Ophestra Umiker
65af1684e3
migrate to git.ophivana.moe/security/fortify
test / test (push) Successful in 14s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 19:50:13 +09:00
Ophestra Umiker
cdda33555c
update README document
We have a highly configurable sandbox now, just not really the Android sandbox.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 00:24:50 +09:00
Ophestra Umiker
ad0034b09a
app: move app ID to app struct
App ID is inherent to App, and it makes no sense to generate it as part of the app sealing process.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-20 00:22:18 +09:00
Ophestra Umiker
1da845d78b
workflows: call apt-get without sudo
Workflow scripts run as root in act-runner containers, so calling sudo is redundant and pointless.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-18 22:56:49 +09:00
Ophestra Umiker
55bb348d5f
state: store launch method instead of launcher path
Launcher path is constant for each launch method on the same system.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-18 22:25:09 +09:00
Ophestra Umiker
ecce832d93
release: 0.0.6
release / release (push) Successful in 1m46s
test / test (push) Successful in 1m39s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-18 01:26:42 +09:00
Ophestra Umiker
65bd7d18db
app/share: fix order to ensure SharePath before any of its subdirectories
shareTmpdirChild happened to request an ephemeral dir within SharePath and was called before shareRuntime which ensures that path. This commit moves SharePath initialisation to shareSystem and moves shareTmpdirChild into ShareSystem. Further cleanup and tests are desperately needed for the app package but for now this fix will have to do.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-18 01:21:58 +09:00
Ophestra Umiker
4ebb98649e
release: 0.0.5
release / release (push) Successful in 1m26s
test / test (push) Successful in 3m6s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 20:48:41 +09:00
Ophestra Umiker
919e5b5cd5
init: start timeout only if reaped PID is the initial process
Fix a very obvious bug introduced in 5401882ed0.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 20:46:48 +09:00
Ophestra Umiker
40161c5938
nix: remove fortify package from default devShell
This change makes it possible to start a devShell when tests aren't passing.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 20:35:10 +09:00
Ophestra Umiker
679e719f9e
system: tests for all Op implementations except DBus
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 20:28:55 +09:00
Ophestra Umiker
064db9f020
system/mkdir: type label in String method
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 16:37:23 +09:00
Ophestra Umiker
73a698c7cb
ldd: run ldd with read-only filesystem and unshared net
This is only called on trusted programs, however extra hardening is never a bad idea.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 15:37:27 +09:00
Ophestra Umiker
57c1b3eda6
system: handle invalid enablement in String method
Invalid enablement is only caused by bad API usage, however panicking on the spot leaves behind messy state that has to be manually cleaned up.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 14:31:13 +09:00
Ophestra Umiker
5401882ed0
init: post initial process death exit timeout
Wait for 5 seconds before printing a message and exiting after picking up the initial process's wait status. This also kills any lingering processes. This behaviour is helpful for applications launched without a terminal attached.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 02:38:24 +09:00
Ophestra Umiker
dd78728fb3
workflows: test workflow to run tests every commit
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 00:18:20 +09:00
Ophestra Umiker
354c23dd28
workflows: add lines between steps
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-17 00:17:40 +09:00
Ophestra Umiker
c21168a741
system: move enablements from state package
This removes the unnecessary import of the state package.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 14:38:57 +09:00
Ophestra Umiker
084cd84f36
app: port app to use the system package
This commit does away with almost all baggage left over from the Ego port. Error wrapping also got simplified. All API changes happen to be internal, which means no changes to main except renaming of the BaseError type.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 01:38:59 +09:00
Ophestra Umiker
430f1a5b4e
system: isolate app/system into generic implementation
This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 01:31:23 +09:00
Ophestra Umiker
0fd63e85e7
fmsg/errors: isolate app/error into a separate package
These functions are not in any way specific to the app package.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 01:29:44 +09:00
Ophestra Umiker
33cf0bed54
dbus: various accessors for dbus.Proxy internal fields
These values are useful during sandbox setup and exporting them makes more sense than storing them twice.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-16 01:27:49 +09:00
Ophestra Umiker
689f5bed57
