maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
1,263 Commits 2 Branches 12 Tags
32fb137bb2e6eed465e94fd791abfaaab40bf674
Commit Graph

13 Commits

Author SHA1 Message Date
Ophestra
ac34635890 container: set FD_CLOEXEC on all open files 
While fd created from this side always has the FD_CLOEXEC flag, the same is not true for files left open by the parent. This change prevents those files from leaking into the container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-12 00:18:29 +09:00
Ophestra
9dec9dbc4b container/init: close setup pipe early 
This prevents leaking the setup pipe.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-11 07:31:58 +09:00
Ophestra
cb9ebf0e15 hst/grp_pwd: specify new uid format 
This leaves slots available for additional uid ranges in Rosa OS.

This breaks all existing installations! Users are required to fix ownership manually.

Closes #18.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-04 08:24:41 +09:00
Ophestra
773253fdf5 test/sandbox: raise timeout 
The integration vm is being very slow for some reason. This change should reduce spurious timeouts.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-24 19:41:59 +09:00
Ophestra
1cdc6b4246 test/sandbox: create marker in /var/tmp 
This prepares the test suite for private TMPDIR.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-14 16:45:17 +09:00
Ophestra
4cf694d2b3 hst: use hsu userid for share path suffix 
The privileged user is identifier to hakurei through its hsu userid. Using the kernel uid here makes little sense and is a leftover design choice from before hsu was implemented.

Closes #7.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 02:16:33 +09:00
Ophestra
22d577ab49 test/sandbox: do not discard stderr getting hash 
This is the first hakurei run in the test, if the container outright fails to start this is often where it happens, so throwing away the output is very unhelpful.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 11:36:13 +09:00
Ophestra
9ed3ba85ea hst/fs: implement overlay fstype 
This finally exposes overlay mounts in the high level hakurei API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 04:00:55 +09:00
Ophestra
987981df73 test/sandbox: check pd behaviour 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 03:27:02 +09:00
Ophestra
e574042d76 test/sandbox: verify seccomp on all test cases 
This change also makes seccomp hashes cross-platform.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 04:21:35 +09:00
Ophestra
87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
807d511c8b test/sandbox: check device outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:55:16 +09:00
Ophestra
297b444dfb test: separate app and sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 22:09:46 +09:00