maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
904 Commits 1 Branch 12 Tags
2baa2d7063468e6da2ae68348737cee33ffbda9f
Commit Graph

86 Commits

Author SHA1 Message Date
Ophestra
2baa2d7063 container/init: measure init behaviour 
This used to be entirely done via integration tests, with almost no hope of error injection and coverage profile. These tests significantly increase confidence of future work in this area.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-24 04:52:32 +09:00
Ophestra
0166833431 container/dispatcher: start goroutine in dispatcher 
This allows instrumentation of calls from goroutine without relying on finalizers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-23 21:58:40 +09:00
Ophestra
b3da3da525 container/init: avoid multiple lastcap calls 
This reduces the size of []kexpect in the test suite.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-23 11:09:11 +09:00
Ophestra
1b3902df78 container/dispatcher: instrument each goroutine individually 
Scheduler nondeterminism cannot be accounted for, so do this instead.

There should not be any performance penalty as these calls are optimised out for direct.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-23 11:07:16 +09:00
Ophestra
ea1e3ebae9 container/params: pass fd instead of file 
The file is very difficult to stub. Pass fd instead as it is the value that is actually useful.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-23 00:16:46 +09:00
Ophestra
1c692bfb79 container/init: call lockOSThread through dispatcher 
This degrades test performance if not stubbed out.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-22 22:24:14 +09:00
Ophestra
141a18999f container: move integration test helpers 
With the new instrumentation it is now possible to run init code outside integration tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-22 22:07:19 +09:00
Ophestra
afe23600d2 container/path: use syscall dispatcher 
This allows path and mount functions to be instrumented.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-22 22:02:21 +09:00
Ophestra
09d2844981 container/init: wrap syscall helper functions 
This allows tests to stub all kernel behaviour, enabling measurement of all function call arguments and error injection.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-22 19:27:31 +09:00
Ophestra
5b73316ae0 container/syscall: doc comments from manpages 
These are pulled straight from the manpages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-21 00:33:46 +09:00
Ophestra
5d8a2199b6 container/init: op interface valid method 
Check ops early and eliminate duplicate checks.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-21 00:18:50 +09:00
Ophestra
a1482ecdd0 container/inittmpfs: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 20:17:28 +09:00
Ophestra
a07f9ed84c container/initsymlink: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 20:03:02 +09:00
Ophestra
51304b03af container/initremount: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 19:55:51 +09:00
Ophestra
c6397b941f container/initproc: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 19:29:45 +09:00
Ophestra
d65e5f817a container/initplace: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 19:19:27 +09:00
Ophestra
696e593898 container/initoverlay: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 17:33:15 +09:00
Ophestra
97ab24feef container/init: use absolute compare method 
More checks are also added.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 17:14:36 +09:00
Ophestra
31f0dd36df absolute: efficient equivalence check method 
This is more efficient and makes the call site cleaner.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 17:06:38 +09:00
Ophestra
9aec2f46fe container/initdev: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 02:55:45 +09:00
Ophestra
022cc26b2e container/capability: check CAP_TO_INDEX and CAP_TO_MASK 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 02:45:00 +09:00
Ophestra
b4c018da8f container/autoetc: do not bypass absolute check 
This can now be done cleanly via path function wrappers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 02:37:11 +09:00
Ophestra
66f52407d3 container/initmkdir: check path equivalence by value 
Fixes regression introduced while integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 02:32:22 +09:00
Ophestra
e463faf649 container/initbind: check path equivalence by value 
Same problem as autoroot, never updated the checks after integrating Absolute.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 02:22:04 +09:00
Ophestra
375acb476d container/autoroot: check host path equivalence by value 
This will never return true otherwise unless the equivalent paths happen to be interned by the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 02:14:39 +09:00
Ophestra
c81c9a9d75 container/init: split setup ops into individual files 
This significantly increases readability.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 01:28:31 +09:00
Ophestra
339e4080dc container/ops: move Op type to init file 
This helps with the eventual separation of all setup ops into individual files.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 01:11:24 +09:00
Ophestra
e0533aaa68 container/autoroot: filter dentry with empty name 
This is unreachable, but nice to have just in case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 01:03:49 +09:00
Ophestra
13c7083bc0 container: ptrace protection via Yama LSM 
This is only a nice to have feature as the init process has no additional privileges and the monitor process was never reachable anyway.

