rosa/hakurei
6
3
Fork 2
Code Issues 12 Pull Requests 2 Actions 2 Packages Projects Releases 15 Wiki Activity

internal/pkg: optional landlock LSM
All checks were successful
Test / Create distribution (push) Successful in 1m15s
Details
Test / Sandbox (push) Successful in 3m8s
Details
Test / Hakurei (push) Successful in 4m17s
Details
Test / ShareFS (push) Successful in 4m22s
Details
Test / Sandbox (race detector) (push) Successful in 5m43s
Details
Test / Hakurei (race detector) (push) Successful in 6m51s
Details
Test / Flake checks (push) Successful in 1m29s
Details

Browse Source 
The alpine linux riscv64 kernel does not enable Landlock LSM, and kernel compilation is not yet feasible.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2026-04-07 12:44:07 +09:00
parent 6907700d67
commit 10f8b1c221
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/pkg/exec.go
View File

@@ -397,6 +397,7 @@ const SeccompPresets = std.PresetStrict &
func (a *execArtifact) makeContainer( func (a *execArtifact) makeContainer(
ctx context.Context, ctx context.Context,
msg message.Msg, msg message.Msg,
flags int,
hostNet bool, hostNet bool,
temp, work *check.Absolute, temp, work *check.Absolute,
getArtifact GetArtifactFunc, getArtifact GetArtifactFunc,
@@ -423,7 +424,9 @@ func (a *execArtifact) makeContainer(
z.SeccompFlags |= seccomp.AllowMultiarch z.SeccompFlags |= seccomp.AllowMultiarch
z.ParentPerm = 0700 z.ParentPerm = 0700
z.HostNet = hostNet z.HostNet = hostNet
z.HostAbstract = flags&CHostAbstract != 0
z.Hostname = "cure" z.Hostname = "cure"
z.SetScheduler = flags&CSchedIdle != 0
z.SchedPolicy = ext.SCHED_IDLE z.SchedPolicy = ext.SCHED_IDLE
if z.HostNet { if z.HostNet {
z.Hostname = "cure-net" z.Hostname = "cure-net"
@@ -559,6 +562,7 @@ func (c *Cache) EnterExec(
var z *container.Container var z *container.Container
z, err = e.makeContainer( z, err = e.makeContainer(
ctx, c.msg, ctx, c.msg,
c.flags,
hostNet, hostNet,
temp, work, temp, work,
func(a Artifact) (*check.Absolute, unique.Handle[Checksum]) { func(a Artifact) (*check.Absolute, unique.Handle[Checksum]) {
@@ -598,14 +602,13 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
msg := f.GetMessage() msg := f.GetMessage()
var z *container.Container var z *container.Container
if z, err = a.makeContainer( if z, err = a.makeContainer(
ctx, msg, hostNet, ctx, msg, f.cache.flags, hostNet,
f.GetTempDir(), f.GetWorkDir(), f.GetTempDir(), f.GetWorkDir(),
f.GetArtifact, f.GetArtifact,
f.cache.Ident, f.cache.Ident,
); err != nil { ); err != nil {
return return
} }
z.SetScheduler = f.cache.flags&CSchedIdle != 0
var status io.Writer var status io.Writer
if status, err = f.GetStatusWriter(); err != nil { if status, err = f.GetStatusWriter(); err != nil {

8
internal/pkg/pkg.go
View File

@@ -521,6 +521,14 @@ const (
// was caused by an incorrect checksum accidentally left behind while // was caused by an incorrect checksum accidentally left behind while
// bumping a package. Only enable this if you are really sure you need it. // bumping a package. Only enable this if you are really sure you need it.
CAssumeChecksum CAssumeChecksum
// CHostAbstract disables restriction of sandboxed processes from connecting
// to an abstract UNIX socket created by a host process.
//
// This is considered less secure in some systems, but does not introduce
// impurity due to [KindExecNet] being [KnownChecksum]. This flag exists
// to support kernels without Landlock LSM enabled.
CHostAbstract
) )
// Cache is a support layer that implementations of [Artifact] can use to store // Cache is a support layer that implementations of [Artifact] can use to store