maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
1,297 Commits 1 Branch 12 Tags
87781c765844409226804157546753b84ef3c6b4
Commit Graph

40 Commits

Author SHA1 Message Date
Ophestra
87781c7658 treewide: include PipeWire op and enforce PulseAudio check 
This fully replaces PulseAudio with PipeWire and enforces the PulseAudio check and error message. The pipewire-pulse daemon is handled in the NixOS module.

Closes #26.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-08 08:53:04 +09:00
Ophestra
cb9ebf0e15 hst/grp_pwd: specify new uid format 
This leaves slots available for additional uid ranges in Rosa OS.

This breaks all existing installations! Users are required to fix ownership manually.

Closes #18.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-04 08:24:41 +09:00
Ophestra
699c19e972 hst/container: optional runtime and tmpdir sharing 
Sharing and persisting these directories do not always make sense. Make it optional here.

Closes #16.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-19 04:11:38 +09:00
Ophestra
e47aebb7a0 internal/app/outcome: apply configured filesystems late 
This enables configured filesystems to cover system mount points.

Closes #8.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-19 01:41:52 +09:00
Ophestra
d4284c109d internal/app/spruntime: emulate pam_systemd type 
This sets XDG_SESSION_TYPE to the corresponding values specified in pam_systemd(8) according to enablements.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-18 04:33:04 +09:00
Ophestra
83c4f8b767 test/sandbox: check extra writable paths 
This is not always obvious from mountinfo.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-14 15:12:51 +09:00
Ophestra
d0ddd71934 test/sandbox: bind /var/tmp writable 
This makes it possible to place markers with private tmpdir.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-14 14:59:53 +09:00
Ophestra
ca247b8037 internal/app: mount /dev/shm early 
This avoids covering /dev/shm mounts from hst.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-09-14 01:49:42 +09:00
Ophestra
acb6931f3e app/seal: leave $DISPLAY as is on host abstract 
This helps work around faulty software that misinterprets unix: DISPLAY string.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-27 20:42:03 +09:00
Ophestra
9bc8532d56 container/initdev: mount tmpfs on shm for ro dev 
Programs expect /dev/shm to be a writable tmpfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 03:27:07 +09:00
Ophestra
4cf694d2b3 hst: use hsu userid for share path suffix 
The privileged user is identifier to hakurei through its hsu userid. Using the kernel uid here makes little sense and is a leftover design choice from before hsu was implemented.

Closes #7.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 02:16:33 +09:00
Ophestra
c9facb746b hst/config: remove data field, rename dir to home 
There is no reason to give the home directory special treatment, as this behaviour can be quite confusing. The home directory also does not necessarily require its own mount point, it could be provided by a parent or simply be ephemeral.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 00:56:10 +09:00
Clayton Gilmer
5db0714072 container: optionally isolate host abstract UNIX domain sockets via landlock 2025-08-18 16:28:14 +09:00
Ophestra
83a1c75f1a app: set up acl on X11 socket 
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 11:30:58 +09:00
Ophestra
9ed3ba85ea hst/fs: implement overlay fstype 
This finally exposes overlay mounts in the high level hakurei API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 04:00:55 +09:00
Ophestra
38245559dc container/ops: mount dev readonly 
There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 19:18:53 +09:00
Ophestra
3b8a3d3b00 app: remount root readonly 
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:56:28 +09:00
Ophestra
ec33061c92 nix: remove nscd cover 
This is a pd workaround that does nothing in the nixos module.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 22:04:58 +09:00
Ophestra
547a2adaa4 container/mount: pass tmpfs flags 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 18:59:06 +09:00
Ophestra
625632c593 nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:57:54 +09:00
Ophestra
749a2779f5 test/sandbox: add arm64 constants 
Most of these are differences in qemu.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 05:36:35 +09:00
Ophestra
e574042d76 test/sandbox: verify seccomp on all test cases 
This change also makes seccomp hashes cross-platform.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 04:21:35 +09:00
Ophestra
87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
717771ae80 app: share runtime dir 
This allows apps with the same identity to access the same runtime dir.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-08 03:24:48 +09:00
Ophestra
b7e991de5b nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
Ophestra
f30a439bcd nix: improve common usability 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-16 04:40:12 +09:00
Ophestra
008e9e7fc5 nix: update flake lock 2025-05-07 21:35:37 +09:00
Ophestra
807d511c8b test/sandbox: check device outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:55:16 +09:00
Ophestra
9967909460 sandbox: relative autoetc links 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
Ophestra
297b444dfb test: separate app and sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 22:09:46 +09:00
Ophestra
f8502c3ece test/sandbox: check environment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:16:33 +09:00
Ophestra
2dd49c437c app: create XDG_RUNTIME_DIR with perm 0700 
Many programs complain about this.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:49:37 +09:00
Ophestra
371dd5b938 nix: create current-system symlink 
This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:06:11 +09:00
Ophestra
67eb28466d nix: create opengl-driver symlink 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:52:20 +09:00
Ophestra
c326c3f97d fst/sandbox: do not create /etc in advance 
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:00:34 +09:00
Ophestra
5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
Ophestra
61d86c5e10 test/sandbox: fix stdout tty check 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:23:50 +09:00
Ophestra
b989a4601a test/sandbox: fail on mismatched mount entry 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:43:32 +09:00
Ophestra
0eb1bc6301 test/sandbox: verify outcome via mountinfo 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 01:42:38 +09:00
Ophestra
806ce18c0a test/sandbox: check mapuid outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:56:07 +09:00