From 1b5ecd9eaf3289d164d8ed1bce6013e0e4ef8e86 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Thu, 3 Jul 2025 02:59:43 +0900 Subject: [PATCH] container: move out of toplevel This allows slightly easier use of the vanity URL. This also provides some disambiguation between low-level containers and hakurei app containers. 
Signed-off-by: Ophestra --- .../internal/app/instance/common/container.go | 54 ++++++------ .../app/internal/setuid/app_nixos_test.go | 26 +++--- .../app/internal/setuid/app_pd_test.go | 78 ++++++++-------- .../internal/app/internal/setuid/app_test.go | 6 +- .../app/internal/setuid/export_test.go | 4 +- .../internal/app/internal/setuid/process.go | 4 +- .../internal/app/internal/setuid/seal.go | 10 +-- .../internal/app/internal/setuid/shim.go | 30 +++---- cmd/hakurei/main.go | 6 +- cmd/planterette/app.go | 2 +- cmd/planterette/with.go | 2 +- container.go => container/container.go | 6 +- .../container_test.go | 88 +++++++++---------- executable.go => container/executable.go | 2 +- .../executable_test.go | 6 +- init.go => container/init.go | 4 +- mount.go => container/mount.go | 4 +- msg.go => container/msg.go | 2 +- ops.go => container/ops.go | 2 +- output.go => container/output.go | 2 +- params.go => container/params.go | 2 +- path.go => container/path.go | 4 +- .../seccomp}/libseccomp-helper.c | 0 .../seccomp}/libseccomp-helper.h | 0 {seccomp => container/seccomp}/libseccomp.go | 0 .../seccomp}/libseccomp_test.go | 2 +- .../seccomp}/mksysnum_linux.pl | 0 {seccomp => container/seccomp}/presets.go | 0 .../seccomp}/presets_clone_backwards2.go | 0 .../seccomp}/presets_clone_generic.go | 0 {seccomp => container/seccomp}/proc.go | 0 {seccomp => container/seccomp}/seccomp.go | 0 .../seccomp}/seccomp_test.go | 2 +- {seccomp => container/seccomp}/syscall.go | 0 .../seccomp}/syscall_extra_linux_amd64.go | 0 .../seccomp}/syscall_linux_amd64.go | 0 .../seccomp}/syscall_test.go | 0 syscall.go => container/syscall.go | 2 +- sysctl.go => container/sysctl.go | 2 +- {vfs => container/vfs}/mangle.go | 0 {vfs => container/vfs}/mangle_test.go | 2 +- {vfs => container/vfs}/mountinfo.go | 0 {vfs => container/vfs}/mountinfo_test.go | 2 +- {vfs => container/vfs}/unfold.go | 0 {vfs => container/vfs}/unfold_test.go | 2 +- helper/container.go | 8 +- helper/container_test.go | 16 ++-- 
hst/container.go | 2 +- hst/template.go | 2 +- internal/output.go | 4 +- internal/sys/std.go | 4 +- ldd/exec.go | 26 +++--- system/dbus/dbus_test.go | 12 +-- system/dbus/proc.go | 26 +++--- system/output.go | 8 +- 55 files changed, 232 insertions(+), 234 deletions(-) rename container.go => container/container.go (96%) rename container_test.go => container/container_test.go (80%) rename executable.go => container/executable.go (95%) rename executable_test.go => container/executable_test.go (56%) rename init.go => container/init.go (99%) rename mount.go => container/mount.go (97%) rename msg.go => container/msg.go (98%) rename ops.go => container/ops.go (99%) rename output.go => container/output.go (95%) rename params.go => container/params.go (98%) rename path.go => container/path.go (96%) rename {seccomp => container/seccomp}/libseccomp-helper.c (100%) rename {seccomp => container/seccomp}/libseccomp-helper.h (100%) rename {seccomp => container/seccomp}/libseccomp.go (100%) rename {seccomp => container/seccomp}/libseccomp_test.go (98%) rename {seccomp => container/seccomp}/mksysnum_linux.pl (100%) rename {seccomp => container/seccomp}/presets.go (100%) rename {seccomp => container/seccomp}/presets_clone_backwards2.go (100%) rename {seccomp => container/seccomp}/presets_clone_generic.go (100%) rename {seccomp => container/seccomp}/proc.go (100%) rename {seccomp => container/seccomp}/seccomp.go (100%) rename {seccomp => container/seccomp}/seccomp_test.go (96%) rename {seccomp => container/seccomp}/syscall.go (100%) rename {seccomp => container/seccomp}/syscall_extra_linux_amd64.go (100%) rename {seccomp => container/seccomp}/syscall_linux_amd64.go (100%) rename {seccomp => container/seccomp}/syscall_test.go (100%) rename syscall.go => container/syscall.go (98%) rename sysctl.go => container/sysctl.go (98%) rename {vfs => container/vfs}/mangle.go (100%) rename {vfs => container/vfs}/mangle_test.go (90%) rename {vfs => container/vfs}/mountinfo.go (100%) rename {vfs => 
container/vfs}/mountinfo_test.go (99%) rename {vfs => container/vfs}/unfold.go (100%) rename {vfs => container/vfs}/unfold_test.go (98%) diff --git a/cmd/hakurei/internal/app/instance/common/container.go b/cmd/hakurei/internal/app/instance/common/container.go index b7e2631..3e4740d 100644 --- a/cmd/hakurei/internal/app/instance/common/container.go +++ b/cmd/hakurei/internal/app/instance/common/container.go @@ -8,10 +8,10 @@ import ( "path" "syscall" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/hst" "git.gensokyo.uk/security/hakurei/internal/sys" - "git.gensokyo.uk/security/hakurei/seccomp" "git.gensokyo.uk/security/hakurei/system/dbus" ) @@ -21,12 +21,12 @@ const preallocateOpsCount = 1 << 5 // NewContainer initialises [sandbox.Params] via [hst.ContainerConfig]. // Note that remaining container setup must be queued by the caller. -func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei.Params, map[string]string, error) { +func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*container.Params, map[string]string, error) { if s == nil { return nil, nil, syscall.EBADE } - container := &hakurei.Params{ + params := &container.Params{ Hostname: s.Hostname, SeccompFlags: s.SeccompFlags, SeccompPresets: s.SeccompPresets, 
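Review bot: The doc comment on NewContainer still links `[sandbox.Params]`, a name that does not exist in this module now that the type lives in package container, so the godoc link will not resolve; it should read `// NewContainer initialises [container.Params] via [hst.ContainerConfig].` The local rename from `container` to `params` in the same hunk is required rather than cosmetic, since a local called `container` would shadow the imported package and break the later `container.OverflowUid()` and `container.Bind*` references; a short comment such as `// named params so the imported container package stays reachable` would stop a future reader from renaming it back. NewContainer's body continues beyond this hunk.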
@@ -35,47 +35,47 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei } { - ops := make(hakurei.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover)) - container.Ops = &ops + ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover)) + params.Ops = &ops } if s.Multiarch { - container.SeccompFlags |= seccomp.AllowMultiarch + params.SeccompFlags |= seccomp.AllowMultiarch } if !s.SeccompCompat { - container.SeccompPresets |= seccomp.PresetExt + params.SeccompPresets |= seccomp.PresetExt } if !s.Devel { - container.SeccompPresets |= seccomp.PresetDenyDevel + params.SeccompPresets |= seccomp.PresetDenyDevel } if !s.Userns { - container.SeccompPresets |= seccomp.PresetDenyNS + params.SeccompPresets |= seccomp.PresetDenyNS } if !s.Tty { - container.SeccompPresets |= seccomp.PresetDenyTTY + params.SeccompPresets |= seccomp.PresetDenyTTY } if s.MapRealUID { /* some programs fail to connect to dbus session running as a different uid so this workaround is introduced to map priv-side caller uid in container */ - container.Uid = os.Getuid() - *uid = container.Uid - container.Gid = os.Getgid() - *gid = container.Gid + params.Uid = os.Getuid() + *uid = params.Uid + params.Gid = os.Getgid() + *gid = params.Gid } else { - *uid = hakurei.OverflowUid() - *gid = hakurei.OverflowGid() + *uid = container.OverflowUid() + *gid = container.OverflowGid() } - container. + params. Proc("/proc"). Tmpfs(hst.Tmp, 1<<12, 0755) if !s.Device { - container.Dev("/dev").Mqueue("/dev/mqueue") + params.Dev("/dev").Mqueue("/dev/mqueue") } else { - container.Bind("/dev", "/dev", hakurei.BindWritable|hakurei.BindDevice) + params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice) } /* retrieve paths and hide them if they're made available in the sandbox; 
@@ -154,29 +154,29 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei var flags int if c.Write { - flags |= hakurei.BindWritable + flags |= container.BindWritable } if c.Device { - flags |= hakurei.BindDevice | hakurei.BindWritable + flags |= container.BindDevice | container.BindWritable } if !c.Must { - flags |= hakurei.BindOptional + flags |= container.BindOptional } - container.Bind(c.Src, dest, flags) + params.Bind(c.Src, dest, flags) } // cover matched paths for i, ok := range hidePathMatch { if ok { - container.Tmpfs(hidePaths[i], 1<<13, 0755) + params.Tmpfs(hidePaths[i], 1<<13, 0755) } } for _, l := range s.Link { - container.Link(l[0], l[1]) + params.Link(l[0], l[1]) } - return container, maps.Clone(s.Env), nil + return params, maps.Clone(s.Env), nil } func evalSymlinks(os sys.State, v *string) error { diff --git a/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go b/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go index 29dfdd8..df955af 100644 --- a/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go +++ b/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go @@ -1,10 +1,10 @@ package setuid_test import ( - "git.gensokyo.uk/security/hakurei" "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app" + "git.gensokyo.uk/security/hakurei/container" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/hst" - "git.gensokyo.uk/security/hakurei/seccomp" "git.gensokyo.uk/security/hakurei/system" "git.gensokyo.uk/security/hakurei/system/acl" "git.gensokyo.uk/security/hakurei/system/dbus" @@ -94,7 +94,7 @@ var testCasesNixos = []sealTestCase{ }). UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write). UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write), - &hakurei.Params{ + &container.Params{ Uid: 1971, Gid: 100, Dir: "/var/lib/persist/module/hakurei/0/1", 
@@ -114,7 +114,7 @@ var testCasesNixos = []sealTestCase{ "XDG_SESSION_CLASS=user", "XDG_SESSION_TYPE=tty", }, - Ops: new(hakurei.Ops). + Ops: new(container.Ops). Proc("/proc"). Tmpfs(hst.Tmp, 4096, 0755). Dev("/dev").Mqueue("/dev/mqueue"). 
@@ -122,18 +122,18 @@ var testCasesNixos = []sealTestCase{ Bind("/usr/bin", "/usr/bin", 0). Bind("/nix/store", "/nix/store", 0). Bind("/run/current-system", "/run/current-system", 0). - Bind("/sys/block", "/sys/block", hakurei.BindOptional). - Bind("/sys/bus", "/sys/bus", hakurei.BindOptional). - Bind("/sys/class", "/sys/class", hakurei.BindOptional). - Bind("/sys/dev", "/sys/dev", hakurei.BindOptional). - Bind("/sys/devices", "/sys/devices", hakurei.BindOptional). + Bind("/sys/block", "/sys/block", container.BindOptional). + Bind("/sys/bus", "/sys/bus", container.BindOptional). + Bind("/sys/class", "/sys/class", container.BindOptional). + Bind("/sys/dev", "/sys/dev", container.BindOptional). + Bind("/sys/devices", "/sys/devices", container.BindOptional). Bind("/run/opengl-driver", "/run/opengl-driver", 0). - Bind("/dev/dri", "/dev/dri", hakurei.BindDevice|hakurei.BindWritable|hakurei.BindOptional). + Bind("/dev/dri", "/dev/dri", container.BindDevice|container.BindWritable|container.BindOptional). Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1"). Tmpfs("/run/user", 4096, 0755). - Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", hakurei.BindWritable). - Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", hakurei.BindWritable). - Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", hakurei.BindWritable). + Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", container.BindWritable). + Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", container.BindWritable). + Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", container.BindWritable). Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")). Place("/etc/group", []byte("hakurei:x:100:\n")). Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0). 
diff --git a/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go b/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go index 2236510..ee1eceb 100644 --- a/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go +++ b/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go @@ -3,10 +3,10 @@ package setuid_test import ( "os" - "git.gensokyo.uk/security/hakurei" "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app" + "git.gensokyo.uk/security/hakurei/container" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/hst" - "git.gensokyo.uk/security/hakurei/seccomp" "git.gensokyo.uk/security/hakurei/system" "git.gensokyo.uk/security/hakurei/system/acl" "git.gensokyo.uk/security/hakurei/system/dbus" @@ -28,7 +28,7 @@ var testCasesPd = []sealTestCase{ Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute). Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute). Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute), - &hakurei.Params{ + &container.Params{ Dir: "/home/chronos", Path: "/run/current-system/sw/bin/zsh", Args: []string{"/run/current-system/sw/bin/zsh"}, 
@@ -41,30 +41,30 @@ var testCasesPd = []sealTestCase{ "XDG_SESSION_CLASS=user", "XDG_SESSION_TYPE=tty", }, - Ops: new(hakurei.Ops). + Ops: new(container.Ops). Proc("/proc"). Tmpfs(hst.Tmp, 4096, 0755). Dev("/dev").Mqueue("/dev/mqueue"). - Bind("/bin", "/bin", hakurei.BindWritable). - Bind("/boot", "/boot", hakurei.BindWritable). - Bind("/home", "/home", hakurei.BindWritable). - Bind("/lib", "/lib", hakurei.BindWritable). - Bind("/lib64", "/lib64", hakurei.BindWritable). - Bind("/nix", "/nix", hakurei.BindWritable). - Bind("/root", "/root", hakurei.BindWritable). - Bind("/run", "/run", hakurei.BindWritable). - Bind("/srv", "/srv", hakurei.BindWritable). - Bind("/sys", "/sys", hakurei.BindWritable). - Bind("/usr", "/usr", hakurei.BindWritable). - Bind("/var", "/var", hakurei.BindWritable). - Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional). + Bind("/bin", "/bin", container.BindWritable). + Bind("/boot", "/boot", container.BindWritable). + Bind("/home", "/home", container.BindWritable). + Bind("/lib", "/lib", container.BindWritable). + Bind("/lib64", "/lib64", container.BindWritable). + Bind("/nix", "/nix", container.BindWritable). + Bind("/root", "/root", container.BindWritable). + Bind("/run", "/run", container.BindWritable). + Bind("/srv", "/srv", container.BindWritable). + Bind("/sys", "/sys", container.BindWritable). + Bind("/usr", "/usr", container.BindWritable). + Bind("/var", "/var", container.BindWritable). + Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional). Tmpfs("/run/user/1971", 8192, 0755). Tmpfs("/run/dbus", 8192, 0755). Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac"). Tmpfs("/run/user", 4096, 0755). - Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", hakurei.BindWritable). - Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", hakurei.BindWritable). - Bind("/home/chronos", "/home/chronos", hakurei.BindWritable). 
+ Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", container.BindWritable). + Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable). + Bind("/home/chronos", "/home/chronos", container.BindWritable). Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")). Place("/etc/group", []byte("hakurei:x:65534:\n")). Tmpfs("/var/run/nscd", 8192, 0755), @@ -166,7 +166,7 @@ var testCasesPd = []sealTestCase{ }). UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write). UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write), - &hakurei.Params{ + &container.Params{ Dir: "/home/chronos", Path: "/run/current-system/sw/bin/zsh", Args: []string{"zsh", "-c", "exec chromium "}, 
@@ -184,31 +184,31 @@ var testCasesPd = []sealTestCase{ "XDG_SESSION_CLASS=user", "XDG_SESSION_TYPE=tty", }, - Ops: new(hakurei.Ops). + Ops: new(container.Ops). Proc("/proc"). Tmpfs(hst.Tmp, 4096, 0755). Dev("/dev").Mqueue("/dev/mqueue"). - Bind("/bin", "/bin", hakurei.BindWritable). - Bind("/boot", "/boot", hakurei.BindWritable). - Bind("/home", "/home", hakurei.BindWritable). - Bind("/lib", "/lib", hakurei.BindWritable). - Bind("/lib64", "/lib64", hakurei.BindWritable). - Bind("/nix", "/nix", hakurei.BindWritable). - Bind("/root", "/root", hakurei.BindWritable). - Bind("/run", "/run", hakurei.BindWritable). - Bind("/srv", "/srv", hakurei.BindWritable). - Bind("/sys", "/sys", hakurei.BindWritable). - Bind("/usr", "/usr", hakurei.BindWritable). - Bind("/var", "/var", hakurei.BindWritable). - Bind("/dev/dri", "/dev/dri", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional). - Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional). + Bind("/bin", "/bin", container.BindWritable). + Bind("/boot", "/boot", container.BindWritable). + Bind("/home", "/home", container.BindWritable). + Bind("/lib", "/lib", container.BindWritable). + Bind("/lib64", "/lib64", container.BindWritable). + Bind("/nix", "/nix", container.BindWritable). + Bind("/root", "/root", container.BindWritable). + Bind("/run", "/run", container.BindWritable). + Bind("/srv", "/srv", container.BindWritable). + Bind("/sys", "/sys", container.BindWritable). + Bind("/usr", "/usr", container.BindWritable). + Bind("/var", "/var", container.BindWritable). + Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional). + Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional). Tmpfs("/run/user/1971", 8192, 0755). Tmpfs("/run/dbus", 8192, 0755). Etc("/etc", "ebf083d1b175911782d413369b64ce7c"). Tmpfs("/run/user", 4096, 0755). 
- Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", hakurei.BindWritable). - Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", hakurei.BindWritable). - Bind("/home/chronos", "/home/chronos", hakurei.BindWritable). + Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", container.BindWritable). + Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", container.BindWritable). + Bind("/home/chronos", "/home/chronos", container.BindWritable). Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")). Place("/etc/group", []byte("hakurei:x:65534:\n")). Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0). diff --git a/cmd/hakurei/internal/app/internal/setuid/app_test.go b/cmd/hakurei/internal/app/internal/setuid/app_test.go index 18f5ec3..f95f371 100644 --- a/cmd/hakurei/internal/app/internal/setuid/app_test.go +++ b/cmd/hakurei/internal/app/internal/setuid/app_test.go @@ -7,9 +7,9 @@ import ( "testing" "time" - "git.gensokyo.uk/security/hakurei" "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app" "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/internal/setuid" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/hst" "git.gensokyo.uk/security/hakurei/internal/sys" "git.gensokyo.uk/security/hakurei/system" @@ -21,7 +21,7 @@ type sealTestCase struct { config *hst.Config id app.ID wantSys *system.I - wantContainer *hakurei.Params + wantContainer *container.Params } func TestApp(t *testing.T) { @@ -32,7 +32,7 @@ func TestApp(t *testing.T) { a := setuid.NewWithID(tc.id, tc.os) var ( gotSys *system.I - gotContainer *hakurei.Params + gotContainer *container.Params ) if !t.Run("seal", func(t *testing.T) { if sa, err := a.Seal(tc.config); err != nil { diff --git a/cmd/hakurei/internal/app/internal/setuid/export_test.go b/cmd/hakurei/internal/app/internal/setuid/export_test.go index 66d16a1..812215e 100644 
--- a/cmd/hakurei/internal/app/internal/setuid/export_test.go +++ b/cmd/hakurei/internal/app/internal/setuid/export_test.go @@ -1,8 +1,8 @@ package setuid import ( - "git.gensokyo.uk/security/hakurei" . "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/internal/sys" "git.gensokyo.uk/security/hakurei/system" ) @@ -14,7 +14,7 @@ func NewWithID(id ID, os sys.State) App { return a } -func AppIParams(a App, sa SealedApp) (*system.I, *hakurei.Params) { +func AppIParams(a App, sa SealedApp) (*system.I, *container.Params) { v := a.(*app) seal := sa.(*outcome) if v.outcome != seal || v.id != seal.id { diff --git a/cmd/hakurei/internal/app/internal/setuid/process.go b/cmd/hakurei/internal/app/internal/setuid/process.go index 50d1723..28b4211 100644 --- a/cmd/hakurei/internal/app/internal/setuid/process.go +++ b/cmd/hakurei/internal/app/internal/setuid/process.go @@ -12,9 +12,9 @@ import ( "syscall" "time" - "git.gensokyo.uk/security/hakurei" . "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app" "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/state" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" "git.gensokyo.uk/security/hakurei/system" @@ -94,7 +94,7 @@ func (seal *outcome) Run(rs *RunState) error { cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) } var e *gob.Encoder - if fd, encoder, err := hakurei.Setup(&cmd.ExtraFiles); err != nil { + if fd, encoder, err := container.Setup(&cmd.ExtraFiles); err != nil { return hlog.WrapErrSuffix(err, "cannot create shim setup pipe:") } else { diff --git a/cmd/hakurei/internal/app/internal/setuid/seal.go b/cmd/hakurei/internal/app/internal/setuid/seal.go index de17dcb..6c301ff 100644 --- a/cmd/hakurei/internal/app/internal/setuid/seal.go +++ b/cmd/hakurei/internal/app/internal/setuid/seal.go 
@@ -16,9 +16,9 @@ import ( "sync/atomic" "syscall" - "git.gensokyo.uk/security/hakurei" . "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app" "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/instance/common" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/hst" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" @@ -80,7 +80,7 @@ type outcome struct { sys *system.I ctx context.Context - container *hakurei.Params + container *container.Params env map[string]string sync *os.File @@ -334,7 +334,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co seal.sys.Ensure(runtimeDirInst, 0700) seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute) seal.container.Tmpfs("/run/user", 1<<12, 0755) - seal.container.Bind(runtimeDirInst, innerRuntimeDir, hakurei.BindWritable) + seal.container.Bind(runtimeDirInst, innerRuntimeDir, container.BindWritable) } { @@ -345,7 +345,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co seal.sys.Ensure(tmpdirInst, 01700) seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute) // mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp - seal.container.Bind(tmpdirInst, "/tmp", hakurei.BindWritable) + seal.container.Bind(tmpdirInst, "/tmp", container.BindWritable) } { @@ -357,7 +357,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co if seal.user.username != "" { username = seal.user.username } - seal.container.Bind(seal.user.data, homeDir, hakurei.BindWritable) + seal.container.Bind(seal.user.data, homeDir, container.BindWritable) seal.container.Dir = homeDir seal.env["HOME"] = homeDir seal.env["USER"] = username diff --git a/cmd/hakurei/internal/app/internal/setuid/shim.go b/cmd/hakurei/internal/app/internal/setuid/shim.go index 0281f80..264ee0a 100644 
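Review bot: The `outcome` struct keeps a field named `container` whose type now comes from a package of the same name, so `seal.container.Bind(runtimeDirInst, innerRuntimeDir, container.BindWritable)` mixes the field and the package in one expression; it compiles, but any outcome method that later declares a local or parameter called `container` will silently shadow the package. The commit already renamed the equivalent local in common.NewContainer to `params`, and shimParams carries it as `Container`; renaming the field to `params *container.Params` and the uses to `seal.params.Bind(...)` would keep the three consistent and remove the ambiguity. The struct definition and the finalise body both extend outside these hunks.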
--- a/cmd/hakurei/internal/app/internal/setuid/shim.go +++ b/cmd/hakurei/internal/app/internal/setuid/shim.go @@ -10,10 +10,10 @@ import ( "syscall" "time" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" - "git.gensokyo.uk/security/hakurei/seccomp" ) /* @@ -74,7 +74,7 @@ type shimParams struct { Monitor int // finalised container params - Container *hakurei.Params + Container *container.Params // path to outer home directory Home string @@ -86,7 +86,7 @@ type shimParams struct { func ShimMain() { hlog.Prepare("shim") - if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil { + if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil { log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err) } @@ -94,11 +94,11 @@ func ShimMain() { params shimParams closeSetup func() error ) - if f, err := hakurei.Receive(shimEnv, ¶ms, nil); err != nil { - if errors.Is(err, hakurei.ErrInvalid) { + if f, err := container.Receive(shimEnv, ¶ms, nil); err != nil { + if errors.Is(err, container.ErrInvalid) { log.Fatal("invalid config descriptor") } - if errors.Is(err, hakurei.ErrNotSet) { + if errors.Is(err, container.ErrNotSet) { log.Fatal("HAKUREI_SHIM not set") } 
@@ -149,17 +149,17 @@ func ShimMain() { } ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) defer stop() // unreachable - container := hakurei.New(ctx, name) - container.Params = *params.Container - container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr - container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) } - container.WaitDelay = 2 * time.Second + z := container.New(ctx, name) + z.Params = *params.Container + z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr + z.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) } + z.WaitDelay = 2 * time.Second - if err := container.Start(); err != nil { + if err := z.Start(); err != nil { hlog.PrintBaseError(err, "cannot start container:") os.Exit(1) } - if err := container.Serve(); err != nil { + if err := z.Serve(); err != nil { hlog.PrintBaseError(err, "cannot configure container:") } @@ -170,7 +170,7 @@ func ShimMain() { log.Fatalf("cannot load syscall filter: %v", err) } - if err := container.Wait(); err != nil { + if err := z.Wait(); err != nil { var exitError *exec.ExitError if !errors.As(err, &exitError) { if errors.Is(err, context.Canceled) { diff --git a/cmd/hakurei/main.go b/cmd/hakurei/main.go index ef6b3e5..11259a0 100644 --- a/cmd/hakurei/main.go +++ b/cmd/hakurei/main.go @@ -9,7 +9,7 @@ import ( "log" "os" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" "git.gensokyo.uk/security/hakurei/internal/sys" 
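Review bot: `z := container.New(ctx, name)` in ShimMain picks a single-letter name with no mnemonic value for an object that is used across two hunks (Params assignment, Start, Serve, then Wait after the syscall-filter load), while the parallel rewrite in container_test.go chose `c` for the same type; using `c := container.New(ctx, name)` here as well, with `c.Params = *params.Container` and `c.Start()`/`c.Serve()`/`c.Wait()`, reads better and keeps the naming uniform across the tree. The rest of ShimMain, including the filter load between Serve and Wait, is outside these hunks.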
@@ -28,9 +28,9 @@ var std sys.State = new(sys.Std) func main() { // early init path, skips root check and duplicate PR_SET_DUMPABLE - hakurei.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput) + container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput) - if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil { + if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil { log.Printf("cannot set SUID_DUMP_DISABLE: %s", err) // not fatal: this program runs as the privileged user } diff --git a/cmd/planterette/app.go b/cmd/planterette/app.go index a8adcc5..41e1e02 100644 --- a/cmd/planterette/app.go +++ b/cmd/planterette/app.go @@ -6,8 +6,8 @@ import ( "os" "path" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/hst" - "git.gensokyo.uk/security/hakurei/seccomp" "git.gensokyo.uk/security/hakurei/system" "git.gensokyo.uk/security/hakurei/system/dbus" ) diff --git a/cmd/planterette/with.go b/cmd/planterette/with.go index a2eb02e..76e0861 100644 --- a/cmd/planterette/with.go +++ b/cmd/planterette/with.go @@ -5,9 +5,9 @@ import ( "path" "strings" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/hst" "git.gensokyo.uk/security/hakurei/internal" - "git.gensokyo.uk/security/hakurei/seccomp" ) func withNixDaemon( diff --git a/container.go b/container/container.go similarity index 96% rename from container.go rename to container/container.go index 5bbc5d3..62aa16d 100644 --- a/container.go +++ b/container/container.go @@ -1,5 +1,5 @@ -// Package hakurei implements unprivileged Linux containers with built-in support for syscall filtering. -package hakurei +// Package container implements unprivileged Linux containers with built-in support for syscall filtering. +package container import ( "context" 
@@ -14,7 +14,7 @@ import ( . "syscall" "time" - "git.gensokyo.uk/security/hakurei/seccomp" + "git.gensokyo.uk/security/hakurei/container/seccomp" ) type ( diff --git a/container_test.go b/container/container_test.go similarity index 80% rename from container_test.go rename to container/container_test.go index 4604d02..95f5361 100644 --- a/container_test.go +++ b/container/container_test.go @@ -1,4 +1,4 @@ -package hakurei_test +package container_test import ( "bytes" @@ -12,13 +12,13 @@ import ( "testing" "time" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" + "git.gensokyo.uk/security/hakurei/container/seccomp" + "git.gensokyo.uk/security/hakurei/container/vfs" "git.gensokyo.uk/security/hakurei/hst" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" "git.gensokyo.uk/security/hakurei/ldd" - "git.gensokyo.uk/security/hakurei/seccomp" - "git.gensokyo.uk/security/hakurei/vfs" ) const ( @@ -29,10 +29,10 @@ const ( func TestContainer(t *testing.T) { { oldVerbose := hlog.Load() - oldOutput := hakurei.GetOutput() + oldOutput := container.GetOutput() internal.InstallOutput(true) t.Cleanup(func() { hlog.Store(oldVerbose) }) - t.Cleanup(func() { hakurei.SetOutput(oldOutput) }) + t.Cleanup(func() { container.SetOutput(oldOutput) }) } testCases := []struct { @@ -40,7 +40,7 @@ func TestContainer(t *testing.T) { filter bool session bool net bool - ops *hakurei.Ops + ops *container.Ops mnt []*vfs.MountInfoEntry host string rules []seccomp.NativeRule 
@@ -48,28 +48,28 @@ func TestContainer(t *testing.T) { presets seccomp.FilterPreset }{ {"minimal", true, false, false, - new(hakurei.Ops), nil, "test-minimal", + new(container.Ops), nil, "test-minimal", nil, 0, seccomp.PresetStrict}, {"allow", true, true, true, - new(hakurei.Ops), nil, "test-minimal", + new(container.Ops), nil, "test-minimal", nil, 0, seccomp.PresetExt | seccomp.PresetDenyDevel}, {"no filter", false, true, true, - new(hakurei.Ops), nil, "test-no-filter", + new(container.Ops), nil, "test-no-filter", nil, 0, seccomp.PresetExt}, {"custom rules", true, true, true, - new(hakurei.Ops), nil, "test-no-filter", + new(container.Ops), nil, "test-no-filter", []seccomp.NativeRule{ {seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil}, }, 0, seccomp.PresetExt}, {"tmpfs", true, false, false, - new(hakurei.Ops). + new(container.Ops). Tmpfs(hst.Tmp, 0, 0755), []*vfs.MountInfoEntry{ e("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore), }, "test-tmpfs", nil, 0, seccomp.PresetStrict}, {"dev", true, true /* go test output is not a tty */, false, - new(hakurei.Ops). + new(container.Ops). Dev("/dev"). Mqueue("/dev/mqueue"), []*vfs.MountInfoEntry{ 
@@ -91,34 +91,34 @@ func TestContainer(t *testing.T) { ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second) defer cancel() - container := hakurei.New(ctx, "/usr/bin/sandbox.test", "-test.v", + c := container.New(ctx, "/usr/bin/sandbox.test", "-test.v", "-test.run=TestHelperCheckContainer", "--", "check", tc.host) - container.Uid = 1000 - container.Gid = 100 - container.Hostname = tc.host - container.CommandContext = commandContext - container.Stdout, container.Stderr = os.Stdout, os.Stderr - container.Ops = tc.ops - container.SeccompRules = tc.rules - container.SeccompFlags = tc.flags | seccomp.AllowMultiarch - container.SeccompPresets = tc.presets - container.SeccompDisable = !tc.filter - container.RetainSession = tc.session - container.HostNet = tc.net - if container.Args[5] == "" { + c.Uid = 1000 + c.Gid = 100 + c.Hostname = tc.host + c.CommandContext = commandContext + c.Stdout, c.Stderr = os.Stdout, os.Stderr + c.Ops = tc.ops + c.SeccompRules = tc.rules + c.SeccompFlags = tc.flags | seccomp.AllowMultiarch + c.SeccompPresets = tc.presets + c.SeccompDisable = !tc.filter + c.RetainSession = tc.session + c.HostNet = tc.net + if c.Args[5] == "" { if name, err := os.Hostname(); err != nil { t.Fatalf("cannot get hostname: %v", err) } else { - container.Args[5] = name + c.Args[5] = name } } - container. + c. Tmpfs("/tmp", 0, 0755). Bind(os.Args[0], os.Args[0], 0). Mkdir("/usr/bin", 0755). Link(os.Args[0], "/usr/bin/sandbox.test"). - Place("/etc/hostname", []byte(container.Args[5])) + Place("/etc/hostname", []byte(c.Args[5])) // in case test has cgo enabled var libPaths []string if entries, err := ldd.ExecFilter(ctx, 
@@ -131,10 +131,10 @@ func TestContainer(t *testing.T) { libPaths = ldd.Path(entries) } for _, name := range libPaths { - container.Bind(name, name, 0) + c.Bind(name, name, 0) } // needs /proc to check mountinfo - container.Proc("/proc") + c.Proc("/proc") mnt := make([]*vfs.MountInfoEntry, 0, 3+len(libPaths)) mnt = append(mnt, e("/sysroot", "/", "rw,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore)) @@ -152,16 +152,16 @@ func TestContainer(t *testing.T) { if err := gob.NewEncoder(want).Encode(mnt); err != nil { t.Fatalf("cannot serialise expected mount points: %v", err) } - container.Stdin = want + c.Stdin = want - if err := container.Start(); err != nil { + if err := c.Start(); err != nil { hlog.PrintBaseError(err, "start:") t.Fatalf("cannot start container: %v", err) - } else if err = container.Serve(); err != nil { + } else if err = c.Serve(); err != nil { hlog.PrintBaseError(err, "serve:") t.Errorf("cannot serve setup params: %v", err) } - if err := container.Wait(); err != nil { + if err := c.Wait(); err != nil { hlog.PrintBaseError(err, "wait:") t.Fatalf("wait: %v", err) } @@ -185,14 +185,14 @@ func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoE } func TestContainerString(t *testing.T) { - container := hakurei.New(t.Context(), "ldd", "/usr/bin/env") - container.SeccompFlags |= seccomp.AllowMultiarch - container.SeccompRules = seccomp.Preset( + c := container.New(t.Context(), "ldd", "/usr/bin/env") + c.SeccompFlags |= seccomp.AllowMultiarch + c.SeccompRules = seccomp.Preset( seccomp.PresetExt|seccomp.PresetDenyNS|seccomp.PresetDenyTTY, - container.SeccompFlags) - container.SeccompPresets = seccomp.PresetStrict + c.SeccompFlags) + c.SeccompPresets = seccomp.PresetStrict want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf` - if got := container.String(); got != want { + if got := c.String(); got != want { t.Errorf("String: %s, want %s", got, want) } } 
@@ -201,8 +201,8 @@ func TestHelperInit(t *testing.T) { if len(os.Args) != 5 || os.Args[4] != "init" { return } - hakurei.SetOutput(hlog.Output{}) - hakurei.Init(hlog.Prepare, internal.InstallOutput) + container.SetOutput(hlog.Output{}) + container.Init(hlog.Prepare, internal.InstallOutput) } func TestHelperCheckContainer(t *testing.T) { diff --git a/executable.go b/container/executable.go similarity index 95% rename from executable.go rename to container/executable.go index 2214156..d19d56f 100644 --- a/executable.go +++ b/container/executable.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "log" diff --git a/executable_test.go b/container/executable_test.go similarity index 56% rename from executable_test.go rename to container/executable_test.go index 27b6223..00e67b7 100644 --- a/executable_test.go +++ b/container/executable_test.go @@ -1,15 +1,15 @@ -package hakurei_test +package container_test import ( "os" "testing" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" ) func TestExecutable(t *testing.T) { for i := 0; i < 16; i++ { - if got := hakurei.MustExecutable(); got != os.Args[0] { + if got := container.MustExecutable(); got != os.Args[0] { t.Errorf("MustExecutable: %q, want %q", got, os.Args[0]) } diff --git a/init.go b/container/init.go similarity index 99% rename from init.go rename to container/init.go index cb7fd84..18d38c3 100644 --- a/init.go +++ b/container/init.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "errors" @@ -13,7 +13,7 @@ import ( . "syscall" "time" - "git.gensokyo.uk/security/hakurei/seccomp" + "git.gensokyo.uk/security/hakurei/container/seccomp" ) const ( diff --git a/mount.go b/container/mount.go similarity index 97% rename from mount.go rename to container/mount.go index 44e1d9c..eddec2f 100644 --- a/mount.go +++ b/container/mount.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "errors" 
@@ -7,7 +7,7 @@ import ( "path/filepath" . "syscall" - "git.gensokyo.uk/security/hakurei/vfs" + "git.gensokyo.uk/security/hakurei/container/vfs" ) func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) error { diff --git a/msg.go b/container/msg.go similarity index 98% rename from msg.go rename to container/msg.go index aa7a272..3f29e99 100644 --- a/msg.go +++ b/container/msg.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "log" diff --git a/ops.go b/container/ops.go similarity index 99% rename from ops.go rename to container/ops.go index 8d5a9e3..236d1ac 100644 --- a/ops.go +++ b/container/ops.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "encoding/gob" diff --git a/output.go b/container/output.go similarity index 95% rename from output.go rename to container/output.go index d64d471..6bedd55 100644 --- a/output.go +++ b/container/output.go @@ -1,4 +1,4 @@ -package hakurei +package container var msg Msg = new(DefaultMsg) diff --git a/params.go b/container/params.go similarity index 98% rename from params.go rename to container/params.go index 4744123..e4328a7 100644 --- a/params.go +++ b/container/params.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "encoding/gob" diff --git a/path.go b/container/path.go similarity index 96% rename from path.go rename to container/path.go index 9e777ee..a3938ff 100644 --- a/path.go +++ b/container/path.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "errors" @@ -10,7 +10,7 @@ import ( "strings" "syscall" - "git.gensokyo.uk/security/hakurei/vfs" + "git.gensokyo.uk/security/hakurei/container/vfs" ) const ( diff --git a/seccomp/libseccomp-helper.c b/container/seccomp/libseccomp-helper.c similarity index 100% rename from seccomp/libseccomp-helper.c rename to container/seccomp/libseccomp-helper.c 
diff --git a/seccomp/libseccomp-helper.h b/container/seccomp/libseccomp-helper.h similarity index 100% rename from seccomp/libseccomp-helper.h rename to container/seccomp/libseccomp-helper.h diff --git a/seccomp/libseccomp.go b/container/seccomp/libseccomp.go similarity index 100% rename from seccomp/libseccomp.go rename to container/seccomp/libseccomp.go diff --git a/seccomp/libseccomp_test.go b/container/seccomp/libseccomp_test.go similarity index 98% rename from seccomp/libseccomp_test.go rename to container/seccomp/libseccomp_test.go index 441245b..a8bfcbf 100644 --- a/seccomp/libseccomp_test.go +++ b/container/seccomp/libseccomp_test.go @@ -8,7 +8,7 @@ import ( "syscall" "testing" - . "git.gensokyo.uk/security/hakurei/seccomp" + . "git.gensokyo.uk/security/hakurei/container/seccomp" ) func TestExport(t *testing.T) { diff --git a/seccomp/mksysnum_linux.pl b/container/seccomp/mksysnum_linux.pl similarity index 100% rename from seccomp/mksysnum_linux.pl rename to container/seccomp/mksysnum_linux.pl diff --git a/seccomp/presets.go b/container/seccomp/presets.go similarity index 100% rename from seccomp/presets.go rename to container/seccomp/presets.go diff --git a/seccomp/presets_clone_backwards2.go b/container/seccomp/presets_clone_backwards2.go similarity index 100% rename from seccomp/presets_clone_backwards2.go rename to container/seccomp/presets_clone_backwards2.go diff --git a/seccomp/presets_clone_generic.go b/container/seccomp/presets_clone_generic.go similarity index 100% rename from seccomp/presets_clone_generic.go rename to container/seccomp/presets_clone_generic.go diff --git a/seccomp/proc.go b/container/seccomp/proc.go similarity index 100% rename from seccomp/proc.go rename to container/seccomp/proc.go diff --git a/seccomp/seccomp.go b/container/seccomp/seccomp.go similarity index 100% rename from seccomp/seccomp.go rename to container/seccomp/seccomp.go 
diff --git a/seccomp/seccomp_test.go b/container/seccomp/seccomp_test.go similarity index 96% rename from seccomp/seccomp_test.go rename to container/seccomp/seccomp_test.go index 9b43f46..2b59c9b 100644 --- a/seccomp/seccomp_test.go +++ b/container/seccomp/seccomp_test.go @@ -6,7 +6,7 @@ import ( "syscall" "testing" - "git.gensokyo.uk/security/hakurei/seccomp" + "git.gensokyo.uk/security/hakurei/container/seccomp" ) func TestLibraryError(t *testing.T) { diff --git a/seccomp/syscall.go b/container/seccomp/syscall.go similarity index 100% rename from seccomp/syscall.go rename to container/seccomp/syscall.go diff --git a/seccomp/syscall_extra_linux_amd64.go b/container/seccomp/syscall_extra_linux_amd64.go similarity index 100% rename from seccomp/syscall_extra_linux_amd64.go rename to container/seccomp/syscall_extra_linux_amd64.go diff --git a/seccomp/syscall_linux_amd64.go b/container/seccomp/syscall_linux_amd64.go similarity index 100% rename from seccomp/syscall_linux_amd64.go rename to container/seccomp/syscall_linux_amd64.go diff --git a/seccomp/syscall_test.go b/container/seccomp/syscall_test.go similarity index 100% rename from seccomp/syscall_test.go rename to container/seccomp/syscall_test.go diff --git a/syscall.go b/container/syscall.go similarity index 98% rename from syscall.go rename to container/syscall.go index 4b22c23..791cffa 100644 --- a/syscall.go +++ b/container/syscall.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "syscall" diff --git a/sysctl.go b/container/sysctl.go similarity index 98% rename from sysctl.go rename to container/sysctl.go index aa74da4..7fcb94b 100644 --- a/sysctl.go +++ b/container/sysctl.go @@ -1,4 +1,4 @@ -package hakurei +package container import ( "bytes" diff --git a/vfs/mangle.go b/container/vfs/mangle.go similarity index 100% rename from vfs/mangle.go rename to container/vfs/mangle.go 
diff --git a/vfs/mangle_test.go b/container/vfs/mangle_test.go similarity index 90% rename from vfs/mangle_test.go rename to container/vfs/mangle_test.go index 54af8fb..d9444a8 100644 --- a/vfs/mangle_test.go +++ b/container/vfs/mangle_test.go @@ -3,7 +3,7 @@ package vfs_test import ( "testing" - "git.gensokyo.uk/security/hakurei/vfs" + "git.gensokyo.uk/security/hakurei/container/vfs" ) func TestUnmangle(t *testing.T) { diff --git a/vfs/mountinfo.go b/container/vfs/mountinfo.go similarity index 100% rename from vfs/mountinfo.go rename to container/vfs/mountinfo.go diff --git a/vfs/mountinfo_test.go b/container/vfs/mountinfo_test.go similarity index 99% rename from vfs/mountinfo_test.go rename to container/vfs/mountinfo_test.go index 255f1c9..cec7dcd 100644 --- a/vfs/mountinfo_test.go +++ b/container/vfs/mountinfo_test.go @@ -12,7 +12,7 @@ import ( "syscall" "testing" - "git.gensokyo.uk/security/hakurei/vfs" + "git.gensokyo.uk/security/hakurei/container/vfs" ) func TestMountInfo(t *testing.T) { diff --git a/vfs/unfold.go b/container/vfs/unfold.go similarity index 100% rename from vfs/unfold.go rename to container/vfs/unfold.go diff --git a/vfs/unfold_test.go b/container/vfs/unfold_test.go similarity index 98% rename from vfs/unfold_test.go rename to container/vfs/unfold_test.go index 59e5204..c464e0f 100644 --- a/vfs/unfold_test.go +++ b/container/vfs/unfold_test.go @@ -8,7 +8,7 @@ import ( "syscall" "testing" - "git.gensokyo.uk/security/hakurei/vfs" + "git.gensokyo.uk/security/hakurei/container/vfs" ) func TestUnfold(t *testing.T) { diff --git a/helper/container.go b/helper/container.go index 861ae4a..dbff368 100644 --- a/helper/container.go +++ b/helper/container.go @@ -9,7 +9,7 @@ import ( "slices" "sync" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/helper/proc" ) 
@@ -20,13 +20,13 @@ func New( wt io.WriterTo, stat bool, argF func(argsFd, statFd int) []string, - cmdF func(container *hakurei.Container), + cmdF func(z *container.Container), extraFiles []*os.File, ) Helper { var args []string h := new(helperContainer) h.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles) - h.Container = hakurei.New(ctx, name, args...) + h.Container = container.New(ctx, name, args...) h.WaitDelay = WaitDelay if cmdF != nil { cmdF(h.Container) @@ -40,7 +40,7 @@ type helperContainer struct { mu sync.Mutex *helperFiles - *hakurei.Container + *container.Container } func (h *helperContainer) Start() error { diff --git a/helper/container_test.go b/helper/container_test.go index e6e5a21..574b24b 100644 --- a/helper/container_test.go +++ b/helper/container_test.go @@ -7,7 +7,7 @@ import ( "os/exec" "testing" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/helper" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" @@ -34,15 +34,13 @@ func TestContainer(t *testing.T) { t.Run("implementation compliance", func(t *testing.T) { testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper { - return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(container *hakurei.Container) { - setOutput(&container.Stdout, &container.Stderr) - container.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) { + return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(z *container.Container) { + setOutput(&z.Stdout, &z.Stderr) + z.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) { return exec.CommandContext(ctx, os.Args[0], "-test.v", "-test.run=TestHelperInit", "--", "init") } - container.Bind("/", "/", 0) - container.Proc("/proc") - container.Dev("/dev") + z.Bind("/", "/", 0).Proc("/proc").Dev("/dev") }, nil) }) }) 
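Review bot: The renamed callback parameter `cmdF func(z *container.Container)` and the matching `z` locals in helper/container_test.go, ldd/exec.go, system/dbus/dbus_test.go and system/dbus/proc.go carry no meaning, while the same rename in container_test.go settled on `c`; the rename is forced because `container` is now the package name, but it should pick one readable name across the tree. `c` (or `ctr`) reads naturally and matches container_test.go, e.g. `cmdF func(c *container.Container),` here and `c := container.New(c, "ldd", p)` would not work in ldd/exec.go since `c` is already the context there, so `ctr` is the safer tree-wide choice. The enclosing `New` signature begins before this hunk, so the parameter list shown is only part of it.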
@@ -52,6 +50,6 @@ func TestHelperInit(t *testing.T) { if len(os.Args) != 5 || os.Args[4] != "init" { return } - hakurei.SetOutput(hlog.Output{}) - hakurei.Init(hlog.Prepare, func(bool) { internal.InstallOutput(false) }) + container.SetOutput(hlog.Output{}) + container.Init(hlog.Prepare, func(bool) { internal.InstallOutput(false) }) } diff --git a/hst/container.go b/hst/container.go index 1a5c4eb..f0e2dec 100644 --- a/hst/container.go +++ b/hst/container.go @@ -1,7 +1,7 @@ package hst import ( - "git.gensokyo.uk/security/hakurei/seccomp" + "git.gensokyo.uk/security/hakurei/container/seccomp" ) type ( diff --git a/hst/template.go b/hst/template.go index 60cbfa7..5e1e8cc 100644 --- a/hst/template.go +++ b/hst/template.go @@ -1,7 +1,7 @@ package hst import ( - "git.gensokyo.uk/security/hakurei/seccomp" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/system" "git.gensokyo.uk/security/hakurei/system/dbus" ) diff --git a/internal/output.go b/internal/output.go index a15be77..4e14868 100644 --- a/internal/output.go +++ b/internal/output.go @@ -1,13 +1,13 @@ package internal import ( - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/internal/hlog" "git.gensokyo.uk/security/hakurei/system" ) func InstallOutput(verbose bool) { hlog.Store(verbose) - hakurei.SetOutput(hlog.Output{}) + container.SetOutput(hlog.Output{}) system.SetOutput(hlog.Output{}) } diff --git a/internal/sys/std.go b/internal/sys/std.go index 098eb3c..af46117 100644 --- a/internal/sys/std.go +++ b/internal/sys/std.go @@ -12,7 +12,7 @@ import ( "sync" "syscall" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/hst" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" 
@@ -36,7 +36,7 @@ func (s *Std) Getgid() int { return os.Getgid() func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) } func (s *Std) TempDir() string { return os.TempDir() } func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) } -func (s *Std) MustExecutable() string { return hakurei.MustExecutable() } +func (s *Std) MustExecutable() string { return container.MustExecutable() } func (s *Std) LookupGroup(name string) (*user.Group, error) { return user.LookupGroup(name) } func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) } func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) } diff --git a/ldd/exec.go b/ldd/exec.go index 9922ba1..2fa2ec4 100644 --- a/ldd/exec.go +++ b/ldd/exec.go @@ -8,8 +8,8 @@ import ( "os/exec" "time" - "git.gensokyo.uk/security/hakurei" - "git.gensokyo.uk/security/hakurei/seccomp" + "git.gensokyo.uk/security/hakurei/container" + "git.gensokyo.uk/security/hakurei/container/seccomp" ) const lddTimeout = 2 * time.Second 
@@ -27,24 +27,24 @@ func ExecFilter(ctx context.Context, p string) ([]*Entry, error) { c, cancel := context.WithTimeout(ctx, lddTimeout) defer cancel() - container := hakurei.New(c, "ldd", p) - container.CommandContext = commandContext - container.Hostname = "hakurei-ldd" - container.SeccompFlags |= seccomp.AllowMultiarch - container.SeccompPresets |= seccomp.PresetStrict + z := container.New(c, "ldd", p) + z.CommandContext = commandContext + z.Hostname = "hakurei-ldd" + z.SeccompFlags |= seccomp.AllowMultiarch + z.SeccompPresets |= seccomp.PresetStrict stdout, stderr := new(bytes.Buffer), new(bytes.Buffer) - container.Stdout = stdout - container.Stderr = stderr - container.Bind("/", "/", 0).Proc("/proc").Dev("/dev") + z.Stdout = stdout + z.Stderr = stderr + z.Bind("/", "/", 0).Proc("/proc").Dev("/dev") - if err := container.Start(); err != nil { + if err := z.Start(); err != nil { return nil, err } defer func() { _, _ = io.Copy(os.Stderr, stderr) }() - if err := container.Serve(); err != nil { + if err := z.Serve(); err != nil { return nil, err } - if err := container.Wait(); err != nil { + if err := z.Wait(); err != nil { m := stderr.Bytes() if bytes.Contains(m, append([]byte(p+": "), msgStatic...)) || bytes.Contains(m, msgStaticGlibc) { diff --git a/system/dbus/dbus_test.go b/system/dbus/dbus_test.go index 7b1e185..6fd2367 100644 --- a/system/dbus/dbus_test.go +++ b/system/dbus/dbus_test.go @@ -13,7 +13,7 @@ import ( "testing" "time" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" "git.gensokyo.uk/security/hakurei/helper" "git.gensokyo.uk/security/hakurei/internal" "git.gensokyo.uk/security/hakurei/internal/hlog" 
@@ -134,11 +134,11 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) { } p.CmdF = func(v any) { if useSandbox { - container := v.(*hakurei.Container) - if container.Args[0] != dbus.ProxyName { + z := v.(*container.Container) + if z.Args[0] != dbus.ProxyName { panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0])) } - container.Args = append([]string{os.Args[0], "-test.run=TestHelperStub", "--"}, container.Args[1:]...) + z.Args = append([]string{os.Args[0], "-test.run=TestHelperStub", "--"}, z.Args[1:]...) } else { cmd := v.(*exec.Cmd) if cmd.Args[0] != dbus.ProxyName { @@ -208,6 +208,6 @@ func TestHelperInit(t *testing.T) { if len(os.Args) != 5 || os.Args[4] != "init" { return } - hakurei.SetOutput(hlog.Output{}) - hakurei.Init(hlog.Prepare, internal.InstallOutput) + container.SetOutput(hlog.Output{}) + container.Init(hlog.Prepare, internal.InstallOutput) } diff --git a/system/dbus/proc.go b/system/dbus/proc.go index e8cccd5..cb041d0 100644 --- a/system/dbus/proc.go +++ b/system/dbus/proc.go @@ -11,10 +11,10 @@ import ( "strconv" "syscall" - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" + "git.gensokyo.uk/security/hakurei/container/seccomp" "git.gensokyo.uk/security/hakurei/helper" "git.gensokyo.uk/security/hakurei/ldd" - "git.gensokyo.uk/security/hakurei/seccomp" ) // Start starts and configures a D-Bus proxy process. 
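Review bot: The rewritten check `if z.Args[0] != dbus.ProxyName` is followed by the unchanged `panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0]))`, which reports the test binary's own argv[0] rather than the value that failed the comparison, so the panic message can never show the offending argv0. Since the condition line is being touched anyway, the message should print the same value: `panic(fmt.Sprintf("unexpected argv0 %q", z.Args[0]))`. The enclosing testProxyFinaliseStartWaitCloseString continues outside this hunk.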
@@ -65,22 +65,22 @@ func (p *Proxy) Start() error { p.helper = helper.New( ctx, toolPath, p.final, true, - argF, func(container *hakurei.Container) { - container.SeccompFlags |= seccomp.AllowMultiarch - container.SeccompPresets |= seccomp.PresetStrict - container.Hostname = "hakurei-dbus" - container.CommandContext = p.CommandContext + argF, func(z *container.Container) { + z.SeccompFlags |= seccomp.AllowMultiarch + z.SeccompPresets |= seccomp.PresetStrict + z.Hostname = "hakurei-dbus" + z.CommandContext = p.CommandContext if p.output != nil { - container.Stdout, container.Stderr = p.output, p.output + z.Stdout, z.Stderr = p.output, p.output } if p.CmdF != nil { - p.CmdF(container) + p.CmdF(z) } // these lib paths are unpredictable, so mount them first so they cannot cover anything for _, name := range libPaths { - container.Bind(name, name, 0) + z.Bind(name, name, 0) } // upstream bus directories @@ -101,7 +101,7 @@ func (p *Proxy) Start() error { slices.Sort(upstreamPaths) upstreamPaths = slices.Compact(upstreamPaths) for _, name := range upstreamPaths { - container.Bind(name, name, 0) + z.Bind(name, name, 0) } // parent directories of bind paths @@ -115,12 +115,12 @@ func (p *Proxy) Start() error { slices.Sort(sockDirPaths) sockDirPaths = slices.Compact(sockDirPaths) for _, name := range sockDirPaths { - container.Bind(name, name, hakurei.BindWritable) + z.Bind(name, name, container.BindWritable) } // xdg-dbus-proxy bin path binPath := path.Dir(toolPath) - container.Bind(binPath, binPath, 0) + z.Bind(binPath, binPath, 0) }, nil) } diff --git a/system/output.go b/system/output.go index ad0559b..d431310 100644 --- a/system/output.go +++ b/system/output.go 
@@ -1,14 +1,14 @@ package system import ( - "git.gensokyo.uk/security/hakurei" + "git.gensokyo.uk/security/hakurei/container" ) -var msg hakurei.Msg = new(hakurei.DefaultMsg) +var msg container.Msg = new(container.DefaultMsg) -func SetOutput(v hakurei.Msg) { +func SetOutput(v container.Msg) { if v == nil { - msg = new(hakurei.DefaultMsg) + msg = new(container.DefaultMsg) } else { msg = v }
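Review bot: The exported `SetOutput(v container.Msg)` still has no doc comment, and its nil handling (falling back to `new(container.DefaultMsg)`) is the kind of contract callers need to know when they reset output. Since the signature line is rewritten here, it is the natural place to add `// SetOutput sets the Msg implementation used by this package; a nil value restores the DefaultMsg.` above it. The package-level `msg` variable would likewise benefit from a one-line comment stating that it is the sink every function in the package writes through.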