hakurei

Author	SHA1	Message	Date
Ophestra	a1e5f020f4	container: improve doc comments Putting them on the builder methods is more useful. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-27 12:27:42 +09:00
Ophestra	bd3fa53a55	container: access test case by index in helper This is more elegant and allows for much easier extension of the tests. Mountinfo is still serialised however due to libPaths nondeterminism. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-26 18:59:19 +09:00
Ophestra	625632c593	nix: update flake lock Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-26 18:57:54 +09:00
Ophestra	e71ae3b8c5	container: remove custom cmd initialisation This part of the interface is very unintuitive and only used for testing, even in testing it is inelegant and can be done better. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-25 00:45:10 +09:00
Ophestra	9d7a19d162	container: use more reliable nonexistence Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-18 23:18:26 +09:00
Ophestra	6ba19a7ba5	release: 0.1.1 Signed-off-by: Ophestra <cat@gensokyo.uk> v0.1.1	2025-07-09 05:42:31 +09:00
Ophestra	749a2779f5	test/sandbox: add arm64 constants Most of these are differences in qemu. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-09 05:36:35 +09:00
Ophestra	e574042d76	test/sandbox: verify seccomp on all test cases This change also makes seccomp hashes cross-platform. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-09 04:21:35 +09:00
Ophestra	2b44493e8a	test/sandbox: guard on testtool tag This tool should not show up when building hakurei normally. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 20:11:29 +09:00
Ophestra	c30dd4e630	test/sandbox/seccomp: remove uselib This syscall is not wired on all platforms. This test barely does anything anyway and seccomp is covered by the privileged test instrumentation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 15:28:55 +09:00
Ophestra	d90da1c8f5	container/seccomp: add arm64 constants Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 14:58:03 +09:00
Ophestra	5853d7700f	container/seccomp: move bpf hashes Filter programs are different across platforms. This representation is also much more readable. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 14:41:47 +09:00
Ophestra	d5c7523726	container/init: fix prctl call This is a very silly typo. Luckily has no effect due to an upper layer doing PR_SET_NO_NEW_PRIVS already. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 14:06:14 +09:00
Ophestra	ddfcc51b91	container: move capset implementation Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 13:47:13 +09:00
Ophestra	8ebedbd88a	container: move syscall constants These aren't missing from all targets. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 13:23:01 +09:00
Ophestra	84e8142a2d	container/seccomp: move personality constants Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 12:44:32 +09:00
Ophestra	2c7b7ad845	container/seccomp: cross-platform sysnum cutoff Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 12:27:00 +09:00
Ophestra	72c2b66fc0	nix: cross-platform syscall wrapper Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 04:22:55 +09:00
Ophestra	356b42a406	container/init: use /proc/self as intermediate Setting up via /tmp is okay, /proc/self/fd makes a lot more sense though for reasons described in the comment. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-06 02:14:35 +09:00
Ophestra	d9b6d48e7c	add miscellaneous badges Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-03 18:04:09 +09:00
Ophestra	087959e81b	app: remove split implementation It is completely nonsensical and highly error-prone to have multiple implementations of this in the same build. This should be switched at compile time instead therefore the split packages are pointless. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-03 04:36:59 +09:00
Ophestra	e6967b8bbb	release: 0.1.0 Signed-off-by: Ophestra <cat@gensokyo.uk> v0.1.0	2025-07-03 03:42:58 +09:00
Ophestra	d2f9a9b83b	treewide: migrate to hakurei.app Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-03 03:30:39 +09:00
Ophestra	1b5ecd9eaf	container: move out of toplevel This allows slightly easier use of the vanity url. This also provides some disambiguation between low level containers and hakurei app containers. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-03 02:59:43 +09:00
Ophestra	82561d62b6	system: move system access packages These packages loosely belong in the "system" package and "system" provides high level wrappers for all of them. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 21:52:07 +09:00
Ophestra	eec021cc4b	hakurei: move container helpers toplevel Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 21:31:29 +09:00
Ophestra	a1d98823f8	hakurei: move container toplevel Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 21:23:55 +09:00
Ophestra	255b77d91d	cmd/hakurei: move command handlers The hakurei command is a bit ugly since it's also used for validating the command package. This alleviates some of the ugliness. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 20:59:17 +09:00
Ophestra	f84ec5a3f8	sandbox/wl: track generated files This allows the package to be imported. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 20:52:22 +09:00
Ophestra	eb22a8bcc1	cmd/hakurei: move to cmd Having it at the project root never made sense since the "ego" name was deprecated. This change finally addresses it. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 20:42:51 +09:00
Ophestra	31aef905fa	sandbox: expose seccomp interface There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 04:47:13 +09:00
Ophestra	a6887f7253	sandbox/seccomp: import dot for syscall This significantly increases readability in some places. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 02:30:35 +09:00
Ophestra	69bd581af7	sandbox/seccomp: append suffix to ops This avoids clashes with stdlib names to allow for . imports. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 01:09:04 +09:00
Ophestra	26b7afc890	sandbox/seccomp: prepare -> export Export makes a lot more sense, and also matches the libseccomp function. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 00:32:48 +09:00
Ophestra	d5532aade0	sandbox/seccomp: native rule slice in helpers These helper functions took FilterPreset as input for ease of integration. This moves them to []NativeRule. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 00:22:27 +09:00
Ophestra	0c5409aec7	sandbox/seccomp: native rule type alias This makes it easier to keep API stable. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-02 00:00:08 +09:00
Ophestra	1a8840bebc	sandbox/seccomp: resolve rules natively This enables loading syscall filter policies from external cross-platform config files. This also removes a significant amount of C code. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 22:11:32 +09:00
Ophestra	1fb453dffe	sandbox/seccomp: extra constants These all resolve to pseudo syscall numbers in libseccomp, but are necessary anyway for other platforms. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 20:15:42 +09:00
Ophestra	e03d702d08	sandbox/seccomp: implement syscall lookup This uses the Go map and is verified against libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 00:35:27 +09:00
Ophestra	241dc964a6	sandbox/seccomp: wire extra syscall These values are only useful for libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-01 00:32:08 +09:00
Ophestra	8ef71e14d5	sandbox/seccomp: emit syscall constants Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-30 20:34:33 +09:00
Ophestra	972f4006f0	treewide: switch to hakurei.app Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-26 04:01:02 +09:00
Ophestra	9a8a047908	sandbox/seccomp: syscall name lookup table The script is from Go source of same name. The result is checked against libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-26 03:49:07 +09:00
Ophestra	863bf69ad3	treewide: reapply clang-format Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 23:43:42 +09:00
Ophestra	0e957cc9c1	release: 0.0.2 Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 21:11:11 +09:00
Ophestra	aa454b158f	cmd/planterette: remove hsu special case Remove special case and invoke hakurei out of process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 20:50:24 +09:00
Ophestra	7007bd6a1c	workflows: port release workflow to github Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 20:17:53 +09:00
Ophestra	00efc95ee7	workflows: port test workflow to github This is a much less useful port of the test workflow and runs much slower due to runner limitations. Still better than nothing though. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 19:37:45 +09:00
Ophestra	b380bb248c	release: 0.0.1 Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 05:05:06 +09:00
Ophestra	87e008d56d	treewide: rename to hakurei Fortify makes little sense for a container tool. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 04:57:41 +09:00

1 2 3 4 5 ...

799 Commits