diff --git a/cmd/hakurei/main.go b/cmd/hakurei/main.go index 169ac6c0..b7722bc3 100644 --- a/cmd/hakurei/main.go +++ b/cmd/hakurei/main.go @@ -13,6 +13,7 @@ import ( "syscall" "hakurei.app/container" + "hakurei.app/ext" "hakurei.app/message" ) @@ -35,8 +36,8 @@ func main() { msg := message.New(log.Default()) early := earlyHardeningErrs{ - yamaLSM: container.SetPtracer(0), - dumpable: container.SetDumpable(container.SUID_DUMP_DISABLE), + yamaLSM: ext.SetPtracer(0), + dumpable: ext.SetDumpable(ext.SUID_DUMP_DISABLE), } if os.Geteuid() == 0 { diff --git a/cmd/mbf/main.go b/cmd/mbf/main.go index 3dc1f06e..484423da 100644 --- a/cmd/mbf/main.go +++ b/cmd/mbf/main.go @@ -24,6 +24,7 @@ import ( "hakurei.app/container/fhs" "hakurei.app/container/seccomp" "hakurei.app/container/std" + "hakurei.app/ext" "hakurei.app/internal/pkg" "hakurei.app/internal/rosa" "hakurei.app/message" @@ -271,7 +272,7 @@ func main() { return errors.New("report requires 1 argument") } - if container.Isatty(int(w.Fd())) { + if ext.Isatty(int(w.Fd())) { return errors.New("output appears to be a terminal") } return rosa.WriteReport(msg, w, cache) diff --git a/container/capability.go b/container/capability.go index 3ea9d028..1d98ec4b 100644 --- a/container/capability.go +++ b/container/capability.go @@ -3,6 +3,8 @@ package container import ( "syscall" "unsafe" + + "hakurei.app/ext" ) const ( @@ -51,15 +53,15 @@ func capset(hdrp *capHeader, datap *[2]capData) error { // capBoundingSetDrop drops a capability from the calling thread's capability bounding set. func capBoundingSetDrop(cap uintptr) error { - return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) + return ext.Prctl(syscall.PR_CAPBSET_DROP, cap, 0) } // capAmbientClearAll clears the ambient capability set of the calling thread. func capAmbientClearAll() error { - return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) + return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) } // capAmbientRaise adds to the ambient capability set of the calling thread. func capAmbientRaise(cap uintptr) error { - return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) + return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) } diff --git a/container/dispatcher.go b/container/dispatcher.go index 710e4392..dce5f023 100644 --- a/container/dispatcher.go +++ b/container/dispatcher.go @@ -13,6 +13,7 @@ import ( "hakurei.app/container/seccomp" "hakurei.app/container/std" + "hakurei.app/ext" "hakurei.app/internal/netlink" "hakurei.app/message" ) @@ -143,8 +144,8 @@ func (k direct) new(f func(k syscallDispatcher)) { go f(k) } func (direct) lockOSThread() { runtime.LockOSThread() } -func (direct) setPtracer(pid uintptr) error { return SetPtracer(pid) } -func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) } +func (direct) setPtracer(pid uintptr) error { return ext.SetPtracer(pid) } +func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) } func (direct) setNoNewPrivs() error { return SetNoNewPrivs() } func (direct) lastcap(msg message.Msg) uintptr { return LastCap(msg) } @@ -152,7 +153,7 @@ func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(h func (direct) capBoundingSetDrop(cap uintptr) error { return capBoundingSetDrop(cap) } func (direct) capAmbientClearAll() error { return capAmbientClearAll() } func (direct) capAmbientRaise(cap uintptr) error { return capAmbientRaise(cap) } -func (direct) isatty(fd int) bool { return Isatty(fd) } +func (direct) isatty(fd int) bool { return ext.Isatty(fd) } func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) { return Receive(key, e, fdp) } diff --git a/container/init.go b/container/init.go index 8fbf757e..3e2ec809 100644 --- a/container/init.go +++ b/container/init.go @@ -17,6 +17,7 @@ import ( "hakurei.app/container/fhs" "hakurei.app/container/seccomp" + "hakurei.app/ext" "hakurei.app/message" ) @@ -178,7 +179,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) { } // write uid/gid map here so parent does not need to set dumpable - if err := k.setDumpable(SUID_DUMP_USER); err != nil { + if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil { k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err) } if err := k.writeFile(fhs.Proc+"self/uid_map", @@ -196,7 +197,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) { 0); err != nil { k.fatalf(msg, "%v", err) } - if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil { + if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil { k.fatalf(msg, "cannot set SUID_DUMP_DISABLE: %v", err) } @@ -290,7 +291,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) { { var fd int - if err := IgnoringEINTR(func() (err error) { + if err := ext.IgnoringEINTR(func() (err error) { fd, err = k.open(fhs.Root, O_DIRECTORY|O_RDONLY, 0) return }); err != nil { diff --git a/container/mount.go b/container/mount.go index 171b210b..f6a8844f 100644 --- a/container/mount.go +++ b/container/mount.go @@ -6,6 +6,7 @@ import ( "os" . "syscall" + "hakurei.app/ext" "hakurei.app/message" "hakurei.app/vfs" ) @@ -115,7 +116,7 @@ func (p *procPaths) remount(msg message.Msg, target string, flags uintptr) error var targetKFinal string { var destFd int - if err := IgnoringEINTR(func() (err error) { + if err := ext.IgnoringEINTR(func() (err error) { destFd, err = p.k.open(targetFinal, O_PATH|O_CLOEXEC, 0) return }); err != nil { diff --git a/container/syscall.go b/container/syscall.go index f5c634b0..c71e298c 100644 --- a/container/syscall.go +++ b/container/syscall.go @@ -7,40 +7,9 @@ import ( "hakurei.app/ext" ) -// Prctl manipulates various aspects of the behavior of the calling thread or process. -func Prctl(op, arg2, arg3 uintptr) error { - r, _, errno := Syscall(SYS_PRCTL, op, arg2, arg3) - if r < 0 { - return errno - } - return nil -} - -// SetPtracer allows processes to ptrace(2) the calling process. -func SetPtracer(pid uintptr) error { return Prctl(PR_SET_PTRACER, pid, 0) } - -// linux/sched/coredump.h -const ( - SUID_DUMP_DISABLE = iota - SUID_DUMP_USER -) - -// SetDumpable sets the "dumpable" attribute of the calling process. -func SetDumpable(dumpable uintptr) error { return Prctl(PR_SET_DUMPABLE, dumpable, 0) } - // SetNoNewPrivs sets the calling thread's no_new_privs attribute. -func SetNoNewPrivs() error { return Prctl(PR_SET_NO_NEW_PRIVS, 1, 0) } - -// Isatty tests whether a file descriptor refers to a terminal. -func Isatty(fd int) bool { - var buf [8]byte - r, _, _ := Syscall( - SYS_IOCTL, - uintptr(fd), - TIOCGWINSZ, - uintptr(unsafe.Pointer(&buf[0])), - ) - return r == 0 +func SetNoNewPrivs() error { + return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0) } // schedParam is equivalent to struct sched_param from include/linux/sched.h. @@ -73,19 +42,3 @@ func schedSetscheduler(tid int, policy ext.SchedPolicy, param *schedParam) error } return nil } - -// IgnoringEINTR makes a function call and repeats it if it returns an -// EINTR error. This appears to be required even though we install all -// signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846. -// Also #20400 and #36644 are issues in which a signal handler is -// installed without setting SA_RESTART. None of these are the common case, -// but there are enough of them that it seems that we can't avoid -// an EINTR loop. -func IgnoringEINTR(fn func() error) error { - for { - err := fn() - if err != EINTR { - return err - } - } -} diff --git a/ext/syscall.go b/ext/syscall.go index cee35cc5..30901d2d 100644 --- a/ext/syscall.go +++ b/ext/syscall.go @@ -5,8 +5,62 @@ import ( "strconv" "sync" "syscall" + "unsafe" ) +// Prctl manipulates various aspects of the behavior of the calling thread or process. +func