54610aaddc
internal/outcome: expose pipewire via pipewire-pulse
...
This no longer exposes the pipewire socket to the container, and instead mediates access via pipewire-pulse. This makes insecure parts of the protocol inaccessible as explained in the doc comment in hst.
Closes #29 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-12-15 12:57:06 +09:00
ebc67bb8ad
nix: update flake lock
...
NixOS 25.11 introduces a crash in cage and an intermittent crash in foot.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-12-12 08:39:55 +09:00
87781c7658
treewide: include PipeWire op and enforce PulseAudio check
...
This fully replaces PulseAudio with PipeWire and enforces the PulseAudio check and error message. The pipewire-pulse daemon is handled in the NixOS module.
Closes #26 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-12-08 08:53:04 +09:00
cb9ebf0e15
hst/grp_pwd: specify new uid format
...
This leaves slots available for additional uid ranges in Rosa OS.
This breaks all existing installations! Users are required to fix ownership manually.
Closes #18 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-11-04 08:24:41 +09:00
699c19e972
hst/container: optional runtime and tmpdir sharing
...
Sharing and persisting these directories do not always make sense. Make it optional here.
Closes #16 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-19 04:11:38 +09:00
e47aebb7a0
internal/app/outcome: apply configured filesystems late
...
This enables configured filesystems to cover system mount points.
Closes #8 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-19 01:41:52 +09:00
d4284c109d
internal/app/spruntime: emulate pam_systemd type
...
This sets XDG_SESSION_TYPE to the corresponding values specified in pam_systemd(8) according to enablements.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-18 04:33:04 +09:00
52e3324ef4
test/sandbox: ignore nondeterministic mount point
...
No idea what systemd is doing with this to cause its options to change.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-14 07:08:39 +09:00
9e48d7f562
hst/config: move container fields from toplevel
...
This change also moves pd behaviour to cmd/hakurei, as this does not belong in the hst API.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-07 04:24:45 +09:00
f280994957
internal/app: check nscd socket for path hiding
...
This can seriously break things, and exposes extra host attack surface, so include it here.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-05 20:47:30 +09:00
1cdc6b4246
test/sandbox: create marker in /var/tmp
...
This prepares the test suite for private TMPDIR.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 16:45:17 +09:00
83c4f8b767
test/sandbox: check extra writable paths
...
This is not always obvious from mountinfo.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 15:12:51 +09:00
d0ddd71934
test/sandbox: bind /var/tmp writable
...
This makes it possible to place markers with private tmpdir.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 14:59:53 +09:00
ca247b8037
internal/app: mount /dev/shm early
...
This avoids covering /dev/shm mounts from hst.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 01:49:42 +09:00
acb6931f3e
app/seal: leave $DISPLAY as is on host abstract
...
This helps work around faulty software that misinterprets unix: DISPLAY string.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-27 20:42:03 +09:00
9bc8532d56
container/initdev: mount tmpfs on shm for ro dev
...
Programs expect /dev/shm to be a writable tmpfs.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-26 03:27:07 +09:00
4cf694d2b3
hst: use hsu userid for share path suffix
...
The privileged user is identifier to hakurei through its hsu userid. Using the kernel uid here makes little sense and is a leftover design choice from before hsu was implemented.
Closes #7 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-26 02:16:33 +09:00
c9facb746b
hst/config: remove data field, rename dir to home
...
There is no reason to give the home directory special treatment, as this behaviour can be quite confusing. The home directory also does not necessarily require its own mount point, it could be provided by a parent or simply be ephemeral.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-26 00:56:10 +09:00
0dcac55a0c
hst/config: remove container etc field
...
This no longer needs special treatment since it can be specified as a generic filesystem entry.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-25 19:24:33 +09:00
5db0714072
container: optionally isolate host abstract UNIX domain sockets via landlock
2025-08-18 16:28:14 +09:00
83a1c75f1a
app: set up acl on X11 socket
...
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-18 11:30:58 +09:00
9ed3ba85ea
hst/fs: implement overlay fstype
...
This finally exposes overlay mounts in the high level hakurei API.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-15 04:00:55 +09:00
38245559dc
container/ops: mount dev readonly
...
There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-03 19:18:53 +09:00
3b8a3d3b00
app: remount root readonly
...
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 23:56:28 +09:00
ec33061c92
nix: remove nscd cover
...
This is a pd workaround that does nothing in the nixos module.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 22:04:58 +09:00
af0899de96
hst/container: mount tmpfs via magic src string
...
There's often good reason to mount tmpfs in the container.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 21:23:52 +09:00
547a2adaa4
container/mount: pass tmpfs flags
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 18:59:06 +09:00
387b86bcdd
app: integrate container autoroot
...
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 04:21:54 +09:00
987981df73
test/sandbox: check pd behaviour
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 03:27:02 +09:00
625632c593
nix: update flake lock
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-26 18:57:54 +09:00
749a2779f5
test/sandbox: add arm64 constants
...
Most of these are differences in qemu.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-09 05:36:35 +09:00
e574042d76
test/sandbox: verify seccomp on all test cases
...
This change also makes seccomp hashes cross-platform.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-09 04:21:35 +09:00
87e008d56d
treewide: rename to hakurei
...
Fortify makes little sense for a container tool.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-25 04:57:41 +09:00
717771ae80
app: share runtime dir
...
This allows apps with the same identity to access the same runtime dir.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-08 03:24:48 +09:00
b7e991de5b
nix: update flake lock
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-05 04:05:39 +09:00
2ffca6984a
nix: use reverse-DNS style id as unique identifier
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-05-25 20:12:30 +09:00
f30a439bcd
nix: improve common usability
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-05-16 04:40:12 +09:00
008e9e7fc5
nix: update flake lock
2025-05-07 21:35:37 +09:00
ae6f5ede19
fst: mount passthrough /dev writable
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 20:01:54 +09:00
807d511c8b
test/sandbox: check device outcome
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 19:55:16 +09:00
9967909460
sandbox: relative autoetc links
...
This allows nested containers to use autoetc, and increases compatibility with other implementations.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 18:54:00 +09:00
297b444dfb
test: separate app and sandbox
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 22:09:46 +09:00
8b62e08b44
test: build test program in nixos config
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-29 19:33:17 +09:00
ff3cfbb437
test/sandbox: check seccomp outcome
...
This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 02:24:27 +09:00
faf59e12c0
test/sandbox: expose test tool
...
Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 00:08:47 +09:00
d97a03c7c6
test/sandbox: separate test tool source
...
This improves readability and allows gofmt to format the file.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 23:43:13 +09:00
f8502c3ece
test/sandbox: check environment
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 03:16:33 +09:00
996b42634d
test/sandbox: invoke check program directly
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-27 03:11:50 +09:00
2dd49c437c
app: create XDG_RUNTIME_DIR with perm 0700
...
Many programs complain about this.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 02:49:37 +09:00
371dd5b938
nix: create current-system symlink
...
This is copied at runtime because it appears to be impossible to obtain this path in nix.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-26 02:06:11 +09:00
