security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 9 Pull Requests Actions 1 Packages Projects Releases 7 Wiki Activity
924 Commits 3 Branches 7 Tags
Commit Graph

105 Commits

Author SHA1 Message Date
Ophestra
92f510a647
cmd/hakurei/command: pd run dbus-verbose nil check
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Sandbox (race detector) (push) Successful in 40s
Details
Test / Hakurei (race detector) (push) Successful in 43s
Details
Test / Hpkg (push) Successful in 41s
Details
Test / Hakurei (push) Successful in 2m23s
Details
Test / Flake checks (push) Successful in 1m33s
Details 
This otherwise dereferences a nil pointer when dbus-verbose is set and either session or system bus are nil.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-06 00:09:25 +09:00
Ophestra
acb6931f3e
app/seal: leave $DISPLAY as is on host abstract
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Hakurei (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 42s
Details
Test / Sandbox (race detector) (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 1m24s
Details 
This helps work around faulty software that misinterprets unix: DISPLAY string.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-27 20:42:03 +09:00
Ophestra
9bc8532d56
container/initdev: mount tmpfs on shm for ro dev
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Hakurei (push) Successful in 2m51s
Details
Test / Hpkg (push) Successful in 3m58s
Details
Test / Sandbox (race detector) (push) Successful in 4m26s
Details
Test / Hakurei (race detector) (push) Successful in 4m46s
Details
Test / Flake checks (push) Successful in 1m26s
Details 
Programs expect /dev/shm to be a writable tmpfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 03:27:07 +09:00
Ophestra
4cf694d2b3
hst: use hsu userid for share path suffix
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m8s
Details
Test / Hakurei (push) Successful in 3m11s
Details
Test / Hpkg (push) Successful in 4m8s
Details
Test / Sandbox (race detector) (push) Successful in 4m31s
Details
Test / Hakurei (race detector) (push) Successful in 5m8s
Details
Test / Flake checks (push) Successful in 1m25s
Details 
The privileged user is identifier to hakurei through its hsu userid. Using the kernel uid here makes little sense and is a leftover design choice from before hsu was implemented.

Closes #7.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 02:16:33 +09:00
Ophestra
c9facb746b
hst/config: remove data field, rename dir to home
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Hakurei (push) Successful in 3m10s
Details
Test / Hpkg (push) Successful in 4m5s
Details
Test / Sandbox (race detector) (push) Successful in 4m27s
Details
Test / Hakurei (race detector) (push) Successful in 5m7s
Details
Test / Flake checks (push) Successful in 1m28s
Details 
There is no reason to give the home directory special treatment, as this behaviour can be quite confusing. The home directory also does not necessarily require its own mount point, it could be provided by a parent or simply be ephemeral.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 00:56:10 +09:00
Ophestra
0dcac55a0c
hst/config: remove container etc field
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m25s
Details
Test / Hakurei (push) Successful in 3m18s
Details
Test / Hpkg (push) Successful in 4m14s
Details
Test / Sandbox (race detector) (push) Successful in 4m32s
Details
Test / Hakurei (race detector) (push) Successful in 5m19s
Details
Test / Flake checks (push) Successful in 1m29s
Details 
This no longer needs special treatment since it can be specified as a generic filesystem entry.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-25 19:24:33 +09:00
Clayton Gilmer
5db0714072
container: optionally isolate host abstract UNIX domain sockets via landlock
All checks were successful
Test / Create distribution (pull_request) Successful in 33s
Details
Test / Sandbox (pull_request) Successful in 2m10s
Details
Test / Hpkg (pull_request) Successful in 4m1s
Details
Test / Sandbox (race detector) (pull_request) Successful in 4m19s
Details
Test / Hakurei (pull_request) Successful in 4m55s
Details
Test / Hakurei (race detector) (pull_request) Successful in 5m0s
Details
Test / Create distribution (push) Successful in 27s
Details
Test / Sandbox (race detector) (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 47s
Details
Test / Hakurei (race detector) (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 45s
Details
