hakurei

Author	SHA1	Message	Date
Ophestra	1fb453dffe	sandbox/seccomp: extra constants All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m59s Details Test / Hakurei (push) Successful in 2m44s Details Test / Sandbox (race detector) (push) Successful in 3m1s Details Test / Planterette (push) Successful in 3m33s Details Test / Hakurei (race detector) (push) Successful in 4m20s Details Test / Flake checks (push) Successful in 1m7s Details These all resolve to pseudo syscall numbers in libseccomp, but are necessary anyway for other platforms. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 20:15:42 +09:00
Ophestra	e03d702d08	sandbox/seccomp: implement syscall lookup All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m51s Details Test / Hakurei (push) Successful in 2m52s Details Test / Sandbox (race detector) (push) Successful in 3m20s Details Test / Planterette (push) Successful in 3m40s Details Test / Hakurei (race detector) (push) Successful in 4m18s Details Test / Flake checks (push) Successful in 1m10s Details This uses the Go map and is verified against libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 00:35:27 +09:00
Ophestra	241dc964a6	sandbox/seccomp: wire extra syscall All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m46s Details Test / Hakurei (push) Successful in 2m48s Details Test / Sandbox (race detector) (push) Successful in 3m6s Details Test / Planterette (push) Successful in 40s Details Test / Hakurei (race detector) (push) Successful in 2m39s Details Test / Flake checks (push) Successful in 1m15s Details These values are only useful for libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 00:32:08 +09:00
Ophestra	8ef71e14d5	sandbox/seccomp: emit syscall constants All checks were successful Test / Create distribution (push) Successful in 44s Details Test / Sandbox (push) Successful in 2m15s Details Test / Hakurei (push) Successful in 3m8s Details Test / Sandbox (race detector) (push) Successful in 3m18s Details Test / Planterette (push) Successful in 3m55s Details Test / Hakurei (race detector) (push) Successful in 4m37s Details Test / Flake checks (push) Successful in 1m9s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-30 20:34:33 +09:00
Ophestra	972f4006f0	treewide: switch to hakurei.app All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m0s Details Test / Hakurei (push) Successful in 2m49s Details Test / Sandbox (race detector) (push) Successful in 3m12s Details Test / Planterette (push) Successful in 3m35s Details Test / Hakurei (race detector) (push) Successful in 4m22s Details Test / Flake checks (push) Successful in 1m7s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-26 04:01:02 +09:00
Ophestra	9a8a047908	sandbox/seccomp: syscall name lookup table All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 1m58s Details Test / Hakurei (push) Successful in 2m42s Details Test / Sandbox (race detector) (push) Successful in 2m59s Details Test / Planterette (push) Successful in 3m31s Details Test / Hakurei (race detector) (push) Successful in 4m21s Details Test / Flake checks (push) Successful in 1m9s Details The script is from Go source of same name. The result is checked against libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-26 03:49:07 +09:00
Ophestra	863bf69ad3	treewide: reapply clang-format All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m51s Details Test / Hakurei (push) Successful in 2m49s Details Test / Sandbox (race detector) (push) Successful in 2m58s Details Test / Planterette (push) Successful in 3m37s Details Test / Hakurei (race detector) (push) Successful in 4m15s Details Test / Flake checks (push) Successful in 1m8s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 23:43:42 +09:00
Ophestra	0e957cc9c1	release: 0.0.2 All checks were successful Release / Create release (push) Successful in 43s Details Test / Create distribution (push) Successful in 25s Details Test / Sandbox (push) Successful in 40s Details Test / Hakurei (push) Successful in 45s Details Test / Sandbox (race detector) (push) Successful in 39s Details Test / Planterette (push) Successful in 1m41s Details Test / Hakurei (race detector) (push) Successful in 1m44s Details Test / Flake checks (push) Successful in 1m14s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 21:11:11 +09:00
Ophestra	aa454b158f	cmd/planterette: remove hsu special case All checks were successful Test / Hakurei (push) Successful in 42s Details Test / Create distribution (push) Successful in 25s Details Test / Sandbox (push) Successful in 40s Details Test / Hakurei (race detector) (push) Successful in 43s Details Test / Sandbox (race detector) (push) Successful in 38s Details Test / Planterette (push) Successful in 40s Details Test / Flake checks (push) Successful in 1m15s Details Remove special case and invoke hakurei out of process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 20:50:24 +09:00
