syscall.Linux32, flagLinux32, "linux32"},
{c.Syscall.Can, flagCan, "can"},
{c.Syscall.Bluetooth, flagBluetooth, "bluetooth"},
}
)
if CPrintln != nil {
optd = make([]string, 1, len(optCond)+1)
optd[0] = "common"
}
for _, opt := range optCond {
if opt.v {
opts |= opt.o
if fmsg.Verbose() {
optd = append(optd, opt.d)
}
}
}
if CPrintln != nil {
CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
}
// export seccomp filter to tmpfile
if f, err := tmpfile(); err != nil {
return nil, err
} else {
return f, exportAndSeek(f, opts)
}
}
func exportAndSeek(f *os.File, opts syscallOpts) error {
if err := exportFilter(f.Fd(), opts); err != nil {
return err
}
_, err := f.Seek(0, io.SeekStart)
return err
}

141
helper/bwrap/seccomp.go
View File

@ -1,90 +1,83 @@
package bwrap package bwrap
/*
#cgo linux pkg-config: --static libseccomp
#include "seccomp-export.h"
*/
import "C"
import ( import (
"errors"
"fmt" "fmt"
"os" "os"
"runtime"
"git.gensokyo.uk/security/fortify/helper/seccomp"
"git.gensokyo.uk/security/fortify/internal/fmsg"
) )
type SyscallPolicy struct { var CPrintln func(v ...any)
// disable fortify extensions
Compat bool `json:"compat"` var resErr = [...]error{
// deny development syscalls 0: nil,
DenyDevel bool `json:"deny_devel"` 1: errors.New("seccomp_init failed"),
// deny multiarch/emulation syscalls 2: errors.New("seccomp_arch_add failed"),
Multiarch bool `json:"multiarch"` 3: errors.New("seccomp_arch_add failed (multiarch)"),
// allow PER_LINUX32 4: errors.New("internal libseccomp failure"),
Linux32 bool `json:"linux32"` 5: errors.New("seccomp_rule_add failed"),
// allow AF_CAN 6: errors.New("seccomp_export_bpf failed"),
Can bool `json:"can"`
// allow AF_BLUETOOTH
Bluetooth bool `json:"bluetooth"`
} }
type seccompBuilder struct { type (
config *Config syscallOpts = C.f_syscall_opts
)
const (
flagDenyNS syscallOpts = C.F_DENY_NS
flagDenyTTY syscallOpts = C.F_DENY_TTY
flagDenyDevel syscallOpts = C.F_DENY_DEVEL
flagMultiarch syscallOpts = C.F_MULTIARCH
flagLinux32 syscallOpts = C.F_LINUX32
flagCan syscallOpts = C.F_CAN
flagBluetooth syscallOpts = C.F_BLUETOOTH
)
func tmpfile() (*os.File, error) {
fd, err := C.f_tmpfile_fd()
if err != nil {
return nil, err
}
return os.NewFile(uintptr(fd), "tmpfile"), err
} }
func (s *seccompBuilder) Len() int { func exportFilter(fd uintptr, opts syscallOpts) error {
if s == nil {
return 0
}
return 2
}
func (s *seccompBuilder) Append(args *[]string, extraFiles *[]*os.File) error {
if s == nil {
return nil
}
if f, err := s.config.resolveSeccomp(); err != nil {
return err
} else {
extraFile(args, extraFiles, positionalArgs[Seccomp], f)
return nil
}
}
func (c *Config) resolveSeccomp() (*os.File, error) {
if c.Syscall == nil {
return nil, nil
}
// resolve seccomp filter opts
var ( var (
opts seccomp.SyscallOpts arch C.uint32_t = 0
optd []string multiarch C.uint32_t = 0
optCond = [...]struct {
v bool
o seccomp.SyscallOpts
d string
}{
{!c.Syscall.Compat, seccomp.FlagExt, "fortify"},
{!c.UserNS, seccomp.FlagDenyNS, "denyns"},
{c.NewSession, seccomp.FlagDenyTTY, "denytty"},
{c.Syscall.DenyDevel, seccomp.FlagDenyDevel, "denydevel"},
{c.Syscall.Multiarch, seccomp.FlagMultiarch, "multiarch"},
{c.Syscall.Linux32, seccomp.FlagLinux32, "linux32"},
{c.Syscall.Can, seccomp.FlagCan, "can"},
{c.Syscall.Bluetooth, seccomp.FlagBluetooth, "bluetooth"},
}
) )
if seccomp.CPrintln != nil { switch runtime.GOARCH {
optd = make([]string, 1, len(optCond)+1) case "386":
optd[0] = "common" arch = C.SCMP_ARCH_X86
} case "amd64":
for _, opt := range optCond { arch = C.SCMP_ARCH_X86_64
if opt.v { multiarch = C.SCMP_ARCH_X86
opts |= opt.o case "arm":
if fmsg.Verbose() { arch = C.SCMP_ARCH_ARM
optd = append(optd, opt.d) case "arm64":
} arch = C.SCMP_ARCH_AARCH64
} multiarch = C.SCMP_ARCH_ARM
}
if seccomp.CPrintln != nil {
seccomp.CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
} }
return seccomp.Export(opts) res, err := C.f_export_bpf(C.int(fd), arch, multiarch, opts)
if re := resErr[res]; re != nil {
if err == nil {
return re
}
return fmt.Errorf("%s: %v", re.Error(), err)
}
return err
}
//export F_println
func F_println(v *C.char) {
if CPrintln != nil {
CPrintln(C.GoString(v))
}
} }

