security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases 6 Wiki Activity

hst/fsbind: optional autoroot behaviour
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m17s
Details
Test / Hakurei (push) Successful in 3m10s
Details
Test / Hpkg (push) Successful in 4m9s
Details
Test / Sandbox (race detector) (push) Successful in 4m33s
Details
Test / Hakurei (race detector) (push) Successful in 5m9s
Details
Test / Flake checks (push) Successful in 1m23s
Details

Browse Source 
This allows autoroot to be configured via Filesystem.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-25 17:44:12 +09:00
parent 8db906ee64
commit 059164d4fa
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 70 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
hst/fsbind.go
View File

@ -24,9 +24,21 @@ type FSBind struct {
Device bool `json:"dev,omitempty"` Device bool `json:"dev,omitempty"`
// skip this mount point if the host path does not exist // skip this mount point if the host path does not exist
Optional bool `json:"optional,omitempty"` Optional bool `json:"optional,omitempty"`
// enable autoroot behaviour;
// this requires Target to be [container.AbsFHSRoot].
AutoRoot bool `json:"autoroot,omitempty"`
} }
func (b *FSBind) Valid() bool { return b != nil && b.Source != nil } func (b *FSBind) Valid() bool {
if b == nil || b.Source == nil {
return false
}
if b.AutoRoot && (b.Target == nil || b.Target.String() != container.FHSRoot) {
return false
}
return true
}
func (b *FSBind) Path() *container.Absolute { func (b *FSBind) Path() *container.Absolute {
if !b.Valid() { if !b.Valid() {
@ -64,28 +76,45 @@ func (b *FSBind) Apply(ops *container.Ops) {
if b.Optional { if b.Optional {
flags |= container.BindOptional flags |= container.BindOptional
} }
ops.Bind(b.Source, target, flags)
if !b.AutoRoot {
ops.Bind(b.Source, target, flags)
} else {
ops.Root(b.Source, flags)
}
} }
func (b *FSBind) String() string { func (b *FSBind) String() string {
g := 4
if !b.Valid() { if !b.Valid() {
return "<invalid>" return "<invalid>"
} }
g += len(b.Source.String()) var flagSym string
if b.Device {
flagSym = "d"
} else if b.Write {
flagSym = "w"
}
if b.AutoRoot {
prefix := "autoroot"
if flagSym != "" {
prefix += ":" + flagSym
}
if b.Source.String() != container.FHSRoot {
return prefix + ":" + b.Source.String()
}
return prefix
}
g := 4 + len(b.Source.String())
if b.Target != nil { if b.Target != nil {
g += len(b.Target.String()) g += len(b.Target.String())
} }
expr := new(strings.Builder) expr := new(strings.Builder)
expr.Grow(g) expr.Grow(g)
expr.WriteString(flagSym)
if b.Device {
expr.WriteString("d")
} else if b.Write {
expr.WriteString("w")
}
if !b.Optional { if !b.Optional {
expr.WriteString("*") expr.WriteString("*")

31
hst/fsbind_test.go
View File

@ -62,5 +62,36 @@ func TestFSBind(t *testing.T) {
Target: m("/"), Target: m("/"),
}}, m("/"), ms("/"), }}, m("/"), ms("/"),
"*/"}, "*/"},
{"autoroot nil target", &hst.FSBind{
Source: m("/"),
AutoRoot: true,
}, false, nil, nil, nil, "<invalid>"},
{"autoroot bad target", &hst.FSBind{
Source: m("/"),
Target: m("/etc/"),
AutoRoot: true,
}, false, nil, nil, nil, "<invalid>"},
{"autoroot pd", &hst.FSBind{
Target: m("/"),
Source: m("/"),
Write: true,
AutoRoot: true,
}, true, container.Ops{&container.AutoRootOp{
Host: m("/"),
Flags: container.BindWritable,
}}, m("/"), ms("/"), "autoroot:w"},
{"autoroot silly", &hst.FSBind{
Target: m("/"),
Source: m("/etc"),
Write: true,
AutoRoot: true,
}, true, container.Ops{&container.AutoRootOp{
Host: m("/etc"),
Flags: container.BindWritable,
}}, m("/"), ms("/etc"), "autoroot:w:/etc"},
}) })
} }