e42ea32dbe
nix: configure sharefs via fileSystems
Turns out this did not work because in the vm test harness, virtualisation.fileSystems completely and silently overrides fileSystems, causing its contents to not even be evaluated anymore. This is not documented as far as I can tell, and is not obvious by any stretch of the imagination. The current hack is cargo culted from nix-community/impermanence and hopefully lasts until this project fully replaces nix.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-12-27 23:14:08 +09:00
7bfbd59810
cmd/sharefs: implement shared filesystem
This is for passing files between applications, similar to Android /sdcard.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-12-25 05:13:02 +09:00
ea815a59e8
nix: disable source fortification in devShell
This generates warnings when compiling without optimisation.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-12-21 02:22:28 +09:00
ebc67bb8ad
nix: update flake lock
NixOS 25.11 introduces a crash in cage and an intermittent crash in foot.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-12-12 08:39:55 +09:00
c761e1de4d
nix: build with clang
Clang is better than gcc in various ways. This also pulls in clang-format which is very helpful.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-11-15 16:36:36 +09:00
5c2b63a7f1
container: add 386 constants
While it is unlikely a use case for hakurei on i686 exists, it does not hurt to have this support.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-11-05 20:21:14 +09:00
a4f7e92e1c
test/interactive: helper scripts for tracing
The vm state is discarded often, and it is quite cumbersome to set everything up again when the shell history is gone.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-08 00:56:25 +09:00
72a931a71a
nix: interactive nixos vm
This is useful for quickly spinning up an ephemeral hakurei environment for testing changes or reproducing vm test failures.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-07 02:46:04 +09:00
a8a79a8664
cmd/hpkg: rename from planterette
Planterette is now developed in another repository, so rename this proof of concept to avoid confusion.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-31 23:57:11 +09:00
72c2b66fc0
nix: cross-platform syscall wrapper
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-07 04:22:55 +09:00
e03d702d08
sandbox/seccomp: implement syscall lookup
This uses the Go map and is verified against libseccomp.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-01 00:35:27 +09:00
9a8a047908
sandbox/seccomp: syscall name lookup table
The script is from the Go source of the same name. The result is checked against libseccomp.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-26 03:49:07 +09:00
aa454b158f
cmd/planterette: remove hsu special case
Remove special case and invoke hakurei out of process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 20:50:24 +09:00
87e008d56d
treewide: rename to hakurei
Fortify makes little sense for a container tool.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 04:57:41 +09:00
b7e991de5b
nix: update flake lock
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-05 04:05:39 +09:00
297b444dfb
test: separate app and sandbox
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 22:09:46 +09:00
b39f3aeb59
helper: remove bubblewrap wrapper
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 05:35:02 +09:00
3385538142
nix: clean up flake outputs
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 12:26:19 +09:00
4bb5d9780f
ldd: run in native sandbox
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 17:55:55 +09:00
9b1a60b5c9
sandbox: native container tooling
This should eventually replace bwrap.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-13 21:36:26 +09:00
c8ed7aae6e
nix: update flake lock
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-10 18:38:14 +09:00
2d4cabe786
nix: increase nixfmt max width
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-28 14:43:46 +09:00
12c6d66bfd
cmd/fpkg/test: nixos test fpkg install/start
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 13:12:16 +09:00
c21a4cff14
nix: wrap fpkg
This is usable on nixos now due to the static build.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 12:24:04 +09:00
5a732d153e
nix: include fsu sources in dist build
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-25 01:32:47 +09:00
b6af8caffe
nix: clean up directory structure
Tests for fpkg are going to be in ./cmd/fpkg, so this central tests directory is no longer necessary.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 18:48:01 +09:00
8bf162820b
nix: separate fsu from package
This appears to be the only way to build them with different configuration. This enables static linking in the main package.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 18:13:37 +09:00
eb0c16dd8c
cmd/fpkg: rename buildPackage file
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 18:13:34 +09:00
64b6dc41ba
nix: split integration test
For adding tests for fpkg.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-21 17:05:17 +09:00
60c10c3f4a
nix: run integration tests with race detector
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-16 20:58:08 +09:00
3df344828f
proc/priv/shim: seccomp bpf filter via libseccomp
Rulesets adapted from Flatpak for compatibility.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:39:47 +09:00
c4de450217
nix: do not force static linking on nix
In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 22:56:16 +09:00
b60c01f440
fortify: switch to static linking
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-16 17:32:52 +09:00
5416b07daa
nix: remove unused argument 'self'
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 14:49:55 +09:00
e57a0e9bf2
nix: rename fortifyBundle to buildPackage
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 14:35:37 +09:00
5125e96ecf
nix: generate application package build script
This takes some metadata, sandbox options, a launch script and a list of home-manager modules. The result needs to be executed in an environment with nix daemon access, and it produces the final package file.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-29 00:42:21 +09:00
7b6052a473
nix: run Go tests in nixos
Nix build environment does not support ACLs in any filesystem. This allows acl tests to run.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-17 21:16:55 +09:00
3f993021f8
nix: permissive defaults nixos test
Adapted from nixos sway integration tests.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-16 22:56:10 +09:00
4d3bd5338f
nix: implement flake checks
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-16 20:54:28 +09:00
6b8ddca7b4
nix: track nixos stable 24.11
Reduce rebuilds during development on my system.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 00:44:04 +09:00
0a546885e3
nix: update options doc
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 18:12:35 +09:00
d9cb2a9f2b
fsu: implement simple setuid user switcher
Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 00:02:34 +09:00
40161c5938
nix: remove fortify package from default devShell
This change makes it possible to start a devShell when tests aren't passing.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 20:35:10 +09:00
1038af98f0
dbus: add tests
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-28 00:06:16 +09:00
61628dabb7
nix: remove obnoxious shell hook
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 16:08:11 +09:00
3d963b9f67
nix: include package buildInputs in devShells
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-17 23:15:33 +09:00
945cce2f5e
nix: implement nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 17:03:21 +09:00
d8f76f3b25
rename to fortify and restructure
More sandbox features will be added and this will no longer track ego's features and behaviour.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 01:20:12 +09:00
7e6eb82195
license: embed license in executable
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 22:07:40 +09:00
09507a541b
nix: build directly with buildGoModules
Since we have no dependencies, we don't need a vendor hash, so doing this actually makes sense.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-07-16 21:54:44 +09:00