Prctl(op, arg2, arg3 uintptr) error { + r, _, errno := syscall.Syscall(syscall.SYS_PRCTL, op, arg2, arg3) + if r < 0 { + return errno + } + return nil +} + +// SetPtracer allows processes to ptrace(2) the calling process. +func SetPtracer(pid uintptr) error { + return Prctl(syscall.PR_SET_PTRACER, pid, 0) +} + +// linux/sched/coredump.h +const ( + SUID_DUMP_DISABLE = iota + SUID_DUMP_USER +) + +// SetDumpable sets the "dumpable" attribute of the calling process. +func SetDumpable(dumpable uintptr) error { + return Prctl(syscall.PR_SET_DUMPABLE, dumpable, 0) +} + +// Isatty tests whether a file descriptor refers to a terminal. +func Isatty(fd int) bool { + var buf [8]byte + r, _, _ := syscall.Syscall( + syscall.SYS_IOCTL, + uintptr(fd), + syscall.TIOCGWINSZ, + uintptr(unsafe.Pointer(&buf[0])), + ) + return r == 0 +} + +// IgnoringEINTR makes a function call and repeats it if it returns an +// EINTR error. This appears to be required even though we install all +// signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846. +// Also #20400 and #36644 are issues in which a signal handler is +// installed without setting SA_RESTART. None of these are the common case, +// but there are enough of them that it seems that we can't avoid +// an EINTR loop. +func IgnoringEINTR(fn func() error) error { + for { + err := fn() + if err != syscall.EINTR { + return err + } + } +} + // include/uapi/linux/close_range.h const ( CLOSE_RANGE_UNSHARE = 1 << (iota + 1) diff --git a/internal/outcome/dispatcher.go b/internal/outcome/dispatcher.go index e9f75237..a3d3dbbc 100644 --- a/internal/outcome/dispatcher.go +++ b/internal/outcome/dispatcher.go @@ -14,6 +14,7 @@ import ( "hakurei.app/container" "hakurei.app/container/seccomp" "hakurei.app/container/std" + "hakurei.app/ext" "hakurei.app/internal/dbus" "hakurei.app/internal/info" "hakurei.app/message" @@ -149,10 +150,10 @@ func (direct) notifyContext(parent context.Context, signals ...os.Signal) (ctx c return signal.NotifyContext(parent, signals...) } -func (direct) prctl(op, arg2, arg3 uintptr) error { return container.Prctl(op, arg2, arg3) } +func (direct) prctl(op, arg2, arg3 uintptr) error { return ext.Prctl(op, arg2, arg3) } func (direct) overflowUid(msg message.Msg) int { return container.OverflowUid(msg) } func (direct) overflowGid(msg message.Msg) int { return container.OverflowGid(msg) } -func (direct) setDumpable(dumpable uintptr) error { return container.SetDumpable(dumpable) } +func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) } func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) { return container.Receive(key, e, fdp) } diff --git a/internal/outcome/shim.go b/internal/outcome/shim.go index 3f5a86dc..43be1282 100644 --- a/internal/outcome/shim.go +++ b/internal/outcome/shim.go @@ -159,7 +159,7 @@ func shimEntrypoint(k syscallDispatcher) { logger.SetFlags(0) } - if err := k.setDumpable(container.SUID_DUMP_DISABLE); err != nil { + if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil { k.fatalf("cannot set SUID_DUMP_DISABLE: %v", err) } diff --git a/internal/outcome/shim_test.go b/internal/outcome/shim_test.go index 532a2c77..61d167f5 100644 --- a/internal/outcome/shim_test.go +++ b/internal/outcome/shim_test.go @@ -14,6 +14,7 @@ import ( "hakurei.app/container/seccomp" "hakurei.app/container/std" "hakurei.app/container/stub" + "hakurei.app/ext" "hakurei.app/hst" "hakurei.app/internal/env" ) @@ -135,14 +136,14 @@ func TestShimEntrypoint(t *testing.T) { {"dumpable", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, new(log.Logger), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, stub.UniqueError(11)), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, stub.UniqueError(11)), call("fatalf", stub.ExpectArgs{"cannot set SUID_DUMP_DISABLE: %v", []any{stub.UniqueError(11)}}, nil, nil), }}, nil}, {"receive