Ophestra	7007bd6a1c	workflows: port release workflow to github All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m55s Details Test / Hakurei (push) Successful in 2m46s Details Test / Sandbox (race detector) (push) Successful in 3m6s Details Test / Fpkg (push) Successful in 3m31s Details Test / Hakurei (race detector) (push) Successful in 4m15s Details Test / Flake checks (push) Successful in 1m8s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 20:17:53 +09:00
Ophestra	00efc95ee7	workflows: port test workflow to github All checks were successful Test / Create distribution (push) Successful in 24s Details Test / Sandbox (push) Successful in 1m29s Details Test / Sandbox (race detector) (push) Successful in 2m54s Details Test / Fpkg (push) Successful in 3m10s Details Test / Hakurei (race detector) (push) Successful in 4m10s Details Test / Hakurei (push) Successful in 1m57s Details Test / Flake checks (push) Successful in 1m8s Details This is a much less useful port of the test workflow and runs much slower due to runner limitations. Still better than nothing though. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 19:37:45 +09:00
Ophestra	b380bb248c	release: 0.0.1 All checks were successful Release / Create release (push) Successful in 40s Details Test / Create distribution (push) Successful in 25s Details Test / Sandbox (push) Successful in 38s Details Test / Sandbox (race detector) (push) Successful in 38s Details Test / Hakurei (push) Successful in 42s Details Test / Hakurei (race detector) (push) Successful in 41s Details Test / Fpkg (push) Successful in 39s Details Test / Flake checks (push) Successful in 1m10s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 05:05:06 +09:00
Ophestra	87e008d56d	treewide: rename to hakurei All checks were successful Test / Create distribution (push) Successful in 43s Details Test / Sandbox (push) Successful in 2m18s Details Test / Hakurei (push) Successful in 3m10s Details Test / Sandbox (race detector) (push) Successful in 3m30s Details Test / Hakurei (race detector) (push) Successful in 4m43s Details Test / Fpkg (push) Successful in 5m4s Details Test / Flake checks (push) Successful in 1m12s Details Fortify makes little sense for a container tool. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 04:57:41 +09:00
Ophestra	3992073212	dist: move comp to dist All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 1m58s Details Test / Fortify (push) Successful in 2m49s Details Test / Sandbox (race detector) (push) Successful in 3m13s Details Test / Fpkg (push) Successful in 3m39s Details Test / Fortify (race detector) (push) Successful in 4m17s Details Test / Flake checks (push) Successful in 1m9s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-18 17:01:16 +09:00
Ophestra	ef80b19f2f	treewide: switch to clang-format All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m49s Details Test / Fortify (push) Successful in 2m44s Details Test / Sandbox (race detector) (push) Successful in 3m5s Details Test / Fpkg (push) Successful in 3m32s Details Test / Fortify (race detector) (push) Successful in 4m15s Details Test / Flake checks (push) Successful in 1m4s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-18 13:45:34 +09:00
Ophestra	717771ae80	app: share runtime dir All checks were successful Test / Create distribution (push) Successful in 24s Details Test / Sandbox (race detector) (push) Successful in 37s Details Test / Sandbox (push) Successful in 37s Details Test / Fortify (push) Successful in 40s Details Test / Fortify (race detector) (push) Successful in 40s Details Test / Fpkg (push) Successful in 38s Details Test / Flake checks (push) Successful in 1m5s Details This allows apps with the same identity to access the same runtime dir. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-08 03:24:48 +09:00
Ophestra	bf5772bd8a	nix: deduplicate home-manager merging All checks were successful Test / Create distribution (push) Successful in 44s Details Test / Sandbox (push) Successful in 55s Details Test / Sandbox (race detector) (push) Successful in 53s Details Test / Fortify (race detector) (push) Successful in 50s Details Test / Fpkg (push) Successful in 54s Details Test / Fortify (push) Successful in 2m8s Details Test / Flake checks (push) Successful in 1m7s Details This becomes a problem when extraHomeConfig defines nixos module options. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-08 01:12:18 +09:00
