

No commits in common. "43c3f9d8d590e696e61f32696b99727d4f97a8a1" and "6c1205106d7ac9702464e274502303d2b6df1dc3" have entirely different histories.

17 changed files with 55 additions and 124 deletions


@ -10,7 +10,7 @@ buildGoModule {
src = ./.; src = ./.;
inherit (fortify) vendorHash; inherit (fortify) vendorHash;
env.CGO_ENABLED = 0; CGO_ENABLED = 0;
preBuild = '' preBuild = ''
go mod init fsu >& /dev/null go mod init fsu >& /dev/null


@ -90,9 +90,9 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
t.Run("invalid start", func(t *testing.T) { t.Run("invalid start", func(t *testing.T) {
if !useSandbox { if !useSandbox {
p = dbus.NewDirect(t.Context(), nil, nil) p = dbus.NewDirect(context.TODO(), nil, nil)
} else { } else {
p = dbus.New(t.Context(), nil, nil) p = dbus.New(context.TODO(), nil, nil)
} }
if err := p.Start(); !errors.Is(err, syscall.ENOTRECOVERABLE) { if err := p.Start(); !errors.Is(err, syscall.ENOTRECOVERABLE) {
@ -120,7 +120,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
} }
}) })
ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second) ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
defer cancel() defer cancel()
if !useSandbox { if !useSandbox {
p = dbus.NewDirect(ctx, final, nil) p = dbus.NewDirect(ctx, final, nil)
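Review bot: The new-side `dbus.NewDirect(context.TODO(), nil, nil)` and `dbus.New(context.TODO(), nil, nil)` calls in the "invalid start" subtest (and the `context.WithTimeout(context.TODO(), ...)` below them) hand the proxy a context that is never cancelled and that, by its own documented contract, marks a call site whose context is still undecided; the helper cmd, helper container, testHelper and sandbox TestContainer hunks in this same compare use `context.Background()` for the identical purpose, so the choice is inconsistent across the change. If the motivation is an older toolchain (this presumably reverts `t.Context()`, which needs Go 1.24), use `context.Background()` everywhere and leave one comment at the first site, e.g. `// context.Background(): t.Context() requires Go 1.24`, so the next reader does not flip it back. If the toolchain is 1.24+, keeping `t.Context()` is preferable because it is cancelled when the subtest ends, so a proxy left behind by a failed `Start` cannot outlive the test. testProxyFinaliseStartWaitCloseString starts and ends outside the hunk.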

flake.lock generated

@ -7,32 +7,32 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748665073, "lastModified": 1746171682,
"narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=", "narHash": "sha256-EyXUNSa+H+YvGVuQJP1nZskXAowxKYp79RNUsNdQTj4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "282e1e029cb6ab4811114fc85110613d72771dea", "rev": "50eee705bbdbac942074a8c120e8194185633675",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.05", "ref": "release-24.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1749024892, "lastModified": 1746557022,
"narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=", "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef", "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.05", "ref": "nixos-24.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }


@ -2,10 +2,10 @@
description = "fortify sandbox tool and nixos module"; description = "fortify sandbox tool and nixos module";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-25.05"; url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };


@ -13,7 +13,7 @@ import (
func TestCmd(t *testing.T) { func TestCmd(t *testing.T) {
t.Run("start non-existent helper path", func(t *testing.T) { t.Run("start non-existent helper path", func(t *testing.T) {
h := helper.NewDirect(t.Context(), "/proc/nonexistent", argsWt, false, argF, nil, nil) h := helper.NewDirect(context.Background(), "/proc/nonexistent", argsWt, false, argF, nil, nil)
if err := h.Start(); !errors.Is(err, os.ErrNotExist) { if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
t.Errorf("Start: error = %v, wantErr %v", t.Errorf("Start: error = %v, wantErr %v",
@ -22,7 +22,7 @@ func TestCmd(t *testing.T) {
}) })
t.Run("valid new helper nil check", func(t *testing.T) { t.Run("valid new helper nil check", func(t *testing.T) {
if got := helper.NewDirect(t.Context(), "fortify", argsWt, false, argF, nil, nil); got == nil { if got := helper.NewDirect(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
t.Errorf("NewDirect(%q, %q) got nil", t.Errorf("NewDirect(%q, %q) got nil",
argsWt, "fortify") argsWt, "fortify")
return return


@ -15,7 +15,7 @@ import (
func TestContainer(t *testing.T) { func TestContainer(t *testing.T) {
t.Run("start empty container", func(t *testing.T) { t.Run("start empty container", func(t *testing.T) {
h := helper.New(t.Context(), "/nonexistent", argsWt, false, argF, nil, nil) h := helper.New(context.Background(), "/nonexistent", argsWt, false, argF, nil, nil)
wantErr := "sandbox: starting an empty container" wantErr := "sandbox: starting an empty container"
if err := h.Start(); err == nil || err.Error() != wantErr { if err := h.Start(); err == nil || err.Error() != wantErr {
@ -25,7 +25,7 @@ func TestContainer(t *testing.T) {
}) })
t.Run("valid new helper nil check", func(t *testing.T) { t.Run("valid new helper nil check", func(t *testing.T) {
if got := helper.New(t.Context(), "fortify", argsWt, false, argF, nil, nil); got == nil { if got := helper.New(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
t.Errorf("New(%q, %q) got nil", t.Errorf("New(%q, %q) got nil",
argsWt, "fortify") argsWt, "fortify")
return return


@ -55,7 +55,7 @@ func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput f
t.Cleanup(func() { helper.WaitDelay = oldWaitDelay }) t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })
t.Run("start helper with status channel and wait", func(t *testing.T) { t.Run("start helper with status channel and wait", func(t *testing.T) {
ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
stdout := new(strings.Builder) stdout := new(strings.Builder)
h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, true) h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, true)
@ -109,7 +109,7 @@ func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput f
}) })
t.Run("start helper and wait", func(t *testing.T) { t.Run("start helper and wait", func(t *testing.T) {
ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel() defer cancel()
stdout := new(strings.Builder) stdout := new(strings.Builder)
h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, false) h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, false)


@ -9,7 +9,6 @@ packages:
let let
inherit (lib) inherit (lib)
lists lists
attrsets
mkMerge mkMerge
mkIf mkIf
mapAttrs mapAttrs
@ -239,22 +238,15 @@ in
++ foldlAttrs ( ++ foldlAttrs (
acc': _: app: acc': _: app:
acc' acc'
++ ( ++ [
let {
key = getsubname fid app.identity; ${getsubname fid app.identity} = mkMerge [
in cfg.extraHomeConfig
[ app.extraConfig
{ { home.packages = app.packages; }
${key} = mkMerge ( ];
[ }
cfg.extraHomeConfig ]
{ home.packages = app.packages; }
]
++ (if (attrsets.hasAttrByPath [ key ] acc) then (if !app.shareUid then throw "unexpected username collision" else [ ]) else [ app.extraConfig ])
);
}
]
)
) [ { ${getsubname fid 0} = cfg.extraHomeConfig; } ] cfg.apps ) [ { ${getsubname fid 0} = cfg.extraHomeConfig; } ] cfg.apps
) [ privPackages ] cfg.users ) [ privPackages ] cfg.users
); );
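Review bot: The new-side fold over `cfg.apps` appends `${getsubname fid app.identity} = mkMerge [ cfg.extraHomeConfig app.extraConfig { home.packages = app.packages; } ]` for every app with no check that the resulting user name is unique, whereas the other side refused a second app with the same identity (`throw "unexpected username collision"`) unless `shareUid` was set, and merged `cfg.extraHomeConfig` only once per name. If two apps now resolve to the same name the duplicate keys are presumably merged further down, so `cfg.extraHomeConfig` is merged into that user twice; anything in it that declares an option (the `options._fortify.noop` case the test configuration used to exercise) would then fail with a duplicate declaration far from the app that caused it — hedged, since how the accumulators are combined is outside the hunk. Either re-introduce a `hasAttr` check on the accumulator before appending, as the other side did, or add a comment at the fold stating that identities are required to be unique per user and where that is enforced. The surrounding `let … in` and the outer fold over `cfg.users` start and end outside the hunk.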


@ -33,34 +33,13 @@ buildGoModule rec {
pname = "fortify"; pname = "fortify";
version = "0.4.1"; version = "0.4.1";
srcFiltered = builtins.path { src = builtins.path {
name = "${pname}-src"; name = "${pname}-src";
path = lib.cleanSource ./.; path = lib.cleanSource ./.;
filter = path: type: !(type == "regular" && (lib.hasSuffix ".nix" path || lib.hasSuffix ".py" path)) && !(type == "directory" && lib.hasSuffix "/test" path) && !(type == "directory" && lib.hasSuffix "/cmd/fsu" path); filter = path: type: !(type == "regular" && (lib.hasSuffix ".nix" path || lib.hasSuffix ".py" path)) && !(type == "directory" && lib.hasSuffix "/test" path) && !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
}; };
vendorHash = null; vendorHash = null;
src = stdenv.mkDerivation {
name = "${pname}-src-full";
inherit version;
enableParallelBuilding = true;
src = srcFiltered;
buildInputs = [
wayland
wayland-protocols
];
nativeBuildInputs = [
go
pkg-config
wayland-scanner
];
buildPhase = "GOCACHE=$(mktemp -d) go generate ./...";
installPhase = "cp -r . $out";
};
ldflags = ldflags =
lib.attrsets.foldlAttrs lib.attrsets.foldlAttrs
( (
@ -88,6 +67,7 @@ buildGoModule rec {
libseccomp libseccomp
acl acl
wayland wayland
wayland-protocols
] ]
++ (with xorg; [ ++ (with xorg; [
libxcb libxcb
@ -97,9 +77,14 @@ buildGoModule rec {
nativeBuildInputs = [ nativeBuildInputs = [
pkg-config pkg-config
wayland-scanner
makeBinaryWrapper makeBinaryWrapper
]; ];
preBuild = ''
HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./...
'';
postInstall = postInstall =
let let
appPackages = [ appPackages = [
@ -135,10 +120,6 @@ buildGoModule rec {
gcc gcc
xorg.xorgproto xorg.xorgproto
util-linux util-linux
# for go generate
wayland-protocols
wayland-scanner
] ]
++ buildInputs ++ buildInputs
++ nativeBuildInputs; ++ nativeBuildInputs;
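Review bot: The new-side `preBuild` prefixes `PATH="${pkg-config}/bin:$PATH"`, but `pkg-config` is already listed in `nativeBuildInputs` a few lines above and is therefore on `PATH` in every phase, so the prefix adds nothing and hides the dependency from the usual setup-hook ordering; `preBuild = '' HOME="$(mktemp -d)" go generate ./... '';` should suffice, and the `HOME` override deserves a one-line comment naming the generator that needs a writable home (it presumably stands in for the old `GOCACHE` override, which buildGoModule already provides). Moving generation out of the `src` derivation also means `fortify.src` no longer contains the generated files, which is why the VM test wrapper elsewhere in this compare must run `go generate ./...` before `go test`; the tested tree is then generated by the FHS environment's toolchain rather than by the one that built the package, and that trade-off is worth a comment next to `src`. `buildGoModule rec { … }` starts and ends outside the hunk.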


@ -70,7 +70,7 @@ func TestContainer(t *testing.T) {
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel() defer cancel()
container := sandbox.New(ctx, "/usr/bin/sandbox.test", "-test.v", container := sandbox.New(ctx, "/usr/bin/sandbox.test", "-test.v",
@ -162,7 +162,7 @@ func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoE
} }
func TestContainerString(t *testing.T) { func TestContainerString(t *testing.T) {
container := sandbox.New(t.Context(), "ldd", "/usr/bin/env") container := sandbox.New(context.TODO(), "ldd", "/usr/bin/env")
container.Flags |= sandbox.FAllowDevel container.Flags |= sandbox.FAllowDevel
container.Seccomp |= seccomp.FilterMultiarch container.Seccomp |= seccomp.FilterMultiarch
want := `argv: ["ldd" "/usr/bin/env"], flags: 0x2, seccomp: 0x2e` want := `argv: ["ldd" "/usr/bin/env"], flags: 0x2, seccomp: 0x2e`


@ -96,19 +96,13 @@
users.alice = 0; users.alice = 0;
extraHomeConfig = { extraHomeConfig = {
# To test merge deduplication: home.stateVersion = "23.05";
options._fortify.noop = lib.mkEnableOption "nothing";
config = {
home.stateVersion = "23.05";
};
}; };
apps = { apps = {
"cat.gensokyo.extern.foot.noEnablements" = { "cat.gensokyo.extern.foot.noEnablements" = {
name = "ne-foot"; name = "ne-foot";
identity = 1; identity = 1;
shareUid = true;
verbose = true; verbose = true;
share = pkgs.foot; share = pkgs.foot;
packages = with pkgs; [ packages = with pkgs; [
@ -136,8 +130,7 @@
"cat.gensokyo.extern.Alacritty.x11" = { "cat.gensokyo.extern.Alacritty.x11" = {
name = "x11-alacritty"; name = "x11-alacritty";
identity = 1; identity = 3;
shareUid = true;
verbose = true; verbose = true;
share = pkgs.alacritty; share = pkgs.alacritty;
packages = with pkgs; [ packages = with pkgs; [


@ -31,13 +31,14 @@ nixosTest {
{ {
environment.systemPackages = [ environment.systemPackages = [
# For go tests: # For go tests:
(writeShellScriptBin "fortify-test" '' (writeShellScriptBin "fortify-go-test" ''
cd ${self.packages.${system}.fortify.src} set -e
WORK="$(mktemp -ud)"
cp -r "${self.packages.${system}.fortify.src}" "$WORK"
chmod -R +w "$WORK"
cd "$WORK"
${fhs}/bin/fortify-fhs -c \ ${fhs}/bin/fortify-fhs -c \
'go test ${if withRace then "-race" else "-count 16"} ./...' \ 'go generate ./... && go test ${if withRace then "-race" else "-count 16"} ./... && touch /tmp/go-test-ok'
&> /tmp/fortify-test.log && \
touch /tmp/fortify-test-ok
touch /tmp/fortify-test-done
'') '')
]; ];
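Review bot: `WORK="$(mktemp -ud)"` only prints a name without creating it (`-u` is the dry-run flag), so the following `cp -r "${self.packages.${system}.fortify.src}" "$WORK"` is what creates the directory; between the two steps the path is predictable and unowned, and because the driver runs this wrapper as the `untrusted` user, a directory that already exists under that name would make `cp -r` copy the source tree into it instead of onto it, silently changing what `go test` runs against. Create the directory atomically and copy the contents: `WORK="$(mktemp -d)"` followed by `cp -r "${self.packages.${system}.fortify.src}/." "$WORK"`; `chmod -R +w "$WORK"` then stays as is. The `set -e` is a good addition, but note that it makes a failing `cp` or `chmod` exit without leaving any marker for the driver. The enclosing `nixosTest { … }` starts and ends outside the hunk.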


@ -35,7 +35,6 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -149,15 +148,7 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {


@ -59,7 +59,6 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -173,15 +172,7 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {


@ -59,7 +59,6 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -173,15 +172,7 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {


@ -60,7 +60,6 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -174,15 +173,7 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {


@ -80,6 +80,9 @@ def fortify(command):
start_all() start_all()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
# Run fortify Go tests outside of nix build in the background:
machine.succeed("sudo -u untrusted -i fortify-go-test &> /tmp/go-test &")
# To check fortify's version: # To check fortify's version:
print(machine.succeed("sudo -u alice -i fortify version")) print(machine.succeed("sudo -u alice -i fortify version"))
@ -87,9 +90,6 @@ print(machine.succeed("sudo -u alice -i fortify version"))
machine.wait_for_file("/run/user/1000/wayland-1") machine.wait_for_file("/run/user/1000/wayland-1")
machine.wait_for_file("/tmp/sway-ipc.sock") machine.wait_for_file("/tmp/sway-ipc.sock")
# Run fortify Go tests outside of nix build in the background:
swaymsg("exec fortify-test")
# Deny unmapped uid: # Deny unmapped uid:
denyOutput = machine.fail("sudo -u untrusted -i fortify run &>/dev/stdout") denyOutput = machine.fail("sudo -u untrusted -i fortify run &>/dev/stdout")
print(denyOutput) print(denyOutput)
@ -206,9 +206,9 @@ machine.wait_until_fails("pgrep foot", timeout=5)
# Test XWayland (foot does not support X): # Test XWayland (foot does not support X):
swaymsg("exec x11-alacritty") swaymsg("exec x11-alacritty")
wait_for_window(f"u0_a{aid(0)}@machine") wait_for_window(f"u0_a{aid(2)}@machine")
machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n") machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n")
machine.wait_for_file(tmpdir_path(0, "x11-ok"), timeout=15) machine.wait_for_file(tmpdir_path(2, "x11-ok"), timeout=15)
collect_state_ui("alacritty_x11") collect_state_ui("alacritty_x11")
check_state("x11-alacritty", 2) check_state("x11-alacritty", 2)
machine.send_chars("exit\n") machine.send_chars("exit\n")
@ -255,6 +255,6 @@ machine.wait_for_file("/tmp/sway-exit-ok")
print(machine.succeed("find /run/user/1000/fortify")) print(machine.succeed("find /run/user/1000/fortify"))
# Verify go test status: # Verify go test status:
machine.wait_for_file("/tmp/fortify-test-done") machine.wait_for_file("/tmp/go-test", timeout=5)
print(machine.succeed("cat /tmp/fortify-test.log")) print(machine.succeed("cat /tmp/go-test"))
machine.wait_for_file("/tmp/fortify-test-ok", timeout=2) machine.wait_for_file("/tmp/go-test-ok", timeout=5)
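Review bot: `machine.wait_for_file("/tmp/go-test", timeout=5)` no longer waits for the Go tests to finish: the redirect in the new-side `machine.succeed("sudo -u untrusted -i fortify-go-test &> /tmp/go-test &")` creates that file the moment the background job starts, so the wait returns at once and the following `cat` may print a partial log. Completion is then inferred only from `machine.wait_for_file("/tmp/go-test-ok", timeout=5)`, which gives a `go test -count 16 ./...` that is still running five seconds to finish and reports that timeout in the same way as a genuine failure; the removed `fortify-test-done` marker existed precisely to separate "finished" from "passed". Have the wrapper touch an unconditional done marker on exit and wait on that without the short timeout, e.g. `machine.wait_for_file("/tmp/go-test-done")`, then `print(machine.succeed("cat /tmp/go-test"))`, then `machine.wait_for_file("/tmp/go-test-ok", timeout=2)`. Both status files are fixed names under `/tmp` written by the `untrusted` user and read by the driver as root, which is fine inside a throwaway VM but deserves a comment so the pattern is not copied to a shared host. The test script continues outside the hunk.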