a4f7e92e1c
test/interactive: helper scripts for tracing
...
Test / Hakurei (push) Successful in 41s
Test / Create distribution (push) Successful in 32s
Test / Sandbox (push) Successful in 39s
Test / Hpkg (push) Successful in 40s
Test / Hakurei (race detector) (push) Successful in 41s
Test / Sandbox (race detector) (push) Successful in 39s
Test / Flake checks (push) Successful in 1m26s
The vm state is discarded often, and it is quite cumbersome to set everything up again when the shell history is gone.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-08 00:56:25 +09:00
72a931a71a
nix: interactive nixos vm
...
Test / Hakurei (push) Successful in 41s
Test / Create distribution (push) Successful in 32s
Test / Sandbox (push) Successful in 39s
Test / Sandbox (race detector) (push) Successful in 39s
Test / Hpkg (push) Successful in 40s
Test / Hakurei (race detector) (push) Successful in 41s
Test / Flake checks (push) Successful in 1m26s
This is useful for quickly spinning up an ephemeral hakurei environment for testing changes or reproducing vm test failures.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-07 02:46:04 +09:00
a8a79a8664
cmd/hpkg: rename from planterette
...
Test / Create distribution (push) Successful in 33s
Test / Sandbox (push) Successful in 1m58s
Test / Sandbox (race detector) (push) Successful in 3m47s
Test / Hpkg (push) Successful in 3m54s
Test / Hakurei (race detector) (push) Successful in 4m32s
Test / Hakurei (push) Successful in 2m10s
Test / Flake checks (push) Successful in 1m19s
Planterette is now developed in another repository, so rename this proof of concept to avoid confusion.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-31 23:57:11 +09:00
72c2b66fc0
nix: cross-platform syscall wrapper
...
Test / Create distribution (push) Successful in 42s
Test / Sandbox (push) Successful in 54s
Test / Sandbox (race detector) (push) Successful in 52s
Test / Planterette (push) Successful in 51s
Test / Hakurei (push) Successful in 1m1s
Test / Hakurei (race detector) (push) Successful in 59s
Test / Flake checks (push) Successful in 1m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-07 04:22:55 +09:00
e03d702d08
sandbox/seccomp: implement syscall lookup
...
Test / Create distribution (push) Successful in 32s
Test / Sandbox (push) Successful in 1m51s
Test / Hakurei (push) Successful in 2m52s
Test / Sandbox (race detector) (push) Successful in 3m20s
Test / Planterette (push) Successful in 3m40s
Test / Hakurei (race detector) (push) Successful in 4m18s
Test / Flake checks (push) Successful in 1m10s
This uses the Go map and is verified against libseccomp.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-01 00:35:27 +09:00
9a8a047908
sandbox/seccomp: syscall name lookup table
...
Test / Create distribution (push) Successful in 33s
Test / Sandbox (push) Successful in 1m58s
Test / Hakurei (push) Successful in 2m42s
Test / Sandbox (race detector) (push) Successful in 2m59s
Test / Planterette (push) Successful in 3m31s
Test / Hakurei (race detector) (push) Successful in 4m21s
Test / Flake checks (push) Successful in 1m9s
The script is from Go source of same name. The result is checked against libseccomp.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-26 03:49:07 +09:00
aa454b158f
cmd/planterette: remove hsu special case
...
Test / Hakurei (push) Successful in 42s
Test / Create distribution (push) Successful in 25s
Test / Sandbox (push) Successful in 40s
Test / Hakurei (race detector) (push) Successful in 43s
Test / Sandbox (race detector) (push) Successful in 38s
Test / Planterette (push) Successful in 40s
Test / Flake checks (push) Successful in 1m15s
Remove special case and invoke hakurei out of process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 20:50:24 +09:00
87e008d56d
treewide: rename to hakurei
...
Test / Create distribution (push) Successful in 43s
Test / Sandbox (push) Successful in 2m18s
Test / Hakurei (push) Successful in 3m10s
Test / Sandbox (race detector) (push) Successful in 3m30s
Test / Hakurei (race detector) (push) Successful in 4m43s
Test / Fpkg (push) Successful in 5m4s
Test / Flake checks (push) Successful in 1m12s
Fortify makes little sense for a container tool.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 04:57:41 +09:00
b7e991de5b
nix: update flake lock
...