Ophestra	9a7c81a44e	nix: go generate in src derivation All checks were successful Test / Sandbox (push) Successful in 40s Details Test / Fortify (race detector) (push) Successful in 49s Details Test / Fortify (push) Successful in 50s Details Test / Create distribution (push) Successful in 24s Details Test / Sandbox (race detector) (push) Successful in 45s Details Test / Fpkg (push) Successful in 39s Details Test / Flake checks (push) Successful in 1m12s Details This saves the generated files in the nix store and exposes them for use by external tools. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-07 03:10:36 +09:00
Ophestra	b7e991de5b	nix: update flake lock All checks were successful Test / Create distribution (push) Successful in 51s Details Test / Sandbox (push) Successful in 15m56s Details Test / Sandbox (race detector) (push) Successful in 16m5s Details Test / Fpkg (push) Successful in 17m33s Details Test / Fortify (race detector) (push) Successful in 2m28s Details Test / Fortify (push) Successful in 40s Details Test / Flake checks (push) Successful in 2m58s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-05 04:05:39 +09:00
Ophestra	6c1205106d	release: 0.4.1 All checks were successful Release / Create release (push) Successful in 59s Details Test / Sandbox (push) Successful in 1m2s Details Test / Sandbox (race detector) (push) Successful in 5m25s Details Test / Create distribution (push) Successful in 28s Details Test / Fpkg (push) Successful in 8m35s Details Test / Fortify (push) Successful in 8m57s Details Test / Fortify (race detector) (push) Successful in 10m5s Details Test / Flake checks (push) Successful in 1m45s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-05-26 02:55:19 +09:00
Ophestra	2ffca6984a	nix: use reverse-DNS style id as unique identifier All checks were successful Test / Create distribution (push) Successful in 19s Details Test / Sandbox (push) Successful in 31s Details Test / Fortify (push) Successful in 35s Details Test / Sandbox (race detector) (push) Successful in 31s Details Test / Fortify (race detector) (push) Successful in 35s Details Test / Fpkg (push) Successful in 33s Details Test / Flake checks (push) Successful in 1m7s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-05-25 20:12:30 +09:00
Ophestra	dde2516304	dbus: handle bizarre dbus proxy behaviour All checks were successful Test / Create distribution (push) Successful in 28s Details Test / Sandbox (push) Successful in 1m53s Details Test / Fortify (push) Successful in 2m44s Details Test / Sandbox (race detector) (push) Successful in 3m2s Details Test / Fpkg (push) Successful in 3m36s Details Test / Fortify (race detector) (push) Successful in 4m16s Details Test / Flake checks (push) Successful in 1m17s Details There is a strange behaviour in xdg-dbus-proxy where if any interface string when stripped of a single ".*" suffix does not contain a '.' byte anywhere, the program will exit with code 1 without any output. This checks for such conditions to make the failure less confusing. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-05-25 19:50:06 +09:00
Ophestra	f30a439bcd	nix: improve common usability All checks were successful Test / Create distribution (push) Successful in 19s Details Test / Sandbox (push) Successful in 31s Details Test / Fortify (push) Successful in 35s Details Test / Sandbox (race detector) (push) Successful in 31s Details Test / Fortify (race detector) (push) Successful in 35s Details Test / Fpkg (push) Successful in 33s Details Test / Flake checks (push) Successful in 1m7s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-05-16 04:40:12 +09:00
Ophestra	008e9e7fc5	nix: update flake lock All checks were successful Test / Create distribution (push) Successful in 28s Details Test / Fortify (push) Successful in 38s Details Test / Fortify (race detector) (push) Successful in 37s Details Test / Fpkg (push) Successful in 35s Details Test / Sandbox (push) Successful in 1m18s Details Test / Sandbox (race detector) (push) Successful in 1m27s Details Test / Flake checks (push) Successful in 2m47s Details	2025-05-07 21:35:37 +09:00
Ophestra	23aefcd759	fortify: update help strings All checks were successful Test / Create distribution (push) Successful in 30s Details Test / Sandbox (push) Successful in 1m58s Details Test / Sandbox (race detector) (push) Successful in 3m11s Details Test / Fpkg (push) Successful in 4m24s Details Test / Fortify (race detector) (push) Successful in 4m58s Details Test / Fortify (push) Successful in 3m44s Details Test / Flake checks (push) Successful in 1m34s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-05-07 19:06:36 +09:00
