maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
769 Commits 1 Branch 12 Tags
31aef905fa819310ee7694775a836c294ff742e4
Commit Graph

17 Commits

Author SHA1 Message Date
Ophestra
31aef905fa sandbox: expose seccomp interface 
There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 04:47:13 +09:00
Ophestra
a6887f7253 sandbox/seccomp: import dot for syscall 
This significantly increases readability in some places.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 02:30:35 +09:00
Ophestra
26b7afc890 sandbox/seccomp: prepare -> export 
Export makes a lot more sense, and also matches the libseccomp function.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 00:32:48 +09:00
Ophestra
1a8840bebc sandbox/seccomp: resolve rules natively 
This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 22:11:32 +09:00
Ophestra
87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
584405f7cc sandbox/seccomp: rename flag type and constants 
The names are ambiguous. Rename them to make more sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-08 01:59:45 +09:00
Ophestra
0ba8be659f sandbox: document less obvious parts of setup 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-01 01:21:04 +09:00
Ophestra
184e9db2b2 sandbox: support privileged container 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 19:40:19 +09:00
Ophestra
52fcc48ac1 sandbox/init: drop capabilities 
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:32:08 +09:00
Ophestra
971c79bb80 sandbox: remove hardcoded parent perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:49:51 +09:00
Ophestra
61dbfeffe7 sandbox/wl: move into sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:26:37 +09:00
Ophestra
b74a08dda9 sandbox: prepare ops early 
Some setup code needs to run in host root. This change allows that to happen.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-18 02:17:46 +09:00
Ophestra
1b9408864f sandbox: pass cmd to cancel function 
This is not usually in scope otherwise.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:36:39 +09:00
Ophestra
816b372f14 sandbox: cancel process on serve error 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:49:45 +09:00
Ophestra
d7eddd54a2 sandbox: rename params struct 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:45:08 +09:00
Ophestra
af3619d440 sandbox: create symlinks 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:37:56 +09:00
Ophestra
24618ab9a1 sandbox: move out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:55:36 +09:00