This is only a nice to have feature as the init process has no additional privileges and the monitor process was never reachable anyway.
Closes#4.
Signed-off-by: Ophestra <cat@gensokyo.uk>
These can quite easily be checked within the framework. The scanner fault injection might require updating at some point if the implementation changes.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This is the first hakurei run in the test, if the container outright fails to start this is often where it happens, so throwing away the output is very unhelpful.
Signed-off-by: Ophestra <cat@gensokyo.uk>
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1.
Signed-off-by: Ophestra <cat@gensokyo.uk>
The container test suite has always been somewhat inadequate due to the inability of coverage tooling to reach into containers. This has become an excuse for not testing non-container code as well, which lead to the general lack of confidence when working with container code. This change aims to be one of many to address that to some extent.
Signed-off-by: Ophestra <cat@gensokyo.uk>
These keep track of some internal state, and they don't make sense to have multiple instances of anyway, so instead of dealing with that, just make them nonrepetable.
Signed-off-by: Ophestra <cat@gensokyo.uk>
Having the bit field value here (in decimal, no less) is unfriendly to text editors. Use a bunch of booleans here to improve ease of use.
Signed-off-by: Ophestra <cat@gensokyo.uk>
Having a method that returns the canonical string representation of its type seemed like a much better idea for an implementation that never made it to staging. Remove it here and clean up marshal type assertions.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This is simultaneously more efficient and less error-prone. This change caused minor API changes in multiple other packages.
Signed-off-by: Ophestra <cat@gensokyo.uk>
This is way higher level than the container package and does not even work unless every path is mounted in the exact same location.
This behaviour causes nothing but confusion and problems,
Signed-off-by: Ophestra <cat@gensokyo.uk>
There are significant limitations to using the overlay mount, and the implementation in the kernel is quite quirky. For now the Op is quite robust, however a higher level interface for it has not been decided yet.
Signed-off-by: Ophestra <cat@gensokyo.uk>
The vm state is discarded often, and it is quite cumbersome to set everything up again when the shell history is gone.
Signed-off-by: Ophestra <cat@gensokyo.uk>