Test / Flake checks (pull_request) Successful in 1m47s
Details
Test / Flake checks (push) Successful in 1m36s
Details
2025-08-18 16:28:14 +09:00
Ophestra
22d577ab49
test/sandbox: do not discard stderr getting hash
All checks were successful
Test / Create distribution (push) Successful in 31s
Details
Test / Create distribution (pull_request) Successful in 29s
Details
Test / Sandbox (push) Successful in 45s
Details
Test / Hakurei (push) Successful in 47s
Details
Test / Hakurei (race detector) (push) Successful in 48s
Details
Test / Hpkg (push) Successful in 46s
Details
Test / Sandbox (pull_request) Successful in 45s
Details
Test / Hakurei (pull_request) Successful in 49s
Details
Test / Hakurei (race detector) (pull_request) Successful in 49s
Details
Test / Hpkg (pull_request) Successful in 46s
Details
Test / Sandbox (race detector) (pull_request) Successful in 1m16s
Details
Test / Sandbox (race detector) (push) Successful in 1m25s
Details
Test / Flake checks (pull_request) Successful in 1m35s
Details
Test / Flake checks (push) Successful in 1m34s
Details 
This is the first hakurei run in the test, if the container outright fails to start this is often where it happens, so throwing away the output is very unhelpful.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 11:36:13 +09:00
Ophestra
83a1c75f1a
app: set up acl on X11 socket
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m9s
Details
Test / Hakurei (push) Successful in 3m22s
Details
Test / Sandbox (race detector) (push) Successful in 4m26s
Details
Test / Hpkg (push) Successful in 4m25s
Details
Test / Hakurei (race detector) (push) Successful in 43s
Details
Test / Flake checks (push) Successful in 1m38s
Details 
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging #1.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 11:30:58 +09:00
Ophestra
4ffeec3004
hst/enablement: editor friendly enablement adaptor
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Hakurei (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 3m17s
Details
Test / Sandbox (push) Successful in 43s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Sandbox (race detector) (push) Successful in 43s
Details
Test / Flake checks (push) Successful in 1m27s
Details 
Having the bit field value here (in decimal, no less) is unfriendly to text editors. Use a bunch of booleans here to improve ease of use.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 05:16:51 +09:00
Ophestra
9ed3ba85ea
hst/fs: implement overlay fstype
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m8s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 3m59s
Details
Test / Sandbox (race detector) (push) Successful in 4m20s
Details
Test / Hakurei (race detector) (push) Successful in 5m1s
Details
Test / Flake checks (push) Successful in 1m27s
Details 
This finally exposes overlay mounts in the high level hakurei API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 04:00:55 +09:00
Ophestra
4433c993fa
nix: check config via hakurei
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 1m28s
Details
Test / Sandbox (race detector) (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 2m26s
Details
Test / Hakurei (race detector) (push) Successful in 3m5s
Details
Test / Flake checks (push) Successful in 1m24s
Details 
This is unfortunately the only feasible way of doing this in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 03:27:54 +09:00
Ophestra
a4f7e92e1c
test/interactive: helper scripts for tracing
All checks were successful
Test / Hakurei (push) Successful in 41s
Details
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Hakurei (race detector) (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Flake checks (push) Successful in 1m26s
Details 
The vm state is discarded often, and it is quite cumbersome to set everything up again when the shell history is gone.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 00:56:25 +09:00
Ophestra
b353c3deea
nix: make src overlay writable
All checks were successful
Test / Hakurei (push) Successful in 42s
Details
Test / Create distribution (push) Successful in 33s
Details
Test / Hakurei (race detector) (push) Successful in 42s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 1m23s
Details 
The lowerdir is in the nix store.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-07 18:07:19 +09:00
Ophestra
72a931a71a
nix: interactive nixos vm
All checks were successful
Test / Hakurei (push) Successful in 41s
Details
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Hakurei (race detector) (push) Successful in 41s
