Compare commits
No commits in common. "c109ac26530ba38d3713bedcb404c1ddd7452d13" and "5c73acb56f81d820fdacc4ceff4f00f869318dbc" have entirely different histories.
c109ac2653
...
5c73acb56f
@ -100,7 +100,6 @@ var testCasesPd = []sealTestCase{
|
||||
Bind("/run/wrappers", "/run/wrappers", false, true).
|
||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||
Bind("/dev/kvm", "/dev/kvm", true, true, true).
|
||||
Bind("/etc", fst.Tmp+"/etc").
|
||||
Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
|
||||
Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
|
||||
@ -356,7 +355,6 @@ var testCasesPd = []sealTestCase{
|
||||
Bind("/run/zed.pid", "/run/zed.pid", false, true).
|
||||
Bind("/run/zed.state", "/run/zed.state", false, true).
|
||||
Bind("/dev/dri", "/dev/dri", true, true, true).
|
||||
Bind("/dev/kvm", "/dev/kvm", true, true, true).
|
||||
Bind("/etc", fst.Tmp+"/etc").
|
||||
Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
|
||||
Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
|
||||
|
||||
@ -201,8 +201,6 @@ func (a *app) Seal(config *fst.Config) error {
|
||||
if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
|
||||
conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
|
||||
}
|
||||
// opportunistically bind kvm
|
||||
conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
|
||||
|
||||
config.Confinement.Sandbox = conf
|
||||
}
|
||||
|
||||
25
main.go
25
main.go
@ -122,21 +122,14 @@ func main() {
|
||||
printPs(short)
|
||||
fmsg.Exit(0)
|
||||
case "show": // pretty-print app info
|
||||
set := flag.NewFlagSet("show", flag.ExitOnError)
|
||||
var short bool
|
||||
set.BoolVar(&short, "short", false, "Omit filesystem information")
|
||||
|
||||
// Ignore errors; set is set for ExitOnError.
|
||||
_ = set.Parse(args[1:])
|
||||
|
||||
if len(set.Args()) != 1 {
|
||||
if len(args) != 2 {
|
||||
fmsg.Fatal("show requires 1 argument")
|
||||
}
|
||||
|
||||
likePrefix := false
|
||||
if len(set.Args()[0]) <= 32 {
|
||||
if len(args[1]) <= 32 {
|
||||
likePrefix = true
|
||||
for _, c := range set.Args()[0] {
|
||||
for _, c := range args[1] {
|
||||
if c >= '0' && c <= '9' {
|
||||
continue
|
||||
}
|
||||
@ -154,7 +147,7 @@ func main() {
|
||||
)
|
||||
|
||||
// try to match from state store
|
||||
if likePrefix && len(set.Args()[0]) >= 8 {
|
||||
if likePrefix && len(args[1]) >= 8 {
|
||||
fmsg.VPrintln("argument looks like prefix")
|
||||
|
||||
s := state.NewMulti(os.Paths().RunDirPath)
|
||||
@ -164,7 +157,7 @@ func main() {
|
||||
} else {
|
||||
for id := range entries {
|
||||
v := id.String()
|
||||
if strings.HasPrefix(v, set.Args()[0]) {
|
||||
if strings.HasPrefix(v, args[1]) {
|
||||
// match, use config from this state entry
|
||||
instance = entries[id]
|
||||
config = instance.Config
|
||||
@ -180,16 +173,16 @@ func main() {
|
||||
fmsg.VPrintf("reading from file")
|
||||
|
||||
config = new(fst.Config)
|
||||
if f, err := os.Open(set.Args()[0]); err != nil {
|
||||
fmsg.Fatalf("cannot access config file %q: %s", set.Args()[0], err)
|
||||
if f, err := os.Open(args[1]); err != nil {
|
||||
fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
|
||||
panic("unreachable")
|
||||
} else if err = json.NewDecoder(f).Decode(&config); err != nil {
|
||||
fmsg.Fatalf("cannot parse config file %q: %s", set.Args()[0], err)
|
||||
fmsg.Fatalf("cannot parse config file %q: %s", args[1], err)
|
||||
panic("unreachable")
|
||||
}
|
||||
}
|
||||
|
||||
printShow(instance, config, short)
|
||||
printShow(instance, config)
|
||||
fmsg.Exit(0)
|
||||
case "app": // launch app from configuration file
|
||||
if len(args) < 2 {
|
||||
|
||||
@ -36,7 +36,7 @@ package
|
||||
|
||||
|
||||
*Default:*
|
||||
` <derivation fortify-0.2.7> `
|
||||
` <derivation fortify-0.2.6> `
|
||||
|
||||
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "fortify";
|
||||
version = "0.2.7";
