1074 Commits

Author SHA1 Message Date
34272672b1
nix: verify silent output when not running with -v
All checks were successful
Test / Create distribution (push) Successful in 1m51s
Test / Run NixOS test (push) Successful in 4m40s
This checks behaviour of fmsg and seccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 13:38:18 +09:00
7b96cd6ded
helper/seccomp: do not call F_println if not verbose
All checks were successful
Test / Create distribution (push) Successful in 1m42s
Test / Run NixOS test (push) Successful in 3m34s
This (slightly) improves performance.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 13:19:38 +09:00
163f15e93f
helper/seccomp: separate seccomp package
All checks were successful
Test / Create distribution (push) Successful in 1m39s
Test / Run NixOS test (push) Successful in 3m31s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:59:11 +09:00
016da20443
nix: expose compat flag in nixos module
All checks were successful
Test / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:42:48 +09:00
37780456a7
helper: block more unusual/privileged syscalls
All checks were successful
Test / Create distribution (push) Successful in 1m44s
Test / Run NixOS test (push) Successful in 3m35s
These are toggled by F_EXT and exposed as SyscallPolicy.Compat in the Go interface.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:35:47 +09:00
efacaa40fa
nix: set deny_devel correctly
All checks were successful
Test / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 3m51s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-24 00:50:35 +09:00
ad6d0ee55f
workflows: rename integration test artifact
All checks were successful
Test / Create distribution (push) Successful in 1m53s
Test / Run NixOS test (push) Successful in 3m45s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-24 00:30:39 +09:00
cf791469d8
workflows: gc store and purge old caches
All checks were successful
Test / Create distribution (push) Successful in 1m39s
Test / Run NixOS test (push) Successful in 3m32s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-24 00:25:57 +09:00
be14421775
workflows: merge test build job into test
All checks were successful
Test / Create distribution (push) Successful in 2m8s
Test / Run NixOS test (push) Successful in 3m57s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-24 00:22:44 +09:00
045983d7f4
wl: separate inline C
All checks were successful
Build / Create distribution (push) Successful in 1m41s
Test / Run NixOS test (push) Successful in 3m29s
Having a huge blurb of inline C hurts readability on web pages and some text editors.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 22:06:29 +09:00
7106b00968
release: 0.2.11
All checks were successful
Build / Create distribution (push) Successful in 3m51s
Release / Create release (push) Successful in 4m12s
Test / Run NixOS test (push) Successful in 6m17s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 20:49:49 +09:00
96d5d8a396
nix: apply shared home config to reserved aid
All checks were successful
Build / Create distribution (push) Successful in 2m16s
Test / Run NixOS test (push) Successful in 5m43s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 20:48:04 +09:00
8a00a83c71
nix: expose syscall filter policy
All checks were successful
Build / Create distribution (push) Successful in 1m31s
Test / Run NixOS test (push) Successful in 1m52s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 17:24:42 +09:00
134247b57d
nix: configure target users via nixos
All checks were successful
Build / Create distribution (push) Successful in 2m0s
Test / Run NixOS test (push) Successful in 3m46s
This makes patching home-manager no longer necessary.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 17:04:19 +09:00
b5bb7654da
nix: redirect sway output to journal
All checks were successful
Build / Create distribution (push) Successful in 2m8s
Test / Run NixOS test (push) Successful in 3m58s
This makes swaymsg exec output appear in test output.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 16:08:22 +09:00
cc1efa22e2
fst: add missing fields to template
All checks were successful
Build / Create distribution (push) Successful in 1m28s
Test / Run NixOS test (push) Successful in 3m43s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 12:09:25 +09:00
580128922b
cmd/fpkg: expose syscall policy options
All checks were successful
Build / Create distribution (push) Successful in 1m34s
Test / Run NixOS test (push) Successful in 3m44s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 12:01:30 +09:00
23e1152baa
app/share: clean BaseError message
All checks were successful
Build / Create distribution (push) Successful in 1m35s
Test / Run NixOS test (push) Successful in 3m42s
This removes trailing '\n' in the PulseAudio warning.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 11:54:16 +09:00
8c51012ef5
dbus: enable syscall filter
All checks were successful
Build / Create distribution (push) Successful in 1m33s
Test / Run NixOS test (push) Successful in 3m42s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 11:49:23 +09:00
5a64cdaf4f
ldd: enable syscall filter
All checks were successful
Build / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 02:00:49 +09:00
a30f5e1226
fortify: set up seccomp verbose logging early
All checks were successful
Build / Create distribution (push) Successful in 1m34s
Test / Run NixOS test (push) Successful in 4m4s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 01:58:54 +09:00
9a239fa1a5
helper/bwrap: integrate seccomp into helper interface
All checks were successful
Build / Create distribution (push) Successful in 1m36s
Test / Run NixOS test (push) Successful in 3m40s
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-22 01:52:57 +09:00
82029948e6
proc: append to ExtraFiles slice pointer
All checks were successful
Build / Create distribution (push) Successful in 1m30s
Test / Run NixOS test (push) Successful in 4m4s
This is useful for initialising extra files before command.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-21 12:51:39 +09:00
dfcdc5ce20
state: store config in separate gob stream
All checks were successful
Build / Create distribution (push) Successful in 1m37s
Test / Run NixOS test (push) Successful in 3m38s
This enables early serialisation of config.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-21 12:10:58 +09:00
fa0616b274
fortify: print permissive defaults warning early
All checks were successful
Build / Create distribution (push) Successful in 1m47s
Test / Run NixOS test (push) Successful in 4m1s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-21 12:05:31 +09:00
20a3d4c458
proc/priv/shim: resolve and load seccomp rules
All checks were successful
Build / Create distribution (push) Successful in 1m33s