Details
Test / Flake checks (push) Successful in 1m26s
Details 
This is useful for quickly spinning up an ephemeral hakurei environment for testing changes or reproducing vm test failures.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-07 02:46:04 +09:00
Ophestra
38245559dc
container/ops: mount dev readonly
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m2s
Details
Test / Hakurei (push) Successful in 2m57s
Details
Test / Sandbox (race detector) (push) Successful in 3m53s
Details
Test / Hpkg (push) Successful in 3m53s
Details
Test / Hakurei (race detector) (push) Successful in 4m37s
Details
Test / Flake checks (push) Successful in 1m18s
Details 
There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 19:18:53 +09:00
Ophestra
3b8a3d3b00
app: remount root readonly
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Sandbox (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 2m13s
Details
Test / Flake checks (push) Successful in 1m25s
Details 
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:56:28 +09:00
Ophestra
ec33061c92
nix: remove nscd cover
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 1m30s
Details
Test / Hakurei (push) Successful in 2m18s
Details
Test / Sandbox (race detector) (push) Successful in 2m21s
Details
Test / Hakurei (race detector) (push) Successful in 2m50s
Details
Test / Flake checks (push) Successful in 1m15s
Details 
This is a pd workaround that does nothing in the nixos module.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 22:04:58 +09:00
Ophestra
af0899de96
hst/container: mount tmpfs via magic src string
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m10s
Details
Test / Hakurei (push) Successful in 2m50s
Details
Test / Sandbox (race detector) (push) Successful in 3m53s
Details
Test / Hpkg (push) Successful in 3m54s
Details
Test / Hakurei (race detector) (push) Successful in 4m30s
Details
Test / Flake checks (push) Successful in 1m24s
Details 
There's often good reason to mount tmpfs in the container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 21:23:52 +09:00
Ophestra
547a2adaa4
container/mount: pass tmpfs flags
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 2m1s
Details
Test / Sandbox (race detector) (push) Successful in 3m57s
Details
Test / Hpkg (push) Successful in 3m55s
Details
Test / Hakurei (race detector) (push) Successful in 4m30s
Details
Test / Hakurei (push) Successful in 2m18s
Details
Test / Flake checks (push) Successful in 1m14s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 18:59:06 +09:00
Ophestra
387b86bcdd
app: integrate container autoroot
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m25s
Details
Test / Sandbox (race detector) (push) Successful in 4m13s
Details
Test / Hpkg (push) Successful in 4m36s
Details
Test / Hakurei (race detector) (push) Successful in 5m2s
Details
Test / Hakurei (push) Successful in 2m40s
Details
Test / Flake checks (push) Successful in 1m36s
Details 
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:21:54 +09:00
Ophestra
987981df73
test/sandbox: check pd behaviour
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (race detector) (push) Successful in 42s
Details
Test / Hakurei (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 43s
Details
Test / Flake checks (push) Successful in 1m23s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 03:27:02 +09:00
Ophestra
3ae0cec000
test: increase vm memory
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Planterette (push) Successful in 40s
Details
Test / Hakurei (push) Successful in 2m11s
Details
Test / Hakurei (race detector) (push) Successful in 2m42s
Details
Test / Flake checks (push) Successful in 1m10s
Details 
This hopefully fixes the intermittent failures.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 22:08:01 +09:00
Ophestra
f7bd28118c
hst: configurable wait delay
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m58s
Details
Test / Hakurei (push) Successful in 2m47s
Details
Test / Sandbox (race detector) (push) Successful in 3m56s
Details
Test / Planterette (push) Successful in 3m58s
Details
Test / Hakurei (race detector) (push) Successful in 4m31s
Details
Test / Flake checks (push) Successful in 1m17s
Details 
This is useful for programs that take a long time to clean up.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 03:06:49 +09:00
Ophestra
b43d104680
app: integrate interrupt forwarding
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m58s
Details
