hst: optionally reject insecure options

This prevents inadvertent use of insecure compatibility features. Closes #30. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-04-10 19:12:45 +09:00
parent 952082bd9b
commit c33a6a5b7e
9 changed files with 128 additions and 39 deletions
--- a/internal/outcome/finalise.go
+++ b/internal/outcome/finalise.go
@@ -32,7 +32,14 @@ type outcome struct {
 	syscallDispatcher
 }

-func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, config *hst.Config) error {
+// finalise prepares an outcome for main.
+func (k *outcome) finalise(
+	ctx context.Context,
+	msg message.Msg,
+	id *hst.ID,
+	config *hst.Config,
+	flags int,
+) error {
 	if ctx == nil || id == nil {
 		// unreachable
 		panic("invalid call to finalise")
@@ -43,7 +50,7 @@ func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, con
 	}
 	k.ctx = ctx

-	if err := config.Validate(); err != nil {
+	if err := config.Validate(flags); err != nil {
 		return err
 	}

--- a/internal/outcome/run.go
+++ b/internal/outcome/run.go
@@ -18,7 +18,13 @@ import (
 func IsPollDescriptor(fd uintptr) bool

 // Main runs an app according to [hst.Config] and terminates. Main does not return.
-func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
+func Main(
+	ctx context.Context,
+	msg message.Msg,
+	config *hst.Config,
+	flags int,
+	fd int,
+) {
 	// avoids runtime internals or standard streams
 	if fd >= 0 {
 		if IsPollDescriptor(uintptr(fd)) || fd < 3 {
@@ -34,7 +40,7 @@ func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
 	k := outcome{syscallDispatcher: direct{msg}}

 	finaliseTime := time.Now()
-	if err := k.finalise(ctx, msg, &id, config); err != nil {
+	if err := k.finalise(ctx, msg, &id, config, flags); err != nil {
 		printMessageError(msg.GetLogger().Fatalln, "cannot seal app:", err)
 		panic("unreachable")
 	}
--- a/internal/store/data.go
+++ b/internal/store/data.go
@@ -41,7 +41,7 @@ func entryDecode(r io.Reader, p *hst.State) (hst.Enablement, error) {
 		return et, err
 	} else if err = gob.NewDecoder(r).Decode(&p); err != nil {
 		return et, &hst.AppError{Step: "decode state body", Err: err}
-	} else if err = p.Config.Validate(); err != nil {
+	} else if err = p.Config.Validate(hst.VAllowInsecure); err != nil {
 		return et, err
 	} else if p.Enablements.Unwrap() != et {
 		return et, &hst.AppError{Step: "validate state enablement", Err: os.ErrInvalid,