|
||||
version = "0.2.6";
|
||||
|
||||
src = builtins.path {
|
||||
name = "fortify-src";
|
||||
|
||||
83
print.go
83
print.go
@ -4,7 +4,6 @@ import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
direct "os"
|
||||
"slices"
|
||||
"strconv"
|
||||
"strings"
|
||||
"text/tabwriter"
|
||||
@ -16,7 +15,7 @@ import (
|
||||
"git.gensokyo.uk/security/fortify/internal/state"
|
||||
)
|
||||
|
||||
func printShow(instance *state.State, config *fst.Config, short bool) {
|
||||
func printShow(instance *state.State, config *fst.Config) {
|
||||
if flagJSON {
|
||||
v := any(config)
|
||||
if instance != nil {
|
||||
@ -81,7 +80,7 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
|
||||
fmt.Fprintf(w, " Command:\t%s\n", strings.Join(config.Command, " "))
|
||||
fmt.Fprintf(w, "\n")
|
||||
|
||||
if !short && config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
|
||||
if config.Confinement.Sandbox != nil && len(config.Confinement.Sandbox.Filesystem) > 0 {
|
||||
fmt.Fprintf(w, "Filesystem:\n")
|
||||
for _, f := range config.Confinement.Sandbox.Filesystem {
|
||||
expr := new(strings.Builder)
|
||||
@ -154,6 +153,27 @@ func printPs(short bool) {
|
||||
fmsg.Printf("cannot close store: %v", err)
|
||||
}
|
||||
|
||||
if short {
|
||||
var v []string
|
||||
if flagJSON {
|
||||
v = make([]string, 0, len(entries))
|
||||
}
|
||||
|
||||
for _, instance := range entries {
|
||||
if !flagJSON {
|
||||
fmt.Println(instance.ID.String())
|
||||
} else {
|
||||
v = append(v, instance.ID.String())
|
||||
}
|
||||
}
|
||||
|
||||
if flagJSON {
|
||||
printJSON(v)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
if flagJSON {
|
||||
es := make(map[string]*state.State, len(entries))
|
||||
for id, instance := range entries {
|
||||
@ -163,69 +183,36 @@ func printPs(short bool) {
|
||||
return
|
||||
}
|
||||
|
||||
// sort state entries by id string to ensure consistency between runs
|
||||
exp := make([]*expandedStateEntry, 0, len(entries))
|
||||
for id, instance := range entries {
|
||||
// gracefully skip nil states
|
||||
if instance == nil {
|
||||
fmsg.Printf("got invalid state entry %s", id.String())
|
||||
continue
|
||||
}
|
||||
|
||||
// gracefully skip inconsistent states
|
||||
if id != instance.ID {
|
||||
fmt.Printf("possible store corruption: entry %s has id %s",
|
||||
id.String(), instance.ID.String())
|
||||
continue
|
||||
}
|
||||
exp = append(exp, &expandedStateEntry{s: id.String(), State: instance})
|
||||
}
|
||||
slices.SortFunc(exp, func(a, b *expandedStateEntry) int { return a.Time.Compare(b.Time) })
|
||||
|
||||
if short {
|
||||
if flagJSON {
|
||||
v := make([]string, len(exp))
|
||||
for i, e := range exp {
|
||||
v[i] = e.s
|
||||
}
|
||||
printJSON(v)
|
||||
} else {
|
||||
for _, e := range exp {
|
||||
fmt.Println(e.s[:8])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// buffer output to reduce terminal activity
|
||||
w := tabwriter.NewWriter(direct.Stdout, 0, 1, 4, ' ', 0)
|
||||
fmt.Fprintln(w, "\tInstance\tPID\tApp\tUptime\tEnablements\tCommand")
|
||||
for _, e := range exp {
|
||||
printInstance(w, e, now)
|
||||
for _, instance := range entries {
|
||||
printInstance(w, instance, now)
|
||||
}
|
||||
if err := w.Flush(); err != nil {
|
||||
fmsg.Fatalf("cannot flush tabwriter: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
type expandedStateEntry struct {
|
||||
s string
|
||||
*state.State
|
||||
func printInstance(w *tabwriter.Writer, instance *state.State, now time.Time) {
|
||||
// gracefully skip nil states
|
||||
if instance == nil {
|
||||
fmsg.Println("got invalid state entry")
|
||||
return
|
||||
}
|
||||
|
||||
func printInstance(w *tabwriter.Writer, e *expandedStateEntry, now time.Time) {
|
||||
var (
|
||||
es = "(No confinement information)"
|
||||
cs = "(No command information)"
|
||||
as = "(No configuration information)"
|
||||
)
|
||||
