hakurei

Author	SHA1	Message	Date
Ophestra	ea8f228af3	proc/priv/shim: merge shim into main program All checks were successful Build / Create distribution (push) Successful in 2m15s Details Test / Run NixOS test (push) Successful in 2m53s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 23:43:32 +09:00
Ophestra	16db3dabe2	internal: do PR_SET_PDEATHSIG once All checks were successful Build / Create distribution (push) Successful in 3m7s Details Test / Run NixOS test (push) Successful in 4m40s Details This prctl affects the entire process, doing it on every OS thread is pointless. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 23:08:46 +09:00
Ophestra	c4de450217	nix: do not force static linking on nix All checks were successful Build / Create distribution (push) Successful in 3m14s Details Test / Run NixOS test (push) Successful in 3m25s Details In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-17 22:56:16 +09:00
Ophestra	b60c01f440	fortify: switch to static linking All checks were successful Build / Create distribution (push) Successful in 1m43s Details Test / Run NixOS test (push) Successful in 4m32s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-16 17:32:52 +09:00
Ophestra	124743ffd3	app: expose single run method All checks were successful Tests / Go tests (push) Successful in 1m1s Details Nix / NixOS tests (push) Successful in 3m20s Details App is no longer just a simple [exec.Cmd] wrapper, so exposing these steps separately no longer makes sense and actually hinders proper error handling, cleanup and cancellation. This change removes the five-second wait when the shim dies before receiving the payload, and provides caller the ability to gracefully stop execution of the confined process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 23:39:51 +09:00
Ophestra	be4d8b6300	release: 0.2.9 All checks were successful Create distribution / Release (push) Successful in 1m21s Details Tests / Go tests (push) Successful in 46s Details Nix / NixOS tests (push) Successful in 3m6s Details This release mostly contains permissive defaults fixes and optimisations. It also contains a proof of concept version of fpkg. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 13:14:43 +09:00
Ophestra	3e11ce6868	helper/bwrap: separate sequential/static args All checks were successful Tests / Go tests (push) Successful in 41s Details Nix / NixOS tests (push) Successful in 3m59s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 13:07:06 +09:00
Ophestra	562f5ed797	fst: hide sockets exposed via Filesystem All checks were successful Tests / Go tests (push) Successful in 40s Details Nix / NixOS tests (push) Successful in 2m49s Details This is mostly useful for permissive defaults. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 10:13:18 +09:00
Ophestra	db03565614	fst: move sandbox struct to separate file All checks were successful Tests / Go tests (push) Successful in 1m0s Details Nix / NixOS tests (push) Successful in 3m9s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-15 09:42:44 +09:00
Ophestra	7d99e45b88	helper/bwrap: register OverlayConfig with gob All checks were successful Tests / Go tests (push) Successful in 58s Details Nix / NixOS tests (push) Successful in 3m5s Details This is required for copying bwrap configurations across processes. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-14 12:25:10 +09:00
Ophestra	1651eb06df	dbus: implement dbus_parse_address All checks were successful Tests / Go tests (push) Successful in 1m14s Details Nix / NixOS tests (push) Successful in 7m36s Details This parses D-Bus addresses according to spec. It does significantly fewer copies than dbus_parse_address. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-12 23:24:03 +09:00
Ophestra	ac543a1ce8	dbus: rename makeTestCases All checks were successful Tests / Go tests (push) Successful in 2m36s Details Nix / NixOS tests (push) Successful in 10m5s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-12 23:21:28 +09:00
Ophestra	e2489059c1	helper/bwrap: implement overlayfs builder All checks were successful Tests / Go tests (push) Successful in 33s Details Nix / NixOS tests (push) Successful in 4m5s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-05 20:09:35 +09:00
Ophestra	2e3f6a4c51	helper/bwrap: move test out of bwrap package All checks were successful Tests / Go tests (push) Successful in 36s Details Nix / NixOS tests (push) Successful in 4m51s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-05 19:45:24 +09:00
Ophestra	2162029f46	helper/bwrap: add json struct tag to filesystem All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 4m43s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-05 19:41:04 +09:00
Ophestra	a1148edd00	fst/config: allocate filesystem slice All checks were successful Tests / Go tests (push) Successful in 32s Details Nix / NixOS tests (push) Successful in 4m5s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-04 00:16:41 +09:00
