This needs to be done from the Go side eventually anyway to integrate the signal forwarding behaviour now supported by the container package.
Signed-off-by: Ophestra <cat@gensokyo.uk>
It is completely nonsensical and highly error-prone to have multiple implementations of this in the same build. This should be switched at compile time instead therefore the split packages are pointless.
Signed-off-by: Ophestra <cat@gensokyo.uk>
Having it at the project root never made sense since the "ego" name was deprecated. This change finally addresses it.
Signed-off-by: Ophestra <cat@gensokyo.uk>
There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This enables loading syscall filter policies from external cross-platform config files.
This also removes a significant amount of C code.
Signed-off-by: Ophestra <cat@gensokyo.uk>
The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This significantly reduces setup op count and the readdir call now happens in the context of the init process.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This does not necessarily reduce attack surface but does not affect functionality or introduce any side effects, so is nice to have.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This ensures a signal gets delivered to the process instead of relying on parent death behaviour.
SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials.
A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This removes the unnecessary creation and destruction of share paths when none of the enablements making use of them are set.
Signed-off-by: Ophestra <cat@gensokyo.uk>
All this error wrapping is getting a bit ridiculous and I might want to do something about that somewhere down the line.
Signed-off-by: Ophestra <cat@gensokyo.uk>
