1082 Commits

Author SHA1 Message Date
124743ffd3
app: expose single run method
All checks were successful
Tests / Go tests (push) Successful in 1m1s
Nix / NixOS tests (push) Successful in 3m20s
App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 23:39:51 +09:00
be4d8b6300
release: 0.2.9
All checks were successful
Create distribution / Release (push) Successful in 1m21s
Tests / Go tests (push) Successful in 46s
Nix / NixOS tests (push) Successful in 3m6s
This release mostly contains permissive defaults fixes and optimisations. It also contains a proof of concept version of fpkg.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 13:14:43 +09:00
3e11ce6868
helper/bwrap: separate sequential/static args
All checks were successful
Tests / Go tests (push) Successful in 41s
Nix / NixOS tests (push) Successful in 3m59s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 13:07:06 +09:00
562f5ed797
fst: hide sockets exposed via Filesystem
All checks were successful
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 2m49s
This is mostly useful for permissive defaults.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 10:13:18 +09:00
db03565614
fst: move sandbox struct to separate file
All checks were successful
Tests / Go tests (push) Successful in 1m0s
Nix / NixOS tests (push) Successful in 3m9s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-15 09:42:44 +09:00
7d99e45b88
helper/bwrap: register OverlayConfig with gob
All checks were successful
Tests / Go tests (push) Successful in 58s
Nix / NixOS tests (push) Successful in 3m5s
This is required for copying bwrap configurations across processes.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-14 12:25:10 +09:00
1651eb06df
dbus: implement dbus_parse_address
All checks were successful
Tests / Go tests (push) Successful in 1m14s
Nix / NixOS tests (push) Successful in 7m36s
This parses D-Bus addresses according to spec. It does significantly fewer copies than dbus_parse_address.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-12 23:24:03 +09:00
ac543a1ce8
dbus: rename makeTestCases
All checks were successful
Tests / Go tests (push) Successful in 2m36s
Nix / NixOS tests (push) Successful in 10m5s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-12 23:21:28 +09:00
e2489059c1
helper/bwrap: implement overlayfs builder
All checks were successful
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 4m5s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-05 20:09:35 +09:00
2e3f6a4c51
helper/bwrap: move test out of bwrap package
All checks were successful
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 4m51s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-05 19:45:24 +09:00
2162029f46
helper/bwrap: add json struct tag to filesystem
All checks were successful
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 4m43s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-05 19:41:04 +09:00
a1148edd00
fst/config: allocate filesystem slice
All checks were successful
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 4m5s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-04 00:16:41 +09:00
6acd0d4e88
linux/std: handle fsu exit status 1
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 2m27s
Printing "exit status 1" is confusing. This handles the ExitError and returns EACCES instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-01 21:34:57 +09:00
35b7142317
fortify: show system info when instance is not specified
All checks were successful
Tests / Go tests (push) Successful in 38s
Nix / NixOS tests (push) Successful in 4m32s
This contains useful information not obtainable by external tools.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-01 19:35:50 +09:00
c4d6651cae
update reverse-DNS style identifiers
All checks were successful
Tests / Go tests (push) Successful in 1m6s
Nix / NixOS tests (push) Successful in 4m11s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-31 16:16:38 +09:00
22a4b99674
cmd/fpkg/install: deduplicate nix store
All checks were successful
Tests / Go tests (push) Successful in 41s
Nix / NixOS tests (push) Successful in 4m43s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-30 02:25:04 +09:00
1464ef774b
cmd/fpkg: expose nixGL wrappers
All checks were successful
Tests / Go tests (push) Successful in 35s
Nix / NixOS tests (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-30 02:02:20 +09:00
66ba4cea5c
cmd/fpkg: remove workDir acl from activation
All checks were successful
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 3m56s
Activation does not require access to workDir, and by this point all information is available in dataHome.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 23:48:45 +09:00
f8d0786509
cmd/fpkg: include nixGL source in inner store
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 4m24s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 23:37:11 +09:00
56a73bb019
nix: create nixpkgs symlink
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 4m25s
This is included as part of the system as nixGL needs to be built somewhere between activation and start.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 23:23:11 +09:00
fb8abf63db
nix: update flake lock
All checks were successful
Tests / Go tests (push) Successful in 40s
Nix / NixOS tests (push) Successful in 4m15s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 23:14:16 +09:00
63802c5f0d
nix: nixos test create parent directory
All checks were successful
Tests / Go tests (push) Successful in 37s
Nix / NixOS tests (push) Successful in 4m9s
This tests directory creation in shim.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 22:36:53 +09:00
aff80b6b00
cmd/fpkg: optional network access when invoking with nix daemon
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 3m36s
This is useful for building nixGL.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 18:32:44 +09:00
a98a176907
cmd/fpkg: bind and document more gpu devices
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 3m40s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 18:25:26 +09:00
5302879b88
cmd/fpkg: improve readability of fortify invocations
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 3m41s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 17:55:56 +09:00
891b3cbde7
cmd/fpkg: compare all three store paths
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 3m39s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 17:10:41 +09:00