Test / Hakurei (push) Successful in 2m53s
Details
Test / Sandbox (race detector) (push) Successful in 3m53s
Details
Test / Planterette (push) Successful in 3m53s
Details
Test / Hakurei (race detector) (push) Successful in 4m31s
Details
Test / Flake checks (push) Successful in 1m19s
Details 
This significantly increases usability of command line tools running through hakurei.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 02:23:06 +09:00
Ophestra
ddf48a6c22
app/shim: implement signal handler outcome in Go
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m53s
Details
Test / Hakurei (push) Successful in 2m48s
Details
Test / Planterette (push) Successful in 3m48s
Details
Test / Sandbox (race detector) (push) Successful in 3m56s
Details
Test / Hakurei (race detector) (push) Successful in 4m27s
Details
Test / Flake checks (push) Successful in 1m13s
Details 
This needs to be done from the Go side eventually anyway to integrate the signal forwarding behaviour now supported by the container package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-28 23:39:30 +09:00
Ophestra
625632c593
nix: update flake lock
All checks were successful
Test / Create distribution (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 50s
Details
Test / Sandbox (push) Successful in 52s
Details
Test / Planterette (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 57s
Details
Test / Hakurei (push) Successful in 59s
Details
Test / Flake checks (push) Successful in 1m53s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:57:54 +09:00
Ophestra
749a2779f5
test/sandbox: add arm64 constants
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Hakurei (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 42s
Details
Test / Sandbox (race detector) (push) Successful in 38s
Details
Test / Planterette (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 1m30s
Details 
Most of these are differences in qemu.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 05:36:35 +09:00
Ophestra
e574042d76
test/sandbox: verify seccomp on all test cases
All checks were successful
Test / Hakurei (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Hakurei (race detector) (push) Successful in 41s
Details
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Planterette (push) Successful in 41s
Details
Test / Flake checks (push) Successful in 1m17s
Details 
This change also makes seccomp hashes cross-platform.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 04:21:35 +09:00
Ophestra
2b44493e8a
test/sandbox: guard on testtool tag
All checks were successful
Test / Hakurei (push) Successful in 40s
Details
Test / Create distribution (push) Successful in 31s
Details
Test / Hakurei (race detector) (push) Successful in 41s
Details
Test / Planterette (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 1m30s
Details
Test / Sandbox (race detector) (push) Successful in 1m43s
Details
Test / Flake checks (push) Successful in 1m11s
Details 
This tool should not show up when building hakurei normally.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 20:11:29 +09:00
Ophestra
c30dd4e630
test/sandbox/seccomp: remove uselib
All checks were successful
Test / Hakurei (push) Successful in 41s
Details
Test / Create distribution (push) Successful in 32s
Details
Test / Hakurei (race detector) (push) Successful in 41s
Details
Test / Sandbox (push) Successful in 1m27s
Details
Test / Sandbox (race detector) (push) Successful in 1m44s
Details
Test / Flake checks (push) Successful in 1m12s
Details
Test / Planterette (push) Successful in 40s
Details 
This syscall is not wired on all platforms. This test barely does anything anyway and seccomp is covered by the privileged test instrumentation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 15:28:55 +09:00
Ophestra
d2f9a9b83b
treewide: migrate to hakurei.app
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Sandbox (push) Successful in 46s
Details
Test / Hakurei (push) Successful in 2m9s
Details
Test / Sandbox (race detector) (push) Successful in 3m14s
Details
Test / Planterette (push) Successful in 3m41s
Details
Test / Hakurei (race detector) (push) Successful in 3m40s
Details
Test / Flake checks (push) Successful in 1m18s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 03:30:39 +09:00
Ophestra
87e008d56d
treewide: rename to hakurei
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m18s
Details
Test / Hakurei (push) Successful in 3m10s
Details
Test / Sandbox (race detector) (push) Successful in 3m30s
Details
