kat/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
1,851 Commits 4 Branches 14 Tags
67b11335d60dba1ee9615ca447101acd09fcfea6
Commit Graph

89 Commits

Author SHA1 Message Date
Ophestra
620062cca9 hst: expose scheduling priority 
This is useful when limits are configured to allow it.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-03-12 02:15:14 +09:00
Ophestra
04e6bc3c5c hst: expose scheduling policy 
This is primarily useful for poorly written music players for now.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-03-12 00:52:18 +09:00
Ophestra
330a344845 hst: improve doc comments 
These now read a lot better both in source and on pkgsite.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-03-11 19:21:55 +09:00
Ophestra
0c0e3d6fc2 hst: add direct hardware option 
This is unfortunately the only possible setup to securely expose PipeWire to the container. Further explanation explained in the doc comment and #29.

This will be implemented in a future commit.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-15 12:29:32 +09:00
Ophestra
87781c7658 treewide: include PipeWire op and enforce PulseAudio check 
This fully replaces PulseAudio with PipeWire and enforces the PulseAudio check and error message. The pipewire-pulse daemon is handled in the NixOS module.

Closes #26.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-08 08:53:04 +09:00
Ophestra
0c38fb7b6a hst: expose daemon as fs entry 
This is slightly counterintuitive, but it turned out well under this framework since the daemon backs its target file.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-08 07:38:47 +09:00
Ophestra
422efcf258 hst: check for insecure PulseAudio enablement 
This is currently still a noop, but required for #26.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-08 03:13:02 +09:00
Ophestra
1931b54600 hst: add pipewire flag 
These are for #26. None of them are implemented yet. This fixes up test cases for the change to happen. Existing source code and JSON configuration continue to have the same effect. Existing flags get its EPulse bit replaced by EPipeWire.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-07 22:34:40 +09:00
Ophestra
3afca2bd5b internal/wayland: expose WAYLAND_VERSION 
This might be useful troubleshooting information.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-17 01:46:01 +09:00
Ophestra
abeb67964f treewide: document linkname uses 
These provide justification for each use of linkname. Poorly thought out uses of linkname are removed.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-13 07:14:16 +09:00
Ophestra
9fd97e71d0 treewide: fit test untyped int literals in 32-bit 
This enables hakurei test suite to run on 32-bit targets.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-05 20:13:19 +09:00
Ophestra
c1399f5030 std: rename from comp 
Seccomp lookup tables are going to be relocated here, and PNR constants.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-05 02:47:43 +09:00
Ophestra
9ac63aac0c hst/grp_pwd: add extra test cases 
Does not change coverage but this helps me crosscheck with my phone.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-05 01:42:42 +09:00
Ophestra
cb9ebf0e15 hst/grp_pwd: specify new uid format 
This leaves slots available for additional uid ranges in Rosa OS.

This breaks all existing installations! Users are required to fix ownership manually.

Closes #18.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-04 08:24:41 +09:00
Ophestra
24435694a5 hst/config: make identifier omitempty 
This is an optional field. Serialise it as such.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-03 01:23:15 +09:00
Ophestra
2442eda8d9 hst/instance: embed config struct 
This makes the resulting json easier to parse since it can now be deserialised into the config struct.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-24 00:42:16 +09:00
Ophestra
05488bfb8f hst/instance: store priv side pid 
This can receive signals, so is more useful to the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-23 23:19:55 +09:00
Ophestra
dd94818f20 hst/instance: define instance state 
This is now part of the hst API. This change also improves identifier generation and serialisation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-23 22:59:02 +09:00
Ophestra
e94acc424c container/comp: rename from bits 
This package will also hold syscall lookup tables for seccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-21 20:54:03 +09:00
Ophestra
b1a4d801be hst/container: flags string representation 
This is useful for a user-facing representation other than JSON. This also gets rid of the ugly, outdated flags string builder in cmd/hakurei.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-21 20:29:52 +09:00
Ophestra
5063b774c1 hst: expose version string 
The hst API is tied to this version string.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-21 01:56:44 +09:00
Ophestra
699c19e972 hst/container: optional runtime and tmpdir sharing 
Sharing and persisting these directories do not always make sense. Make it optional here.