Test / Run NixOS test (push) Successful in 3m36s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:52:56 +09:00
3df344828f
proc/priv/shim: seccomp bpf filter via libseccomp
All checks were successful
Build / Create distribution (push) Successful in 1m59s
Test / Run NixOS test (push) Successful in 4m11s
Rulesets adapted from Flatpak for compatibility.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:39:47 +09:00
27f5922d5c
fst: include syscall filter configuration
All checks were successful
Build / Create distribution (push) Successful in 3m0s
Test / Run NixOS test (push) Successful in 5m19s
This value is passed through to shim.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 21:12:39 +09:00
2cf1f46ea2
nix: test show without --short
All checks were successful
Build / Create distribution (push) Successful in 3m36s
Test / Run NixOS test (push) Successful in 6m45s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 21:10:24 +09:00
3c55fc8e86
proc/priv/shim: do not log bwrap args
All checks were successful
Build / Create distribution (push) Successful in 1m22s
Test / Run NixOS test (push) Successful in 3m30s
This message is very long and does not serve much real purpose. Remove it to de-clutter verbose messages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 19:51:28 +09:00
eb0ef2d115
helper/bwrap: generic extra file interface
All checks were successful
Build / Create distribution (push) Successful in 1m32s
Test / Run NixOS test (push) Successful in 3m50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 00:20:04 +09:00
2f70506865
helper/bwrap: move sync to helper state
All checks were successful
Build / Create distribution (push) Successful in 1m25s
Test / Run NixOS test (push) Successful in 3m33s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-19 18:38:13 +09:00
cae567c109
proc/priv/shim: remove unnecessary state
All checks were successful
Build / Create distribution (push) Successful in 1m27s
Test / Run NixOS test (push) Successful in 3m37s
These values are only used during process creation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-19 18:09:07 +09:00
1ec901f79e
release: 0.2.10
All checks were successful
Build / Create distribution (push) Successful in 1m32s
Test / Run NixOS test (push) Successful in 3m39s
Release / Create release (push) Successful in 1m30s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 22:50:08 +09:00
715addaccd
helper/bwrap: append --sync-fd before --
All checks were successful
Build / Create distribution (push) Successful in 1m26s
Test / Run NixOS test (push) Successful in 3m26s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 12:30:03 +09:00
b31d055e20
proc/priv/init: early init check
All checks were successful
Build / Create distribution (push) Successful in 1m39s
Test / Run NixOS test (push) Successful in 3m45s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 12:33:33 +09:00
7baca66a56
proc: remove duplicate compile-time fortify reference
All checks were successful
Build / Create distribution (push) Successful in 1m46s
Test / Run NixOS test (push) Successful in 3m44s
This is no longer needed since shim and init are now part of the main program.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:59:33 +09:00
27d2914286
proc/priv/init: merge init into main program
All checks were successful
Build / Create distribution (push) Successful in 1m47s
Test / Run NixOS test (push) Successful in 3m46s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-18 11:47:01 +09:00
ea8f228af3
proc/priv/shim: merge shim into main program
All checks were successful
Build / Create distribution (push) Successful in 2m15s
Test / Run NixOS test (push) Successful in 2m53s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:43:32 +09:00
16db3dabe2
internal: do PR_SET_PDEATHSIG once
All checks were successful
Build / Create distribution (push) Successful in 3m7s
Test / Run NixOS test (push) Successful in 4m40s
This prctl affects the entire process, doing it on every OS thread is pointless.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 23:08:46 +09:00
c4de450217
nix: do not force static linking on nix
All checks were successful
Build / Create distribution (push) Successful in 3m14s
Test / Run NixOS test (push) Successful in 3m25s
In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 22:56:16 +09:00
b60c01f440
fortify: switch to static linking
All checks were successful
Build / Create distribution (push) Successful in 1m43s
Test / Run NixOS test (push) Successful in 4m32s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-16 17:32:52 +09:00
124743ffd3
app: expose single run method
All checks were successful
Tests / Go tests (push) Successful in 1m1s
Nix / NixOS tests (push) Successful in 3m20s
App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 23:39:51 +09:00
be4d8b6300
release: 0.2.9
All checks were successful
Create distribution / Release (push) Successful in 1m21s
Tests / Go tests (push) Successful in 46s
Nix / NixOS tests (push) Successful in 3m6s
This release mostly contains permissive defaults fixes and optimisations. It also contains a proof of concept version of fpkg.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 13:14:43 +09:00
3e11ce6868
helper/bwrap: separate sequential/static args
All checks were successful
Tests / Go tests (push) Successful in 41s
Nix / NixOS tests (push) Successful in 3m59s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 13:07:06 +09:00
562f5ed797
fst: hide sockets exposed via Filesystem
All checks were successful
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 2m49s
This is mostly useful for permissive defaults.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 10:13:18 +09:00
db03565614
fst: move sandbox struct to separate file
All checks were successful
Tests / Go tests (push) Successful in 1m0s
Nix / NixOS tests (push) Successful in 3m9s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 09:42:44 +09:00
7d99e45b88
helper/bwrap: register OverlayConfig with gob
All checks were successful
Tests / Go tests (push) Successful in 58s
Nix / NixOS tests (push) Successful in 3m5s
This is required for copying bwrap configurations across processes.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-14 12:25:10 +09:00
1651eb06df
dbus: implement dbus_parse_address
All checks were successful
Tests / Go tests (push) Successful in 1m14s
Nix / NixOS tests (push) Successful in 7m36s
This parses D-Bus addresses according to spec. It does significantly fewer copies than dbus_parse_address.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-12 23:24:03 +09:00
ac543a1ce8
dbus: rename makeTestCases
All checks were successful
Tests / Go tests (push) Successful in 2m36s
Nix / NixOS tests (push) Successful in 10m5s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-12 23:21:28 +09:00