exit request", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", outcomeState{}, nil}, nil, io.EOF), @@ -155,7 +156,7 @@ func TestShimEntrypoint(t *testing.T) { {"receive fd", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", outcomeState{}, nil}, nil, syscall.EBADF), @@ -168,7 +169,7 @@ func TestShimEntrypoint(t *testing.T) { {"receive env", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", outcomeState{}, nil}, nil, container.ErrReceiveEnv), @@ -181,7 +182,7 @@ func TestShimEntrypoint(t *testing.T) { {"receive strange", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", outcomeState{}, nil}, nil, stub.UniqueError(10)), @@ -194,7 +195,7 @@ func TestShimEntrypoint(t *testing.T) { {"reparent", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", func() outcomeState { @@ -214,7 +215,7 @@ func TestShimEntrypoint(t *testing.T) { {"invalid state", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", func() outcomeState { @@ -233,7 +234,7 @@ func TestShimEntrypoint(t *testing.T) { {"sigaction pipe", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, &os.SyscallError{Syscall: "pipe2", Err: stub.UniqueError(9)}), call("fatal", stub.ExpectArgs{[]any{"pipe2: unique error 9 injected by the test suite"}}, nil, nil), @@ -242,7 +243,7 @@ func TestShimEntrypoint(t *testing.T) { {"sigaction cgo", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, syscall.ENOTRECOVERABLE), call("fatalf", stub.ExpectArgs{"cannot install SIGCONT handler: %v", []any{syscall.ENOTRECOVERABLE}}, nil, nil), @@ -251,7 +252,7 @@ func TestShimEntrypoint(t *testing.T) { {"sigaction strange", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, stub.UniqueError(8)), call("fatalf", stub.ExpectArgs{"cannot set up exit request: %v", []any{stub.UniqueError(8)}}, nil, nil), @@ -260,7 +261,7 @@ func TestShimEntrypoint(t *testing.T) { {"prctl", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -276,7 +277,7 @@ func TestShimEntrypoint(t *testing.T) { {"toContainer", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", func() outcomeState { @@ -297,7 +298,7 @@ func TestShimEntrypoint(t *testing.T) { {"bad ops", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", func() outcomeState { @@ -318,7 +319,7 @@ func TestShimEntrypoint(t *testing.T) { {"start", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -342,7 +343,7 @@ func TestShimEntrypoint(t *testing.T) { {"start logger signalread", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -366,7 +367,7 @@ func TestShimEntrypoint(t *testing.T) { {"serve", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -389,7 +390,7 @@ func TestShimEntrypoint(t *testing.T) { {"seccomp", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -413,7 +414,7 @@ func TestShimEntrypoint(t *testing.T) { {"exited closesetup earlyrequested", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -440,7 +441,7 @@ func TestShimEntrypoint(t *testing.T) { {"exited requested", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -467,7 +468,7 @@ func TestShimEntrypoint(t *testing.T) { {"canceled orphaned", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -493,7 +494,7 @@ func TestShimEntrypoint(t *testing.T) { {"strangewait invalidmsg", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil), @@ -520,7 +521,7 @@ func TestShimEntrypoint(t *testing.T) { {"success", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{ call("getMsg", stub.ExpectArgs{}, nil, nil), call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil), - call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil), + call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil), call("getppid", stub.ExpectArgs{}, 0xbad, nil), call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil), call("receive", stub.ExpectArgs{"HAKUREI_SHIM", templateState, nil}, nil, nil),