288 Commits

Author	SHA1	Message	Date
Ophestra	eb0ef2d115	helper/bwrap: generic extra file interface ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-20 00:20:04 +09:00
Ophestra	2f70506865	helper/bwrap: move sync to helper state ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:38:13 +09:00
Ophestra	cae567c109	proc/priv/shim: remove unnecessary state ... These values are only used during process creation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-19 18:09:07 +09:00
Ophestra	b31d055e20	proc/priv/init: early init check ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-18 12:33:33 +09:00
Ophestra	7baca66a56	proc: remove duplicate compile-time fortify reference ... This is no longer needed since shim and init are now part of the main program. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-18 11:59:33 +09:00
Ophestra	27d2914286	proc/priv/init: merge init into main program ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-18 11:47:01 +09:00
Ophestra	ea8f228af3	proc/priv/shim: merge shim into main program ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 23:43:32 +09:00
Ophestra	16db3dabe2	internal: do PR_SET_PDEATHSIG once ... This prctl affects the entire process, doing it on every OS thread is pointless. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 23:08:46 +09:00
Ophestra	124743ffd3	app: expose single run method ... App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 23:39:51 +09:00
Ophestra	562f5ed797	fst: hide sockets exposed via Filesystem ... This is mostly useful for permissive defaults. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 10:13:18 +09:00
Ophestra	6acd0d4e88	linux/std: handle fsu exit status 1 ... Printing "exit status 1" is confusing. This handles the ExitError and returns EACCES instead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-01 21:34:57 +09:00
Ophestra	c4d6651cae	update reverse-DNS style identifiers ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-31 16:16:38 +09:00
Ophestra	bf8094c6ca	internal: include path to fortify main program ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 12:48:48 +09:00
Ophestra	9b206072fa	cmd/fshim: ensure data directory ... Ensuring home directory in shim causes the directory to be owned by the target user. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:39:01 +09:00
Ophestra	b9e2003d5b	app: ensure extra paths ... The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:07:49 +09:00
Ophestra	847b667489	app: extra acl entries from configuration ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:23:27 +09:00
Ophestra	0107620d8c	app: merge share methods ... This significantly increases readability and makes order of ops more obvious. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 11:12:35 +09:00
Ophestra	1f173a469c	system/dbus: fix inverted system bus state ... Debug message and socket cleanup gets missed due to this value being inverted. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-27 18:38:11 +09:00
Ophestra	f608f28a6a	app: mount /dev/kvm in permissive defaults ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-22 12:37:24 +09:00
Ophestra	cb98baa19d	fortify: clean up ps formatting code ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 20:34:40 +09:00
Ophestra	7a8b625a57	app: rename /fortify to /.fortify ... Also removed the inner share tmpfs mount. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 18:11:32 +09:00
Ophestra	74fe74e6b5	app: do not fail on missing cookie ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-21 17:56:21 +09:00
Ophestra	b9cc318314	system: implement Enablements String method ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-20 23:21:19 +09:00
Ophestra	ed10574dea	state: store join util ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-20 19:05:39 +09:00
Ophestra Umiker	df6fc298f6	migrate to git.gensokyo.uk/security/fortify ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
Ophestra Umiker	eae3034260	state: expose aids and use instance id as key ... Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 21:36:17 +09:00
Ophestra Umiker	f796622c35	state: rename simple store implementation ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 11:48:48 +09:00
Ophestra Umiker	5d25bee786	fortify: remove systemd check ... This is no longer necessary as fortify no longer integrates with external user switchers. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 11:14:31 +09:00
Ophestra Umiker	52f21a19f3	cmd/fshim: switch to setup pipe ... The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 19:39:25 +09:00
Ophestra Umiker	7f29b37a32	proc: setup payload send ... Generic setup payload encoder adapted from fshim. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 17:20:01 +09:00
Ophestra Umiker	ef8fd37e9d	proc: setup payload receive ... Generic implementation of setup payload receiver adapted from finit. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 16:48:41 +09:00
Ophestra Umiker	2f676c9d6e	fst: rename from fipc ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 15:50:46 +09:00
Ophestra Umiker	b752ec4468	fipc: export config struct ... Also store full config as part of state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 13:45:55 +09:00
Ophestra Umiker	f773c92411	system: prevent duplicate Wayland op ... Wayland is implemented as an Op to enforce dependency and cleanup, its implementation does not allow multiple instances on a single sys object, nor would doing that make any sense. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-07 19:45:37 +09:00
Ophestra Umiker	cc816a1aaa	proc: cleaner extra files ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 16:05:04 +09:00
Ophestra Umiker	b3ef53b193	app: integrate security-context-v1 ... Should be able to get rid of XDG_RUNTIME_DIR share after this. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 04:25:33 +09:00
Ophestra Umiker	38e92edb8e	system/wayland: integrate security-context-v1 ... Had to pass the sync fd through sys. The rest are just part of a standard Op. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-06 04:20:15 +09:00
Ophestra Umiker	b291f0b710	app: add nixos-based config test case ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-21 12:13:21 +09:00
Ophestra Umiker	9faf3b3596	app: validate username ... This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-19 21:01:41 +09:00
Ophestra Umiker	ae2628e57a	cmd/fshim/ipc: install signal handler on shim start ... Getting killed at this point will result in inconsistent state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-18 13:33:46 +09:00
Ophestra Umiker	05b7dbf066	app: alternative inner home path ... Support binding home to an alternative path in the mount namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-18 00:18:21 +09:00
Ophestra Umiker	866270ff05	fmsg: add to wg prior to enqueue ... Adding after channel write is racy. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-17 23:50:02 +09:00
Ophestra Umiker	c1fad649e8	app/start: check for cleanup and abort condition ... Dirty fix. Will rewrite after fsu integration complete. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-17 23:41:52 +09:00
Ophestra Umiker	b5f01ef20b	app: append # for ChangeHosts message with numerical uid ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-17 23:40:37 +09:00
Ophestra Umiker	df33123bd7	app: integrate fsu ... This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-16 21:19:45 +09:00
Ophestra Umiker	9a13b311ac	app/config: rename map_real_uid from use_real_uid ... This option only changes mapped uid in the user namespace. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-09 12:01:34 +09:00
Ophestra Umiker	3dfc1fcd56	app: support full /dev access ... Also moved /dev/fortify to /fortify since it is impossible to create new directories in /dev from the init namespace and bind mounting its contents has undesirable side effects. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-06 03:49:39 +09:00
Ophestra Umiker	69cc64ef56	linux: provide access to stdout ... Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 22:55:46 +09:00
Ophestra Umiker	fc25ac2523	app: separate auto etc from permissive defaults ... Populating /etc with symlinks is quite useful even outside the permissive defaults usage pattern. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 22:18:05 +09:00
Ophestra Umiker	d909b1190a	app/config: UseRealUID as true in template ... The template is based on a Chromium setup, which this workaround was created for. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-11-04 19:45:31 +09:00