security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases 6 Wiki Activity

hst/config: handle filesystem entry targeting root
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Sandbox (race detector) (push) Successful in 4m24s
Details
Test / Hakurei (race detector) (push) Successful in 5m6s
Details
Test / Hakurei (push) Successful in 2m10s
Details
Test / Flake checks (push) Successful in 1m24s
Details

Browse Source 
This allows any fstype supported by hst to be directly mounted on sysroot. A special case in internal/app applies the matching entry early and excludes it from path hiding.

Closes #5.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-25 17:51:08 +09:00
parent 059164d4fa
commit 1438096339
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
7 changed files with 64 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/hakurei/print.go
View File

@ -110,10 +110,6 @@ func printShowInstance(
} }
t.Printf(" Flags:\t%s\n", strings.Join(flags, " ")) t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))
if params.AutoRoot != nil {
t.Printf(" Root:\t%s (%d)\n", params.AutoRoot, params.RootFlags)
}
etc := params.Etc etc := params.Etc
if etc == nil { if etc == nil {
etc = container.AbsFHSEtc etc = container.AbsFHSEtc

31
cmd/hakurei/print_test.go
View File

@ -42,12 +42,12 @@ func Test_printShowInstance(t *testing.T) {
Data: /var/lib/hakurei/u0/org.chromium.Chromium Data: /var/lib/hakurei/u0/org.chromium.Chromium
Hostname: localhost Hostname: localhost
Flags: userns devel net abstract device tty mapuid autoetc Flags: userns devel net abstract device tty mapuid autoetc
Root: /var/lib/hakurei/base/org.debian (2)
Etc: /etc/ Etc: /etc/
Path: /run/current-system/sw/bin/chromium Path: /run/current-system/sw/bin/chromium
Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
Filesystem Filesystem
autoroot:w:/var/lib/hakurei/base/org.debian
w+ephemeral(-rwxr-xr-x):/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
*/nix/store */nix/store
@ -121,12 +121,12 @@ App
Data: /var/lib/hakurei/u0/org.chromium.Chromium Data: /var/lib/hakurei/u0/org.chromium.Chromium
Hostname: localhost Hostname: localhost
Flags: userns devel net abstract device tty mapuid autoetc Flags: userns devel net abstract device tty mapuid autoetc
Root: /var/lib/hakurei/base/org.debian (2)
Etc: /etc/ Etc: /etc/
Path: /run/current-system/sw/bin/chromium Path: /run/current-system/sw/bin/chromium
Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
Filesystem Filesystem
autoroot:w:/var/lib/hakurei/base/org.debian
w+ephemeral(-rwxr-xr-x):/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
*/nix/store */nix/store
@ -279,6 +279,13 @@ App
"map_real_uid": true, "map_real_uid": true,
"device": true, "device": true,
"filesystem": [ "filesystem": [
{
"type": "bind",
"dst": "/",
"src": "/var/lib/hakurei/base/org.debian",
"write": true,
"autoroot": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -325,8 +332,6 @@ App
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc/", "etc": "/etc/",
"auto_etc": true "auto_etc": true
} }
@ -428,6 +433,13 @@ App
"map_real_uid": true, "map_real_uid": true,
"device": true, "device": true,
"filesystem": [ "filesystem": [
{
"type": "bind",
"dst": "/",
"src": "/var/lib/hakurei/base/org.debian",
"write": true,
"autoroot": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -474,8 +486,6 @@ App
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc/", "etc": "/etc/",
"auto_etc": true "auto_etc": true
} }
@ -631,6 +641,13 @@ func Test_printPs(t *testing.T) {
"map_real_uid": true, "map_real_uid": true,
"device": true, "device": true,
"filesystem": [ "filesystem": [
{
"type": "bind",
"dst": "/",
"src": "/var/lib/hakurei/base/org.debian",
"write": true,
"autoroot": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -677,8 +694,6 @@ func Test_printPs(t *testing.T) {
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc/", "etc": "/etc/",
"auto_etc": true "auto_etc": true
} }

9
hst/config.go
View File

@ -93,17 +93,12 @@ type (
// pass through all devices // pass through all devices
Device bool `json:"device,omitempty"` Device bool `json:"device,omitempty"`
// container mount points // container mount points;
// if the first element targets /, it is inserted early and excluded from path hiding
Filesystem []FilesystemConfigJSON `json:"filesystem"` Filesystem []FilesystemConfigJSON `json:"filesystem"`
// create symlinks inside container filesystem // create symlinks inside container filesystem
Link []LinkConfig `json:"symlink"` Link []LinkConfig `json:"symlink"`
// automatically bind mount top-level directories to container root;
// the zero value disables this behaviour
AutoRoot *container.Absolute `json:"auto_root,omitempty"`
// extra flags for AutoRoot
RootFlags int `json:"root_flags,omitempty"`
// read-only /etc directory // read-only /etc directory
Etc *container.Absolute `json:"etc,omitempty"` Etc *container.Absolute `json:"etc,omitempty"`
// automatically set up /etc symlinks // automatically set up /etc symlinks