Ophestra	cb8b886446	nix: update flake lock All checks were successful Test / Create distribution (push) Successful in 1m28s Details Test / Fortify (push) Successful in 49m23s Details Test / Fortify (race detector) (push) Successful in 49m56s Details Test / Fpkg (push) Successful in 50m14s Details Test / Sandbox (push) Successful in 1m18s Details Test / Sandbox (race detector) (push) Successful in 1m20s Details Test / Flake checks (push) Successful in 3m0s Details	2025-04-22 22:23:21 +09:00
Ophestra	5979d8b1e0	dbus: clean up wrapper implementation All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 1m50s Details Test / Fortify (push) Successful in 2m49s Details Test / Sandbox (race detector) (push) Successful in 3m4s Details Test / Fpkg (push) Successful in 3m35s Details Test / Fortify (race detector) (push) Successful in 4m13s Details Test / Flake checks (push) Successful in 1m3s Details The dbus proxy wrapper haven't been updated much ever since the helper interface was introduced. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-16 23:35:17 +09:00
Ophestra	e587112e63	test: check xdg-dbus-proxy termination All checks were successful Test / Sandbox (race detector) (push) Successful in 31s Details Test / Sandbox (push) Successful in 33s Details Test / Create distribution (push) Successful in 28s Details Test / Fpkg (push) Successful in 35s Details Test / Fortify (push) Successful in 2m9s Details Test / Fortify (race detector) (push) Successful in 2m37s Details Test / Flake checks (push) Successful in 1m2s Details This process runs outside the application container's pid namespace, so it is a good idea to check whether its lifecycle becomes decoupled from the application. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-15 20:45:31 +09:00
Ophestra	d6cf736abf	release: 0.4.0 All checks were successful Release / Create release (push) Successful in 54s Details Test / Sandbox (push) Successful in 47s Details Test / Sandbox (race detector) (push) Successful in 4m44s Details Test / Create distribution (push) Successful in 20s Details Test / Fortify (race detector) (push) Successful in 6m42s Details Test / Fpkg (push) Successful in 2m18s Details Test / Fortify (push) Successful in 5m18s Details Test / Flake checks (push) Successful in 2m42s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-13 11:10:45 +09:00
Ophestra	15011c4173	app/instance/common: optimise ops allocation All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m55s Details Test / Fortify (push) Successful in 2m46s Details Test / Sandbox (race detector) (push) Successful in 3m10s Details Test / Fpkg (push) Successful in 3m52s Details Test / Fortify (race detector) (push) Successful in 4m23s Details Test / Flake checks (push) Successful in 1m2s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-13 03:49:07 +09:00
Ophestra	31b7ddd122	fst: improve config All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m50s Details Test / Fortify (push) Successful in 2m46s Details Test / Sandbox (race detector) (push) Successful in 2m59s Details Test / Fortify (race detector) (push) Successful in 4m23s Details Test / Fpkg (push) Successful in 5m25s Details Test / Flake checks (push) Successful in 1m1s Details The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-13 03:30:19 +09:00
Ophestra	c460892cbd	fst: check template All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m51s Details Test / Fortify (push) Successful in 2m39s Details Test / Sandbox (race detector) (push) Successful in 3m7s Details Test / Fpkg (push) Successful in 3m36s Details Test / Fortify (race detector) (push) Successful in 4m14s Details Test / Flake checks (push) Successful in 1m6s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-12 18:00:25 +09:00
Ophestra	6309469e93	app/instance: wrap internal implementation All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m44s Details Test / Fortify (push) Successful in 2m37s Details Test / Sandbox (race detector) (push) Successful in 2m59s Details Test / Fpkg (push) Successful in 3m34s Details Test / Fortify (race detector) (push) Successful in 4m6s Details Test / Flake checks (push) Successful in 59s Details This reduces the scope of the fst package, which was growing questionably large. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-12 13:56:41 +09:00
