699c19e972
hst/container: optional runtime and tmpdir sharing
...
Sharing and persisting these directories do not always make sense. Make it optional here.
Closes #16 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-19 04:11:38 +09:00
e47aebb7a0
internal/app/outcome: apply configured filesystems late
...
This enables configured filesystems to cover system mount points.
Closes #8 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-19 01:41:52 +09:00
d4284c109d
internal/app/spruntime: emulate pam_systemd type
...
This sets XDG_SESSION_TYPE to the corresponding values specified in pam_systemd(8) according to enablements.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-18 04:33:04 +09:00
52e3324ef4
test/sandbox: ignore nondeterministic mount point
...
No idea what systemd is doing with this to cause its options to change.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-14 07:08:39 +09:00
9e48d7f562
hst/config: move container fields from toplevel
...
This change also moves pd behaviour to cmd/hakurei, as this does not belong in the hst API.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-07 04:24:45 +09:00
f280994957
internal/app: check nscd socket for path hiding
...
This can seriously break things, and exposes extra host attack surface, so include it here.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-10-05 20:47:30 +09:00
773253fdf5
test/sandbox: raise timeout
...
The integration vm is being very slow for some reason. This change should reduce spurious timeouts.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-24 19:41:59 +09:00
1cdc6b4246
test/sandbox: create marker in /var/tmp
...
This prepares the test suite for private TMPDIR.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 16:45:17 +09:00
56aad8dc11
test/sandbox/tool: marker pathname from flag
...
Since this is going to be placed in a shared directory, it needs to be unique to the identity. Instead of trying to figure out identity from mountinfo, just have the test script pass hardcoded values.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 15:57:41 +09:00
83c4f8b767
test/sandbox: check extra writable paths
...
This is not always obvious from mountinfo.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 15:12:51 +09:00
d0ddd71934
test/sandbox: bind /var/tmp writable
...
This makes it possible to place markers with private tmpdir.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 14:59:53 +09:00
ca247b8037
internal/app: mount /dev/shm early
...
This avoids covering /dev/shm mounts from hst.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-09-14 01:49:42 +09:00
acb6931f3e
app/seal: leave $DISPLAY as is on host abstract
...
This helps work around faulty software that misinterprets unix: DISPLAY string.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-27 20:42:03 +09:00
9bc8532d56
container/initdev: mount tmpfs on shm for ro dev
...
Programs expect /dev/shm to be a writable tmpfs.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-26 03:27:07 +09:00
4cf694d2b3
hst: use hsu userid for share path suffix
...
The privileged user is identifier to hakurei through its hsu userid. Using the kernel uid here makes little sense and is a leftover design choice from before hsu was implemented.
Closes #7 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-26 02:16:33 +09:00
c9facb746b
hst/config: remove data field, rename dir to home
...
There is no reason to give the home directory special treatment, as this behaviour can be quite confusing. The home directory also does not necessarily require its own mount point, it could be provided by a parent or simply be ephemeral.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-26 00:56:10 +09:00
0dcac55a0c
hst/config: remove container etc field
...
This no longer needs special treatment since it can be specified as a generic filesystem entry.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-25 19:24:33 +09:00
5db0714072
container: optionally isolate host abstract UNIX domain sockets via landlock
2025-08-18 16:28:14 +09:00
22d577ab49
test/sandbox: do not discard stderr getting hash
...
This is the first hakurei run in the test, if the container outright fails to start this is often where it happens, so throwing away the output is very unhelpful.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-18 11:36:13 +09:00
83a1c75f1a
app: set up acl on X11 socket
...
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1 .
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-18 11:30:58 +09:00
9ed3ba85ea
hst/fs: implement overlay fstype
...
This finally exposes overlay mounts in the high level hakurei API.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-15 04:00:55 +09:00
4433c993fa
nix: check config via hakurei
...
This is unfortunately the only feasible way of doing this in nix.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-15 03:27:54 +09:00
38245559dc
container/ops: mount dev readonly
...
There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-03 19:18:53 +09:00
3b8a3d3b00
app: remount root readonly
...
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 23:56:28 +09:00
ec33061c92
nix: remove nscd cover
...
This is a pd workaround that does nothing in the nixos module.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 22:04:58 +09:00
af0899de96
hst/container: mount tmpfs via magic src string
...
There's often good reason to mount tmpfs in the container.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 21:23:52 +09:00
547a2adaa4
container/mount: pass tmpfs flags
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 18:59:06 +09:00
387b86bcdd
app: integrate container autoroot
...
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 04:21:54 +09:00
987981df73
test/sandbox: check pd behaviour
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-08-01 03:27:02 +09:00
625632c593
nix: update flake lock
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-26 18:57:54 +09:00
749a2779f5
test/sandbox: add arm64 constants
...
Most of these are differences in qemu.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-09 05:36:35 +09:00
e574042d76
test/sandbox: verify seccomp on all test cases
...
This change also makes seccomp hashes cross-platform.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-09 04:21:35 +09:00
2b44493e8a
test/sandbox: guard on testtool tag
...
This tool should not show up when building hakurei normally.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-07 20:11:29 +09:00
c30dd4e630
test/sandbox/seccomp: remove uselib
...
This syscall is not wired on all platforms. This test barely does anything anyway and seccomp is covered by the privileged test instrumentation.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-07 15:28:55 +09:00
d2f9a9b83b
treewide: migrate to hakurei.app
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-07-03 03:30:39 +09:00
87e008d56d
treewide: rename to hakurei
...
Fortify makes little sense for a container tool.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-25 04:57:41 +09:00
717771ae80
app: share runtime dir
...
This allows apps with the same identity to access the same runtime dir.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-08 03:24:48 +09:00
b7e991de5b
nix: update flake lock
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-06-05 04:05:39 +09:00
2ffca6984a
nix: use reverse-DNS style id as unique identifier
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-05-25 20:12:30 +09:00
f30a439bcd
nix: improve common usability
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-05-16 04:40:12 +09:00
008e9e7fc5
nix: update flake lock
2025-05-07 21:35:37 +09:00
ae6f5ede19
fst: mount passthrough /dev writable
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 20:01:54 +09:00
807d511c8b
test/sandbox: check device outcome
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 19:55:16 +09:00
9967909460
sandbox: relative autoetc links
...
This allows nested containers to use autoetc, and increases compatibility with other implementations.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-04-11 18:54:00 +09:00
297b444dfb
test: separate app and sandbox
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 22:09:46 +09:00
89a05909a4
test: move test program to sandbox directory
...
This prepares for the separation of app and sandbox tests.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 21:09:16 +09:00
f772940768
test/sandbox: treat ESRCH as temporary failure
...
This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 03:50:59 +09:00
8886c40974
test/sandbox: separate check filter
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-30 02:15:08 +09:00
8b62e08b44
test: build test program in nixos config
...
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-29 19:33:17 +09:00
ff3cfbb437
test/sandbox: check seccomp outcome
...
This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode.
Signed-off-by: Ophestra <cat@gensokyo.uk >
2025-03-28 02:24:27 +09:00