Closes #16.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-19 04:11:38 +09:00
Ophestra
d87020f0ca hst/config: validate env early 
This should happen in hst since it requires no system state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-19 02:39:49 +09:00
Ophestra
425421d9b1 hst/container: rename constants 
The shim is an implementation detail and should not be mentioned in the API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-16 00:27:00 +09:00
Ophestra
5e0f15d76b hst/container: additional shim exit codes 
These are now considered stable, defined behaviour and can be used by external programs to determine shim outcome.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-15 22:09:33 +09:00
Ophestra
f95e0a7568 hst/config: hold acl struct by value 
Doc comments are also reworded for clarity.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-14 07:02:14 +09:00
Ophestra
4c647add0d hst/container: pack boolean options 
The memory saving is relatively insignificant, however this increases serialisation efficiency.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-14 06:39:00 +09:00
Ophestra
a341466942 hst: separate container config 
The booleans are getting packed into a single field. This requires non-insignificant amount of code for JSON serialisation to stay compatible.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-14 04:23:05 +09:00
Ophestra
7638a44fa6 treewide: parallel tests 
Most tests already had no global state, however parallel was never enabled. This change enables it for all applicable tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-13 04:38:48 +09:00
Ophestra
8a91234cb4 hst: reword and improve doc comments 
This corrects minor mistakes in doc comments and adds them for undocumented constants.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-12 05:03:14 +09:00
Ophestra
f5a597c406 hst: rename /.hakurei constant 
This provides disambiguation from fhs.AbsTmp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-11 14:32:35 +09:00
Ophestra
8874aaf81b hst: remove template bind nix store 
This does not add anything meaningful to the template, since there are already prior examples showing src-only bind ops. Remove this since it causes confusion by covering the previous mount point targeting /nix/store.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-11 13:59:10 +09:00
Ophestra
04a27c8e47 hst: use plausible overlay template 
The current value is copied from a test case, and does not resemble its intended use case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-11 13:51:08 +09:00
Ophestra
776650af01 hst/config: negative WaitDelay bypasses default 
This behaviour might be useful, so do not lock it out. This change also fixes an oversight where the unchecked value is used to determine ForwardCancel.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-10 05:11:32 +09:00
Ophestra
87b5c30ef6 message: relocate from container 
This package is quite useful. This change allows it to be imported without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-09 05:18:19 +09:00
Ophestra
9b507715d4 hst/dbus: validate interface strings 
This is relocated to hst to validate early.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-08 04:57:22 +09:00
Ophestra
12ab7ea3b4 hst/fs: access ops through interface 
This removes the final hakurei.app/container import from hst.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 23:59:48 +09:00
Ophestra
1f0226f7e0 container/check: relocate overlay escape 
This is used in hst to format strings.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 23:56:19 +09:00
Ophestra
584ce3da68 container/bits: move bind bits 
This allows referring to the bits without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 21:38:31 +09:00
Ophestra
5d18af0007 container/fhs: move pathname constants 
This allows referencing FHS pathnames without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 21:29:16 +09:00
Ophestra
0e6c1a5026 container/check: move absolute pathname 
This allows use of absolute pathname values without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 20:57:58 +09:00
Ophestra
d23b4dc9e6 hst/dbus: move dbus config struct 
This allows holding a xdg-dbus-proxy configuration without importing system/dbus.

It also makes more sense in the project structure since the config struct is part of the hst API however the rest of the implementation is not.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 19:03:51 +09:00
Ophestra
2489766efe hst/config: identity bounds check early 
This makes sense to do here instead of in internal/app.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 17:58:28 +09:00
Ophestra
9e48d7f562 hst/config: move container fields from toplevel 
This change also moves pd behaviour to cmd/hakurei, as this does not belong in the hst API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 04:24:45 +09:00
Ophestra
ae7b343cde hst: reword and move constants 
These values are considered part of the stable, exported API, so move them to hst.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-05 17:40:32 +09:00
Ophestra
16f9001f5f hst/config: update doc comments 
Some information here are horribly out of date. This change updates and improves all doc comments.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-05 04:12:53 +09:00
Ophestra
80ad2e4e23 internal/app: do not offset base value 
This value is applied to the shim, it is incorrect to offset the base value as well.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-05 03:59:52 +09:00
Ophestra
1ba1cb8865 hst/config: remove seccomp bit fields 
These serve little purpose and are not friendly for use from other languages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-29 07:07:16 +09:00
Ophestra
44ba7a5f02 hst/enablement: move bits from system 
This is part of the hst API, should not be in the implementation package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-29 06:34:29 +09:00
Ophestra
8690419c2d hst: replace internal/app error 
This turns out to still be quite useful across internal/app and its relatives. Perhaps a cleaner replacement for baseError.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-15 01:44:43 +09:00