maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
821 Commits 1 Branch 12 Tags
3b8a3d3b004695d79745c34821b33cfbe41048a9
Commit Graph

821 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ophestra
3b8a3d3b00 app: remount root readonly 
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:56:28 +09:00
Ophestra
c5d24979f5 container/ops: expose remount as Op 
This is useful for building a filesystem hierarchy then remounting it readonly.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:48:02 +09:00
Ophestra
1dc780bca7 container/mount: separate remount from bind 
Remount turns out to be useful in other places.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:32:38 +09:00
Ophestra
ec33061c92 nix: remove nscd cover 
This is a pd workaround that does nothing in the nixos module.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 22:04:58 +09:00
Ophestra
af0899de96 hst/container: mount tmpfs via magic src string 
There's often good reason to mount tmpfs in the container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 21:23:52 +09:00
Ophestra
547a2adaa4 container/mount: pass tmpfs flags 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 18:59:06 +09:00
Ophestra
c02948e155 cmd/hakurei: print autoroot configuration 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:29:01 +09:00
Ophestra
387b86bcdd app: integrate container autoroot 
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:21:54 +09:00
Ophestra
4e85643865 container: implement autoroot as setup op 
This code is useful beyond just pd behaviour, and implementing it this way also reduces IPC overhead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:04:36 +09:00
Ophestra
987981df73 test/sandbox: check pd behaviour 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 03:27:02 +09:00
Ophestra
f14e7255be container/ops: use correct flags value in bind string 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 00:54:08 +09:00
Ophestra
a8a79a8664 cmd/hpkg: rename from planterette 
Planterette is now developed in another repository, so rename this proof of concept to avoid confusion.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 23:57:11 +09:00
Ophestra
3ae0cec000 test: increase vm memory 
This hopefully fixes the intermittent failures.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 22:08:01 +09:00
Ophestra
4e518f11d8 container/ops: autoetc implementation to separate file 
This is not a general purpose setup Op. Separate it so it is easier to find.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 19:54:03 +09:00
Ophestra
cb513bb1cd release: 0.1.2 
Signed-off-by: Ophestra <cat@gensokyo.uk>
v0.1.2 		2025-07-29 03:11:33 +09:00
Ophestra
f7bd28118c hst: configurable wait delay 
This is useful for programs that take a long time to clean up.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 03:06:49 +09:00
Ophestra
940ee00ffe container/init: configurable lingering process wait delay 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 02:38:17 +09:00
Ophestra
b43d104680 app: integrate interrupt forwarding 
This significantly increases usability of command line tools running through hakurei.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 02:23:06 +09:00
Ophestra
ddf48a6c22 app/shim: implement signal handler outcome in Go 
This needs to be done from the Go side eventually anyway to integrate the signal forwarding behaviour now supported by the container package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-28 23:39:30 +09:00
Ophestra
a0f499e30a app/shim: separate signal handler implementation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-28 21:52:53 +09:00
Ophestra
d6b07f12ff container: forward context cancellation 
This allows container processes to exit gracefully.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-28 01:45:38 +09:00
Ophestra
65fe09caf9 container: check cancel signal delivery 
This change also makes some parts of the test more robust.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-28 01:04:29 +09:00
Ophestra
a1e5f020f4 container: improve doc comments 
Putting them on the builder methods is more useful.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-27 12:27:42 +09:00
Ophestra
bd3fa53a55 container: access test case by index in helper 
This is more elegant and allows for much easier extension of the tests. Mountinfo is still serialised however due to libPaths nondeterminism.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:59:19 +09:00
Ophestra
625632c593 nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:57:54 +09:00
Ophestra
e71ae3b8c5 container: remove custom cmd initialisation 
This part of the interface is very unintuitive and only used for testing, even in testing it is inelegant and can be done better.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-25 00:45:10 +09:00
Ophestra
9d7a19d162 container: use more reliable nonexistence 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-18 23:18:26 +09:00
Ophestra
6ba19a7ba5 release: 0.1.1 
Signed-off-by: Ophestra <cat@gensokyo.uk>
v0.1.1 		2025-07-09 05:42:31 +09:00
Ophestra
749a2779f5 test/sandbox: add arm64 constants 
Most of these are differences in qemu.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 05:36:35 +09:00
Ophestra
e574042d76 test/sandbox: verify seccomp on all test cases 
This change also makes seccomp hashes cross-platform.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 04:21:35 +09:00
Ophestra
2b44493e8a test/sandbox: guard on testtool tag 
This tool should not show up when building hakurei normally.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 20:11:29 +09:00
Ophestra
c30dd4e630 test/sandbox/seccomp: remove uselib 
This syscall is not wired on all platforms. This test barely does anything anyway and seccomp is covered by the privileged test instrumentation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 15:28:55 +09:00
Ophestra
d90da1c8f5 container/seccomp: add arm64 constants 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 14:58:03 +09:00
Ophestra
5853d7700f container/seccomp: move bpf hashes 
Filter programs are different across platforms. This representation is also much more readable.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 14:41:47 +09:00
Ophestra
d5c7523726 container/init: fix prctl call 
This is a very silly typo. Luckily has no effect due to an upper layer doing PR_SET_NO_NEW_PRIVS already.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 14:06:14 +09:00
Ophestra
ddfcc51b91 container: move capset implementation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 13:47:13 +09:00
Ophestra
8ebedbd88a container: move syscall constants 
These aren't missing from all targets.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 13:23:01 +09:00
Ophestra
84e8142a2d container/seccomp: move personality constants 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 12:44:32 +09:00
Ophestra
2c7b7ad845 container/seccomp: cross-platform sysnum cutoff 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 12:27:00 +09:00
Ophestra
72c2b66fc0 nix: cross-platform syscall wrapper 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 04:22:55 +09:00
Ophestra
356b42a406 container/init: use /proc/self as intermediate 
Setting up via /tmp is okay, /proc/self/fd makes a lot more sense though for reasons described in the comment.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-06 02:14:35 +09:00
Ophestra
d9b6d48e7c add miscellaneous badges 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 18:04:09 +09:00
Ophestra
087959e81b app: remove split implementation 
It is completely nonsensical and highly error-prone to have multiple implementations of this in the same build. This should be switched at compile time instead therefore the split packages are pointless.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 04:36:59 +09:00
Ophestra
e6967b8bbb release: 0.1.0 
Signed-off-by: Ophestra <cat@gensokyo.uk>
v0.1.0 		2025-07-03 03:42:58 +09:00
Ophestra
d2f9a9b83b treewide: migrate to hakurei.app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 03:30:39 +09:00
Ophestra
1b5ecd9eaf container: move out of toplevel 
This allows slightly easier use of the vanity url. This also provides some disambiguation between low level containers and hakurei app containers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 02:59:43 +09:00
Ophestra
82561d62b6 system: move system access packages 
These packages loosely belong in the "system" package and "system" provides high level wrappers for all of them.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:52:07 +09:00
Ophestra
eec021cc4b hakurei: move container helpers toplevel 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:31:29 +09:00
Ophestra
a1d98823f8 hakurei: move container toplevel 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:23:55 +09:00
Ophestra
255b77d91d cmd/hakurei: move command handlers 
The hakurei command is a bit ugly since it's also used for validating the command package. This alleviates some of the ugliness.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 20:59:17 +09:00