Closes #4.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-20 00:43:55 +09:00
Ophestra
140fe21237 container/params: check setup/receive behaviour 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 22:30:34 +09:00
Ophestra
f52d2c7db6 container/path: check create and mountinfo helpers 
These can quite easily be checked within the framework. The scanner fault injection might require updating at some point if the implementation changes.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 21:30:28 +09:00
Clayton Gilmer
5db0714072 container: optionally isolate host abstract UNIX domain sockets via landlock 2025-08-18 16:28:14 +09:00
Ophestra
69a4ab8105 container: move PR_SET_NO_NEW_PRIVS to parent 
This allows some LSM setup in the parent.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 11:46:02 +09:00
Ophestra
0ac6e99818 container: start from locked thread 
This allows setup that relies on per-thread state like securebits and landlock, from the parent side.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-17 17:42:22 +09:00
Ophestra
f35733810e container: check output helper functions 
The container test suite has always been somewhat inadequate due to the inability of coverage tooling to reach into containers. This has become an excuse for not testing non-container code as well, which lead to the general lack of confidence when working with container code. This change aims to be one of many to address that to some extent.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-17 02:59:37 +09:00
Ophestra
9c1a5d43ba container: enforce nonrepeatable autoetc and autoroot 
These keep track of some internal state, and they don't make sense to have multiple instances of anyway, so instead of dealing with that, just make them nonrepetable.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-17 01:43:11 +09:00
Ophestra
8aa65f28c6 container: allow additional state between ops 
This is useful for ops that need to be aware of previous instances of themselves.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-17 01:32:07 +09:00
Ophestra
ba3227bf15 container: export overlay escape 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-14 23:44:11 +09:00
Ophestra
332d90d6c7 container/path: remove unused path 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-14 05:00:09 +09:00
Ophestra
e99d7affb0 container: use absolute for pathname 
This is simultaneously more efficient and less error-prone. This change caused minor API changes in multiple other packages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-11 04:56:42 +09:00
Ophestra
41ac2be965 container/absolute: wrap safe stdlib functions 
These functions do not change the absoluteness of a pathname.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-10 03:11:10 +09:00
Ophestra
02271583fb container: remove PATH lookup behaviour 
This is way higher level than the container package and does not even work unless every path is mounted in the exact same location.

This behaviour causes nothing but confusion and problems,

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-09 19:08:54 +09:00
Ophestra
ef54b2cd08 container/absolute: early absolute pathname check 
This is less error-prone, and allows pathname to be checked once.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-09 18:53:46 +09:00
Ophestra
82608164f6 container/params: remove confusingly named error 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-09 17:37:46 +09:00
Ophestra
edd6f2cfa9 container: document ambient capabilities 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 02:11:55 +09:00
Ophestra
acffa76812 container/ops: implement overlay op 
There are significant limitations to using the overlay mount, and the implementation in the kernel is quite quirky. For now the Op is quite robust, however a higher level interface for it has not been decided yet.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 01:54:48 +09:00
Ophestra
8da76483e6 container/path: fix typo "paths" 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 01:32:48 +09:00
Ophestra
534c932906 container: test case runtime initialisation 
This allows for more sophisticated test setup.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 01:03:35 +09:00
Ophestra
fee10fed4d container: test bypass output buffer on verbose 
This restores verbose behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 00:57:27 +09:00
Ophestra
f1a53d6116 container: raise CAP_DAC_OVERRIDE 
This is required for upperdir and workdir checks in overlayfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-08 00:43:19 +09:00