hst: optionally reject insecure options

This prevents inadvertent use of insecure compatibility features. Closes #30. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-04-10 19:12:45 +09:00
parent 952082bd9b
commit c33a6a5b7e
9 changed files with 128 additions and 39 deletions
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -38,8 +38,9 @@ var errSuccess = errors.New("success")

 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose bool
-		flagJSON    bool
+		flagVerbose  bool
+		flagInsecure bool
+		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
@@ -57,6 +58,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")

 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -75,7 +77,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}

-			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -282,7 +289,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}

-			outcome.Main(ctx, msg, &config, -1)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
--- a/cmd/hakurei/command_test.go
+++ b/cmd/hakurei/command_test.go
@@ -20,7 +20,7 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]

 Commands:
    run         Load and start container from configuration file
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()

-	if err := config.Validate(); err != nil {
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")