Test / Hakurei (race detector) (push) Successful in 4m43s
Details
Test / Fpkg (push) Successful in 5m4s
Details
Test / Flake checks (push) Successful in 1m12s
Details 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
717771ae80
app: share runtime dir
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Sandbox (race detector) (push) Successful in 37s
Details
Test / Sandbox (push) Successful in 37s
Details
Test / Fortify (push) Successful in 40s
Details
Test / Fortify (race detector) (push) Successful in 40s
Details
Test / Fpkg (push) Successful in 38s
Details
Test / Flake checks (push) Successful in 1m5s
Details 
This allows apps with the same identity to access the same runtime dir.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-08 03:24:48 +09:00
Ophestra
bf5772bd8a
nix: deduplicate home-manager merging
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 55s
Details
Test / Sandbox (race detector) (push) Successful in 53s
Details
Test / Fortify (race detector) (push) Successful in 50s
Details
Test / Fpkg (push) Successful in 54s
Details
Test / Fortify (push) Successful in 2m8s
Details
Test / Flake checks (push) Successful in 1m7s
Details 
This becomes a problem when extraHomeConfig defines nixos module options.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-08 01:12:18 +09:00
Ophestra
9a7c81a44e
nix: go generate in src derivation
All checks were successful
Test / Sandbox (push) Successful in 40s
Details
Test / Fortify (race detector) (push) Successful in 49s
Details
Test / Fortify (push) Successful in 50s
Details
Test / Create distribution (push) Successful in 24s
Details
Test / Sandbox (race detector) (push) Successful in 45s
Details
Test / Fpkg (push) Successful in 39s
Details
Test / Flake checks (push) Successful in 1m12s
Details 
This saves the generated files in the nix store and exposes them for use by external tools.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-07 03:10:36 +09:00
Ophestra
b7e991de5b
nix: update flake lock
All checks were successful
Test / Create distribution (push) Successful in 51s
Details
Test / Sandbox (push) Successful in 15m56s
Details
Test / Sandbox (race detector) (push) Successful in 16m5s
Details
Test / Fpkg (push) Successful in 17m33s
Details
Test / Fortify (race detector) (push) Successful in 2m28s
Details
Test / Fortify (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 2m58s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
Ophestra
2ffca6984a
nix: use reverse-DNS style id as unique identifier
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Sandbox (push) Successful in 31s
Details
Test / Fortify (push) Successful in 35s
Details
Test / Sandbox (race detector) (push) Successful in 31s
Details
Test / Fortify (race detector) (push) Successful in 35s
Details
Test / Fpkg (push) Successful in 33s
Details
Test / Flake checks (push) Successful in 1m7s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-25 20:12:30 +09:00
Ophestra
f30a439bcd
nix: improve common usability
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Sandbox (push) Successful in 31s
Details
Test / Fortify (push) Successful in 35s
Details
Test / Sandbox (race detector) (push) Successful in 31s
Details
Test / Fortify (race detector) (push) Successful in 35s
Details
Test / Fpkg (push) Successful in 33s
Details
Test / Flake checks (push) Successful in 1m7s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-16 04:40:12 +09:00
Ophestra
008e9e7fc5
nix: update flake lock
All checks were successful
Test / Create distribution (push) Successful in 28s
Details
Test / Fortify (push) Successful in 38s
Details
Test / Fortify (race detector) (push) Successful in 37s
Details
Test / Fpkg (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 1m18s
Details
Test / Sandbox (race detector) (push) Successful in 1m27s
Details
Test / Flake checks (push) Successful in 2m47s
Details
2025-05-07 21:35:37 +09:00
Ophestra
e587112e63
test: check xdg-dbus-proxy termination
All checks were successful
Test / Sandbox (race detector) (push) Successful in 31s
Details
Test / Sandbox (push) Successful in 33s
Details
Test / Create distribution (push) Successful in 28s
Details
Test / Fpkg (push) Successful in 35s
Details
Test / Fortify (push) Successful in 2m9s
Details
Test / Fortify (race detector) (push) Successful in 2m37s
Details
Test / Flake checks (push) Successful in 1m2s
Details 
This process runs outside the application container's pid namespace, so it is a good idea to check whether its lifecycle becomes decoupled from the application.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-15 20:45:31 +09:00
