container: move out of toplevel

This allows slightly easier use of the vanity url. This also provides some disambiguation between low level containers and hakurei app containers.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hakurei/internal/app/instance/common/container.go

@@ -8,10 +8,10 @@ import (
 	"path"
 	"syscall"
 
-	"git.gensokyo.uk/security/hakurei"
+	"git.gensokyo.uk/security/hakurei/container"
+	"git.gensokyo.uk/security/hakurei/container/seccomp"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/seccomp"
 	"git.gensokyo.uk/security/hakurei/system/dbus"
 )
 
@@ -21,12 +21,12 @@ const preallocateOpsCount = 1 << 5
 
 // NewContainer initialises [sandbox.Params] via [hst.ContainerConfig].
 // Note that remaining container setup must be queued by the caller.
-func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei.Params, map[string]string, error) {
+func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*container.Params, map[string]string, error) {
 	if s == nil {
 		return nil, nil, syscall.EBADE
 	}
 
-	container := &hakurei.Params{
+	params := &container.Params{
 		Hostname:       s.Hostname,
 		SeccompFlags:   s.SeccompFlags,
 		SeccompPresets: s.SeccompPresets,
@@ -35,47 +35,47 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei
 	}
 
 	{
-		ops := make(hakurei.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
-		container.Ops = &ops
+		ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+		params.Ops = &ops
 	}
 
 	if s.Multiarch {
-		container.SeccompFlags |= seccomp.AllowMultiarch
+		params.SeccompFlags |= seccomp.AllowMultiarch
 	}
 
 	if !s.SeccompCompat {
-		container.SeccompPresets |= seccomp.PresetExt
+		params.SeccompPresets |= seccomp.PresetExt
 	}
 	if !s.Devel {
-		container.SeccompPresets |= seccomp.PresetDenyDevel
+		params.SeccompPresets |= seccomp.PresetDenyDevel
 	}
 	if !s.Userns {
-		container.SeccompPresets |= seccomp.PresetDenyNS
+		params.SeccompPresets |= seccomp.PresetDenyNS
 	}
 	if !s.Tty {
-		container.SeccompPresets |= seccomp.PresetDenyTTY
+		params.SeccompPresets |= seccomp.PresetDenyTTY
 	}
 
 	if s.MapRealUID {
 		/* some programs fail to connect to dbus session running as a different uid
 		so this workaround is introduced to map priv-side caller uid in container */
-		container.Uid = os.Getuid()
-		*uid = container.Uid
-		container.Gid = os.Getgid()
-		*gid = container.Gid
+		params.Uid = os.Getuid()
+		*uid = params.Uid
+		params.Gid = os.Getgid()
+		*gid = params.Gid
 	} else {
-		*uid = hakurei.OverflowUid()
-		*gid = hakurei.OverflowGid()
+		*uid = container.OverflowUid()
+		*gid = container.OverflowGid()
 	}
 
-	container.
+	params.
 		Proc("/proc").
 		Tmpfs(hst.Tmp, 1<<12, 0755)
 
 	if !s.Device {
-		container.Dev("/dev").Mqueue("/dev/mqueue")
+		params.Dev("/dev").Mqueue("/dev/mqueue")
 	} else {
-		container.Bind("/dev", "/dev", hakurei.BindWritable|hakurei.BindDevice)
+		params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice)
 	}
 
 	/* retrieve paths and hide them if they're made available in the sandbox;
@@ -154,29 +154,29 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei
 
 		var flags int
 		if c.Write {
-			flags |= hakurei.BindWritable
+			flags |= container.BindWritable
 		}
 		if c.Device {
-			flags |= hakurei.BindDevice | hakurei.BindWritable
+			flags |= container.BindDevice | container.BindWritable
 		}
 		if !c.Must {
-			flags |= hakurei.BindOptional
+			flags |= container.BindOptional
 		}
-		container.Bind(c.Src, dest, flags)
+		params.Bind(c.Src, dest, flags)
 	}
 
 	// cover matched paths
 	for i, ok := range hidePathMatch {
 		if ok {
-			container.Tmpfs(hidePaths[i], 1<<13, 0755)
+			params.Tmpfs(hidePaths[i], 1<<13, 0755)
 		}
 	}
 
 	for _, l := range s.Link {
-		container.Link(l[0], l[1])
+		params.Link(l[0], l[1])
 	}
 
