From 1ba1cb886584966b4e6e65284a04dfaf8962ed65 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Mon, 29 Sep 2025 07:07:16 +0900
Subject: [PATCH] hst/config: remove seccomp bit fields

These serve little purpose and are not friendly for use from other languages.

Signed-off-by: Ophestra
---
 cmd/hakurei/print_test.go | 6 ------
 cmd/hpkg/app.go | 8 +-------
 cmd/hpkg/with.go | 17 ++++++++---------
 hst/config.go | 5 -----
 hst/hst.go | 25 +++++++++++--------------
 hst/hst_test.go | 2 --
 internal/app/container.go | 10 ++++------
 7 files changed, 24 insertions(+), 49 deletions(-)

diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go
index a097898..49579a8 100644
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -259,8 +259,6 @@ App
 "container": {
 "hostname": "localhost",
 "wait_delay": -1,
- "seccomp_flags": 1,
- "seccomp_presets": 1,
 "seccomp_compat": true,
 "devel": true,
 "userns": true,
@@ -415,8 +413,6 @@ App
 "container": {
 "hostname": "localhost",
 "wait_delay": -1,
- "seccomp_flags": 1,
- "seccomp_presets": 1,
 "seccomp_compat": true,
 "devel": true,
 "userns": true,
@@ -625,8 +621,6 @@ func Test_printPs(t *testing.T) {
 "container": {
 "hostname": "localhost",
 "wait_delay": -1,
- "seccomp_flags": 1,
- "seccomp_presets": 1,
 "seccomp_compat": true,
 "devel": true,
 "userns": true,
diff --git a/cmd/hpkg/app.go b/cmd/hpkg/app.go
index 5fd5e64..1a1437f 100644
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@@ -6,7 +6,6 @@ import (
 "os"

 "hakurei.app/container"
- "hakurei.app/container/seccomp"
 "hakurei.app/hst"
 "hakurei.app/system/dbus"
 )
@@ -92,6 +91,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
 Device: app.Device,
 Tty: app.Tty || flagDropShell,
 MapRealUID: app.MapRealUID,
+ Multiarch: app.Multiarch,
 Filesystem: []hst.FilesystemConfigJSON{
 {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
@@ -113,12 +113,6 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
 {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 },
 }
- if app.Multiarch {
- config.Container.SeccompFlags |= seccomp.AllowMultiarch
- }
- if app.Bluetooth {
- config.Container.SeccompFlags |= seccomp.AllowBluetooth
- }
 return config
 }
diff --git a/cmd/hpkg/with.go b/cmd/hpkg/with.go
index 578d525..59545c6 100644
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@@ -6,7 +6,6 @@ import (
 "strings"

 "hakurei.app/container"
- "hakurei.app/container/seccomp"
 "hakurei.app/hst"
 )

@@ -43,11 +42,11 @@ func withNixDaemon(
 Identity: app.Identity,
 Container: &hst.ContainerConfig{
- Hostname: formatHostname(app.Name) + "-" + action,
- Userns: true, // nix sandbox requires userns
- HostNet: net,
- SeccompFlags: seccomp.AllowMultiarch,
- Tty: dropShell,
+ Hostname: formatHostname(app.Name) + "-" + action,
+ Userns: true, // nix sandbox requires userns
+ HostNet: net,
+ Multiarch: true,
+ Tty: dropShell,
 Filesystem: []hst.FilesystemConfigJSON{
 {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
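Review bot: The removed `if app.Bluetooth { config.Container.SeccompFlags |= seccomp.AllowBluetooth }` block at the end of toHst has no replacement, whereas the multiarch case does (`Multiarch: app.Multiarch,` in the earlier hunk of the same function). Unless a sibling field was introduced outside this diff, `app.Bluetooth` no longer influences the container's seccomp policy, so applications that declare it lose the allowance silently rather than failing at configuration time. If that is intended, the field deserves a comment where appInfo is declared, e.g. `// Bluetooth: no longer affects the seccomp filter since seccomp_flags was removed`; if not, a `Bluetooth bool` on hst.ContainerConfig mirroring Multiarch, forwarded here as `Bluetooth: app.Bluetooth,`, preserves the previous behaviour. toHst begins outside these hunks.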
@@ -83,9 +82,9 @@ func withCacheDir(
 Identity: app.Identity,
 Container: &hst.ContainerConfig{
- Hostname: formatHostname(app.Name) + "-" + action,
- SeccompFlags: seccomp.AllowMultiarch,
- Tty: dropShell,
+ Hostname: formatHostname(app.Name) + "-" + action,
+ Multiarch: true,
+ Tty: dropShell,
 Filesystem: []hst.FilesystemConfigJSON{
 {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: workDir.Append(container.FHSEtc), Special: true}},
 {FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
diff --git a/hst/config.go b/hst/config.go
index bd8f637..3aa71aa 100644
--- a/hst/config.go
+++ b/hst/config.go
@@ -4,7 +4,6 @@ import (
 "time"

 "hakurei.app/container"
- "hakurei.app/container/seccomp"
 "hakurei.app/system/dbus"
 )

@@ -66,10 +65,6 @@ type (
 // a negative value causes the container to be terminated immediately on cancellation
 WaitDelay time.Duration `json:"wait_delay,omitempty"`
- // extra seccomp flags
- SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
- // extra seccomp presets
- SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
 // disable project-specific filter extensions
 SeccompCompat bool `json:"seccomp_compat,omitempty"`
 // allow ptrace and friends
diff --git a/hst/hst.go b/hst/hst.go
index 5399cba..8a72b50 100644
--- a/hst/hst.go
+++ b/hst/hst.go
@@ -7,7 +7,6 @@ import (
 "os"

 "hakurei.app/container"
- "hakurei.app/container/seccomp"
 "hakurei.app/system/dbus"
 )

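Review bot: Removing `SeccompFlags` and `SeccompPresets` from ContainerConfig changes how previously serialized configs decode: encoding/json ignores unknown keys unless the decoder sets DisallowUnknownFields, so a stored config still carrying `"seccomp_flags"` or `"seccomp_presets"` (the shape the updated test fixtures show) now loads without error and those settings are dropped silently. Whether that is acceptable depends on the decoder, which is outside this diff; if unknown fields are not rejected there, the struct should at least say so, e.g. a comment next to `SeccompCompat`: `// seccomp_flags and seccomp_presets are no longer recognised; such keys are discarded on decode`. The `type (` block this hunk belongs to begins and ends outside the hunk.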
@@ -106,19 +105,17 @@ func Template() *Config {
 Groups: []string{"video", "dialout", "plugdev"},
 Container: &ContainerConfig{
- Hostname: "localhost",
- Devel: true,
- Userns: true,
- HostNet: true,
- HostAbstract: true,
- Device: true,
- WaitDelay: -1,
- SeccompFlags: seccomp.AllowMultiarch,
- SeccompPresets: seccomp.PresetExt,
- SeccompCompat: true,
- Tty: true,
- Multiarch: true,
- MapRealUID: true,
+ Hostname: "localhost",
+ Devel: true,
+ Userns: true,
+ HostNet: true,
+ HostAbstract: true,
+ Device: true,
+ WaitDelay: -1,
+ SeccompCompat: true,
+ Tty: true,
+ Multiarch: true,
+ MapRealUID: true,
 // example API credentials pulled from Google Chrome
 // DO NOT USE THESE IN A REAL BROWSER
 Env: map[string]string{
diff --git a/hst/hst_test.go b/hst/hst_test.go
index 70f7e53..0c25fa7 100644
--- a/hst/hst_test.go
+++ b/hst/hst_test.go
@@ -166,8 +166,6 @@ func TestTemplate(t *testing.T) {
 "container": {
 "hostname": "localhost",
 "wait_delay": -1,
- "seccomp_flags": 1,
- "seccomp_presets": 1,
 "seccomp_compat": true,
 "devel": true,
 "userns": true,
diff --git a/internal/app/container.go b/internal/app/container.go
index ae9dbf3..eef4e22 100644
--- a/internal/app/container.go
+++ b/internal/app/container.go
@@ -32,12 +32,10 @@ func newContainer(
 }
 params := &container.Params{
- Hostname: s.Hostname,
- SeccompFlags: s.SeccompFlags,
- SeccompPresets: s.SeccompPresets,
- RetainSession: s.Tty,
- HostNet: s.HostNet,
- HostAbstract: s.HostAbstract,
+ Hostname: s.Hostname,
+ RetainSession: s.Tty,
+ HostNet: s.HostNet,
+ HostAbstract: s.HostAbstract,
 // the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
 // this behaviour is implemented in the shim
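Review bot: After this hunk the `container.Params` literal in newContainer no longer sets `SeccompFlags` or `SeccompPresets`, and nothing in the diff derives them from `s.Multiarch` or `s.SeccompCompat`. The old Template set both `SeccompFlags: seccomp.AllowMultiarch` and `Multiarch: true`, which suggests the Multiarch-to-flag mapping already lives further down in newContainer, but that part of the function is outside the hunk so I cannot confirm it from here. If the mapping is there, a short comment at the literal, `// seccomp flags and presets are derived from the hst config below`, would tell a reader where the filter policy now comes from; if it is not, multiarch containers lose the allowance with no error. newContainer begins and continues outside the hunk.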