Ophestra
31b7ddd122
fst: improve config
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 1m50s
Details
Test / Fortify (push) Successful in 2m46s
Details
Test / Sandbox (race detector) (push) Successful in 2m59s
Details
Test / Fortify (race detector) (push) Successful in 4m23s
Details
Test / Fpkg (push) Successful in 5m25s
Details
Test / Flake checks (push) Successful in 1m1s
Details 
The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-13 03:30:19 +09:00
Ophestra
ae6f5ede19
fst: mount passthrough /dev writable
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 1m50s
Details
Test / Fortify (push) Successful in 2m39s
Details
Test / Sandbox (race detector) (push) Successful in 3m1s
Details
Test / Fpkg (push) Successful in 3m30s
Details
Test / Fortify (race detector) (push) Successful in 4m13s
Details
Test / Flake checks (push) Successful in 59s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 20:01:54 +09:00
Ophestra
807d511c8b
test/sandbox: check device outcome
All checks were successful
Test / Fortify (push) Successful in 35s
Details
Test / Create distribution (push) Successful in 26s
Details
Test / Fortify (race detector) (push) Successful in 35s
Details
Test / Fpkg (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 1m22s
Details
Test / Sandbox (race detector) (push) Successful in 1m41s
Details
Test / Flake checks (push) Successful in 1m5s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:55:16 +09:00
Ophestra
9967909460
sandbox: relative autoetc links
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 1m44s
Details
Test / Fortify (push) Successful in 2m41s
Details
Test / Sandbox (race detector) (push) Successful in 2m48s
Details
Test / Fpkg (push) Successful in 3m35s
Details
Test / Fortify (race detector) (push) Successful in 4m13s
Details
Test / Flake checks (push) Successful in 1m3s
Details 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
Ophestra
e9a7cd526f
app: improve shim process management
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Sandbox (push) Successful in 1m45s
Details
Test / Fortify (push) Successful in 2m36s
Details
Test / Sandbox (race detector) (push) Successful in 2m49s
Details
Test / Fpkg (push) Successful in 3m33s
Details
Test / Fortify (race detector) (push) Successful in 4m13s
Details
Test / Flake checks (push) Successful in 1m6s
Details 
This ensures a signal gets delivered to the process instead of relying on parent death behaviour.

SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials.

A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-07 03:55:17 +09:00
Ophestra
8aeb06f53c
app: share path setup on demand
All checks were successful
Test / Create distribution (push) Successful in 28s
Details
Test / Sandbox (race detector) (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 34s
Details
Test / Fpkg (push) Successful in 39s
Details
Test / Fortify (push) Successful in 2m16s
Details
Test / Fortify (race detector) (push) Successful in 2m58s
Details
Test / Flake checks (push) Successful in 1m33s
Details 
This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-01 00:47:32 +09:00
Ophestra
297b444dfb
test: separate app and sandbox
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 1m42s
Details
Test / Fortify (push) Successful in 2m39s
Details
Test / Sandbox (race detector) (push) Successful in 2m52s
Details
Test / Fpkg (push) Successful in 3m37s
Details
Test / Fortify (race detector) (push) Successful in 4m17s
Details
Test / Flake checks (push) Successful in 1m6s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 22:09:46 +09:00
Ophestra
89a05909a4
test: move test program to sandbox directory
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Fpkg (push) Successful in 39s
Details
Test / Fortify (push) Successful in 2m38s
Details
Test / Data race detector (push) Successful in 3m22s
Details
Test / Flake checks (push) Successful in 1m1s
Details 
This prepares for the separation of app and sandbox tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 21:09:16 +09:00
Ophestra
f772940768
test/sandbox: treat ESRCH as temporary failure
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fpkg (push) Successful in 33s
Details
Test / Fortify (push) Successful in 2m30s
Details
Test / Data race detector (push) Successful in 3m13s
Details
Test / Flake checks (push) Successful in 52s
Details 
This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 03:50:59 +09:00