maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
727 Commits 2 Branches 12 Tags
807d511c8b87b9a173bd89ee49c73330fa8b93c7
Commit Graph

16 Commits

Author SHA1 Message Date
Ophestra
2f4f21fb18 fst: rename device field 
Dev is very ambiguous. Rename it here alongside upcoming config changes.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:32:15 +09:00
Ophestra
9967909460 sandbox: relative autoetc links 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
Ophestra
c806f43881 sandbox: implement autoetc as setup op 
This significantly reduces setup op count and the readdir call now happens in the context of the init process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-10 18:54:25 +09:00
Ophestra
584405f7cc sandbox/seccomp: rename flag type and constants 
The names are ambiguous. Rename them to make more sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-08 01:59:45 +09:00
Ophestra
7f2c0af5ad fst: set multiarch bit 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 22:55:00 +09:00
Ophestra
c326c3f97d fst/sandbox: do not create /etc in advance 
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:00:34 +09:00
Ophestra
5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
Ophestra
7c063833e0 internal/sys: wrap getuid/getgid 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 17:10:03 +09:00
Ophestra
ef81828e0c app: remove share method 
This is yet another implementation detail from before system.I, getting rid of this vastly cuts down on redundant seal state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-19 16:20:25 +09:00
Ophestra
648e1d641a app: separate interface from implementation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 23:07:28 +09:00
Ophestra
3c327084d3 fst: declare wrappers for sandbox config 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 23:04:13 +09:00
Ophestra
e0f321b2c4 sys: rename from linux 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-18 18:47:48 +09:00
Ophestra
e599b5583d fmsg: implement suspend in writer 
This removes the requirement to call fmsg.Exit on every exit path, and enables direct use of the "log" package. However, fmsg.BeforeExit is still encouraged when possible to catch exit on suspended output.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-16 18:51:53 +09:00
Ophestra
9a239fa1a5 helper/bwrap: integrate seccomp into helper interface 
This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-22 01:52:57 +09:00
Ophestra
562f5ed797 fst: hide sockets exposed via Filesystem 
This is mostly useful for permissive defaults.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-15 10:13:18 +09:00
Ophestra
db03565614 fst: move sandbox struct to separate file 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-15 09:42:44 +09:00