-	return container, maps.Clone(s.Env), nil
+	return params, maps.Clone(s.Env), nil
 }
 
 func evalSymlinks(os sys.State, v *string) error {

cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go

@@ -1,10 +1,10 @@
 package setuid_test
 
 import (
-	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/container"
+	"git.gensokyo.uk/security/hakurei/container/seccomp"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 	"git.gensokyo.uk/security/hakurei/system/acl"
 	"git.gensokyo.uk/security/hakurei/system/dbus"
@@ -94,7 +94,7 @@ var testCasesNixos = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-		&hakurei.Params{
+		&container.Params{
 			Uid:  1971,
 			Gid:  100,
 			Dir:  "/var/lib/persist/module/hakurei/0/1",
@@ -114,7 +114,7 @@ var testCasesNixos = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(hakurei.Ops).
+			Ops: new(container.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
@@ -122,18 +122,18 @@ var testCasesNixos = []sealTestCase{
 				Bind("/usr/bin", "/usr/bin", 0).
 				Bind("/nix/store", "/nix/store", 0).
 				Bind("/run/current-system", "/run/current-system", 0).
-				Bind("/sys/block", "/sys/block", hakurei.BindOptional).
-				Bind("/sys/bus", "/sys/bus", hakurei.BindOptional).
-				Bind("/sys/class", "/sys/class", hakurei.BindOptional).
-				Bind("/sys/dev", "/sys/dev", hakurei.BindOptional).
-				Bind("/sys/devices", "/sys/devices", hakurei.BindOptional).
+				Bind("/sys/block", "/sys/block", container.BindOptional).
+				Bind("/sys/bus", "/sys/bus", container.BindOptional).
+				Bind("/sys/class", "/sys/class", container.BindOptional).
+				Bind("/sys/dev", "/sys/dev", container.BindOptional).
+				Bind("/sys/devices", "/sys/devices", container.BindOptional).
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-				Bind("/dev/dri", "/dev/dri", hakurei.BindDevice|hakurei.BindWritable|hakurei.BindOptional).
+				Bind("/dev/dri", "/dev/dri", container.BindDevice|container.BindWritable|container.BindOptional).
 				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", hakurei.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", hakurei.BindWritable).
-				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", hakurei.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", container.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", container.BindWritable).
+				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", container.BindWritable).
 				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:100:\n")).
 				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).

cmd/hakurei/internal/app/internal/setuid/app_pd_test.go

@@ -3,10 +3,10 @@ package setuid_test
 import (
 	"os"
 
