9ed3ba85ea
hst/fs: implement overlay fstype
...
This finally exposes overlay mounts in the high level hakurei API.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-15 04:00:55 +09:00
4433c993fa
nix: check config via hakurei
...
This is unfortunately the only feasible way of doing this in nix.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-15 03:27:54 +09:00
38245559dc
container/ops: mount dev readonly
...
There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-03 19:18:53 +09:00
3b8a3d3b00
app: remount root readonly
...
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 23:56:28 +09:00
ec33061c92
nix: remove nscd cover
...
This is a pd workaround that does nothing in the nixos module.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 22:04:58 +09:00
af0899de96
hst/container: mount tmpfs via magic src string
...
There's often good reason to mount tmpfs in the container.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 21:23:52 +09:00
547a2adaa4
container/mount: pass tmpfs flags
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 18:59:06 +09:00
387b86bcdd
app: integrate container autoroot
...
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 04:21:54 +09:00
987981df73
test/sandbox: check pd behaviour
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 03:27:02 +09:00
625632c593
nix: update flake lock
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-26 18:57:54 +09:00
749a2779f5
test/sandbox: add arm64 constants
...
Most of these are differences in qemu.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-09 05:36:35 +09:00
e574042d76
test/sandbox: verify seccomp on all test cases
...
This change also makes seccomp hashes cross-platform.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-09 04:21:35 +09:00
2b44493e8a
test/sandbox: guard on testtool tag
...
This tool should not show up when building hakurei normally.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-07 20:11:29 +09:00
c30dd4e630
test/sandbox/seccomp: remove uselib
...
This syscall is not wired on all platforms. This test barely does anything anyway and seccomp is covered by the privileged test instrumentation.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-07 15:28:55 +09:00
d2f9a9b83b
treewide: migrate to hakurei.app
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-03 03:30:39 +09:00
87e008d56d
treewide: rename to hakurei
...
Fortify makes little sense for a container tool.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-25 04:57:41 +09:00
717771ae80
app: share runtime dir
...
This allows apps with the same identity to access the same runtime dir.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-08 03:24:48 +09:00
b7e991de5b
nix: update flake lock
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-05 04:05:39 +09:00
2ffca6984a
nix: use reverse-DNS style id as unique identifier
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-05-25 20:12:30 +09:00
f30a439bcd
nix: improve common usability
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-05-16 04:40:12 +09:00
008e9e7fc5
nix: update flake lock
2025-05-07 21:35:37 +09:00
ae6f5ede19
fst: mount passthrough /dev writable
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 20:01:54 +09:00
807d511c8b
test/sandbox: check device outcome
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 19:55:16 +09:00
9967909460
sandbox: relative autoetc links
...
This allows nested containers to use autoetc, and increases compatibility with other implementations.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 18:54:00 +09:00
297b444dfb
test: separate app and sandbox
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 22:09:46 +09:00
89a05909a4
test: move test program to sandbox directory
...
This prepares for the separation of app and sandbox tests.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 21:09:16 +09:00
f772940768
test/sandbox: treat ESRCH as temporary failure
...
This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 03:50:59 +09:00
8886c40974
test/sandbox: separate check filter
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 02:15:08 +09:00
8b62e08b44
test: build test program in nixos config
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-29 19:33:17 +09:00
ff3cfbb437
test/sandbox: check seccomp outcome
...
This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 02:24:27 +09:00
389402f955
test/sandbox/ptrace: generic filter block type
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 01:47:24 +09:00
660a2898dc
test/sandbox/ptrace: dump seccomp bpf program
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 01:35:56 +09:00
faf59e12c0
test/sandbox: expose test tool
...
Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 00:08:47 +09:00
d97a03c7c6
test/sandbox: separate test tool source
...
This improves readability and allows gofmt to format the file.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 23:43:13 +09:00
f8502c3ece
test/sandbox: check environment
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 03:16:33 +09:00
996b42634d
test/sandbox: invoke check program directly
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 03:11:50 +09:00
2dd49c437c
app: create XDG_RUNTIME_DIR with perm 0700
...
Many programs complain about this.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 02:49:37 +09:00
371dd5b938
nix: create current-system symlink
...
This is copied at runtime because it appears to be impossible to obtain this path in nix.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 02:06:11 +09:00
67eb28466d
nix: create opengl-driver symlink
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 20:52:20 +09:00
c326c3f97d
fst/sandbox: do not create /etc in advance
...
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 20:00:34 +09:00
5c4058d5ac
app: run in native sandbox
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-25 01:52:49 +09:00
3dd4ff29c8
test/sandbox: check mount table length
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 16:36:53 +09:00
61d86c5e10
test/sandbox: fix stdout tty check
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 16:23:50 +09:00
d097eaa28f
test/sandbox: unquote fail messages
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 16:03:53 +09:00
b989a4601a
test/sandbox: fail on mismatched mount entry
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 13:43:32 +09:00
0eb1bc6301
test/sandbox: verify outcome via mountinfo
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-24 01:42:38 +09:00
1eb837eab8
test/sandbox: warn about misuse in doc comment
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-23 23:28:28 +09:00
806ce18c0a
test/sandbox: check mapuid outcome
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-23 17:56:07 +09:00
b71d2bf534
test/sandbox: check tty outcome
...
This makes no difference currently but has different behaviour in the native sandbox.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-23 17:28:57 +09:00
46059b1840
test/sandbox: print mismatching file content
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-23 17:24:52 +09:00