9
hst/hst.go
View File

@ -97,6 +97,7 @@ func Template() *Config {
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT", "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
}, },
Filesystem: []FilesystemConfigJSON{ Filesystem: []FilesystemConfigJSON{
{&FSBind{container.AbsFHSRoot, container.AbsFHSVarLib.Append("hakurei/base/org.debian"), true, false, false, true}},
{&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}}, {&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}},
{&FSOverlay{ {&FSOverlay{
Target: container.MustAbs("/nix/store"), Target: container.MustAbs("/nix/store"),
@ -111,11 +112,9 @@ func Template() *Config {
Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}}, Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
{&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}}, {&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
}, },
Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}}, Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
AutoRoot: container.AbsFHSVarLib.Append("hakurei/base/org.debian"), Etc: container.AbsFHSEtc,
RootFlags: container.BindWritable, AutoEtc: true,
Etc: container.AbsFHSEtc,
AutoEtc: true,
}, },
} }
} }

9
hst/hst_test.go
View File

@ -102,6 +102,13 @@ func TestTemplate(t *testing.T) {
"map_real_uid": true, "map_real_uid": true,
"device": true, "device": true,
"filesystem": [ "filesystem": [
{
"type": "bind",
"dst": "/",
"src": "/var/lib/hakurei/base/org.debian",
"write": true,
"autoroot": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -148,8 +155,6 @@ func TestTemplate(t *testing.T) {
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc/", "etc": "/etc/",
"auto_etc": true "auto_etc": true
} }

29
internal/app/container_linux.go
View File

@ -74,8 +74,19 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
*gid = container.OverflowGid() *gid = container.OverflowGid()
} }
if s.AutoRoot != nil { filesystem := s.Filesystem
params.Root(s.AutoRoot, s.RootFlags) var autoroot *hst.FSBind
// valid happens late, so root mount gets it here
if len(filesystem) > 0 && filesystem[0].Valid() && filesystem[0].Path().String() == container.FHSRoot {
// if the first element targets /, it is inserted early and excluded from path hiding
rootfs := filesystem[0].FilesystemConfig
filesystem = filesystem[1:]
rootfs.Apply(params.Ops)
// autoroot requires special handling during path hiding
if b, ok := rootfs.(*hst.FSBind); ok && b.Valid() && b.AutoRoot {
autoroot = b
}
} }
params. params.
@ -128,7 +139,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
} }
var hidePathSourceCount int var hidePathSourceCount int
for i, c := range s.Filesystem { for i, c := range filesystem {
if !c.Valid() { if !c.Valid() {
return nil, nil, fmt.Errorf("invalid filesystem at index %d", i) return nil, nil, fmt.Errorf("invalid filesystem at index %d", i)
} }
@ -138,10 +149,10 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
hidePathSourceCount += len(c.Host()) hidePathSourceCount += len(c.Host())
} }
// AutoRoot is a collection of many BindMountOp internally // AutoRootOp is a collection of many BindMountOp internally
var autoRootEntries []fs.DirEntry var autoRootEntries []fs.DirEntry
if s.AutoRoot != nil { if autoroot != nil {
if d, err := os.ReadDir(s.AutoRoot.String()); err != nil { if d, err := os.ReadDir(autoroot.Source.String()); err != nil {
return nil, nil, err return nil, nil, err
} else { } else {
// autoroot counter // autoroot counter
@ -153,17 +164,17 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
hidePathSource := make([]*container.Absolute, 0, hidePathSourceCount) hidePathSource := make([]*container.Absolute, 0, hidePathSourceCount)
// fs append // fs append
for _, c := range s.Filesystem { for _, c := range filesystem {
// all entries already checked above // all entries already checked above
hidePathSource = append(hidePathSource, c.Host()...) hidePathSource = append(hidePathSource, c.Host()...)
} }
// autoroot append // autoroot append
if s.AutoRoot != nil { if autoroot != nil {
for _, ent := range autoRootEntries { for _, ent := range autoRootEntries {
name := ent.Name() name := ent.Name()
if container.IsAutoRootBindable(name) { if container.IsAutoRootBindable(name) {
hidePathSource = append(hidePathSource, s.AutoRoot.Append(name)) hidePathSource = append(hidePathSource, autoroot.Source.Append(name))
} }
} }
} }

10
internal/app/seal_linux.go
View File

@ -244,8 +244,14 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
Tty: true, Tty: true,
AutoEtc: true, AutoEtc: true,
AutoRoot: container.AbsFHSRoot, Filesystem: []hst.FilesystemConfigJSON{
RootFlags: container.BindWritable, {&hst.FSBind{
Target: container.AbsFHSRoot,
Source: container.AbsFHSRoot,
Write: true,
AutoRoot: true,
}},
},
} }
// bind GPU stuff // bind GPU stuff