Commit Graph

2070 Commits

Author SHA1 Message Date
cat 74ba183256 app: install seccomp filter to shim
This does not necessarily reduce attack surface but does not affect functionality or introduce any side effects, so it is nice to have.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-07 04:13:08 +09:00
cat f885dede9b sandbox/seccomp: unexport println wrapper
This is an implementation detail that was exported for the bwrap argument builder. The removal of that package allows it to be unexported.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-07 04:07:20 +09:00
cat e9a7cd526f app: improve shim process management
This ensures a signal gets delivered to the process instead of relying on parent death behaviour.

SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials.

A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-07 03:55:17 +09:00
cat 12be7bc78e release: 0.3.3
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-01 01:42:10 +09:00
cat 0ba8be659f sandbox: document less obvious parts of setup
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-01 01:21:04 +09:00
cat 022242a84a app: wayland socket in process share
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-01 00:53:04 +09:00
cat 8aeb06f53c app: share path setup on demand
This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-01 00:47:32 +09:00
cat 4036da3b5c fst: optional configured shell path
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-31 21:27:31 +09:00
cat 986105958c fortify: update show output
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-31 04:54:10 +09:00
cat ecdd4d8202 fortify: clean ps output
This format has never changed since it was added. It used to show everything there is in a process state, but that has not been true for a long time. This change cleans it up in favour of `fortify show` displaying extra information.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-31 04:41:08 +09:00
cat bdee0c3921 nix: update flake lock
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 23:15:18 +09:00
cat 48f634d046 release: 0.3.2
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 23:05:57 +09:00
cat 2a46f5bb12 sandbox/seccomp: update doc comment
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 23:00:20 +09:00
cat 7f2c0af5ad fst: set multiarch bit
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 22:55:00 +09:00
cat 297b444dfb test: separate app and sandbox
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 22:09:46 +09:00
cat 89a05909a4 test: move test program to sandbox directory
This prepares for the separation of app and sandbox tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 21:09:16 +09:00
cat f772940768 test/sandbox: treat ESRCH as temporary failure
This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 03:50:59 +09:00
cat 8886c40974 test/sandbox: separate check filter
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-30 02:15:08 +09:00
cat 8b62e08b44 test: build test program in nixos config
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-29 19:33:17 +09:00
cat 72c59f9229 nix: check share/applications in share package
This allows share directories without share/applications/ to build correctly.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-29 19:28:20 +09:00
cat ff3cfbb437 test/sandbox: check seccomp outcome
This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-28 02:24:27 +09:00
cat c13eb70d7d sandbox/seccomp: add fortify default sample
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-28 02:02:02 +09:00
cat 389402f955 test/sandbox/ptrace: generic filter block type
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-28 01:47:24 +09:00
cat 660a2898dc test/sandbox/ptrace: dump seccomp bpf program
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-28 01:35:56 +09:00
cat faf59e12c0 test/sandbox: expose test tool
Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-28 00:08:47 +09:00
cat d97a03c7c6 test/sandbox: separate test tool source
This improves readability and allows gofmt to format the file.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 23:43:13 +09:00
cat a102178019 sys: update doc comment
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 22:43:17 +09:00
cat e400862a12 state/multi: fix backend cache population race
This race can never happen yet, since no caller concurrently requests the same aid.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 22:37:08 +09:00
cat 184e9db2b2 sandbox: support privileged container
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 19:40:19 +09:00
cat 605d018be2 app/seal: check for '=' in envv
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 18:25:23 +09:00
cat 78aaae7ee0 helper/args: copy args on wt creation
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 18:22:07 +09:00
cat 5c82f1ed3e helper/stub: output to stdout
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 17:25:10 +09:00
cat f8502c3ece test/sandbox: check environment
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 03:16:33 +09:00
cat 996b42634d test/sandbox: invoke check program directly
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 03:11:50 +09:00
cat 300571af47 app: pass through $SHELL
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 01:22:40 +09:00
cat 32c90ef4e7 nix: pass through exec arguments
This is useful for when a wrapper script is unnecessary.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 03:04:46 +09:00
cat 2a4e2724a3 release: 0.3.1
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 07:48:50 +09:00
cat d613257841 sandbox/init: clear inheritable set
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 07:46:13 +09:00
cat 18644d90be sandbox: wrap capset syscall
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 07:44:07 +09:00
cat 52fcc48ac1 sandbox/init: drop capabilities
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 06:32:08 +09:00
cat 8b69bcd215 sandbox: cache kernel.cap_last_cap value
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 06:19:19 +09:00
cat 2dd49c437c app: create XDG_RUNTIME_DIR with perm 0700
Many programs complain about this.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 02:49:37 +09:00
cat 92852d8235 release: 0.3.0
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 02:18:59 +09:00
cat 371dd5b938 nix: create current-system symlink
This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 02:06:11 +09:00
cat 4836d570ae test: raise long timeout to 15 seconds
The race detector really slows down container tooling.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 01:59:05 +09:00
cat 985f9442e6 sandbox: copy symlink with magic prefix
This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 01:42:39 +09:00
cat 67eb28466d nix: create opengl-driver symlink
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 20:52:20 +09:00
cat c326c3f97d fst/sandbox: do not create /etc in advance
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 20:00:34 +09:00
cat 971c79bb80 sandbox: remove hardcoded parent perm
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 19:49:51 +09:00
cat f86d868274 sandbox: wrap error with its own text message
PathError has a pretty good text message, yet many of them are wrapped with their own text message. This change adds a function to do just that to improve readability.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 19:42:20 +09:00