17
helper/seccomp/export.go
View File

@ -1,17 +0,0 @@
package seccomp
import (
"io"
"os"
)
func Export(opts SyscallOpts) (f *os.File, err error) {
if f, err = tmpfile(); err != nil {
return
}
if err = exportFilter(f.Fd(), opts); err != nil {
return
}
_, err = f.Seek(0, io.SeekStart)
return
}

89
helper/seccomp/seccomp.go
View File

@ -1,89 +0,0 @@
package seccomp
/*
#cgo linux pkg-config: --static libseccomp
#include "seccomp-export.h"
*/
import "C"
import (
"errors"
"fmt"
"os"
"runtime"
)
var CPrintln func(v ...any)
var resErr = [...]error{
0: nil,
1: errors.New("seccomp_init failed"),
2: errors.New("seccomp_arch_add failed"),
3: errors.New("seccomp_arch_add failed (multiarch)"),
4: errors.New("internal libseccomp failure"),
5: errors.New("seccomp_rule_add failed"),
6: errors.New("seccomp_export_bpf failed"),
}
type SyscallOpts = C.f_syscall_opts
const (
flagVerbose SyscallOpts = C.F_VERBOSE
FlagExt SyscallOpts = C.F_EXT
FlagDenyNS SyscallOpts = C.F_DENY_NS
FlagDenyTTY SyscallOpts = C.F_DENY_TTY
FlagDenyDevel SyscallOpts = C.F_DENY_DEVEL
FlagMultiarch SyscallOpts = C.F_MULTIARCH
FlagLinux32 SyscallOpts = C.F_LINUX32
FlagCan SyscallOpts = C.F_CAN
FlagBluetooth SyscallOpts = C.F_BLUETOOTH
)
func tmpfile() (*os.File, error) {
fd, err := C.f_tmpfile_fd()
if err != nil {
return nil, err
}
return os.NewFile(uintptr(fd), "tmpfile"), err
}
func exportFilter(fd uintptr, opts SyscallOpts) error {
var (
arch C.uint32_t = 0
multiarch C.uint32_t = 0
)
switch runtime.GOARCH {
case "386":
arch = C.SCMP_ARCH_X86
case "amd64":
arch = C.SCMP_ARCH_X86_64
multiarch = C.SCMP_ARCH_X86
case "arm":
arch = C.SCMP_ARCH_ARM
case "arm64":
arch = C.SCMP_ARCH_AARCH64
multiarch = C.SCMP_ARCH_ARM
}
// this removes repeated transitions between C and Go execution
// when producing log output via F_println and CPrintln is nil
if CPrintln != nil {
opts |= flagVerbose
}
res, err := C.f_export_bpf(C.int(fd), arch, multiarch, opts)
if re := resErr[res]; re != nil {
if err == nil {
return re
}
return fmt.Errorf("%s: %v", re.Error(), err)
}
return err
}
//export F_println
func F_println(v *C.char) {
if CPrintln != nil {
CPrintln(C.GoString(v))
}
}