release: 0.0.4
release / release (push) Successful in 1m32s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:56:49 +09:00
Ophestra Umiker
184a5f29fa
helper/bwrap: add fortify permissive default test case
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:56:13 +09:00
Ophestra Umiker
3015266e5a
helper/bwrap: sort SetEnv arguments
This guarantees consistency of resulting args.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:55:48 +09:00
Ophestra Umiker
aa5dd2313c
app: filter /tmp from permissive default
Tmpdir is bind mounted over further along in execution so there is no point sharing it here.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:54:50 +09:00
Ophestra Umiker
2faf510146
helper/bwrap: ordered filesystem args
The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-15 02:15:55 +09:00
Ophestra Umiker
a0db19b9ad
helper/bwrap: format mode in octal
Bubblewrap expects an octal representation of mode.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 13:47:50 +09:00
Ophestra Umiker
aaed5080f4
fortify: move PR_SET_DUMPABLE to the beginning of main
This call does need flag values.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:48:37 +09:00
Ophestra Umiker
41a7eb567e
release: 0.0.3
release / release (push) Successful in 2m38s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:31:11 +09:00
Ophestra Umiker
1302bcede0
init: custom init process inside sandbox
Bubblewrap as init is a bit awkward and doesn't support a few setup actions fortify will need, such as starting/supervising nscd.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-14 02:27:02 +09:00
Ophestra Umiker
315c9b8849
fortify: refuse to run as root
There is no good reason to run fortify as root and desktop environments typically do not like that either. This check prevents confusion for new users who might mistakenly run it as root or set the setuid bit.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 20:06:47 +09:00
Ophestra Umiker
3739b56504
shim: update payload comment
Generating permissive default no longer happens in shim.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 17:19:50 +09:00
Ophestra Umiker
77f2c320a6
shim: re-exec self on startup
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 16:56:10 +09:00
Ophestra Umiker
b470941911
shim: get rid of insane launch condition
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 12:09:38 +09:00
Ophestra Umiker
e4536b87ad
app: generate and replace passwd and group files
This ensures libc functions get correct user information.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:43:00 +09:00
Ophestra Umiker
65a5f8fb08
app/config: map bwrap tmpfs in app config
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:39:27 +09:00
Ophestra Umiker
aee96b0fdf
helper/bwrap: allow pushing generic arguments to the end of argument stream
Bwrap argument order determines the order their corresponding actions are performed. This allows pushing generic arguments like tmpfs to the end of the stream to override bind mounts.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 02:26:01 +09:00
Ophestra Umiker
655020eb5d
app/config: always use nobody UID within sandbox
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:50:24 +09:00
Ophestra Umiker
f320dfc2ee
fortify: set SUID_DUMP_DISABLE after flag parse
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:09:14 +09:00
Ophestra Umiker
c818ea649a
app/seal: skip /mnt in permissive default
This directory usually contains temporarily mounted stuff and shouldn't get into the sandbox.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:07:48 +09:00
Ophestra Umiker
b091260fd3
update README document
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-13 00:07:10 +09:00
Ophestra Umiker
b9d5fe49cb
nix: pass $SHELL for shell interpreter
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 23:01:06 +09:00
Ophestra Umiker
d37dcff2fc
app/seal: allow GPU access in permissive default when either X11/Wayland is enabled
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 22:55:53 +09:00
Ophestra Umiker
805ef99f9b
app: filesystem struct that maps to all bwrap bind options
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 22:33:04 +09:00
Ophestra Umiker
283bcba05b
fortify/config: flag to print template config serialised as JSON
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 19:46:40 +09:00
Ophestra Umiker
2e019e48c1
app: supply template config
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 19:46:07 +09:00
Ophestra Umiker
d5c26ae593
fortify: move error handling to separate file
Error handling here is way too monstrous due to terrible design of the internal/app package. Since rewriting internal/app will take a while, error handling is moved out of main to improve readability.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 02:11:43 +09:00
Ophestra Umiker
61b473a06f
fortify: clean up config loading
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 01:51:06 +09:00
Ophestra Umiker
d2575b6708
fortify: move flag handling to separate files
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 01:28:22 +09:00