279 Commits

Author SHA1 Message Date
eae3034260
state: expose aids and use instance id as key
All checks were successful
Tests / Go tests (push) Successful in 39s
Nix / NixOS tests (push) Successful in 3m26s
Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-19 21:36:17 +09:00
52f21a19f3
cmd/fshim: switch to setup pipe
All checks were successful
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 5m43s
The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 19:39:25 +09:00
2f676c9d6e
fst: rename from fipc
All checks were successful
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 5m48s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 15:50:46 +09:00
b752ec4468
fipc: export config struct
All checks were successful
Tests / Go tests (push) Successful in 1m12s
Nix / NixOS tests (push) Successful in 10m51s
Also store full config as part of state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-18 13:45:55 +09:00
b3ef53b193
app: integrate security-context-v1
All checks were successful
test / test (push) Successful in 37s
Should be able to get rid of XDG_RUNTIME_DIR share after this.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:25:33 +09:00
b291f0b710
app: add nixos-based config test case
All checks were successful
test / test (push) Successful in 20s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-21 12:13:21 +09:00
9faf3b3596
app: validate username
All checks were successful
test / test (push) Successful in 23s
This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 21:01:41 +09:00
ae2628e57a
cmd/fshim/ipc: install signal handler on shim start
All checks were successful
test / test (push) Successful in 20s
Getting killed at this point will result in inconsistent state.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 13:33:46 +09:00
05b7dbf066
app: alternative inner home path
All checks were successful
test / test (push) Successful in 24s
Support binding home to an alternative path in the mount namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 00:18:21 +09:00
c1fad649e8
app/start: check for cleanup and abort condition
All checks were successful
test / test (push) Successful in 21s
Dirty fix. Will rewrite after fsu integration complete.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:41:52 +09:00
b5f01ef20b
app: append # for ChangeHosts message with numerical uid
All checks were successful
test / test (push) Successful in 21s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 23:40:37 +09:00
df33123bd7
app: integrate fsu
All checks were successful
test / test (push) Successful in 21s
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-16 21:19:45 +09:00
9a13b311ac
app/config: rename map_real_uid from use_real_uid
All checks were successful
test / test (push) Successful in 19s
This option only changes mapped uid in the user namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 12:01:34 +09:00
3dfc1fcd56
app: support full /dev access
All checks were successful
test / test (push) Successful in 22s
Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 03:49:39 +09:00
69cc64ef56
linux: provide access to stdout
All checks were successful
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:55:46 +09:00
fc25ac2523
app: separate auto etc from permissive defaults
All checks were successful
test / test (push) Successful in 23s
Populating /etc with symlinks is quite useful even outside the permissive defaults usage pattern.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 22:18:05 +09:00
d909b1190a
app/config: UseRealUID as true in template
All checks were successful
test / test (push) Successful in 24s
The template is based on a Chromium setup, which this workaround was created for.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 19:45:31 +09:00
af15b1c048
app: support mapping target uid as privileged uid in sandbox
All checks were successful
test / test (push) Successful in 40s
Chromium's D-Bus client implementation refuses to work when its getuid call returns a different value than what the D-Bus server is running as. The reason behind this is not fully understood, but this workaround is implemented to support chromium and electron apps. This is not used by default since it has many side effects that break many other programs, like SSH on NixOS.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 03:15:39 +09:00
7962681f4a
app: format mapped uid instead of real uid
All checks were successful
test / test (push) Successful in 19s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 00:49:32 +09:00
bfcce3ff75
system/dbus: buffer xdg-dbus-proxy messages
All checks were successful
test / test (push) Successful in 21s
Pointing xdg-dbus-proxy to stdout/stderr makes a huge mess. This change enables app to neatly print out prefixed xdg-dbus-proxy messages after output is resumed.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-03 03:07:02 +09:00
584732f80a
cmd: shim and init into separate binaries
All checks were successful
test / test (push) Successful in 19s
This change also fixes a deadlock when shim fails to connect and complete the setup.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-02 03:13:57 +09:00
431dc095e5
app/start: skip cleanup if shim is nil
All checks were successful
test / test (push) Successful in 19s
Shim is created before any system operation happens.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 14:21:15 +09:00
60e91b9b0f
shim: expose checkPid in constructor
All checks were successful
test / test (push) Successful in 1m44s
This will be supported soon when launching via fsu.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 00:02:55 +09:00
51e84ba8a5
system/dbus: compare sealed value by string
All checks were successful
test / test (push) Successful in 19s
Stringer method of dbus.Proxy returns a string representation of its args stream when sealed.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-27 12:09:34 +09:00
7df9d8d01d
system: move sd_booted implementation to os abstraction
This implements lazy loading of the systemd marker (they are not accessed in init and shim) and ensures consistent behaviour when running with a stub.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-27 12:09:34 +09:00
1d6ea81205
shim: user switcher process management struct
All checks were successful
test / test (push) Successful in 19s
This change moves all user switcher and shim management to the shim package and withholds output while shim is alive. This also eliminated all exit scenarios where revert is skipped.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-27 00:46:15 +09:00