if e.Config != nil {
|
||||
es = e.Config.Confinement.Enablements.String()
|
||||
cs = fmt.Sprintf("%q", e.Config.Command)
|
||||
as = strconv.Itoa(e.Config.Confinement.AppID)
|
||||
if instance.Config != nil {
|
||||
es = instance.Config.Confinement.Enablements.String()
|
||||
cs = fmt.Sprintf("%q", instance.Config.Command)
|
||||
as = strconv.Itoa(instance.Config.Confinement.AppID)
|
||||
}
|
||||
fmt.Fprintf(w, "\t%s\t%d\t%s\t%s\t%s\t%s\n",
|
||||
e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String(), strings.TrimPrefix(es, ", "), cs)
|
||||
instance.ID.String()[:8], instance.PID, as, now.Sub(instance.Time).Round(time.Second).String(), strings.TrimPrefix(es, ", "), cs)
|
||||
}
|
||||
|
||||
func printJSON(v any) {
|
||||
|
||||
25
test.nix
25
test.nix
@ -38,10 +38,6 @@ nixosTest {
|
||||
wayland-utils
|
||||
alacritty
|
||||
|
||||
# For D-Bus tests:
|
||||
libnotify
|
||||
mako
|
||||
|
||||
# For go tests:
|
||||
self.devShells.${system}.fhs
|
||||
];
|
||||
@ -180,10 +176,6 @@ nixosTest {
|
||||
if instance['config']['confinement']['enablements'] != enablements:
|
||||
raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
|
||||
|
||||
|
||||
def fortify(command):
|
||||
swaymsg(f"exec fortify {command}")
|
||||
|
||||
start_all()
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
|
||||
@ -206,13 +198,11 @@ nixosTest {
|
||||
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare")
|
||||
|
||||
# Start fortify within Wayland session:
|
||||
fortify('-v run --wayland --dbus notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-done')
|
||||
machine.wait_for_file("/tmp/dbus-done")
|
||||
collect_state_ui("dbus_notify_exited")
|
||||
machine.succeed("pkill -9 mako")
|
||||
swaymsg("exec fortify -v run --wayland --dbus touch /tmp/success-session")
|
||||
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-session")
|
||||
|
||||
# Start a terminal (foot) within fortify:
|
||||
fortify("run --wayland foot")
|
||||
swaymsg("exec fortify run --wayland foot")
|
||||
wait_for_window("u0_a0@machine")
|
||||
machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
|
||||
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client")
|
||||
@ -226,20 +216,17 @@ nixosTest {
|
||||
machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
|
||||
|
||||
# Start a terminal (foot) within fortify from a terminal:
|
||||
swaymsg("exec foot $SHELL -c '(fortify run --wayland foot) & sleep 1 && fortify show --short $(fortify ps --short) && touch /tmp/ps-show-ok && cat'")
|
||||
swaymsg("exec foot fortify run --wayland foot")
|
||||
wait_for_window("u0_a0@machine")
|
||||
machine.send_chars("clear; wayland-info && touch /tmp/success-client-term\n")
|
||||
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term")
|
||||
machine.wait_for_file("/tmp/ps-show-ok")
|
||||
collect_state_ui("foot_wayland_permissive_term")
|
||||
check_state(["foot"], 1)
|
||||
machine.send_chars("exit\n")
|
||||
wait_for_window("foot")
|
||||
machine.send_key("ctrl-c")
|
||||
machine.wait_until_fails("pgrep foot")
|
||||
|
||||
# Test PulseAudio (fortify does not support PipeWire yet):
|
||||
fortify("run --wayland --pulse foot")
|
||||
swaymsg("exec fortify run --wayland --pulse foot")
|
||||
wait_for_window("u0_a0@machine")
|
||||
machine.send_chars("clear; pactl info && touch /tmp/success-pulse\n")
|
||||
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-pulse")
|
||||
@ -249,7 +236,7 @@ nixosTest {
|
||||
machine.wait_until_fails("pgrep foot")
|
||||
|
||||
# Test XWayland (foot does not support X):
|
||||
fortify("run -X alacritty")
|
||||
swaymsg("exec fortify run -X alacritty")
|
||||
wait_for_window("u0_a0@machine")
|
||||
machine.send_chars("clear; glinfo && touch /tmp/success-client-x11\n")
|
||||
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-x11")
|
||||
|
||||
Loading…
Reference in New Issue
Block a user