kat/hakurei
1
0
Fork 0
forked from rosa/hakurei
Code Pull Requests Activity
774 Commits 2 Branches 14 Tags
eec021cc4b4eb42bc9c8311755826828bfba1996
Commit Graph

66 Commits

Author SHA1 Message Date
cat eec021cc4b hakurei: move container helpers toplevel 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:31:29 +09:00
cat a1d98823f8 hakurei: move container toplevel 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:23:55 +09:00
cat f84ec5a3f8 sandbox/wl: track generated files 
This allows the package to be imported.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 20:52:22 +09:00
cat eb22a8bcc1 cmd/hakurei: move to cmd 
Having it at the project root never made sense since the "ego" name was deprecated. This change finally addresses it.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 20:42:51 +09:00
cat 31aef905fa sandbox: expose seccomp interface 
There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 04:47:13 +09:00
cat a6887f7253 sandbox/seccomp: import dot for syscall 
This significantly increases readability in some places.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 02:30:35 +09:00
cat 69bd581af7 sandbox/seccomp: append suffix to ops 
This avoids clashes with stdlib names to allow for . imports.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 01:09:04 +09:00
cat 26b7afc890 sandbox/seccomp: prepare -> export 
Export makes a lot more sense, and also matches the libseccomp function.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 00:32:48 +09:00
cat d5532aade0 sandbox/seccomp: native rule slice in helpers 
These helper functions took FilterPreset as input for ease of integration. This moves them to []NativeRule.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 00:22:27 +09:00
cat 0c5409aec7 sandbox/seccomp: native rule type alias 
This makes it easier to keep API stable.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 00:00:08 +09:00
cat 1a8840bebc sandbox/seccomp: resolve rules natively 
This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 22:11:32 +09:00
cat 1fb453dffe sandbox/seccomp: extra constants 
These all resolve to pseudo syscall numbers in libseccomp, but are necessary anyway for other platforms.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 20:15:42 +09:00
cat e03d702d08 sandbox/seccomp: implement syscall lookup 
This uses the Go map and is verified against libseccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 00:35:27 +09:00
cat 241dc964a6 sandbox/seccomp: wire extra syscall 
These values are only useful for libseccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 00:32:08 +09:00
cat 8ef71e14d5 sandbox/seccomp: emit syscall constants 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-30 20:34:33 +09:00
cat 972f4006f0 treewide: switch to hakurei.app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-26 04:01:02 +09:00
cat 9a8a047908 sandbox/seccomp: syscall name lookup table 
The script is from Go source of same name. The result is checked against libseccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-26 03:49:07 +09:00
cat 863bf69ad3 treewide: reapply clang-format 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 23:43:42 +09:00
cat 87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
cat ef80b19f2f treewide: switch to clang-format 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-18 13:45:34 +09:00
cat b7e991de5b nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
cat 9967909460 sandbox: relative autoetc links 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
cat c806f43881 sandbox: implement autoetc as setup op 
This significantly reduces setup op count and the readdir call now happens in the context of the init process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-10 18:54:25 +09:00
cat 584405f7cc sandbox/seccomp: rename flag type and constants 
The names are ambiguous. Rename them to make more sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-08 01:59:45 +09:00
cat f885dede9b sandbox/seccomp: unexport println wrapper 
This is an implementation detail that was exported for the bwrap argument builder. The removal of that package allows it to be unexported.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-07 04:07:20 +09:00
cat 0ba8be659f sandbox: document less obvious parts of setup 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-01 01:21:04 +09:00
cat 2a46f5bb12 sandbox/seccomp: update doc comment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 23:00:20 +09:00
cat c13eb70d7d sandbox/seccomp: add fortify default sample 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 02:02:02 +09:00
cat 184e9db2b2 sandbox: support privileged container 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 19:40:19 +09:00
cat d613257841 sandbox/init: clear inheritable set 
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:46:13 +09:00
cat 18644d90be sandbox: wrap capset syscall 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:44:07 +09:00
cat 52fcc48ac1 sandbox/init: drop capabilities 
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:32:08 +09:00
cat 8b69bcd215 sandbox: cache kernel.cap_last_cap value 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:19:19 +09:00
cat 985f9442e6 sandbox: copy symlink with magic prefix 
This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 01:42:39 +09:00
cat 971c79bb80 sandbox: remove hardcoded parent perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:49:51 +09:00
cat f86d868274 sandbox: wrap error with its own text message 
PathError has a pretty good text message, many of them are wrapped with its own text message. This change adds a function to do just that to improve readability.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:42:20 +09:00
cat 33940265a6 sandbox: do not ensure symlink target 
This masks EEXIST on target and might clobber filesystems and lead to other confusing behaviour. Create its parent instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:30:53 +09:00
cat 61dbfeffe7 sandbox/wl: move into sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:26:37 +09:00
cat 5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
cat ad3576c164 sandbox: resolve tty name 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:03:07 +09:00
cat a11237b158 sandbox/vfs: add doc comments 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:21:55 +09:00
cat 40f00d570e sandbox: set mkdir perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 12:51:39 +09:00
cat e8809125d4 sandbox: verify outcome via mountinfo 
This contains much more information than /proc/mounts and allows for more fields to be checked. This also removes the dependency on the test package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 22:17:36 +09:00
cat 75e0c5d406 test/sandbox: parse full test case 
This makes declaring multiple tests much cleaner.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 14:53:50 +09:00
cat 770b37ae16 sandbox/vfs: match MS_NOSYMFOLLOW flag 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 13:57:30 +09:00
cat c638193268 sandbox: apply vfs options to bind mounts 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:27:57 +09:00
cat 8c3a817881 sandbox/vfs: unfold mount hierarchy 
This presents all visible mount points under path. This is useful for applying extra vfs options to bind mounts.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:23:31 +09:00
cat e2fce321c1 sandbox/vfs: expose mountinfo line scanning 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 02:46:58 +09:00
cat d21d9c5b1d sandbox/vfs: parse vfs options 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 17:12:10 +09:00
cat a70daf2250 sandbox: resolve inverted flags in op 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:58:38 +09:00