Ophestra	0d7c1a9a43	app: rename app implementation package All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m48s Details Test / Fortify (push) Successful in 2m36s Details Test / Sandbox (race detector) (push) Successful in 2m52s Details Test / Fpkg (push) Successful in 3m32s Details Test / Fortify (race detector) (push) Successful in 4m9s Details Test / Flake checks (push) Successful in 1m4s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-12 10:54:24 +09:00
Ophestra	ae6f5ede19	fst: mount passthrough /dev writable All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m50s Details Test / Fortify (push) Successful in 2m39s Details Test / Sandbox (race detector) (push) Successful in 3m1s Details Test / Fpkg (push) Successful in 3m30s Details Test / Fortify (race detector) (push) Successful in 4m13s Details Test / Flake checks (push) Successful in 59s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-11 20:01:54 +09:00
Ophestra	807d511c8b	test/sandbox: check device outcome All checks were successful Test / Fortify (push) Successful in 35s Details Test / Create distribution (push) Successful in 26s Details Test / Fortify (race detector) (push) Successful in 35s Details Test / Fpkg (push) Successful in 34s Details Test / Sandbox (push) Successful in 1m22s Details Test / Sandbox (race detector) (push) Successful in 1m41s Details Test / Flake checks (push) Successful in 1m5s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-11 19:55:16 +09:00
Ophestra	2f4f21fb18	fst: rename device field All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m46s Details Test / Fortify (push) Successful in 2m39s Details Test / Sandbox (race detector) (push) Successful in 3m1s Details Test / Fpkg (push) Successful in 3m38s Details Test / Fortify (race detector) (push) Successful in 4m10s Details Test / Flake checks (push) Successful in 1m5s Details Dev is very ambiguous. Rename it here alongside upcoming config changes. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-11 19:32:15 +09:00
Ophestra	9967909460	sandbox: relative autoetc links All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m44s Details Test / Fortify (push) Successful in 2m41s Details Test / Sandbox (race detector) (push) Successful in 2m48s Details Test / Fpkg (push) Successful in 3m35s Details Test / Fortify (race detector) (push) Successful in 4m13s Details Test / Flake checks (push) Successful in 1m3s Details This allows nested containers to use autoetc, and increases compatibility with other implementations. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-11 18:54:00 +09:00
Ophestra	c806f43881	sandbox: implement autoetc as setup op All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 1m48s Details Test / Fortify (push) Successful in 2m42s Details Test / Sandbox (race detector) (push) Successful in 2m51s Details Test / Fpkg (push) Successful in 3m37s Details Test / Fortify (race detector) (push) Successful in 4m9s Details Test / Flake checks (push) Successful in 1m4s Details This significantly reduces setup op count and the readdir call now happens in the context of the init process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-10 18:54:25 +09:00
Ophestra	584405f7cc	sandbox/seccomp: rename flag type and constants All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 1m38s Details Test / Fortify (push) Successful in 2m39s Details Test / Sandbox (race detector) (push) Successful in 2m55s Details Test / Fpkg (push) Successful in 3m26s Details Test / Fortify (race detector) (push) Successful in 4m5s Details Test / Flake checks (push) Successful in 56s Details The names are ambiguous. Rename them to make more sense. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-08 01:59:45 +09:00
Ophestra	50127ed5f9	fortify: print synthesised id in ps All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m48s Details Test / Fortify (push) Successful in 2m42s Details Test / Sandbox (race detector) (push) Successful in 2m53s Details Test / Fpkg (push) Successful in 3m30s Details Test / Fortify (race detector) (push) Successful in 4m7s Details Test / Flake checks (push) Successful in 1m2s Details This is not the full synthesised id so it does not get too long. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-07 21:55:07 +09:00
Ophestra	b5eff27c40	fortify: check fst id string length All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 1m44s Details Test / Fortify (push) Successful in 2m42s Details Test / Sandbox (race detector) (push) Successful in 2m49s Details Test / Fpkg (push) Successful in 3m25s Details Test / Fortify (race detector) (push) Successful in 4m9s Details Test / Flake checks (push) Successful in 1m3s Details This should never be a problem, however in case it happens printing a warning message is better than relying on the runtime to panic. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-07 21:39:46 +09:00
