|
3c9ff16108
|
neovim: simplify plugin config schema
|
2024-08-26 14:06:49 +00:00 |
|
|
0787a3a50e
|
neovim: split plugin configs into their own file
|
2024-08-26 14:06:49 +00:00 |
|
|
446e614e9a
|
neovim: split vimrc into own file
|
2024-08-26 14:06:49 +00:00 |
|
|
afd0ec09a1
|
nixfmt-rfc-style: ship
|
2024-08-26 14:06:49 +00:00 |
|
|
422e8aeb3f
|
sanebox: support existingDir{,OrParent} autodetect option
|
2024-08-26 14:06:49 +00:00 |
|
|
ae8e9267c4
|
nixpkgs: 0-unstable-2024-08-21 -> 0-unstable-2024-08-25
|
2024-08-26 08:15:49 +00:00 |
|
|
60c4b2e4c0
|
syshud: 2024-08-17 -> 2024-08-24, and apply nixfmt
|
2024-08-26 08:06:43 +00:00 |
|
|
289e9182fd
|
bunpen: --bunpen-drop-shell: specify argv0 more correctly
|
2024-08-25 19:24:32 +00:00 |
|
|
ec7b87b985
|
bunpen: PARTIAL support for symlinks
|
2024-08-25 19:22:25 +00:00 |
|
|
9f5d7f2bb2
|
bunpen: fix mixup between argv0 and the rest of argv
|
2024-08-25 19:10:26 +00:00 |
|
|
64697a2cb8
|
bunpen: namespace: bind all requested user paths, and create requisite directories
|
2024-08-25 19:06:28 +00:00 |
|
|
1c50ff8fe4
|
bunpen: factor the pivot_root logic into some abstraction
is this really helpful? hard to tell for sure
|
2024-08-25 13:36:11 +00:00 |
|
|
3010ff89d0
|
bunpen: clean up mount namespacing so that i could bind any directory -- including /tmp
|
2024-08-25 13:27:31 +00:00 |
|
|
7a902cabfe
|
bunpen: proof-of-concept mount namespace, exposing only *some* paths
|
2024-08-25 11:38:08 +00:00 |
|
|
64948a497d
|
bunpen: write real uid/gid to /proc/self/uid_map
|
2024-08-24 20:38:33 +00:00 |
|
|
ccddc6f8e1
|
bunpen: TODO: calculate uid/gid at runtime
|
2024-08-24 20:12:51 +00:00 |
|
|
7d7abc9619
|
bunpen: namespace: simplify
|
2024-08-24 20:05:09 +00:00 |
|
|
f0efa0c255
|
bunpen: proof-of-concept mount namespacing
|
2024-08-24 20:01:27 +00:00 |
|
|
9ab6d101f6
|
bunpen: no_new_privs : propagate the error & handle it in main
|
2024-08-24 17:18:47 +00:00 |
|
|
164275fa59
|
bunpen: bind pivot_root to Hare
|
2024-08-24 12:35:55 +00:00 |
|
|
dbdd356691
|
bunpen: mv rtext/namespace -> rtext/unshare, to reflect that it is more limited in scope
|
2024-08-24 06:36:04 +00:00 |
|
|
c9157291b9
|
bunpen: namespace: unshare cgroup/ipc/uts, and net where possible
|
2024-08-24 05:20:54 +00:00 |
|
|
e315919b54
|
bunpen: run process inside a new user namespace
|
2024-08-24 05:12:27 +00:00 |
|
|
5f35eaccd9
|
programs/host: sandbox with bunpen instead of landlock
this just acts as a good proof-of-concept / testing it in the wild
|
2024-08-23 16:00:31 +00:00 |
|
|
c86d893a2c
|
modules/programs: sandbox: allow method = "bunpen"
|
2024-08-23 16:00:31 +00:00 |
|
|
abb19b1fc9
|
bunpen: fix to allow binding files into the environment -- not just directories
|
2024-08-23 16:00:31 +00:00 |
|
|
ab4ebb012a
|
bunpen: implement --bunpen-drop-shell flag
|
2024-08-23 16:00:31 +00:00 |
|
|
effec38a99
|
modules/programs: sandbox: introduce an interface which will allow for sandboxers other than sanebox
|
2024-08-23 16:00:31 +00:00 |
|
|
c5ed1263dc
|
feeds: subscribe to justine.lol
|
2024-08-23 16:00:31 +00:00 |
|
|
e0d33862f0
|
bunpen: implement --bunpen-keep-net CLI arg
|
2024-08-23 16:00:31 +00:00 |
|
|
7d097474a3
|
bunpen: implement --bunpen-path cli arg
|
2024-08-23 16:00:31 +00:00 |
|
|
7a4a7d613b
|
bunpen: implement basic arg parsing
|
2024-08-23 16:00:31 +00:00 |
|
|
e457cf96ae
|
bunpen: break out a resources abstraction
|
2024-08-23 16:00:31 +00:00 |
|
|
f323c0f90d
|
bunpen: rename "methods" -> "restrict"
|
2024-08-23 16:00:31 +00:00 |
|
|
5525ea4b59
|
bunpen: lift main up to the toplevel
it seems modules *do* support freestanding hare files at the toplevel -- but only if there's just one of them (?)
|
2024-08-23 16:00:31 +00:00 |
|
|
daa1783e21
|
bunpen: refactor kernel bindings into a rtext module
additionally, this requires moving all other files into their own directories, else hare doesn't seem to recognize 'rtext' as a module
|
2024-08-23 16:00:31 +00:00 |
|
|
27d5928155
|
bunpen: landlock: allow access to all of /
|
2024-08-23 16:00:31 +00:00 |
|
|
2f9dd4cd60
|
bunpen: landlock: fully restrict
of course, this means it's unable to 'exec' from disk -- for now
|
2024-08-23 16:00:31 +00:00 |
|
|
ba406e912f
|
bunpen: landlock: cleaner bindings
|
2024-08-23 16:00:31 +00:00 |
|
|
45ff21822a
|
feeds: sub JRE (we'll see how long this lasts...)
|
2024-08-23 06:09:33 +00:00 |
|
|
7ef9f0b455
|
bunpen: implement landlock_add_rule binding
|
2024-08-23 06:09:14 +00:00 |
|
|
ec90f5c066
|
bunpen: landlock: negotiate access modes with the running kernel
|
2024-08-22 17:30:07 +00:00 |
|
|
57e113137f
|
bunpen: add minimal landlock API
|
2024-08-22 16:08:53 +00:00 |
|
|
2c390a8b6d
|
bunpen: set no_new_privs before executing the command
|
2024-08-22 15:42:59 +00:00 |
|
|
634f13ba6b
|
bunpen: use stdlib log instead of raw fmt::printfln
|
2024-08-22 14:40:46 +00:00 |
|
|
dab7803cbb
|
bunpen: execute the given argv
|
2024-08-22 14:34:08 +00:00 |
|
|
64f53020ee
|
bunpen: explicitly configure 2-space indentation
|
2024-08-22 13:19:39 +00:00 |
|
|
e737d2e24b
|
bunpen: run hare test during build
|
2024-08-22 13:19:21 +00:00 |
|
|
9b11b64349
|
haredoc: ship
|
2024-08-22 09:00:14 +00:00 |
|
|
212f6c0f48
|
bunpen: init at 0.1.0
|
2024-08-22 08:31:21 +00:00 |
|