4
internal/proc/priv/shim/main.go
View File

@ -8,7 +8,7 @@ import (
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper" "git.gensokyo.uk/security/fortify/helper"
"git.gensokyo.uk/security/fortify/helper/seccomp" "git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/internal/proc" "git.gensokyo.uk/security/fortify/internal/proc"
@ -128,7 +128,7 @@ func Main() {
helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
if fmsg.Verbose() { if fmsg.Verbose() {
seccomp.CPrintln = fmsg.Println bwrap.CPrintln = fmsg.Println
} }
if b, err := helper.NewBwrap( if b, err := helper.NewBwrap(
conf, innerInit, conf, innerInit,

4
main.go
View File

@ -16,7 +16,7 @@ import (
"git.gensokyo.uk/security/fortify/dbus" "git.gensokyo.uk/security/fortify/dbus"
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/helper/seccomp" "git.gensokyo.uk/security/fortify/helper/bwrap"
"git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/app" "git.gensokyo.uk/security/fortify/internal/app"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
@ -310,7 +310,7 @@ func runApp(config *fst.Config) {
ctx, cancel := context.WithCancel(context.Background()) ctx, cancel := context.WithCancel(context.Background())
if fmsg.Verbose() { if fmsg.Verbose() {
seccomp.CPrintln = fmsg.Println bwrap.CPrintln = fmsg.Println
} }
// handle signals for graceful shutdown // handle signals for graceful shutdown

63
nixos.nix
View File

@ -118,46 +118,47 @@ in
env env
; ;
syscall = { syscall = {
inherit (app) compat multiarch bluetooth; inherit (app) devel multiarch bluetooth;
deny_devel = !app.devel;
}; };
map_real_uid = app.mapRealUid; map_real_uid = app.mapRealUid;
no_new_session = app.tty; no_new_session = app.tty;
filesystem = filesystem =
let
bind = src: { inherit src; };
mustBind = src: {
inherit src;
require = true;
};
devBind = src: {
inherit src;
dev = true;
};
in
[ [
(mustBind "/bin") { src = "/bin"; }
(mustBind "/usr/bin") { src = "/usr/bin"; }
(mustBind "/nix/store") { src = "/nix/store"; }
(mustBind "/run/current-system") { src = "/run/current-system"; }
(bind "/sys/block") {
(bind "/sys/bus") src = "/sys/block";
(bind "/sys/class") require = false;
(bind "/sys/dev") }
(bind "/sys/devices") {
src = "/sys/bus";
require = false;
}
{
src = "/sys/class";
require = false;
}
{
src = "/sys/dev";
require = false;
}
{
src = "/sys/devices";
require = false;
}
] ]
++ optionals app.nix [ ++ optionals app.nix [
(mustBind "/nix/var") { src = "/nix/var"; }
(bind "/var/db/nix-channels") { src = "/var/db/nix-channels"; }
] ]
++ optionals (if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11) [ ++ optionals (if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11) [
(bind "/run/opengl-driver") { src = "/run/opengl-driver"; }
(devBind "/dev/dri") {
(devBind "/dev/nvidiactl") src = "/dev/dri";
(devBind "/dev/nvidia-modeset") dev = true;
(devBind "/dev/nvidia-uvm") }
(devBind "/dev/nvidia-uvm-tools")
(devBind "/dev/nvidia0")
] ]
++ app.extraPaths; ++ app.extraPaths;
auto_etc = true; auto_etc = true;