Test / Create distribution (push) Successful in 51s
Test / Sandbox (push) Successful in 15m56s
Test / Sandbox (race detector) (push) Successful in 16m5s
Test / Fpkg (push) Successful in 17m33s
Test / Fortify (race detector) (push) Successful in 2m28s
Test / Fortify (push) Successful in 40s
Test / Flake checks (push) Successful in 2m58s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-05 04:05:39 +09:00
297b444dfb
test: separate app and sandbox
...
Test / Create distribution (push) Successful in 26s
Test / Sandbox (push) Successful in 1m42s
Test / Fortify (push) Successful in 2m39s
Test / Sandbox (race detector) (push) Successful in 2m52s
Test / Fpkg (push) Successful in 3m37s
Test / Fortify (race detector) (push) Successful in 4m17s
Test / Flake checks (push) Successful in 1m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 22:09:46 +09:00
b39f3aeb59
helper: remove bubblewrap wrapper
...
Test / Create distribution (push) Successful in 19s
Test / Fortify (push) Successful in 2m12s
Test / Fpkg (push) Successful in 3m34s
Test / Data race detector (push) Successful in 4m19s
Test / Flake checks (push) Successful in 57s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 05:35:02 +09:00
3385538142
nix: clean up flake outputs
...
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 32s
Test / Fortify (push) Successful in 2m0s
Test / Data race detector (push) Successful in 2m32s
Test / Flake checks (push) Successful in 48s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 12:26:19 +09:00
4bb5d9780f
ldd: run in native sandbox
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m27s
Test / Fpkg (push) Successful in 3m22s
Test / Data race detector (push) Successful in 3m43s
Test / Flake checks (push) Successful in 48s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 17:55:55 +09:00
9b1a60b5c9
sandbox: native container tooling
...
Test / Create distribution (push) Successful in 25s
Test / Fortify (push) Successful in 2m28s
Test / Fpkg (push) Successful in 3m23s
Test / Data race detector (push) Successful in 3m35s
Test / Flake checks (push) Successful in 48s
This should eventually replace bwrap.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-13 21:36:26 +09:00
c8ed7aae6e
nix: update flake lock
...
Test / Create distribution (push) Successful in 42s
Test / Fortify (push) Successful in 24m42s
Test / Data race detector (push) Successful in 25m3s
Test / Fpkg (push) Successful in 25m40s
Test / Flake checks (push) Successful in 1m43s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-10 18:38:14 +09:00
2d4cabe786
nix: increase nixfmt max width
...
Test / Create distribution (push) Successful in 30s
Test / Fpkg (push) Successful in 36s
Test / Data race detector (push) Successful in 35s
Test / Fortify (push) Successful in 39s
Test / Flake checks (push) Successful in 50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-28 14:43:46 +09:00
12c6d66bfd
cmd/fpkg/test: nixos test fpkg install/start
...
Test / Create distribution (push) Successful in 27s
Test / Fortify (push) Successful in 2m33s
Test / Data race detector (push) Successful in 3m25s
Test / Fpkg (push) Successful in 38m26s
Test / Flake checks (push) Successful in 54s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 13:12:16 +09:00
c21a4cff14
nix: wrap fpkg
...
Test / Create distribution (push) Successful in 26s
Test / Data race detector (push) Successful in 2m11s
Test / Fortify (push) Successful in 2m24s
Test / Flake checks (push) Successful in 42s
This is usable on nixos now due to the static build.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 12:24:04 +09:00
5a732d153e
nix: include fsu sources in dist build
...
Test / Create distribution (push) Successful in 20s
Test / Fortify (push) Successful in 37s
Test / Data race detector (push) Successful in 37s
Test / Flake checks (push) Successful in 46s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-25 01:32:47 +09:00
b6af8caffe
nix: clean up directory structure
...
Test / Create distribution (push) Successful in 19s
Test / Fortify (push) Successful in 36s
Test / Data race detector (push) Successful in 56s
Test / Flake checks (push) Successful in 41s
Tests for fpkg is going to be in ./cmd/fpkg, so this central tests directory is no longer necessary.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 18:48:01 +09:00
8bf162820b
nix: separate fsu from package
...
