maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
802 Commits 1 Branch 12 Tags
a0f499e30a2f2a43b7a86ad081fc6703d67a6e36
Commit Graph

79 Commits

Author SHA1 Message Date
Ophestra
625632c593 nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:57:54 +09:00
Ophestra
749a2779f5 test/sandbox: add arm64 constants 
Most of these are differences in qemu.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 05:36:35 +09:00
Ophestra
e574042d76 test/sandbox: verify seccomp on all test cases 
This change also makes seccomp hashes cross-platform.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-09 04:21:35 +09:00
Ophestra
2b44493e8a test/sandbox: guard on testtool tag 
This tool should not show up when building hakurei normally.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 20:11:29 +09:00
Ophestra
c30dd4e630 test/sandbox/seccomp: remove uselib 
This syscall is not wired on all platforms. This test barely does anything anyway and seccomp is covered by the privileged test instrumentation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-07 15:28:55 +09:00
Ophestra
d2f9a9b83b treewide: migrate to hakurei.app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 03:30:39 +09:00
Ophestra
87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
717771ae80 app: share runtime dir 
This allows apps with the same identity to access the same runtime dir.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-08 03:24:48 +09:00
Ophestra
bf5772bd8a nix: deduplicate home-manager merging 
This becomes a problem when extraHomeConfig defines nixos module options.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-08 01:12:18 +09:00
Ophestra
9a7c81a44e nix: go generate in src derivation 
This saves the generated files in the nix store and exposes them for use by external tools.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-07 03:10:36 +09:00
Ophestra
b7e991de5b nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
Ophestra
2ffca6984a nix: use reverse-DNS style id as unique identifier 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-25 20:12:30 +09:00
Ophestra
f30a439bcd nix: improve common usability 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-16 04:40:12 +09:00
Ophestra
008e9e7fc5 nix: update flake lock 2025-05-07 21:35:37 +09:00
Ophestra
e587112e63 test: check xdg-dbus-proxy termination 
This process runs outside the application container's pid namespace, so it is a good idea to check whether its lifecycle becomes decoupled from the application.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-15 20:45:31 +09:00
Ophestra
31b7ddd122 fst: improve config 
The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-13 03:30:19 +09:00
Ophestra
ae6f5ede19 fst: mount passthrough /dev writable 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 20:01:54 +09:00
Ophestra
807d511c8b test/sandbox: check device outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:55:16 +09:00
Ophestra
9967909460 sandbox: relative autoetc links 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
Ophestra
e9a7cd526f app: improve shim process management 
This ensures a signal gets delivered to the process instead of relying on parent death behaviour.

SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials.

A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-07 03:55:17 +09:00
Ophestra
8aeb06f53c app: share path setup on demand 
This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-01 00:47:32 +09:00
Ophestra
297b444dfb test: separate app and sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 22:09:46 +09:00
Ophestra
89a05909a4 test: move test program to sandbox directory 
This prepares for the separation of app and sandbox tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 21:09:16 +09:00
Ophestra
f772940768 test/sandbox: treat ESRCH as temporary failure 
This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 03:50:59 +09:00
Ophestra
8886c40974 test/sandbox: separate check filter 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 02:15:08 +09:00
Ophestra
8b62e08b44 test: build test program in nixos config 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-29 19:33:17 +09:00
Ophestra
ff3cfbb437 test/sandbox: check seccomp outcome 
This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 02:24:27 +09:00
Ophestra
389402f955 test/sandbox/ptrace: generic filter block type 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 01:47:24 +09:00
Ophestra
660a2898dc test/sandbox/ptrace: dump seccomp bpf program 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 01:35:56 +09:00
Ophestra
faf59e12c0 test/sandbox: expose test tool 
Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 00:08:47 +09:00
Ophestra
d97a03c7c6 test/sandbox: separate test tool source 
This improves readability and allows gofmt to format the file.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 23:43:13 +09:00
Ophestra
f8502c3ece test/sandbox: check environment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:16:33 +09:00
Ophestra
996b42634d test/sandbox: invoke check program directly 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:11:50 +09:00
Ophestra
d613257841 sandbox/init: clear inheritable set 
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:46:13 +09:00
Ophestra
52fcc48ac1 sandbox/init: drop capabilities 
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:32:08 +09:00
Ophestra
2dd49c437c app: create XDG_RUNTIME_DIR with perm 0700 
Many programs complain about this.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:49:37 +09:00
Ophestra
371dd5b938 nix: create current-system symlink 
This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:06:11 +09:00
Ophestra
4836d570ae test: raise long timeout to 15 seconds 
The race detector really slows down container tooling.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 01:59:05 +09:00
Ophestra
67eb28466d nix: create opengl-driver symlink 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:52:20 +09:00
Ophestra
c326c3f97d fst/sandbox: do not create /etc in advance 
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:00:34 +09:00
Ophestra
ee51320abf test: check revert type selection 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 04:37:58 +09:00
Ophestra
5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
Ophestra
3dd4ff29c8 test/sandbox: check mount table length 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:36:53 +09:00
Ophestra
61d86c5e10 test/sandbox: fix stdout tty check 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:23:50 +09:00
Ophestra
d097eaa28f test/sandbox: unquote fail messages 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:03:53 +09:00
Ophestra
b989a4601a test/sandbox: fail on mismatched mount entry 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:43:32 +09:00
Ophestra
0eb1bc6301 test/sandbox: verify outcome via mountinfo 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 01:42:38 +09:00
Ophestra
1eb837eab8 test/sandbox: warn about misuse in doc comment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 23:28:28 +09:00
Ophestra
806ce18c0a test/sandbox: check mapuid outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:56:07 +09:00
Ophestra
b71d2bf534 test/sandbox: check tty outcome 
This makes no difference currently but has different behaviour in the native sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:28:57 +09:00