security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

hst/config: handle filesystem entry targeting root
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Sandbox (race detector) (push) Successful in 4m24s
Details
Test / Hakurei (race detector) (push) Successful in 5m6s
Details
Test / Hakurei (push) Successful in 2m10s
Details
Test / Flake checks (push) Successful in 1m24s
Details

Browse Source 
This allows any fstype supported by hst to be directly mounted on sysroot. A special case in internal/app applies the matching entry early and excludes it from path hiding.

Closes #5.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-25 17:51:08 +09:00
parent 059164d4fa
commit 1438096339
7 changed files with 64 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
internal/app/container_linux.go
View File

@@ -74,8 +74,19 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
*gid = container.OverflowGid()
}
if s.AutoRoot != nil {
params.Root(s.AutoRoot, s.RootFlags)
filesystem := s.Filesystem
var autoroot *hst.FSBind
// valid happens late, so root mount gets it here
if len(filesystem) > 0 && filesystem[0].Valid() && filesystem[0].Path().String() == container.FHSRoot {
// if the first element targets /, it is inserted early and excluded from path hiding
rootfs := filesystem[0].FilesystemConfig
filesystem = filesystem[1:]
rootfs.Apply(params.Ops)
// autoroot requires special handling during path hiding
if b, ok := rootfs.(*hst.FSBind); ok && b.Valid() && b.AutoRoot {
autoroot = b
}
}
params.
@@ -128,7 +139,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
}
var hidePathSourceCount int
for i, c := range s.Filesystem {
for i, c := range filesystem {
if !c.Valid() {
return nil, nil, fmt.Errorf("invalid filesystem at index %d", i)
}
@@ -138,10 +149,10 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
hidePathSourceCount += len(c.Host())
}
// AutoRoot is a collection of many BindMountOp internally
// AutoRootOp is a collection of many BindMountOp internally
var autoRootEntries []fs.DirEntry
if s.AutoRoot != nil {
if d, err := os.ReadDir(s.AutoRoot.String()); err != nil {
if autoroot != nil {
if d, err := os.ReadDir(autoroot.Source.String()); err != nil {
return nil, nil, err
} else {
// autoroot counter
@@ -153,17 +164,17 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
hidePathSource := make([]*container.Absolute, 0, hidePathSourceCount)
// fs append
for _, c := range s.Filesystem {
for _, c := range filesystem {
// all entries already checked above
hidePathSource = append(hidePathSource, c.Host()...)
}
// autoroot append
if s.AutoRoot != nil {
if autoroot != nil {
for _, ent := range autoRootEntries {
name := ent.Name()
if container.IsAutoRootBindable(name) {
hidePathSource = append(hidePathSource, s.AutoRoot.Append(name))
hidePathSource = append(hidePathSource, autoroot.Source.Append(name))
}
}
}

10
internal/app/seal_linux.go
View File

@@ -244,8 +244,14 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
Tty: true,
AutoEtc: true,
AutoRoot: container.AbsFHSRoot,
RootFlags: container.BindWritable,
Filesystem: []hst.FilesystemConfigJSON{
{&hst.FSBind{
Target: container.AbsFHSRoot,
Source: container.AbsFHSRoot,
Write: true,
AutoRoot: true,
}},
},
}
// bind GPU stuff