maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
869 Commits 1 Branch 12 Tags
5db07140726e6e1bf615ed075e9a8b653508c2a7
Commit Graph

29 Commits

Author SHA1 Message Date
Clayton Gilmer
5db0714072 container: optionally isolate host abstract UNIX domain sockets via landlock 2025-08-18 16:28:14 +09:00
Ophestra
83a1c75f1a app: set up acl on X11 socket 
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 11:30:58 +09:00
Ophestra
9ed3ba85ea hst/fs: implement overlay fstype 
This finally exposes overlay mounts in the high level hakurei API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 04:00:55 +09:00
Ophestra
38245559dc container/ops: mount dev readonly 
There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 19:18:53 +09:00
Ophestra
3b8a3d3b00 app: remount root readonly 
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:56:28 +09:00
Ophestra
ec33061c92 nix: remove nscd cover 
This is a pd workaround that does nothing in the nixos module.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 22:04:58 +09:00
Ophestra
547a2adaa4 container/mount: pass tmpfs flags 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 18:59:06 +09:00
Ophestra
625632c593 nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:57:54 +09:00
Ophestra
749a2779f5 test/sandbox: add arm64 constants 
Most of these are differences in qemu.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 05:36:35 +09:00
Ophestra
e574042d76 test/sandbox: verify seccomp on all test cases 
This change also makes seccomp hashes cross-platform.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 04:21:35 +09:00
Ophestra
87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
717771ae80 app: share runtime dir 
This allows apps with the same identity to access the same runtime dir.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-08 03:24:48 +09:00
Ophestra
b7e991de5b nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
Ophestra
f30a439bcd nix: improve common usability 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-16 04:40:12 +09:00
Ophestra
008e9e7fc5 nix: update flake lock 2025-05-07 21:35:37 +09:00
Ophestra
807d511c8b test/sandbox: check device outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:55:16 +09:00
Ophestra
9967909460 sandbox: relative autoetc links 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
Ophestra
297b444dfb test: separate app and sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 22:09:46 +09:00
Ophestra
f8502c3ece test/sandbox: check environment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:16:33 +09:00
Ophestra
2dd49c437c app: create XDG_RUNTIME_DIR with perm 0700 
Many programs complain about this.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:49:37 +09:00
Ophestra
371dd5b938 nix: create current-system symlink 
This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:06:11 +09:00
Ophestra
67eb28466d nix: create opengl-driver symlink 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:52:20 +09:00
Ophestra
c326c3f97d fst/sandbox: do not create /etc in advance 
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:00:34 +09:00
Ophestra
5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
Ophestra
61d86c5e10 test/sandbox: fix stdout tty check 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:23:50 +09:00
Ophestra
b989a4601a test/sandbox: fail on mismatched mount entry 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:43:32 +09:00
Ophestra
0eb1bc6301 test/sandbox: verify outcome via mountinfo 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 01:42:38 +09:00
Ophestra
806ce18c0a test/sandbox: check mapuid outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:56:07 +09:00
Ophestra
b71d2bf534 test/sandbox: check tty outcome 
This makes no difference currently but has different behaviour in the native sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:28:57 +09:00