This allows any fstype supported by hst to be directly mounted on sysroot. A special case in internal/app applies the matching entry early and excludes it from path hiding.
Closes#5.
Signed-off-by: Ophestra <cat@gensokyo.uk>
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1.
Signed-off-by: Ophestra <cat@gensokyo.uk>
Having the bit field value here (in decimal, no less) is unfriendly to text editors. Use a bunch of booleans here to improve ease of use.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This is simultaneously more efficient and less error-prone. This change caused minor API changes in multiple other packages.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This increases readability since this can help disambiguate absolute paths from similarly named path segments.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.
Signed-off-by: Ophestra <cat@gensokyo.uk>
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.
Signed-off-by: Ophestra <cat@gensokyo.uk>
It is completely nonsensical and highly error-prone to have multiple implementations of this in the same build. This should be switched at compile time instead therefore the split packages are pointless.
Signed-off-by: Ophestra <cat@gensokyo.uk>
