maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
765 Commits 2 Branches 12 Tags
d5532aade0c3f042c5daa7d1c16e7cce2f4b524a
Commit Graph

58 Commits

Author SHA1 Message Date
Ophestra
d5532aade0 sandbox/seccomp: native rule slice in helpers 
These helper functions took FilterPreset as input for ease of integration. This moves them to []NativeRule.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 00:22:27 +09:00
Ophestra
0c5409aec7 sandbox/seccomp: native rule type alias 
This makes it easier to keep API stable.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 00:00:08 +09:00
Ophestra
1a8840bebc sandbox/seccomp: resolve rules natively 
This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 22:11:32 +09:00
Ophestra
1fb453dffe sandbox/seccomp: extra constants 
These all resolve to pseudo syscall numbers in libseccomp, but are necessary anyway for other platforms.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 20:15:42 +09:00
Ophestra
e03d702d08 sandbox/seccomp: implement syscall lookup 
This uses the Go map and is verified against libseccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 00:35:27 +09:00
Ophestra
241dc964a6 sandbox/seccomp: wire extra syscall 
These values are only useful for libseccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 00:32:08 +09:00
Ophestra
8ef71e14d5 sandbox/seccomp: emit syscall constants 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-30 20:34:33 +09:00
Ophestra
972f4006f0 treewide: switch to hakurei.app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-26 04:01:02 +09:00
Ophestra
9a8a047908 sandbox/seccomp: syscall name lookup table 
The script is from Go source of same name. The result is checked against libseccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-26 03:49:07 +09:00
Ophestra
863bf69ad3 treewide: reapply clang-format 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 23:43:42 +09:00
Ophestra
87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
ef80b19f2f treewide: switch to clang-format 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-18 13:45:34 +09:00
Ophestra
b7e991de5b nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
Ophestra
9967909460 sandbox: relative autoetc links 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
Ophestra
c806f43881 sandbox: implement autoetc as setup op 
This significantly reduces setup op count and the readdir call now happens in the context of the init process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-10 18:54:25 +09:00
Ophestra
584405f7cc sandbox/seccomp: rename flag type and constants 
The names are ambiguous. Rename them to make more sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-08 01:59:45 +09:00
Ophestra
f885dede9b sandbox/seccomp: unexport println wrapper 
This is an implementation detail that was exported for the bwrap argument builder. The removal of that package allows it to be unexported.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-07 04:07:20 +09:00
Ophestra
0ba8be659f sandbox: document less obvious parts of setup 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-01 01:21:04 +09:00
Ophestra
2a46f5bb12 sandbox/seccomp: update doc comment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 23:00:20 +09:00
Ophestra
c13eb70d7d sandbox/seccomp: add fortify default sample 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 02:02:02 +09:00
Ophestra
184e9db2b2 sandbox: support privileged container 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 19:40:19 +09:00
Ophestra
d613257841 sandbox/init: clear inheritable set 
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:46:13 +09:00
Ophestra
18644d90be sandbox: wrap capset syscall 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 07:44:07 +09:00
Ophestra
52fcc48ac1 sandbox/init: drop capabilities 
During development the syscall filter caused me to make an incorrect assumption about SysProcAttr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:32:08 +09:00
Ophestra
8b69bcd215 sandbox: cache kernel.cap_last_cap value 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 06:19:19 +09:00
Ophestra
985f9442e6 sandbox: copy symlink with magic prefix 
This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 01:42:39 +09:00
Ophestra
971c79bb80 sandbox: remove hardcoded parent perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:49:51 +09:00
Ophestra
f86d868274 sandbox: wrap error with its own text message 
PathError has a pretty good text message, many of them are wrapped with its own text message. This change adds a function to do just that to improve readability.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:42:20 +09:00
Ophestra
33940265a6 sandbox: do not ensure symlink target 
This masks EEXIST on target and might clobber filesystems and lead to other confusing behaviour. Create its parent instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 19:30:53 +09:00
Ophestra
61dbfeffe7 sandbox/wl: move into sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:26:37 +09:00
Ophestra
5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
Ophestra
ad3576c164 sandbox: resolve tty name 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:03:07 +09:00
Ophestra
a11237b158 sandbox/vfs: add doc comments 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:21:55 +09:00
Ophestra
40f00d570e sandbox: set mkdir perm 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 12:51:39 +09:00
Ophestra
e8809125d4 sandbox: verify outcome via mountinfo 
This contains much more information than /proc/mounts and allows for more fields to be checked. This also removes the dependency on the test package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 22:17:36 +09:00
Ophestra
75e0c5d406 test/sandbox: parse full test case 
This makes declaring multiple tests much cleaner.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 14:53:50 +09:00
Ophestra
770b37ae16 sandbox/vfs: match MS_NOSYMFOLLOW flag 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 13:57:30 +09:00
Ophestra
c638193268 sandbox: apply vfs options to bind mounts 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:27:57 +09:00
Ophestra
8c3a817881 sandbox/vfs: unfold mount hierarchy 
This presents all visible mount points under path. This is useful for applying extra vfs options to bind mounts.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 05:23:31 +09:00
Ophestra
e2fce321c1 sandbox/vfs: expose mountinfo line scanning 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 02:46:58 +09:00
Ophestra
d21d9c5b1d sandbox/vfs: parse vfs options 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 17:12:10 +09:00
Ophestra
a70daf2250 sandbox: resolve inverted flags in op 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:58:38 +09:00
Ophestra
5098b12e4a sandbox/vfs: count mountinfo entries 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:14:33 +09:00
Ophestra
9ddf5794dd sandbox/vfs: implement proc_pid_mountinfo(5) parser 
Test cases are mostly taken from util-linux. This implementation is more correct and slightly faster than the one found in github:kubernetes/utils.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 00:35:49 +09:00
Ophestra
b74a08dda9 sandbox: prepare ops early 
Some setup code needs to run in host root. This change allows that to happen.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-18 02:17:46 +09:00
Ophestra
1b9408864f sandbox: pass cmd to cancel function 
This is not usually in scope otherwise.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:36:39 +09:00
Ophestra
cc89dbdf63 sandbox: place files with content 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:13:22 +09:00
Ophestra
228f3301f2 sandbox: create directories 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 22:03:06 +09:00
Ophestra
07181138e5 sandbox/mount: pass absolute path 
This should never be used unless there is a good reason to, like using a file in the intermediate root.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:53:31 +09:00
Ophestra
816b372f14 sandbox: cancel process on serve error 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 21:49:45 +09:00