maemachinebroke/hakurei
1
0
Fork 0
forked from rosa/hakurei
Code Pull Requests Activity
1,809 Commits 7 Branches 12 Tags
19a2737148609f0b40ea31cf5cd0cb809b60722f
Commit Graph

187 Commits

Author SHA1 Message Date
cat f1a53d6116 container: raise CAP_DAC_OVERRIDE 
This is required for upperdir and workdir checks in overlayfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 00:43:19 +09:00
cat fde5f1ca64 container: buffer test output 
This further reduces noise on test failure by only passing through output of the failed test.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-07 02:55:58 +09:00
cat 4d0bdd84b5 container: test respect verbose flag 
This reduces noise on test failure.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-07 02:50:00 +09:00
cat 9a25542c6d container/init: use mount string constants 
These literals were missed when the constants were first defined.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-04 04:00:05 +09:00
cat c6be82bcf9 container/path: fhs path constants 
This increases readability since this can help disambiguate absolute paths from similarly named path segments.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 21:16:45 +09:00
cat 38245559dc container/ops: mount dev readonly 
There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 19:18:53 +09:00
cat 7b416d47dc container/ops: merge mqueue and dev Ops 
There is no reason to mount mqueue anywhere else, and these Ops usually follow each other. This change merges them. This helps decrease IPC overhead and also enables mounting dev readonly.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 19:13:46 +09:00
cat 15170735ba container/mount: move tmpfs sysroot prefixing to caller 
The mountTmpfs helper is a relatively low level function that is not exposed as part of the API. Prefixing sysroot here not only introduces overhead but is also quite error-prone.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 18:06:41 +09:00
cat 6a3886e9db container/op: unexport bind resolved source field 
This is used for symlink resolution and is only used internally.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 17:57:37 +09:00
cat ff66296378 container/mount: mount data escape helper function 
For formatting user-supplied path strings into overlayfs mount data.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 17:46:14 +09:00
cat 347a79df72 container: improve clone flags readability 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-02 18:19:44 +09:00
cat 0f78864a67 container/mount: export mount string constants 
This improves code readability and should also be useful for callers choosing to preserve CAP_SYS_ADMIN.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-02 17:20:09 +09:00
cat c5d24979f5 container/ops: expose remount as Op 
This is useful for building a filesystem hierarchy then remounting it readonly.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:48:02 +09:00
cat 1dc780bca7 container/mount: separate remount from bind 
Remount turns out to be useful in other places.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:32:38 +09:00
cat 547a2adaa4 container/mount: pass tmpfs flags 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 18:59:06 +09:00
cat 4e85643865 container: implement autoroot as setup op 
This code is useful beyond just pd behaviour, and implementing it this way also reduces IPC overhead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:04:36 +09:00
cat f14e7255be container/ops: use correct flags value in bind string 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 00:54:08 +09:00
cat 4e518f11d8 container/ops: autoetc implementation to separate file 
This is not a general purpose setup Op. Separate it so it is easier to find.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 19:54:03 +09:00
cat 940ee00ffe container/init: configurable lingering process wait delay 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 02:38:17 +09:00
cat d6b07f12ff container: forward context cancellation 
This allows container processes to exit gracefully.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-28 01:45:38 +09:00
cat 65fe09caf9 container: check cancel signal delivery 
This change also makes some parts of the test more robust.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-28 01:04:29 +09:00
cat a1e5f020f4 container: improve doc comments 
Putting them on the builder methods is more useful.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-27 12:27:42 +09:00
cat bd3fa53a55 container: access test case by index in helper 
This is more elegant and allows for much easier extension of the tests. Mountinfo is still serialised however due to libPaths nondeterminism.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:59:19 +09:00
cat e71ae3b8c5 container: remove custom cmd initialisation 
This part of the interface is very unintuitive and only used for testing, even in testing it is inelegant and can be done better.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-25 00:45:10 +09:00
cat 9d7a19d162 container: use more reliable nonexistence 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-18 23:18:26 +09:00
cat 749a2779f5 test/sandbox: add arm64 constants 
Most of these are differences in qemu.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 05:36:35 +09:00
cat e574042d76 test/sandbox: verify seccomp on all test cases 
This change also makes seccomp hashes cross-platform.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 04:21:35 +09:00
cat d90da1c8f5 container/seccomp: add arm64 constants 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 14:58:03 +09:00
cat 5853d7700f container/seccomp: move bpf hashes 
Filter programs are different across platforms. This representation is also much more readable.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 14:41:47 +09:00
cat d5c7523726 container/init: fix prctl call 
This is a very silly typo. Luckily has no effect due to an upper layer doing PR_SET_NO_NEW_PRIVS already.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 14:06:14 +09:00
cat ddfcc51b91 container: move capset implementation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 13:47:13 +09:00
cat 8ebedbd88a container: move syscall constants 
These aren't missing from all targets.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 13:23:01 +09:00
cat 84e8142a2d container/seccomp: move personality constants 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 12:44:32 +09:00
cat 2c7b7ad845 container/seccomp: cross-platform sysnum cutoff 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 12:27:00 +09:00
cat 356b42a406 container/init: use /proc/self as intermediate 
Setting up via /tmp is okay, /proc/self/fd makes a lot more sense though for reasons described in the comment.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-06 02:14:35 +09:00
cat d2f9a9b83b treewide: migrate to hakurei.app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 03:30:39 +09:00
cat 1b5ecd9eaf container: move out of toplevel 
This allows slightly easier use of the vanity url. This also provides some disambiguation between low level containers and hakurei app containers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 02:59:43 +09:00