maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

container/init: measure init behaviour

Browse Source 
This used to be entirely done via integration tests, with almost no hope of error injection and coverage profile. These tests significantly increase confidence of future work in this area.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-24 02:28:24 +09:00
parent 0166833431
commit 2baa2d7063
3 changed files with 2628 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
container/init.go
View File

@@ -127,7 +127,7 @@ func initEntrypoint(k syscallDispatcher, prepareLogger func(prefix string), setV
// write uid/gid map here so parent does not need to set dumpable
if err := k.setDumpable(SUID_DUMP_USER); err != nil {
k.fatalf("cannot set SUID_DUMP_USER: %s", err)
k.fatalf("cannot set SUID_DUMP_USER: %v", err)
}
if err := k.writeFile(FHSProc+"self/uid_map",
append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
@@ -145,7 +145,7 @@ func initEntrypoint(k syscallDispatcher, prepareLogger func(prefix string), setV
k.fatalf("%v", err)
}
if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil {
k.fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
k.fatalf("cannot set SUID_DUMP_DISABLE: %v", err)
}
oldmask := k.umask(0)
@@ -178,7 +178,6 @@ func initEntrypoint(k syscallDispatcher, prepareLogger func(prefix string), setV
fmt.Sprintf("cannot prepare op at index %d:", i))
k.beforeExit()
k.exit(1)
return
}
}
@@ -219,7 +218,6 @@ func initEntrypoint(k syscallDispatcher, prepareLogger func(prefix string), setV
fmt.Sprintf("cannot apply op at index %d:", i))
k.beforeExit()
k.exit(1)
return
}
}
@@ -250,7 +248,7 @@ func initEntrypoint(k syscallDispatcher, prepareLogger func(prefix string), setV
k.fatalf("cannot re-enter intermediate root: %v", err)
}
if err := k.unmount(".", MNT_DETACH); err != nil {
k.fatalf("cannot unmount intemediate root: %v", err)
k.fatalf("cannot unmount intermediate root: %v", err)
}
if err := k.chdir(FHSRoot); err != nil {
k.fatalf("cannot enter root: %v", err)
@@ -389,7 +387,6 @@ func initEntrypoint(k syscallDispatcher, prepareLogger func(prefix string), setV
}
k.beforeExit()
k.exit(0)
return
case w := <-info:
if w.wpid == cmd.Process.Pid {
@@ -416,13 +413,11 @@ func initEntrypoint(k syscallDispatcher, prepareLogger func(prefix string), setV
case <-done:
k.beforeExit()
k.exit(r)
return
case <-timeout:
k.printf("timeout exceeded waiting for lingering processes")
k.beforeExit()
k.exit(r)
return
}
}
}