-	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/container"
+	"git.gensokyo.uk/security/hakurei/container/seccomp"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 	"git.gensokyo.uk/security/hakurei/system/acl"
 	"git.gensokyo.uk/security/hakurei/system/dbus"
@@ -28,7 +28,7 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
-		&hakurei.Params{
+		&container.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"/run/current-system/sw/bin/zsh"},
@@ -41,30 +41,30 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(hakurei.Ops).
+			Ops: new(container.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", hakurei.BindWritable).
-				Bind("/boot", "/boot", hakurei.BindWritable).
-				Bind("/home", "/home", hakurei.BindWritable).
-				Bind("/lib", "/lib", hakurei.BindWritable).
-				Bind("/lib64", "/lib64", hakurei.BindWritable).
-				Bind("/nix", "/nix", hakurei.BindWritable).
-				Bind("/root", "/root", hakurei.BindWritable).
-				Bind("/run", "/run", hakurei.BindWritable).
-				Bind("/srv", "/srv", hakurei.BindWritable).
-				Bind("/sys", "/sys", hakurei.BindWritable).
-				Bind("/usr", "/usr", hakurei.BindWritable).
-				Bind("/var", "/var", hakurei.BindWritable).
-				Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
+				Bind("/bin", "/bin", container.BindWritable).
+				Bind("/boot", "/boot", container.BindWritable).
+				Bind("/home", "/home", container.BindWritable).
+				Bind("/lib", "/lib", container.BindWritable).
+				Bind("/lib64", "/lib64", container.BindWritable).
+				Bind("/nix", "/nix", container.BindWritable).
+				Bind("/root", "/root", container.BindWritable).
+				Bind("/run", "/run", container.BindWritable).
+				Bind("/srv", "/srv", container.BindWritable).
+				Bind("/sys", "/sys", container.BindWritable).
+				Bind("/usr", "/usr", container.BindWritable).
+				Bind("/var", "/var", container.BindWritable).
+				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", hakurei.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", hakurei.BindWritable).
-				Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", container.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable).
+				Bind("/home/chronos", "/home/chronos", container.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Tmpfs("/var/run/nscd", 8192, 0755),
@@ -166,7 +166,7 @@ var testCasesPd = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-		&hakurei.Params{
+		&container.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"zsh", "-c", "exec chromium "},
@@ -184,31 +184,31 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(hakurei.Ops).
+			Ops: new(container.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", hakurei.BindWritable).
-				Bind("/boot", "/boot", hakurei.BindWritable).
-				Bind("/home", "/home", hakurei.BindWritable).
-				Bind("/lib", "/lib", hakurei.BindWritable).
-				Bind("/lib64", "/lib64", hakurei.BindWritable).
-				Bind("/nix", "/nix", hakurei.BindWritable).
-				Bind("/root", "/root", hakurei.BindWritable).
-				Bind("/run", "/run", hakurei.BindWritable).
-				Bind("/srv", "/srv", hakurei.BindWritable).
-				Bind("/sys", "/sys", hakurei.BindWritable).
-				Bind("/usr", "/usr", hakurei.BindWritable).
-				Bind("/var", "/var", hakurei.BindWritable).
-				Bind("/dev/dri", "/dev/dri", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
-				Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
+				Bind("/bin", "/bin", container.BindWritable).
+				Bind("/boot", "/boot", container.BindWritable).
+				Bind("/home", "/home", container.BindWritable).
+				Bind("/lib", "/lib", container.BindWritable).
+				Bind("/lib64", "/lib64", container.BindWritable).
+				Bind("/nix", "/nix", container.BindWritable).
+				Bind("/root", "/root", container.BindWritable).
+				Bind("/run", "/run", container.BindWritable).
+				Bind("/srv", "/srv", container.BindWritable).
+				Bind("/sys", "/sys", container.BindWritable).
+				Bind("/usr", "/usr", container.BindWritable).
+				Bind("/var", "/var", container.BindWritable).
+				Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional).
+				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", hakurei.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", hakurei.BindWritable).
-				Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", container.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", container.BindWritable).
+				Bind("/home/chronos", "/home/chronos", container.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).

cmd/hakurei/internal/app/internal/setuid/app_test.go

@@ -7,9 +7,9 @@ import (
 	"testing"
 	"time"
 
-	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/internal/setuid"
+	"git.gensokyo.uk/security/hakurei/container"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
 	"git.gensokyo.uk/security/hakurei/system"
@@ -21,7 +21,7 @@ type sealTestCase struct {
 	config        *hst.Config
 	id            app.ID
 	wantSys       *system.I
-	wantContainer *hakurei.Params
+	wantContainer *container.Params
 }
 
 func TestApp(t *testing.T) {
@@ -32,7 +32,7 @@ func TestApp(t *testing.T) {
 			a := setuid.NewWithID(tc.id, tc.os)
 			var (
 				gotSys       *system.I
-				gotContainer *hakurei.Params
+				gotContainer *container.Params
 			)
 			if !t.Run("seal", func(t *testing.T) {
 				if sa, err := a.Seal(tc.config); err != nil {

cmd/hakurei/internal/app/internal/setuid/export_test.go

@@ -1,8 +1,8 @@
 package setuid
 
 import (
-	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/container"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -14,7 +14,7 @@ func NewWithID(id ID, os sys.State) App {
 	return a
 }
 
-func AppIParams(a App, sa SealedApp) (*system.I, *hakurei.Params) {
+func AppIParams(a App, sa SealedApp) (*system.I, *container.Params) {
 	v := a.(*app)
 	seal := sa.(*outcome)
 	if v.outcome != seal || v.id != seal.id {

cmd/hakurei/internal/app/internal/setuid/process.go

@@ -12,9 +12,9 @@ import (
 	"syscall"
 	"time"
 
-	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/state"
+	"git.gensokyo.uk/security/hakurei/container"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/system"
@@ -94,7 +94,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
 
 	var e *gob.Encoder
-	if fd, encoder, err := hakurei.Setup(&cmd.ExtraFiles); err != nil {
+	if fd, encoder, err := container.Setup(&cmd.ExtraFiles); err != nil {
 		return hlog.WrapErrSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {

cmd/hakurei/internal/app/internal/setuid/seal.go

@@ -16,9 +16,9 @@ import (
 	"sync/atomic"
 	"syscall"
 
-	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/instance/common"
+	"git.gensokyo.uk/security/hakurei/container"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
@@ -80,7 +80,7 @@ type outcome struct {
 	sys  *system.I
 	ctx  context.Context
 
