cmd/hsu: remove parent check

This check serves no real purpose and only makes it more difficult to start containers.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hsu/main.go

@@ -21,15 +21,6 @@
 // following paragraphs are considered an internal detail and not covered by the
 // compatibility promise.
 //
-// After checking credentials, hsu checks via /proc/ the absolute pathname of
-// its parent process, and fails if it does not match the hakurei pathname set
-// at link time. This is not a security feature: the priv-side is considered
-// trusted, and this feature makes no attempt to address the racy nature of
-// querying /proc/, or debuggers attached to the parent process. Instead, this
-// aims to discourage misuse and reduce confusion if the user accidentally
-// stumbles upon this program. It also prevents accidental use of the incorrect
-// installation of hsu in some environments.
-//
 // Since target container environment variables are set up in shim via the
 // [container] infrastructure, the environment is used for parameters from the
 // parent process.
@@ -62,7 +53,6 @@ import (
 	"runtime"
 	"slices"
 	"strconv"
-	"strings"
 	"syscall"
 )
 
@@ -107,18 +97,6 @@ func main() {
 		return
 	}
 
-	var toolPath string
-	pexe := filepath.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
-	if p, err := os.Readlink(pexe); err != nil {
-		log.Fatalf("cannot read parent executable path: %v", err)
-	} else if strings.HasSuffix(p, " (deleted)") {
-		log.Fatal("hakurei executable has been deleted")
-	} else if p != hakureiPath {
-		log.Fatal("this program must be started by hakurei")
-	} else {
-		toolPath = p
-	}
-
 	// refuse to run if hsurc is not protected correctly
 	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
@@ -205,7 +183,7 @@ func main() {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
 
-	if err := syscall.Exec(toolPath, []string{
+	if err := syscall.Exec(hakureiPath, []string{
 		"hakurei",
 		"shim",
 	}, []string{