internal/app/app_pd_test.go

@@ -100,7 +100,6 @@ var testCasesPd = []sealTestCase{
 			Bind("/run/wrappers", "/run/wrappers", false, true).
 			Bind("/run/zed.pid", "/run/zed.pid", false, true).
 			Bind("/run/zed.state", "/run/zed.state", false, true).
-			Bind("/dev/kvm", "/dev/kvm", true, true, true).
 			Bind("/etc", fst.Tmp+"/etc").
 			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
 			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
@@ -356,7 +355,6 @@ var testCasesPd = []sealTestCase{
 			Bind("/run/zed.pid", "/run/zed.pid", false, true).
 			Bind("/run/zed.state", "/run/zed.state", false, true).
 			Bind("/dev/dri", "/dev/dri", true, true, true).
-			Bind("/dev/kvm", "/dev/kvm", true, true, true).
 			Bind("/etc", fst.Tmp+"/etc").
 			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
 			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").

internal/app/seal.go

@@ -201,8 +201,6 @@ func (a *app) Seal(config *fst.Config) error {
 		if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
 			conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 		}
-		// opportunistically bind kvm
-		conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
 
 		config.Confinement.Sandbox = conf
 	}

main.go

@@ -122,21 +122,14 @@ func main() {
 		printPs(short)
 		fmsg.Exit(0)
 	case "show": // pretty-print app info
-		set := flag.NewFlagSet("show", flag.ExitOnError)
+		if len(args) != 2 {
-		var short bool
-		set.BoolVar(&short, "short", false, "Omit filesystem information")
-
-		// Ignore errors; set is set for ExitOnError.
-		_ = set.Parse(args[1:])
-
-		if len(set.Args()) != 1 {
 			fmsg.Fatal("show requires 1 argument")
 		}
 
 		likePrefix := false
-		if len(set.Args()[0]) <= 32 {
+		if len(args[1]) <= 32 {
 			likePrefix = true
-			for _, c := range set.Args()[0] {
+			for _, c := range args[1] {
 				if c >= '0' && c <= '9' {
 					continue
 				}
@@ -154,7 +147,7 @@ func main() {
 		)
 
 		// try to match from state store
-		if likePrefix && len(set.Args()[0]) >= 8 {
+		if likePrefix && len(args[1]) >= 8 {
 			fmsg.VPrintln("argument looks like prefix")
 
 			s := state.NewMulti(os.Paths().RunDirPath)
@@ -164,7 +157,7 @@ func main() {
 			} else {
 				for id := range entries {
 					v := id.String()
-					if strings.HasPrefix(v, set.Args()[0]) {
+					if strings.HasPrefix(v, args[1]) {
 						// match, use config from this state entry
 						instance = entries[id]
 						config = instance.Config
@@ -180,16 +173,16 @@ func main() {
 			fmsg.VPrintf("reading from file")
 
 			config = new(fst.Config)
-			if f, err := os.Open(set.Args()[0]); err != nil {
+			if f, err := os.Open(args[1]); err != nil {
-				fmsg.Fatalf("cannot access config file %q: %s", set.Args()[0], err)
+				fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
 				panic("unreachable")
 			} else if err = json.NewDecoder(f).Decode(&config); err != nil {
-				fmsg.Fatalf("cannot parse config file %q: %s", set.Args()[0], err)
+				fmsg.Fatalf("cannot parse config file %q: %s", args[1], err)
 				panic("unreachable")
 			}
 		}
 
-		printShow(instance, config, short)
+		printShow(instance, config)
 		fmsg.Exit(0)
 	case "app": // launch app from configuration file
 		if len(args) < 2 {

options.md

@@ -36,7 +36,7 @@ package
 
 
 *Default:*
-` <derivation fortify-0.2.7> `
+` <derivation fortify-0.2.6> `
 
 
 

package.nix

@@ -14,7 +14,7 @@
 
 buildGoModule rec {
   pname = "fortify";
-  version = "0.2.7";
+  version = "0.2.6";
 
   src = builtins.path {
     name = "fortify-src";

print.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	direct "os"
-	"slices"
 	"strconv"
 	"strings"
 	"text/tabwriter"
@@ -16,7 +15,7 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/state"
 )
 
-func printShow(instance *state.State, config *fst.Config, short bool) {
+func printShow(instance *state.State, config *fst.Config) {
 	if flagJSON {
 		v := any(config)
 		if instance != nil {
@@ -81,7 +80,7 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
 	fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
 	fmt.Fprintf(w, "\n")
 
-	if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
+	if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
 		fmt.Fprintf(w, "Filesystem:\n")
 		for _, f := range config.Confinement.Sandbox.Filesystem {
 			expr := new(strings.Builder)
@@ -154,6 +153,27 @@ func printPs(short bool) {
 		fmsg.Printf("cannot close store: %v", err)
 	}
 
+	if short {
+		var v []string
+		if flagJSON {
+			v = make([]string, 0, len(entries))
+		}
+
+		for _, instance := range entries {
+			if !flagJSON {
+				fmt.Println(instance.ID.String())
+			} else {
+				v = append(v, instance.ID.String())
+			}
+		}
+
+		if flagJSON {
+			printJSON(v)
+		}
+
+		return
+	}
+
 	if flagJSON {
 		es := make(map[string]*state.State, len(entries))
 		for id, instance := range entries {
@@ -163,69 +183,36 @@ func printPs(short bool) {
 		return
 	}
 
