kat/hakurei
1
0
Fork 0
forked from rosa/hakurei
Code Pull Requests Activity
719 Commits 2 Branches 14 Tags
f885dede9b10c06004be0eac19d80b7bc718100a
Commit Graph

42 Commits

Author SHA1 Message Date
cat f885dede9b sandbox/seccomp: unexport println wrapper 
This is an implementation detail that was exported for the bwrap argument builder. The removal of that package allows it to be unexported.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-07 04:07:20 +09:00
cat 0ba8be659f sandbox: document less obvious parts of setup 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-01 01:21:04 +09:00
cat 2a46f5bb12 sandbox/seccomp: update doc comment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 23:00:20 +09:00
cat c13eb70d7d sandbox/seccomp: add fortify default sample 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 02:02:02 +09:00
cat 184e9db2b2 sandbox: support privileged container 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 19:40:19 +09:00
cat d613257841 sandbox/init: clear inheritable set 
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:46:13 +09:00
cat 18644d90be sandbox: wrap capset syscall 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:44:07 +09:00
cat 52fcc48ac1 sandbox/init: drop capabilities 
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:32:08 +09:00
cat 8b69bcd215 sandbox: cache kernel.cap_last_cap value 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:19:19 +09:00
cat 985f9442e6 sandbox: copy symlink with magic prefix 
This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 01:42:39 +09:00
cat 971c79bb80 sandbox: remove hardcoded parent perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:49:51 +09:00
cat f86d868274 sandbox: wrap error with its own text message 
PathError has a pretty good text message, many of them are wrapped with its own text message. This change adds a function to do just that to improve readability.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:42:20 +09:00
cat 33940265a6 sandbox: do not ensure symlink target 
This masks EEXIST on target and might clobber filesystems and lead to other confusing behaviour. Create its parent instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:30:53 +09:00
cat 61dbfeffe7 sandbox/wl: move into sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:26:37 +09:00
cat 5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
cat ad3576c164 sandbox: resolve tty name 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:03:07 +09:00
cat a11237b158 sandbox/vfs: add doc comments 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:21:55 +09:00
cat 40f00d570e sandbox: set mkdir perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 12:51:39 +09:00
cat e8809125d4 sandbox: verify outcome via mountinfo 
This contains much more information than /proc/mounts and allows for more fields to be checked. This also removes the dependency on the test package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 22:17:36 +09:00
cat 75e0c5d406 test/sandbox: parse full test case 
This makes declaring multiple tests much cleaner.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 14:53:50 +09:00
cat 770b37ae16 sandbox/vfs: match MS_NOSYMFOLLOW flag 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 13:57:30 +09:00
cat c638193268 sandbox: apply vfs options to bind mounts 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:27:57 +09:00
cat 8c3a817881 sandbox/vfs: unfold mount hierarchy 
This presents all visible mount points under path. This is useful for applying extra vfs options to bind mounts.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:23:31 +09:00
cat e2fce321c1 sandbox/vfs: expose mountinfo line scanning 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 02:46:58 +09:00
cat d21d9c5b1d sandbox/vfs: parse vfs options 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 17:12:10 +09:00
cat a70daf2250 sandbox: resolve inverted flags in op 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:58:38 +09:00
cat 5098b12e4a sandbox/vfs: count mountinfo entries 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:14:33 +09:00
cat 9ddf5794dd sandbox/vfs: implement proc_pid_mountinfo(5) parser 
Test cases are mostly taken from util-linux. This implementation is more correct and slightly faster than the one found in github:kubernetes/utils.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 00:35:49 +09:00
cat b74a08dda9 sandbox: prepare ops early 
Some setup code needs to run in host root. This change allows that to happen.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-18 02:17:46 +09:00
cat 1b9408864f sandbox: pass cmd to cancel function 
This is not usually in scope otherwise.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:36:39 +09:00
cat cc89dbdf63 sandbox: place files with content 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:13:22 +09:00
cat 228f3301f2 sandbox: create directories 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:03:06 +09:00
cat 07181138e5 sandbox/mount: pass absolute path 
This should never be used unless there is a good reason to, like using a file in the intermediate root.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:53:31 +09:00
cat 816b372f14 sandbox: cancel process on serve error 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:49:45 +09:00
cat d7eddd54a2 sandbox: rename params struct 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:45:08 +09:00
cat af3619d440 sandbox: create symlinks 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:37:56 +09:00
cat 528674cb6e sandbox/init: fail early on nil op 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:17:03 +09:00
cat 70c9757e26 sandbox/mount: rename device flag 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:10:55 +09:00
cat c83a7e2efc sandbox: mount container /dev/mqueue 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 15:42:40 +09:00
cat 904208b87f sandbox: unwrap path string 
Mount proc and dev takes no additional parameters.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 15:33:20 +09:00
cat 007b52d81f sandbox/seccomp: check for both partial read outcomes 
This eliminates intermittent test failures.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 12:51:21 +09:00
cat 24618ab9a1 sandbox: move out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:55:36 +09:00