c795293f36
cmd/fpkg: clean up broken links before activation
All checks were successful
Tests / Go tests (push) Successful in 35s
Nix / NixOS tests (push) Successful in 3m38s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 15:21:40 +09:00
42e1043300
nix: set home-manager user information
All checks were successful
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 2m36s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 15:11:36 +09:00
5416b07daa
nix: remove unused argument 'self'
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 2m36s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 14:49:55 +09:00
e57a0e9bf2
nix: rename fortifyBundle to buildPackage
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 2m35s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 14:35:37 +09:00
ab48706ebe
dist: install fpkg to /usr/bin
All checks were successful
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 2m25s
This is a high level user-facing tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 01:04:53 +09:00
c1a459a0b1
cmd/fpkg/start: correct drop to shell wording
All checks were successful
Tests / Go tests (push) Successful in 52s
Nix / NixOS tests (push) Successful in 4m27s
Activation no longer happens during application startup.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 00:56:14 +09:00
5125e96ecf
nix: generate application package build script
All checks were successful
Tests / Go tests (push) Successful in 55s
Nix / NixOS tests (push) Successful in 4m24s
This takes some metadata, sandbox options, a launch script and a list of home-manager modules. The result needs to be executed in an environment with nix daemon access, and it produces the final package file.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 00:42:21 +09:00
e0e2f40e84
cmd/fpkg: app bundle helper
All checks were successful
Tests / Go tests (push) Successful in 43s
Nix / NixOS tests (push) Successful in 4m25s
This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 13:21:49 +09:00
bf8094c6ca
internal: include path to fortify main program
All checks were successful
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 12:48:48 +09:00
2e3bb1893e
release: 0.2.8
All checks were successful
Tests / Go tests (push) Successful in 42s
Create distribution / Release (push) Successful in 1m0s
Nix / NixOS tests (push) Successful in 3m53s
This release mostly fixes bugs uncovered when running fortify on a generic linux distribution.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 01:09:47 +09:00
9b206072fa
cmd/fshim: ensure data directory
All checks were successful
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 3m33s
Ensuring home directory in shim causes the directory to be owned by the target user.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:39:01 +09:00
b9e2003d5b
app: ensure extra paths
All checks were successful
Tests / Go tests (push) Successful in 36s
Nix / NixOS tests (push) Successful in 3m37s
The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app).

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 14:07:49 +09:00
66ec0d882f
dist: build with -trimpath
All checks were successful
Tests / Go tests (push) Successful in 35s
Nix / NixOS tests (push) Successful in 3m26s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 13:44:05 +09:00
847b667489
app: extra acl entries from configuration
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 13:23:27 +09:00
c70f0612ad
fortify/print: skip nil filesystem entries
All checks were successful
Tests / Go tests (push) Successful in 31s
Nix / NixOS tests (push) Successful in 3m24s
This fixes a panic when displaying configurations with nil filesystem entries.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 12:14:42 +09:00
85e5b097fd
fst/config: add template etc entry
All checks were successful
Tests / Go tests (push) Successful in 31s
Nix / NixOS tests (push) Successful in 3m21s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 12:05:32 +09:00
0107620d8c
app: merge share methods
All checks were successful
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 3m25s
This significantly increases readability and makes order of ops more obvious.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-28 11:12:35 +09:00
fc26659ea1
fst/config: autoetc read custom path
All checks were successful
Tests / Go tests (push) Successful in 43s
Nix / NixOS tests (push) Successful in 3m40s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:57:44 +09:00
1f173a469c
system/dbus: fix inverted system bus state
All checks were successful
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 3m38s
Debug message and socket cleanup gets missed due to this value being inverted.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:38:11 +09:00
2fdbd6a4dd
fst/config: alternative /etc directory
All checks were successful
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 3m41s
This is useful for static /etc directories provided by self-contained application packages, or in cases where autoetc is useful for paths other than /etc.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 18:06:26 +09:00
aef847b5ae
helper/bwrap: fix typo in --dir config builder
All checks were successful
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 3m33s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 15:34:43 +09:00
0a2aa5823b
cmd/fshim: bind finit inside sandbox
All checks were successful
Tests / Go tests (push) Successful in 34s
Nix / NixOS tests (push) Successful in 3m32s
The outer finit executable is normally inaccessible inside the sandbox. This was obscured by the current Nix-based setup exposing /nix/store to the sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-27 14:44:57 +09:00
b956ce4052
ldd: trim leading and trailing white spaces from name
All checks were successful
Tests / Go tests (push) Successful in 33s
Nix / NixOS tests (push) Successful in 3m31s
Glibc emits ldd output with \t prefix for formatting. Remove that here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 16:53:01 +09:00
dc579dc610
dbus/run: bind ldd entry absolute name
All checks were successful
Tests / Go tests (push) Successful in 32s
Nix / NixOS tests (push) Successful in 3m35s
The ld.so entry has an absolute name. They are usually symlinks so binding path does not guarantee ld.so availability under its expected path in the mount namespace.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-26 16:36:03 +09:00