maemachinebroke/hakurei
1
0
Fork 0
forked from rosa/hakurei
Code Pull Requests Activity
2,444 Commits 7 Branches 12 Tags
94173eafffbc198d7e011613af77cc75f6c6d2a5
Commit Graph

2444 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
cat a102178019 sys: update doc comment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 22:43:17 +09:00
cat e400862a12 state/multi: fix backend cache population race 
This race is never able to happen since no caller concurrently requests the same aid yet.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 22:37:08 +09:00
cat 184e9db2b2 sandbox: support privileged container 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 19:40:19 +09:00
cat 605d018be2 app/seal: check for '=' in envv 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 18:25:23 +09:00
cat 78aaae7ee0 helper/args: copy args on wt creation 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 18:22:07 +09:00
cat 5c82f1ed3e helper/stub: output to stdout 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 17:25:10 +09:00
cat f8502c3ece test/sandbox: check environment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:16:33 +09:00
cat 996b42634d test/sandbox: invoke check program directly 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:11:50 +09:00
cat 300571af47 app: pass through $SHELL 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 01:22:40 +09:00
cat 32c90ef4e7 nix: pass through exec arguments 
This is useful for when a wrapper script is unnecessary.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:04:46 +09:00
cat 2a4e2724a3 release: 0.3.1 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:48:50 +09:00
cat d613257841 sandbox/init: clear inheritable set 
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:46:13 +09:00
cat 18644d90be sandbox: wrap capset syscall 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:44:07 +09:00
cat 52fcc48ac1 sandbox/init: drop capabilities 
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:32:08 +09:00
cat 8b69bcd215 sandbox: cache kernel.cap_last_cap value 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:19:19 +09:00
cat 2dd49c437c app: create XDG_RUNTIME_DIR with perm 0700 
Many programs complain about this.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:49:37 +09:00
cat 92852d8235 release: 0.3.0 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:18:59 +09:00
cat 371dd5b938 nix: create current-system symlink 
This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:06:11 +09:00
cat 4836d570ae test: raise long timeout to 15 seconds 
The race detector really slows down container tooling.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 01:59:05 +09:00
cat 985f9442e6 sandbox: copy symlink with magic prefix 
This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 01:42:39 +09:00
cat 67eb28466d nix: create opengl-driver symlink 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:52:20 +09:00
cat c326c3f97d fst/sandbox: do not create /etc in advance 
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:00:34 +09:00
cat 971c79bb80 sandbox: remove hardcoded parent perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:49:51 +09:00
cat f86d868274 sandbox: wrap error with its own text message 
PathError has a pretty good text message, many of them are wrapped with its own text message. This change adds a function to do just that to improve readability.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:42:20 +09:00
cat 33940265a6 sandbox: do not ensure symlink target 
This masks EEXIST on target and might clobber filesystems and lead to other confusing behaviour. Create its parent instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:30:53 +09:00
cat b39f3aeb59 helper: remove bubblewrap wrapper 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:35:02 +09:00
cat 61dbfeffe7 sandbox/wl: move into sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:26:37 +09:00
cat 532feb4bfa app: merge shim into app package 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:21:47 +09:00
cat ec5e91b8c9 system: optimise string formatting 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 04:42:30 +09:00
cat ee51320abf test: check revert type selection 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 04:37:58 +09:00
cat 5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
cat e732dca762 wl: fix sync pipe keepalive 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:33:37 +09:00
cat a9adcd914b fortify/parse: omit try fd fallthrough message 
This reduces noise in verbose output.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:21:11 +09:00
cat 3dd4ff29c8 test/sandbox: check mount table length 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:36:53 +09:00
cat 61d86c5e10 test/sandbox: fix stdout tty check 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:23:50 +09:00
cat d097eaa28f test/sandbox: unquote fail messages 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:03:53 +09:00
cat ad3576c164 sandbox: resolve tty name 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:03:07 +09:00
cat b989a4601a test/sandbox: fail on mismatched mount entry 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:43:32 +09:00
cat a11237b158 sandbox/vfs: add doc comments 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:21:55 +09:00
cat 40f00d570e sandbox: set mkdir perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 12:51:39 +09:00
cat 0eb1bc6301 test/sandbox: verify outcome via mountinfo 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 01:42:38 +09:00
cat 1eb837eab8 test/sandbox: warn about misuse in doc comment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 23:28:28 +09:00
cat 0a4e633db2 nix: filter test from source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 22:20:19 +09:00
cat e8809125d4 sandbox: verify outcome via mountinfo 
This contains much more information than /proc/mounts and allows for more fields to be checked. This also removes the dependency on the test package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 22:17:36 +09:00
cat 806ce18c0a test/sandbox: check mapuid outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:56:07 +09:00
cat b71d2bf534 test/sandbox: check tty outcome 
This makes no difference currently but has different behaviour in the native sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:28:57 +09:00
cat 46059b1840 test/sandbox: print mismatching file content 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:24:52 +09:00
cat d2c329bcea test: format path aid offsets 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:21:14 +09:00
cat 2d379b5a38 test/sandbox: pass want file as argument 
This avoids building the check program multiple times.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 15:00:59 +09:00
cat 75e0c5d406 test/sandbox: parse full test case 
This makes declaring multiple tests much cleaner.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 14:53:50 +09:00