Ophestra	6acd0d4e88	linux/std: handle fsu exit status 1 All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 2m27s Details Printing "exit status 1" is confusing. This handles the ExitError and returns EACCES instead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-01 21:34:57 +09:00
Ophestra	35b7142317	fortify: show system info when instance is not specified All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 4m32s Details This contains useful information not obtainable by external tools. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-01-01 19:35:50 +09:00
Ophestra	c4d6651cae	update reverse-DNS style identifiers All checks were successful Tests / Go tests (push) Successful in 1m6s Details Nix / NixOS tests (push) Successful in 4m11s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-31 16:16:38 +09:00
Ophestra	22a4b99674	cmd/fpkg/install: deduplicate nix store All checks were successful Tests / Go tests (push) Successful in 41s Details Nix / NixOS tests (push) Successful in 4m43s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-30 02:25:04 +09:00
Ophestra	1464ef774b	cmd/fpkg: expose nixGL wrappers All checks were successful Tests / Go tests (push) Successful in 35s Details Nix / NixOS tests (push) Successful in 4m6s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-30 02:02:20 +09:00
Ophestra	66ba4cea5c	cmd/fpkg: remove workDir acl from activation All checks were successful Tests / Go tests (push) Successful in 33s Details Nix / NixOS tests (push) Successful in 3m56s Details Activation does not require access to workDir, and by this point all information is available in dataHome. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 23:48:45 +09:00
Ophestra	f8d0786509	cmd/fpkg: include nixGL source in inner store All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 4m24s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 23:37:11 +09:00
Ophestra	56a73bb019	nix: create nixpkgs symlink All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 4m25s Details This is included as part of the system as nixGL needs to be built somewhere between activation and start. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 23:23:11 +09:00
Ophestra	fb8abf63db	nix: update flake lock All checks were successful Tests / Go tests (push) Successful in 40s Details Nix / NixOS tests (push) Successful in 4m15s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 23:14:16 +09:00
Ophestra	63802c5f0d	nix: nixos test create parent directory All checks were successful Tests / Go tests (push) Successful in 37s Details Nix / NixOS tests (push) Successful in 4m9s Details This tests directory creation in shim. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 22:36:53 +09:00
Ophestra	aff80b6b00	cmd/fpkg: optional network access when invoking with nix daemon All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 3m36s Details This is useful for building nixGL. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 18:32:44 +09:00
Ophestra	a98a176907	cmd/fpkg: bind and document more gpu devices All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 3m40s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 18:25:26 +09:00
Ophestra	5302879b88	cmd/fpkg: improve readability of fortify invocations All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 3m41s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 17:55:56 +09:00
Ophestra	891b3cbde7	cmd/fpkg: compare all three store paths All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 3m39s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 17:10:41 +09:00
Ophestra	c795293f36	cmd/fpkg: clean up broken links before activation All checks were successful Tests / Go tests (push) Successful in 35s Details Nix / NixOS tests (push) Successful in 3m38s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 15:21:40 +09:00
Ophestra	42e1043300	nix: set home-manager user information All checks were successful Tests / Go tests (push) Successful in 33s Details Nix / NixOS tests (push) Successful in 2m36s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 15:11:36 +09:00
Ophestra	5416b07daa	nix: remove unused argument 'self' All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 2m36s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 14:49:55 +09:00
Ophestra	e57a0e9bf2	nix: rename fortifyBundle to buildPackage All checks were successful Tests / Go tests (push) Successful in 34s Details Nix / NixOS tests (push) Successful in 2m35s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 14:35:37 +09:00
Ophestra	ab48706ebe	dist: install fpkg to /usr/bin All checks were successful Tests / Go tests (push) Successful in 36s Details Nix / NixOS tests (push) Successful in 2m25s Details This is a high level user-facing tool. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 01:04:53 +09:00