Test / Create distribution (push) Successful in 26s
Test / Run NixOS test (push) Successful in 7m25s
This appears to be the only way to build them with different configuration. This enables static linking in the main package.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 18:13:37 +09:00
eb0c16dd8c
cmd/fpkg: rename buildPackage file
...
Test / Create distribution (push) Successful in 26s
Test / Run NixOS test (push) Successful in 50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 18:13:34 +09:00
64b6dc41ba
nix: split integration test
...
Test / Create distribution (push) Successful in 25s
Test / Run NixOS test (push) Successful in 3m24s
For adding tests for fpkg.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 17:05:17 +09:00
60c10c3f4a
nix: run integration tests with race detector
...
Test / Create distribution (push) Successful in 25s
Test / Run NixOS test (push) Successful in 3m4s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-16 20:58:08 +09:00
3df344828f
proc/priv/shim: seccomp bpf filter via libseccomp
...
Build / Create distribution (push) Successful in 1m59s
Test / Run NixOS test (push) Successful in 4m11s
Rulesets adapted from Flatpak for compatibility.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:39:47 +09:00
c4de450217
nix: do not force static linking on nix
...
Build / Create distribution (push) Successful in 3m14s
Test / Run NixOS test (push) Successful in 3m25s
In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 22:56:16 +09:00
b60c01f440
fortify: switch to static linking
...
Build / Create distribution (push) Successful in 1m43s
Test / Run NixOS test (push) Successful in 4m32s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-16 17:32:52 +09:00
5416b07daa
nix: remove unused argument 'self'
...
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 2m36s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 14:49:55 +09:00
e57a0e9bf2
nix: rename fortifyBundle to buildPackage
...
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 2m35s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 14:35:37 +09:00
5125e96ecf
nix: generate application package build script
...
Tests / Go tests (push) Successful in 55s
Nix / NixOS tests (push) Successful in 4m24s
This takes some metadata, sandbox options, a launch script and a list of home-manager modules. The result needs to be executed in an environment with nix daemon access, and it produces the final package file.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 00:42:21 +09:00
7b6052a473
nix: run Go tests in nixos
...
Tests / Go tests (push) Successful in 41s
Nix / NixOS tests (push) Successful in 9m56s
Nix build environment does not support ACLs in any filesystem. This allows acl tests to run.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-17 21:16:55 +09:00
3f993021f8
nix: permissive defaults nixos test
...
test / test (push) Successful in 37s
Adapted from nixos sway integration tests.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-16 22:56:10 +09:00
4d3bd5338f
nix: implement flake checks
...
test / test (push) Successful in 36s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-16 20:54:28 +09:00
6b8ddca7b4
nix: track nixos stable 24.11
...
test / test (push) Successful in 25s
Reduce rebuilds during development on my system.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 00:44:04 +09:00
0a546885e3
nix: update options doc
...
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 18:12:35 +09:00
d9cb2a9f2b
fsu: implement simple setuid user switcher
...
Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 00:02:34 +09:00
40161c5938
nix: remove fortify package from default devShell
...
This change makes it possible to start a devShell when tests aren't passing.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 20:35:10 +09:00
1038af98f0
dbus: add tests
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-28 00:06:16 +09:00
61628dabb7
nix: remove obnoxious shell hook
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 16:08:11 +09:00
3d963b9f67
nix: include package buildInputs in devShells
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-17 23:15:33 +09:00
945cce2f5e
nix: implement nixos module
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 17:03:21 +09:00
d8f76f3b25
rename to fortify and restructure
...
More sandbox features will be added and this will no longer track ego's features and behaviour.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 01:20:12 +09:00
7e6eb82195
license: embed license in executable
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 22:07:40 +09:00
09507a541b
nix: build directly with buildGoModules
...
Since we have no dependencies, we don't need a vendor hash, so doing this actually makes sense.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 21:54:44 +09:00
190eb088bc
nix: add libxcb package to dev shell
...
Since we link libxcb as well now this is needed in the dev shell for it to build properly without impure.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-15 00:38:11 +09:00
94c69806ef
nix: set up devShell
...
Since we're using cgo to call into libacl a few dependencies other than go are required to build.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-11 01:10:35 +09:00