26
options.md
View File

@ -36,7 +36,7 @@ package
*Default:* *Default:*
` <derivation fortify-0.2.12> ` ` <derivation fortify-0.2.11> `
@ -198,30 +198,6 @@ null or string
## environment\.fortify\.apps\.\*\.compat
Whether to enable disable syscall filter extensions\.
*Type:*
boolean
*Default:*
` false `
*Example:*
` true `
## environment\.fortify\.apps\.\*\.dbus\.session ## environment\.fortify\.apps\.\*\.dbus\.session

1
options.nix
View File

@ -151,7 +151,6 @@ in
default = true; default = true;
}; };
compat = mkEnableOption "disable syscall filter extensions";
devel = mkEnableOption "development kernel APIs"; devel = mkEnableOption "development kernel APIs";
multiarch = mkEnableOption "multiarch kernel support"; multiarch = mkEnableOption "multiarch kernel support";
bluetooth = mkEnableOption "AF_BLUETOOTH socket operations"; bluetooth = mkEnableOption "AF_BLUETOOTH socket operations";

4
package.nix
View File

@ -16,7 +16,7 @@
buildGoModule rec { buildGoModule rec {
pname = "fortify"; pname = "fortify";
version = "0.2.12"; version = "0.2.11";
src = builtins.path { src = builtins.path {
name = "fortify-src"; name = "fortify-src";
@ -63,7 +63,7 @@ buildGoModule rec {
makeBinaryWrapper makeBinaryWrapper
]; ];
preBuild = '' preConfigure = ''
HOME=$(mktemp -d) go generate ./... HOME=$(mktemp -d) go generate ./...
''; '';

10
test.nix
View File

@ -80,7 +80,6 @@ nixosTest {
mkdir -p ~/.config/sway mkdir -p ~/.config/sway
sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config
echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' >> ~/.config/sway/config
sway --validate sway --validate
systemd-cat --identifier=sway sway && touch /tmp/sway-exit-ok systemd-cat --identifier=sway sway && touch /tmp/sway-exit-ok
@ -238,8 +237,8 @@ nixosTest {
machine.succeed("rm -rf /tmp/src && cp -a '${self.packages.${system}.fortify.src}' /tmp/src") machine.succeed("rm -rf /tmp/src && cp -a '${self.packages.${system}.fortify.src}' /tmp/src")
machine.succeed("fortify-fhs -c '(cd /tmp/src && go generate ./... && go test ./... && touch /tmp/success-gotest)' &> /tmp/gotest &") machine.succeed("fortify-fhs -c '(cd /tmp/src && go generate ./... && go test ./... && touch /tmp/success-gotest)' &> /tmp/gotest &")
# To check fortify's version: # To check sway's version:
print(machine.succeed("sudo -u alice -i fortify version")) print(machine.succeed("sway --version"))
# Wait for Sway to complete startup: # Wait for Sway to complete startup:
machine.wait_for_file("/run/user/1000/wayland-1") machine.wait_for_file("/run/user/1000/wayland-1")
@ -255,11 +254,6 @@ nixosTest {
print(machine.succeed("sudo -u alice -i fortify -v run -a 0 touch /tmp/success-bare")) print(machine.succeed("sudo -u alice -i fortify -v run -a 0 touch /tmp/success-bare"))
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare") machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare")
# Verify silent output permissive defaults:
output = machine.succeed("sudo -u alice -i fortify run -a 0 true &>/dev/stdout")
if output != "":
raise Exception(f"unexpected output\n{output}")
# Start fortify permissive defaults within Wayland session: # Start fortify permissive defaults within Wayland session:
fortify('-v run --wayland --dbus notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-done') fortify('-v run --wayland --dbus notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-done')
machine.wait_for_file("/tmp/dbus-done") machine.wait_for_file("/tmp/dbus-done")