a1d98823f8
hakurei: move container toplevel
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 21:23:55 +09:00
eb22a8bcc1
cmd/hakurei: move to cmd
Having it at the project root never made sense since the "ego" name was deprecated. This change finally addresses it.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 20:42:51 +09:00
31aef905fa
sandbox: expose seccomp interface
There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 04:47:13 +09:00
d5532aade0
sandbox/seccomp: native rule slice in helpers
These helper functions took FilterPreset as input for ease of integration. This moves them to []NativeRule.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 00:22:27 +09:00
1a8840bebc
sandbox/seccomp: resolve rules natively
This enables loading syscall filter policies from external cross-platform config files.
This also removes a significant amount of C code.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-01 22:11:32 +09:00
972f4006f0
treewide: switch to hakurei.app
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-26 04:01:02 +09:00
aa454b158f
cmd/planterette: remove hsu special case
Remove special case and invoke hakurei out of process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 20:50:24 +09:00
87e008d56d
treewide: rename to hakurei
Fortify makes little sense for a container tool.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 04:57:41 +09:00
717771ae80
app: share runtime dir
This allows apps with the same identity to access the same runtime dir.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-08 03:24:48 +09:00
15011c4173
app/instance/common: optimise ops allocation
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-13 03:49:07 +09:00
31b7ddd122
fst: improve config
The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-13 03:30:19 +09:00
6309469e93
app/instance: wrap internal implementation
This reduces the scope of the fst package, which was growing questionably large.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-12 13:56:41 +09:00
0d7c1a9a43
app: rename app implementation package
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-12 10:54:24 +09:00
9967909460
sandbox: relative autoetc links
This allows nested containers to use autoetc, and increases compatibility with other implementations.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-11 18:54:00 +09:00
c806f43881
sandbox: implement autoetc as setup op
This significantly reduces setup op count and the readdir call now happens in the context of the init process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-10 18:54:25 +09:00
584405f7cc
sandbox/seccomp: rename flag type and constants
The names are ambiguous. Rename them to make more sense.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-08 01:59:45 +09:00
74ba183256
app: install seccomp filter to shim
This does not necessarily reduce attack surface but does not affect functionality or introduce any side effects, so is nice to have.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-07 04:13:08 +09:00
e9a7cd526f
app: improve shim process management
This ensures a signal gets delivered to the process instead of relying on parent death behaviour.
SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials.
A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-07 03:55:17 +09:00
022242a84a
app: wayland socket in process share
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-01 00:53:04 +09:00
8aeb06f53c
app: share path setup on demand
This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-01 00:47:32 +09:00
4036da3b5c
fst: optional configured shell path
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-31 21:27:31 +09:00
a102178019
sys: update doc comment
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 22:43:17 +09:00
e400862a12
state/multi: fix backend cache population race
This race is never able to happen since no caller concurrently requests the same aid yet.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 22:37:08 +09:00
605d018be2
app/seal: check for '=' in envv
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 18:25:23 +09:00
300571af47
app: pass through $SHELL
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 01:22:40 +09:00
2dd49c437c
app: create XDG_RUNTIME_DIR with perm 0700
Many programs complain about this.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 02:49:37 +09:00
c326c3f97d
fst/sandbox: do not create /etc in advance
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 20:00:34 +09:00
61dbfeffe7
sandbox/wl: move into sandbox
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 05:26:37 +09:00
532feb4bfa
app: merge shim into app package
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 05:21:47 +09:00
ec5e91b8c9
system: optimise string formatting
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 04:42:30 +09:00
5c4058d5ac
app: run in native sandbox
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-25 01:52:49 +09:00
7c063833e0
internal/sys: wrap getuid/getgid
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 17:10:03 +09:00
24618ab9a1
sandbox: move out of internal
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 02:55:36 +09:00
9ce4706a07
sandbox: move params setup functions
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 02:48:32 +09:00
9a1f8e129f
sandbox: wrap fmsg interface
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 02:44:07 +09:00
ee10860357
seccomp: install output atomically
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 01:10:27 +09:00
48feca800f
sandbox: check command function pointer
Setting default CommandContext on initialisation is somewhat of a footgun.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-16 23:29:14 +09:00
273d97af85
ldd: lib paths resolve function
This is what always happens right after a ldd call, so implement it here.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-16 01:20:09 +09:00
9f5dad1998
sandbox: return on zero length ops
This dodges potentially confusing behaviour where init fails due to Ops being clobbered during transfer.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-16 00:32:36 +09:00
bac4e67867
sandbox/init: early params nil check
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-15 04:03:10 +09:00
4230281194
sandbox: return error on doubled start
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-15 03:30:14 +09:00
e64e7608ca
sandbox: expose cancel behaviour
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-15 03:04:27 +09:00
10a21ce3ef
helper: expose extra files to direct
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-15 02:27:40 +09:00
f9bf20a3c7
helper: rearrange initialisation args
This improves consistency across two different helper implementations.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-15 01:06:31 +09:00
f443d315ad
helper: clean up interface
The helper interface was messy due to odd context acquisition order. That has changed, so this cleans it up.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-15 00:27:44 +09:00
9e18d1de77
helper/proc: pass extra files and start
For integration with native container tooling.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 23:23:57 +09:00
2647a71be1
seccomp: move out of helper
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 22:42:40 +09:00
7c60a4d8e8
helper: embed context on creation
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 18:30:22 +09:00
4bb5d9780f
ldd: run in native sandbox
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 17:55:55 +09:00
f41fd94628
sandbox: write uid/gid map as init
This avoids PR_SET_DUMPABLE in the parent process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-14 17:42:22 +09:00