hakurei

Author	SHA1	Message	Date
Clayton Gilmer	5db0714072	container: optionally isolate host abstract UNIX domain sockets via landlock	2025-08-18 16:28:14 +09:00
Ophestra	83a1c75f1a	app: set up acl on X11 socket The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-18 11:30:58 +09:00
Ophestra	38245559dc	container/ops: mount dev readonly There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-03 19:18:53 +09:00
Ophestra	3b8a3d3b00	app: remount root readonly This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-01 23:56:28 +09:00
Ophestra	ec33061c92	nix: remove nscd cover This is a pd workaround that does nothing in the nixos module. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-01 22:04:58 +09:00
Ophestra	547a2adaa4	container/mount: pass tmpfs flags Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-01 18:59:06 +09:00
Ophestra	625632c593	nix: update flake lock Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-26 18:57:54 +09:00
Ophestra	749a2779f5	test/sandbox: add arm64 constants Most of these are differences in qemu. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-09 05:36:35 +09:00
Ophestra	e574042d76	test/sandbox: verify seccomp on all test cases This change also makes seccomp hashes cross-platform. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-09 04:21:35 +09:00

9 Commits