Ophestra	c1a459a0b1	cmd/fpkg/start: correct drop to shell wording All checks were successful Tests / Go tests (push) Successful in 52s Details Nix / NixOS tests (push) Successful in 4m27s Details Activation no longer happens during application startup. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 00:56:14 +09:00
Ophestra	5125e96ecf	nix: generate application package build script All checks were successful Tests / Go tests (push) Successful in 55s Details Nix / NixOS tests (push) Successful in 4m24s Details This takes some metadata, sandbox options, a launch script and a list of home-manager modules. The result needs to be executed in an environment with nix daemon access, and it produces the final package file. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 00:42:21 +09:00
Ophestra	e0e2f40e84	cmd/fpkg: app bundle helper All checks were successful Tests / Go tests (push) Successful in 43s Details Nix / NixOS tests (push) Successful in 4m25s Details This helper program creates fortify configuration for running an application bundle. The activate action wraps a home-manager activation package and ensures each generation gets activated once. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 13:21:49 +09:00
Ophestra	bf8094c6ca	internal: include path to fortify main program All checks were successful Tests / Go tests (push) Successful in 36s Details Nix / NixOS tests (push) Successful in 4m6s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-26 12:48:48 +09:00
Ophestra	2e3bb1893e	release: 0.2.8 All checks were successful Tests / Go tests (push) Successful in 42s Details Create distribution / Release (push) Successful in 1m0s Details Nix / NixOS tests (push) Successful in 3m53s Details This release mostly fixes bugs uncovered when running fortify on a generic linux distribution. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-29 01:09:47 +09:00
Ophestra	9b206072fa	cmd/fshim: ensure data directory All checks were successful Tests / Go tests (push) Successful in 36s Details Nix / NixOS tests (push) Successful in 3m33s Details Ensuring home directory in shim causes the directory to be owned by the target user. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:39:01 +09:00
Ophestra	b9e2003d5b	app: ensure extra paths All checks were successful Tests / Go tests (push) Successful in 36s Details Nix / NixOS tests (push) Successful in 3m37s Details The primary use case for extra perms is app-specific state directories, which may or may not exist (first run of any app). Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 14:07:49 +09:00
Ophestra	66ec0d882f	dist: build with -trimpath All checks were successful Tests / Go tests (push) Successful in 35s Details Nix / NixOS tests (push) Successful in 3m26s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:44:05 +09:00
Ophestra	847b667489	app: extra acl entries from configuration Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 13:23:27 +09:00
Ophestra	c70f0612ad	fortify/print: skip nil filesystem entries All checks were successful Tests / Go tests (push) Successful in 31s Details Nix / NixOS tests (push) Successful in 3m24s Details This fixes a panic when displaying configurations with nil filesystem entries. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 12:14:42 +09:00
Ophestra	85e5b097fd	fst/config: add template etc entry All checks were successful Tests / Go tests (push) Successful in 31s Details Nix / NixOS tests (push) Successful in 3m21s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 12:05:32 +09:00
Ophestra	0107620d8c	app: merge share methods All checks were successful Tests / Go tests (push) Successful in 32s Details Nix / NixOS tests (push) Successful in 3m25s Details This significantly increases readability and makes order of ops more obvious. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-28 11:12:35 +09:00
Ophestra	fc26659ea1	fst/config: autoetc read custom path All checks were successful Tests / Go tests (push) Successful in 43s Details Nix / NixOS tests (push) Successful in 3m40s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-27 18:57:44 +09:00
Ophestra	1f173a469c	system/dbus: fix inverted system bus state All checks were successful Tests / Go tests (push) Successful in 33s Details Nix / NixOS tests (push) Successful in 3m38s Details Debug message and socket cleanup gets missed due to this value being inverted. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-27 18:38:11 +09:00
Ophestra	2fdbd6a4dd	fst/config: alternative /etc directory All checks were successful Tests / Go tests (push) Successful in 32s Details Nix / NixOS tests (push) Successful in 3m41s Details This is useful for static /etc directories provided by self-contained application packages, or in cases where autoetc is useful for paths other than /etc. Signed-off-by: Ophestra <cat@gensokyo.uk>	2024-12-27 18:06:26 +09:00

... 14 15 16 17 18 ...

1136 Commits