maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
1,114 Commits 2 Branches 12 Tags
2442eda8d960681d53e5f463a974a7f44ffe312e
Commit Graph

137 Commits

Author SHA1 Message Date
Ophestra
0fd357e7f6 container/init: do not suspend output 
Init is not very talkative after process start even when verbose. Suspending output here is pointless and does more harm than good.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-23 08:11:00 +09:00
Ophestra
57231d4acf container/init: improve signal handling 
The SIGTERM signal is delivered in many other cases and can lead to strange behaviour. The unconditional resume of the logger also causes strange behaviour in the cancellation forwarding path. This change also passes through additional signals.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-23 08:02:03 +09:00
Ophestra
c5f59c5488 container/syscall: export prctl wrapper 
This is useful as package "syscall" does not provide such a wrapper. This change also improves error handling to fully conform to the manpage.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-22 05:26:54 +09:00
Ophestra
622f945c22 container/init: check msg in entrypoint 
This covers invalid call to Init.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-22 04:20:08 +09:00
Ophestra
e94acc424c container/comp: rename from bits 
This package will also hold syscall lookup tables for seccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-21 20:54:03 +09:00
Ophestra
b9459a80c7 container/init: check use constants for open flags 
These bits are arch-specific.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-21 03:13:58 +09:00
Ophestra
f8189d1488 container/syscall: dot-import syscall 
This avoids having arch-specific constants for arm64.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-21 03:09:14 +09:00
Ophestra
ae65491223 container/init: use one channel for wait4 
When using two channels it is possible for the other case to be reached before all pending winfo are consumed, causing incorrect reporting.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-15 21:35:19 +09:00
Ophestra
e5ff40e7d3 container: synchronise after notify 
This should eliminate intermittent failures in the forward test.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-13 19:17:19 +09:00
Ophestra
123d7fbfd5 container/seccomp: remove export pipe 
This was only useful when wrapping bwrap.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-13 18:51:35 +09:00
Ophestra
7638a44fa6 treewide: parallel tests 
Most tests already had no global state, however parallel was never enabled. This change enables it for all applicable tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-13 04:38:48 +09:00
Ophestra
bff2a1e748 container/initplace: remove indirect method 
This is no longer useful and is highly error-prone.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-13 01:06:45 +09:00
Ophestra
f5a597c406 hst: rename /.hakurei constant 
This provides disambiguation from fhs.AbsTmp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-11 14:32:35 +09:00
Ophestra
50f6fcb326 container/stub: mark test overrides as helper 
This fixes line information in test reporting messages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-10 22:15:20 +09:00
Ophestra
a941ac025f container/init: unwrap descriptive fatal error 
These errors are printed with a descriptive message prefixed to them, so it is more readable to expose the underlying errno.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-09 22:04:35 +09:00
Ophestra
87b5c30ef6 message: relocate from container 
This package is quite useful. This change allows it to be imported without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-09 05:18:19 +09:00
Ophestra
1f0226f7e0 container/check: relocate overlay escape 
This is used in hst to format strings.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 23:56:19 +09:00
Ophestra
584ce3da68 container/bits: move bind bits 
This allows referring to the bits without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 21:38:31 +09:00
Ophestra
5d18af0007 container/fhs: move pathname constants 
This allows referencing FHS pathnames without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 21:29:16 +09:00
Ophestra
0e6c1a5026 container/check: move absolute pathname 
This allows use of absolute pathname values without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 20:57:58 +09:00
Ophestra
3ce63e95d7 container: move seccomp preset bits 
This allows holding the bits without cgo.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 18:28:20 +09:00
Ophestra
46cd3a28c8 container: remove global msg 
This frees all container instances of side effects.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-29 06:11:47 +09:00
Ophestra
e55822c62f container/init: reduce verbose noise 
This makes it possible to optionally omit the identifying verbose message, for when the Op implementation can provide a much more useful message in its case, using information not yet available to the String method.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-28 21:51:10 +09:00
Ophestra
802e6afa34 container/output: move global output to msg 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-27 19:55:37 +09:00
Ophestra
e906cae9ee container/output: export suspendable writer 
This is quite useful for other packages as well. This change prepares internal/hlog for removal.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-27 19:46:35 +09:00