-	// sort state entries by id string to ensure consistency between runs
-	exp := make([]*expandedStateEntry, 0, len(entries))
-	for id, instance := range entries {
-		// gracefully skip nil states
-		if instance == nil {
-			fmsg.Printf("got invalid state entry %s", id.String())
-			continue
-		}
-
-		// gracefully skip inconsistent states
-		if id != instance.ID {
-			fmt.Printf("possible store corruption: entry %s has id %s",
-				id.String(), instance.ID.String())
-			continue
-		}
-		exp = append(exp, &expandedStateEntry{s: id.String(), State: instance})
-	}
-	slices.SortFunc(exp, func(a, b *expandedStateEntry) int { return a.Time.Compare(b.Time) })
-
-	if short {
-		if flagJSON {
-			v := make([]string, len(exp))
-			for i, e := range exp {
-				v[i] = e.s
-			}
-			printJSON(v)
-		} else {
-			for _, e := range exp {
-				fmt.Println(e.s[:8])
-			}
-		}
-		return
-	}
-
 	// buffer output to reduce terminal activity
 	w := tabwriter.NewWriter(direct.Stdout, 0, 1, 4, ' ', 0)
 	fmt.Fprintln(w, "\tInstance\tPID\tApp\tUptime\tEnablements\tCommand")
-	for _, e := range exp {
+	for _, instance := range entries {
-		printInstance(w, e, now)
+		printInstance(w, instance, now)
 	}
 	if err := w.Flush(); err != nil {
 		fmsg.Fatalf("cannot flush tabwriter: %v", err)
 	}
 }
 
-type expandedStateEntry struct {
+func printInstance(w *tabwriter.Writer, instance *state.State, now time.Time) {
-	s string
+	// gracefully skip nil states
-	*state.State
+	if instance == nil {
-}
+		fmsg.Println("got invalid state entry")
+		return
+	}
 
-func printInstance(w *tabwriter.Writer, e *expandedStateEntry, now time.Time) {
 	var (
 		es = "(No confinement information)"
 		cs = "(No command information)"
 		as = "(No configuration information)"
 	)
-	if e.Config != nil {
+	if instance.Config != nil {
-		es = e.Config.Confinement.Enablements.String()
+		es = instance.Config.Confinement.Enablements.String()
-		cs = fmt.Sprintf("%q", e.Config.Command)
+		cs = fmt.Sprintf("%q", instance.Config.Command)
-		as = strconv.Itoa(e.Config.Confinement.AppID)
+		as = strconv.Itoa(instance.Config.Confinement.AppID)
 	}
 	fmt.Fprintf(w, "\t%s\t%d\t%s\t%s\t%s\t%s\n",
-		e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String(), strings.TrimPrefix(es, ", "), cs)
+		instance.ID.String()[:8], instance.PID, as, now.Sub(instance.Time).Round(time.Second).String(), strings.TrimPrefix(es, ", "), cs)
 }
 
 func printJSON(v any) {

test.nix

@@ -38,10 +38,6 @@ nixosTest {
           wayland-utils
           alacritty
 
-          # For D-Bus tests:
-          libnotify
-          mako
-
           # For go tests:
           self.devShells.${system}.fhs
         ];
@@ -180,10 +176,6 @@ nixosTest {
         if instance['config']['confinement']['enablements'] != enablements:
             raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
 
-
-    def fortify(command):
-        swaymsg(f"exec fortify {command}")
-
     start_all()
     machine.wait_for_unit("multi-user.target")
 
@@ -206,13 +198,11 @@ nixosTest {
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare")
 
     # Start fortify within Wayland session:
-    fortify('-v run --wayland --dbus notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-done')
+    swaymsg("exec fortify -v run --wayland --dbus touch /tmp/success-session")
-    machine.wait_for_file("/tmp/dbus-done")
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-session")
-    collect_state_ui("dbus_notify_exited")
-    machine.succeed("pkill -9 mako")
 
     # Start a terminal (foot) within fortify:
-    fortify("run --wayland foot")
+    swaymsg("exec fortify run --wayland foot")
     wait_for_window("u0_a0@machine")
     machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client")
@@ -226,20 +216,17 @@ nixosTest {
     machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
 
     # Start a terminal (foot) within fortify from a terminal:
-    swaymsg("exec foot $SHELL -c '(fortify run --wayland foot) & sleep 1 && fortify show --short $(fortify ps --short) && touch /tmp/ps-show-ok && cat'")
+    swaymsg("exec foot fortify run --wayland foot")
     wait_for_window("u0_a0@machine")
     machine.send_chars("clear; wayland-info && touch /tmp/success-client-term\n")
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term")
-    machine.wait_for_file("/tmp/ps-show-ok")
     collect_state_ui("foot_wayland_permissive_term")
     check_state(["foot"], 1)
     machine.send_chars("exit\n")
-    wait_for_window("foot")
-    machine.send_key("ctrl-c")
     machine.wait_until_fails("pgrep foot")
 
     # Test PulseAudio (fortify does not support PipeWire yet):
-    fortify("run --wayland --pulse foot")
+    swaymsg("exec fortify run --wayland --pulse foot")
     wait_for_window("u0_a0@machine")
     machine.send_chars("clear; pactl info && touch /tmp/success-pulse\n")
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-pulse")
@@ -249,7 +236,7 @@ nixosTest {
     machine.wait_until_fails("pgrep foot")
 
     # Test XWayland (foot does not support X):
-    fortify("run -X alacritty")
+    swaymsg("exec fortify run -X alacritty")
     wait_for_window("u0_a0@machine")
     machine.send_chars("clear; glinfo && touch /tmp/success-client-x11\n")
     machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-x11")