-	container *hakurei.Params
+	container *container.Params
 	env       map[string]string
 	sync      *os.File
 
@@ -334,7 +334,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(runtimeDirInst, 0700)
 		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
 		seal.container.Tmpfs("/run/user", 1<<12, 0755)
-		seal.container.Bind(runtimeDirInst, innerRuntimeDir, hakurei.BindWritable)
+		seal.container.Bind(runtimeDirInst, innerRuntimeDir, container.BindWritable)
 	}
 
 	{
@@ -345,7 +345,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
-		seal.container.Bind(tmpdirInst, "/tmp", hakurei.BindWritable)
+		seal.container.Bind(tmpdirInst, "/tmp", container.BindWritable)
 	}
 
 	{
@@ -357,7 +357,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
-		seal.container.Bind(seal.user.data, homeDir, hakurei.BindWritable)
+		seal.container.Bind(seal.user.data, homeDir, container.BindWritable)
 		seal.container.Dir = homeDir
 		seal.env["HOME"] = homeDir
 		seal.env["USER"] = username

cmd/hakurei/internal/app/internal/setuid/shim.go

@@ -10,10 +10,10 @@ import (
 	"syscall"
 	"time"
 
-	"git.gensokyo.uk/security/hakurei"
+	"git.gensokyo.uk/security/hakurei/container"
+	"git.gensokyo.uk/security/hakurei/container/seccomp"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/seccomp"
 )
 
 /*
@@ -74,7 +74,7 @@ type shimParams struct {
 	Monitor int
 
 	// finalised container params
-	Container *hakurei.Params
+	Container *container.Params
 	// path to outer home directory
 	Home string
 
@@ -86,7 +86,7 @@ type shimParams struct {
 func ShimMain() {
 	hlog.Prepare("shim")
 
-	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
+	if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 
@@ -94,11 +94,11 @@ func ShimMain() {
 		params     shimParams
 		closeSetup func() error
 	)
-	if f, err := hakurei.Receive(shimEnv, &params, nil); err != nil {
-		if errors.Is(err, hakurei.ErrInvalid) {
+	if f, err := container.Receive(shimEnv, &params, nil); err != nil {
+		if errors.Is(err, container.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
-		if errors.Is(err, hakurei.ErrNotSet) {
+		if errors.Is(err, container.ErrNotSet) {
 			log.Fatal("HAKUREI_SHIM not set")
 		}
 
@@ -149,17 +149,17 @@ func ShimMain() {
 	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop() // unreachable
-	container := hakurei.New(ctx, name)
-	container.Params = *params.Container
-	container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr
-	container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
-	container.WaitDelay = 2 * time.Second
+	z := container.New(ctx, name)
+	z.Params = *params.Container
+	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+	z.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
+	z.WaitDelay = 2 * time.Second
 
-	if err := container.Start(); err != nil {
+	if err := z.Start(); err != nil {
 		hlog.PrintBaseError(err, "cannot start container:")
 		os.Exit(1)
 	}
-	if err := container.Serve(); err != nil {
+	if err := z.Serve(); err != nil {
 		hlog.PrintBaseError(err, "cannot configure container:")
 	}
 
@@ -170,7 +170,7 @@ func ShimMain() {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 
-	if err := container.Wait(); err != nil {
+	if err := z.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if !errors.As(err, &exitError) {
 			if errors.Is(err, context.Canceled) {

cmd/hakurei/main.go

@@ -9,7 +9,7 @@ import (
 	"log"
 	"os"
 
-	"git.gensokyo.uk/security/hakurei"
+	"git.gensokyo.uk/security/hakurei/container"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
@@ -28,9 +28,9 @@ var std sys.State = new(sys.Std)
 
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	hakurei.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
+	container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
 
-	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
+	if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
 		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 		// not fatal: this program runs as the privileged user
 	}

cmd/planterette/app.go

@@ -6,8 +6,8 @@ import (
 	"os"
 	"path"
 
+	"git.gensokyo.uk/security/hakurei/container/seccomp"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 	"git.gensokyo.uk/security/hakurei/system/dbus"
 )

cmd/planterette/with.go

@@ -5,9 +5,9 @@ import (
 	"path"
 	"strings"
 
+	"git.gensokyo.uk/security/hakurei/container/seccomp"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
-	"git.gensokyo.uk/security/hakurei/seccomp"
 )
 
 func withNixDaemon(