Ophestra	74ba183256	app: install seccomp filter to shim All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 1m57s Details Test / Fortify (push) Successful in 2m53s Details Test / Sandbox (race detector) (push) Successful in 3m5s Details Test / Fpkg (push) Successful in 3m51s Details Test / Fortify (race detector) (push) Successful in 4m19s Details Test / Flake checks (push) Successful in 1m5s Details This does not necessarily reduce attack surface but does not affect functionality or introduce any side effects, so is nice to have. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-07 04:13:08 +09:00
Ophestra	f885dede9b	sandbox/seccomp: unexport println wrapper All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 1m45s Details Test / Fortify (push) Successful in 2m40s Details Test / Sandbox (race detector) (push) Successful in 2m52s Details Test / Fpkg (push) Successful in 3m25s Details Test / Fortify (race detector) (push) Successful in 4m10s Details Test / Flake checks (push) Successful in 1m6s Details This is an implementation detail that was exported for the bwrap argument builder. The removal of that package allows it to be unexported. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-07 04:07:20 +09:00
Ophestra	e9a7cd526f	app: improve shim process management All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 1m45s Details Test / Fortify (push) Successful in 2m36s Details Test / Sandbox (race detector) (push) Successful in 2m49s Details Test / Fpkg (push) Successful in 3m33s Details Test / Fortify (race detector) (push) Successful in 4m13s Details Test / Flake checks (push) Successful in 1m6s Details This ensures a signal gets delivered to the process instead of relying on parent death behaviour. SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials. A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-07 03:55:17 +09:00
Ophestra	12be7bc78e	release: 0.3.3 All checks were successful Release / Create release (push) Successful in 34s Details Test / Create distribution (push) Successful in 19s Details Test / Sandbox (push) Successful in 30s Details Test / Sandbox (race detector) (push) Successful in 29s Details Test / Fortify (push) Successful in 35s Details Test / Fortify (race detector) (push) Successful in 35s Details Test / Fpkg (push) Successful in 33s Details Test / Flake checks (push) Successful in 1m0s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-01 01:42:10 +09:00
Ophestra	0ba8be659f	sandbox: document less obvious parts of setup All checks were successful Test / Create distribution (push) Successful in 29s Details Test / Sandbox (push) Successful in 2m8s Details Test / Fortify (push) Successful in 3m3s Details Test / Sandbox (race detector) (push) Successful in 3m9s Details Test / Fpkg (push) Successful in 4m22s Details Test / Fortify (race detector) (push) Successful in 4m37s Details Test / Flake checks (push) Successful in 1m19s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-01 01:21:04 +09:00
Ophestra	022242a84a	app: wayland socket in process share All checks were successful Test / Create distribution (push) Successful in 29s Details Test / Sandbox (push) Successful in 1m9s Details Test / Fortify (push) Successful in 2m16s Details Test / Sandbox (race detector) (push) Successful in 3m8s Details Test / Fpkg (push) Successful in 3m35s Details Test / Fortify (race detector) (push) Successful in 4m32s Details Test / Flake checks (push) Successful in 1m24s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-01 00:53:04 +09:00
Ophestra	8aeb06f53c	app: share path setup on demand All checks were successful Test / Create distribution (push) Successful in 28s Details Test / Sandbox (race detector) (push) Successful in 34s Details Test / Sandbox (push) Successful in 34s Details Test / Fpkg (push) Successful in 39s Details Test / Fortify (push) Successful in 2m16s Details Test / Fortify (race detector) (push) Successful in 2m58s Details Test / Flake checks (push) Successful in 1m33s Details This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-04-01 00:47:32 +09:00
Ophestra	4036da3b5c	fst: optional configured shell path All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Sandbox (push) Successful in 1m45s Details Test / Fortify (push) Successful in 2m28s Details Test / Sandbox (race detector) (push) Successful in 2m45s Details Test / Fpkg (push) Successful in 3m32s Details Test / Fortify (race detector) (push) Successful in 4m5s Details Test / Flake checks (push) Successful in 1m2s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-31 21:27:31 +09:00

... 3 4 5 6 7 ...

962 Commits