093e99d062
app: separate nixos test cases from tests
All checks were successful
test / test (push) Successful in 20s
Test cases are very long, separating them improves editor performance.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-25 17:44:29 +09:00
ad7e389eee
app: test app permissive defaults sealing behaviour
All checks were successful
test / test (push) Successful in 20s
This test seals App against a deterministic os stub and checks the resulting sys and bwrap values against known correct ones. The effects of sys and bwrap on the OS and sandbox is deterministic and tested in their own respective packages.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-25 17:12:13 +09:00
eb767e7642
app/start: cleaner command not found message
All checks were successful
test / test (push) Successful in 27s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-25 16:12:18 +09:00
8fa791a2f8
app/seal: symlink /etc entries in permissive default
All checks were successful
test / test (push) Successful in 20s
Fortify overrides /etc/passwd and /etc/group in the sandbox. Bind mounting /etc results in them being replaced when the passwd database is updated on host.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-25 13:31:57 +09:00
b932ac8260
app/config: support creating symlinks within sandbox
All checks were successful
test / test (push) Successful in 21s
This is already supported by the underlying bwrap helper. This change exposes access to it in Config.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-25 13:29:01 +09:00
31350d74e5
shim: kill shim if setup becomes impossible
All checks were successful
test / test (push) Successful in 23s
This prevents a hang when setup faults but the shim keeps waiting on the socket. Setup is automatically aborted when the shim is killed.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-25 13:19:37 +09:00
6bc5be7e5a
internal: wrap calls to os standard library functions
All checks were successful
test / test (push) Successful in 19s
This change helps tests stub out and simulate OS behaviour during the sealing process. This also removes dependency on XDG_RUNTIME_DIR as the internal.System implementation provided to App provides a compat directory inside the tmpdir-based share when XDG_RUNTIME_DIR is unavailable.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-23 21:46:21 +09:00
cafed5f234
shim: abort setup on failed start and process exit
All checks were successful
test / test (push) Successful in 25s
Shim setup listens on a socket in the process share, if shim setup hasn't happened on exit revert will fail. This change makes sure shim setup is aborted on a doomed launch.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-21 21:23:56 +09:00
42e0b168e3
fmsg: produce all output through fmsg
All checks were successful
test / test (push) Successful in 17s
The behaviour of print functions from package fmt is not thread safe. Functions provided by fmsg wrap around Logger methods. This makes prefix much cleaner and makes it easy to deal with future changes to logging.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-21 20:47:02 +09:00
380d1f4585
app: move wayland mediation to shim package
All checks were successful
test / test (push) Successful in 29s
Values used in the Wayland mediation implementation is stored in various struct fields strewn across multiple app structs and checks are messy and confusing. This commit unifies them into a single struct and access it using much better looking methods.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-21 18:46:06 +09:00
65af1684e3
migrate to git.ophivana.moe/security/fortify
All checks were successful
test / test (push) Successful in 14s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 19:50:13 +09:00
ad0034b09a
app: move app ID to app struct
App ID is inherent to App, and it makes no sense to generate it as part of the app sealing process.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 00:22:18 +09:00
55bb348d5f
state: store launch method instead of launcher path
Launcher path is constant for each launch method on the same system.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-18 22:25:09 +09:00
65bd7d18db
app/share: fix order to ensure SharePath before any of its subdirectories
shareTmpdirChild happened to request an ephemeral dir within SharePath and was called before shareRuntime which ensures that path. This commit moves SharePath initialisation to shareSystem and moves shareTmpdirChild into ShareSystem. Further cleanup and tests are desperately needed for the app package but for now this fix will have to do.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-18 01:21:58 +09:00
c21168a741
system: move enablements from state package
This removes the unnecessary import of the state package.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 14:38:57 +09:00
084cd84f36
app: port app to use the system package
This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happens to be internal which means no changes to main except renaming of the BaseError type.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 01:38:59 +09:00
aa5dd2313c
app: filter /tmp from permissive default
Tmpdir is bind mounted over further along in execution so there is no point sharing it here.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:54:50 +09:00
2faf510146
helper/bwrap: ordered filesystem args
The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:15:55 +09:00
1302bcede0
init: custom init process inside sandbox
Bubblewrap as init is a bit awkward and don't support a few setup actions fortify will need, such as starting/supervising nscd.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:27:02 +09:00
b470941911
shim: get rid of insane launch condition
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 12:09:38 +09:00
e4536b87ad
app: generate and replace passwd and group files
This ensures libc functions get correct user information.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:43:00 +09:00
65a5f8fb08
app/config: map bwrap tmpfs in app config
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:39:27 +09:00
655020eb5d
app/config: always use nobody UID within sandbox
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:50:24 +09:00
c818ea649a
app/seal: skip /mnt in permissive default
This directory usually contains temporarily mounted stuff and shouldn't get into the sandbox.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:07:48 +09:00