kat/hakurei
1
0
Fork 0
forked from rosa/hakurei
Code Pull Requests Activity
2,430 Commits 2 Branches 14 Tags
1490b32387e52a21dc19495e15d32ee635bef710
Commit Graph

2430 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
cat 228f3301f2 sandbox: create directories 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:03:06 +09:00
cat 07181138e5 sandbox/mount: pass absolute path 
This should never be used unless there is a good reason to, like using a file in the intermediate root.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:53:31 +09:00
cat 816b372f14 sandbox: cancel process on serve error 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:49:45 +09:00
cat d7eddd54a2 sandbox: rename params struct 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:45:08 +09:00
cat 7c063833e0 internal/sys: wrap getuid/getgid 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 17:10:03 +09:00
cat af3619d440 sandbox: create symlinks 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:37:56 +09:00
cat 528674cb6e sandbox/init: fail early on nil op 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:17:03 +09:00
cat 70c9757e26 sandbox/mount: rename device flag 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:10:55 +09:00
cat c83a7e2efc sandbox: mount container /dev/mqueue 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 15:42:40 +09:00
cat 904208b87f sandbox: unwrap path string 
Mount proc and dev takes no additional parameters.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 15:33:20 +09:00
cat 007b52d81f sandbox/seccomp: check for both partial read outcomes 
This eliminates intermittent test failures.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 12:51:21 +09:00
cat 3385538142 nix: clean up flake outputs 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 12:26:19 +09:00
cat 24618ab9a1 sandbox: move out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:55:36 +09:00
cat 9ce4706a07 sandbox: move params setup functions 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:48:32 +09:00
cat 9a1f8e129f sandbox: wrap fmsg interface 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:44:07 +09:00
cat ee10860357 seccomp: install output atomically 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 01:10:27 +09:00
cat 44277dc0f1 dbus: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 00:13:14 +09:00
cat bc54db54d2 ldd: always copy stderr 
Dropping the buffer on success is unhelpful and could hide some useful information.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 00:08:00 +09:00
cat bf07b7cd9e ldd: mount /proc in container 
This covers host /proc.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 00:01:03 +09:00
cat 5d3c8dcc92 test: raise timeout 
Native container tooling is severely slowed down by race detector. Raise timeout so it reliably completes.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 23:51:17 +09:00
cat 48feca800f sandbox: check command function pointer 
Setting default CommandContext on initialisation is somewhat of a footgun.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 23:29:14 +09:00
cat 42de09e896 helper: implement native container backend 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 02:57:46 +09:00
cat 1576fea8a3 helper: raise WaitDelay during tests 
Helper runs very slowly with race detector. This prevents it from timing out.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 02:49:41 +09:00
cat ae522ab364 test: run go tests with race detector 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 02:07:42 +09:00
cat 273d97af85 ldd: lib paths resolve function 
This is what always happens right after a ldd call, so implement it here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 01:20:09 +09:00
cat 891316d924 helper/stub: copy args to stderr 
Some helpers are implemented via go test itself in tests, and as a result stdout gets clobbered.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 00:39:42 +09:00
cat 9f5dad1998 sandbox: return on zero length ops 
This dodges potentially confusing behaviour where init fails due to Ops being clobbered during transfer.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 00:32:36 +09:00
cat 6e7ddb2d2e helper: eliminate commandContext replacement 
This is done more cleanly by modifying Args in cmdF.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-16 00:01:25 +09:00
cat bac4e67867 sandbox/init: early params nil check 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 04:03:10 +09:00
cat 4230281194 sandbox: return error on doubled start 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 03:30:14 +09:00
cat e64e7608ca sandbox: expose cancel behaviour 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 03:04:27 +09:00
cat 10a21ce3ef helper: expose extra files to direct 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 02:27:40 +09:00
cat 0f1f0e4364 helper: combine helper ipc setup 
The two-step args call is no longer necessary since stat is passed on initialisation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 02:10:22 +09:00
cat f9bf20a3c7 helper: rearrange initialisation args 
This improves consistency across two different helper implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 01:06:31 +09:00
cat 73c1a83032 helper: move process wrapper to direct 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 00:33:25 +09:00
cat f443d315ad helper: clean up interface 
The helper interface was messy due to odd context acquisition order. That has changed, so this cleans it up.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-15 00:27:44 +09:00
cat 9e18d1de77 helper/proc: pass extra files and start 
For integration with native container tooling.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 23:23:57 +09:00
cat 2647a71be1 seccomp: move out of helper 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 22:42:40 +09:00
cat 7c60a4d8e8 helper: embed context on creation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 18:30:22 +09:00
cat 4bb5d9780f ldd: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 17:55:55 +09:00
cat f41fd94628 sandbox: write uid/gid map as init 
This avoids PR_SET_DUMPABLE in the parent process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 17:42:22 +09:00
cat 94895bbacb sandbox: invert seccomp ruleset defaults 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:38:32 +09:00
cat f332200ca4 sandbox: mount container /dev 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:18:44 +09:00
cat 2eff470091 sandbox/mount: pass custom tmpfs name 
The tmpfs driver allows arbitrary fsname.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:12:35 +09:00
cat a092b042ab sandbox: pass params to setup ops 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:11:38 +09:00
cat e94b09d337 sandbox/mount: fix source flag path 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 02:10:48 +09:00
cat 5d9e669d97 sandbox: separate tmpfs function from op 
This is useful in the implementation of various other ops.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 00:21:20 +09:00
cat f1002157a5 sandbox: separate bind mount function from op 
This is useful in the implementation of various other ops.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 00:16:41 +09:00
cat 4133b555ba internal/app: rename init to init0 
This makes way for the new container init.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-13 21:57:54 +09:00
cat 9b1a60b5c9 sandbox: native container tooling 
This should eventually replace bwrap.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-13 21:36:26 +09:00