Commit Graph

28 Commits

Author SHA1 Message Date
Ophestra Umiker 08ce7f4a1f
cmd/fuserdb: systemd userdb drop-in entries generator
test / test (push) Successful in 21s Details
This provides user records via nss-systemd. Static drop-in entries are generated to reduce complexity and attack surface.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 02:03:18 +09:00
Ophestra Umiker df33123bd7
app: integrate fsu
test / test (push) Successful in 21s Details
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-16 21:19:45 +09:00
Ophestra Umiker 3962705126
nix: keep fshim and finit names
test / test (push) Successful in 22s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 14:59:28 +09:00
Ophestra Umiker f831948bca
release: 0.1.0
release / release (push) Successful in 28s Details
test / test (push) Successful in 21s Details
This release significantly changes the command line interface, and updates the NixOS module to finally produce meaningful sandbox configuration.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 04:37:43 +09:00
Ophestra Umiker cfd05b10f1
release: 0.0.11
release / release (push) Successful in 28s Details
test / test (push) Successful in 19s Details
This will be the final release before major command line interface changes. This version is tagged as it contains many fixes that still impacts the permissive defaults usage pattern.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 13:46:47 +09:00
Ophestra Umiker 88abcbe0b2
cmd/fsu: remove import of internal package
test / test (push) Successful in 24s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:32:14 +09:00
Ophestra Umiker 584732f80a
cmd: shim and init into separate binaries
test / test (push) Successful in 19s Details
This change also fixes a deadlock when shim fails to connect and complete the setup.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-02 03:13:57 +09:00
Ophestra Umiker 563c39c2d9
release: 0.0.10
release / release (push) Successful in 24s Details
test / test (push) Successful in 19s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 20:38:10 +09:00
Ophestra Umiker aa1f96eeeb
fsu: check parent executable path
test / test (push) Successful in 19s Details
Only allow main program to launch fsu. This change and further checks in the main program reduces attack surface.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 18:52:23 +09:00
Ophestra Umiker d9cb2a9f2b
fsu: implement simple setuid user switcher
Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 00:02:34 +09:00
Ophestra Umiker 6d8bcb63f2
release: 0.0.9
release / release (push) Successful in 27s Details
test / test (push) Successful in 22s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-27 01:25:24 +09:00
Ophestra Umiker 2f34627d37
release: 0.0.8
release / release (push) Successful in 31s Details
test / test (push) Successful in 20s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-27 00:49:50 +09:00
Ophestra Umiker 133f23e0de
release: 0.0.7
release / release (push) Successful in 21s Details
test / test (push) Successful in 11s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 19:50:59 +09:00
Ophestra Umiker ecce832d93
release: 0.0.6
release / release (push) Successful in 1m46s Details
test / test (push) Successful in 1m39s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-18 01:26:42 +09:00
Ophestra Umiker 4ebb98649e
release: 0.0.5
release / release (push) Successful in 1m26s Details
test / test (push) Successful in 3m6s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 20:48:41 +09:00
Ophestra Umiker 689f5bed57
release: 0.0.4
release / release (push) Successful in 1m32s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:56:49 +09:00
Ophestra Umiker 41a7eb567e
release: 0.0.3
release / release (push) Successful in 2m38s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:31:11 +09:00
Ophestra Umiker f4c44a9441
release: 0.0.2
release / release (push) Successful in 2m15s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 00:13:06 +09:00
Ophestra Umiker 22dfa73efe
release: 0.0.1
release / release (push) Successful in 1m51s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-09 20:48:38 +09:00
Ophestra Umiker 996bf67ac2
release: 0.0.0-beta.5
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-28 00:25:16 +09:00
Ophestra Umiker a75229991c
nix: make bubblewrap available in PATH
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-23 18:21:12 +09:00
Ophestra Umiker 9a9fcdb9ec
release: 0.0.0-beta.4
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-22 01:18:47 +09:00
Ophestra Umiker 2763ec730e
release: 0.0.0-beta.3
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-17 23:17:39 +09:00
Ophestra Umiker 6a6f62efa6
release: 0.0.0-beta.2
This project started as a Go implementation of https://github.com/intgr/ego. That is clearly no longer what it is anymore and the tagged releases no longer made sense, so we're going back to v0.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-16 20:41:02 +09:00
Ophestra Umiker c1bfe2cd74
release: 1.1.0
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 05:14:53 +09:00
Ophestra Umiker cdc08817a7
nix: add xdg-dbus-proxy to PATH via wrapProgram
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 04:37:12 +09:00
Ophestra Umiker 58d3a1fbc7
release: 1.0.4
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 19:57:47 +09:00
Ophestra Umiker 945cce2f5e
nix: implement nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 17:03:21 +09:00