maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
644 Commits 2 Branches 12 Tags
770b37ae166a18f495865e96ccafc6f9fb9f4e88
Commit Graph

22 Commits

Author SHA1 Message Date
Ophestra
770b37ae16 sandbox/vfs: match MS_NOSYMFOLLOW flag 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 13:57:30 +09:00
Ophestra
c638193268 sandbox: apply vfs options to bind mounts 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:27:57 +09:00
Ophestra
8c3a817881 sandbox/vfs: unfold mount hierarchy 
This presents all visible mount points under path. This is useful for applying extra vfs options to bind mounts.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:23:31 +09:00
Ophestra
e2fce321c1 sandbox/vfs: expose mountinfo line scanning 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 02:46:58 +09:00
Ophestra
d21d9c5b1d sandbox/vfs: parse vfs options 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 17:12:10 +09:00
Ophestra
a70daf2250 sandbox: resolve inverted flags in op 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:58:38 +09:00
Ophestra
5098b12e4a sandbox/vfs: count mountinfo entries 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:14:33 +09:00
Ophestra
9ddf5794dd sandbox/vfs: implement proc_pid_mountinfo(5) parser 
Test cases are mostly taken from util-linux. This implementation is more correct and slightly faster than the one found in github:kubernetes/utils.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 00:35:49 +09:00
Ophestra
b74a08dda9 sandbox: prepare ops early 
Some setup code needs to run in host root. This change allows that to happen.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-18 02:17:46 +09:00
Ophestra
1b9408864f sandbox: pass cmd to cancel function 
This is not usually in scope otherwise.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:36:39 +09:00
Ophestra
cc89dbdf63 sandbox: place files with content 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:13:22 +09:00
Ophestra
228f3301f2 sandbox: create directories 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:03:06 +09:00
Ophestra
07181138e5 sandbox/mount: pass absolute path 
This should never be used unless there is a good reason to, like using a file in the intermediate root.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:53:31 +09:00
Ophestra
816b372f14 sandbox: cancel process on serve error 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:49:45 +09:00
Ophestra
d7eddd54a2 sandbox: rename params struct 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:45:08 +09:00
Ophestra
af3619d440 sandbox: create symlinks 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:37:56 +09:00
Ophestra
528674cb6e sandbox/init: fail early on nil op 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:17:03 +09:00
Ophestra
70c9757e26 sandbox/mount: rename device flag 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 16:10:55 +09:00
Ophestra
c83a7e2efc sandbox: mount container /dev/mqueue 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 15:42:40 +09:00
Ophestra
904208b87f sandbox: unwrap path string 
Mount proc and dev takes no additional parameters.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 15:33:20 +09:00
Ophestra
007b52d81f sandbox/seccomp: check for both partial read outcomes 
This eliminates intermittent test failures.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 12:51:21 +09:00
Ophestra
24618ab9a1 sandbox: move out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:55:36 +09:00