Ophestra
3f25c3f0af container: initialise cmd early 
This allows use of more cmd methods.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-13 20:01:33 +09:00
Ophestra
e81a45e849 container/dispatcher: optional stub wait4 signal association 
This synchronises the wait4 return after the toplevel signal call in lowlastcap_signaled_cancel_forward_error.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-04 20:28:49 +09:00
Ophestra
3920acf8c2 container/stub: remove function call in handleExit 
This gets inlined and does not cause problems usually but turns out -coverpkg uninlines it and breaks the recovery.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-04 19:39:12 +09:00
Ophestra
19630a9593 container/dispatcher: remove wait4 test log 
Turns out the reporting methods are not safe for concurrent use, despite the claim in testing.T doc comment.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-04 05:30:57 +09:00
Ophestra
4051577d6b container/stub: override goexit methods 
FailNow, Fatal, Fatalf, SkipNow, Skip and Skipf must be called from the goroutine created by the test.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-04 04:51:49 +09:00
Ophestra
1b5d20a39b container/dispatcher: stub.Call initialisation helper function 
This keeps composites analysis happy without making the test cases (too) bloated.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-02 04:44:08 +09:00
Ophestra
49600a6f46 container/stub: export stub helpers 
These are very useful in many packages containing relatively large amount of code making calls to difficult or impossible to stub functions.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-31 23:11:25 +09:00
Ophestra
780e3e5465 container/msg: optionally provide error messages 
This makes handling of fatal errors a lot less squirmy.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-31 11:57:59 +09:00
Ophestra
712cfc06d7 container: wrap container init start errors 
This helps indicate the exact origin and nature of the error. This eliminates generic WrapErr from container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-30 23:44:48 +09:00
Ophestra
08eeafe817 container/mount: unwrap vfs decoder errors 
These are now handled by init. This eliminates generic WrapErr from mount and procPaths.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 22:15:05 +09:00
Ophestra
d7c7c69a13 container/dispatcher: check simple test errors via reflect 
Again, avoids the errors package concealing unexpected behaviours.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 22:12:21 +09:00
Ophestra
50972096cd container/vfs: wrap decoder errors 
This passes line information and handles strconv errors so it reads better.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 21:51:31 +09:00
Ophestra
905b9f9785 container/initoverlay: invalid argument type 
This eliminates generic WrapErr from overlay.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 02:56:56 +09:00
Ophestra
1c7e634f09 container/dispatcher: check test errors via reflect 
Using the errors package might conceal some incorrect behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 02:35:24 +09:00
Ophestra
8d472ebf2b container/inittmpfs: unwrap out of bounds error 
This eliminates generic WrapErr from tmpfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 02:15:48 +09:00
Ophestra
4da6463135 container/init: unwrap path errors 
These are also now handled by init properly, so wrapping them in self is meaningless and unreachable.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 02:04:09 +09:00
Ophestra
eb3385d490 container/initsymlink: unwrap mount errors 
The mount function now wraps its own errors in a much more descriptive type with proper message formatting. Wrapping them no longer makes any sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 01:46:54 +09:00
Ophestra
b8669338da container/initsymlink: unwrap absolute error 
This is now handled properly by the init.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 01:43:11 +09:00
Ophestra
f24dd4ab8c container/init: handle unwrapped errors 
This is much cleaner from both the return statement and the error handling.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 01:37:13 +09:00
Ophestra
a462341a0a container: repeat and impossible state types 
This moves repeated Op errors and impossible internal state errors off of msg.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 01:12:02 +09:00
Ophestra
84ad9791e2 container: wrap mount syscall errno 
This is the first step to deprecating the generalised error wrapping error message pattern.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-29 01:06:12 +09:00
Ophestra
9bc8532d56 container/initdev: mount tmpfs on shm for ro dev 
Programs expect /dev/shm to be a writable tmpfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 03:27:07 +09:00
Ophestra
2e0a4795f6 container/initbind: optional ensure host directory 
This is used for ensuring persistent data directories specific to the container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 00:44:45 +09:00
Ophestra
8db906ee64 container/dispatcher: remove exit stub test log 
Turns out testing.T does not like being called in defer.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-25 17:33:35 +09:00
Ophestra
cedfceded5 container/autoroot: remove prefix field 
This field has been a noop for a long time. Remove it to prevent further confusion.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-25 03:39:20 +09:00